CtrlCon

The first community-driven GRC conference for practitioners who are done with compliance theatre and ready to build GRC like engineers.

No sales pitches. No buzzword bingo. Just real controls, real threats, and real implementation experience.

Community-run. In person. Slightly opinionated, genuinely welcoming.

A practitioner-led conference built for real implementation detail, threat-driven controls, and honest conversations.

London, September 2026. Date to follow soonish.

Waitlist

Get early access to London 2026 updates, speaker announcements, and planning details.

What CtrlCon is / isn't

A practitioner-first conference with zero compliance theatre.

CtrlCon is

  • A practitioner-driven conference, organised by people who actually build and run GRC programs
  • A place to talk openly about what works, what doesn't, and why
  • Focused on controls, threats, evidence, automation, and engineering trade-offs
  • Heavy on hallway conversations, shared patterns, and honest war stories

CtrlCon isn't

  • A sales event or lead-generation exercise
  • A sequence of thinly veiled product demos
  • A framework-recital or checkbox optimisation workshop
  • A place where buzzwords replace implementation detail
  • An event optimised for auditors instead of practitioners

If you're looking for real conversations about building GRC that actually reduces risk, you're in the right place.

What is CtrlCon

CtrlCon is a community-organised series of events around the world promoting GRC Engineering, threat-driven compliance, and modern automation practices.

We believe the industry is evolving from audit-driven compliance factories to product-focused engineering teams. Practitioners need a space to share implementation patterns, challenge vendor marketing, and build the next generation of GRC infrastructure.

The vibe

Hallway-first, implementation-heavy, and unapologetically practitioner-led.

CtrlCon is built around the famous hallway track. Events are designed to feel more like a practitioner meetup than a vendor expo. People come to:

  • Talk to peers solving similar problems
  • Share implementation guides
  • Exchange patterns and lessons learned
  • Connect with others building GRC like engineers rather than auditors

And yes, there are always great talks and workshops, because that is the main focus of every CtrlCon event.

Why the name

Controls

The fundamental building block of GRC. We design controls, test controls, remediate control gaps, and build compensating controls.

Ctrl shortcuts

Ctrl+C, Ctrl+V, Ctrl+F. We live in spreadsheets. We automate with code.

Taking control

No more audit-driven compliance theatre. No more vendor marketing disguised as thought leadership. We're taking control back.

What is GRC Engineering

GRC Engineering represents an evolution in how organisations approach governance, risk, and compliance. Instead of optimising for audit outcomes, GRC Engineering applies software and security engineering principles to build threat-driven programs that actually reduce risk.

  • A data and systems problem
  • An engineering discipline, not a documentation exercise
  • A continuous process, not a once-a-year audit sprint

CtrlCon exists to give practitioners a place to share how this works in the real world.

News

CtrlCon London — September 2026

CtrlCon London will take place in September 2026 (date to follow soonish). This is the founding CtrlCon event and will be held in person in London. Expect actually helpful sessions, honest practitioner discussions, and the kind of hallway conversations you don't get at vendor-led conferences.

What happens at CtrlCon

  • Implementation guides and real code, not vendor pitches
  • Threat-to-control mapping workshops with actual frameworks
  • Live demos of GRC automation patterns and infrastructure-as-code
  • Honest discussions about what works and what doesn't
  • Deep dives into treating GRC as a data architecture problem
  • Challenge sessions that push back on broken industry practices
  • Excel horror stories and keyboard shortcut competitions (for fun)

Who should attend

  • Security engineers building control automation
  • GRC practitioners scaling programs at high-growth companies
  • Product managers at GRC vendors who want to build better tools
  • Forward-thinking auditors interested in continuous monitoring
  • CISOs and security leaders rethinking their GRC strategy
  • People who dream in spreadsheet formulas and API calls

Tracks

Engineering Track

Automation patterns, IaC, CI/CD integration, data pipelines

Architecture Track

System design, vendor evaluation, build vs buy, integrations

Operations Track

Scaling programs, team structures, stakeholder management, CCM

Strategy Track

Threat-driven frameworks, risk quantification, board reporting, maturity models

Resources

Volunteers

Want to volunteer?

Reach out via LinkedIn or email: <TBD>

Socials

LinkedIn: https://www.linkedin.com/company/ctrlcon/

More channels will be added as the community grows.

Call for Papers

We're looking for talks that share real implementation experience.

Ideal topics include:

  • Threat-to-control mapping with real examples
  • Evidence automation at scale
  • Lessons learned from failed GRC implementations
  • Continuous controls monitoring
  • Deep dives into technical challenges (RBAC evidence, SoD, etc.)
  • Honest vendor evaluations from a practitioner perspective
  • That one Excel formula that saved you 40 hours a week

Submit: <TBD>

Code of Conduct

CtrlCon is a professional environment focused on learning and collaboration.

We expect

  • Respectful discourse
  • That everybody is welcome and treated with due respect
  • A shared understanding that we're one team for the day
  • No vendor ambushes or aggressive sales
  • Genuine knowledge sharing
  • Constructive criticism over cynicism

We do not expect

  • Racism, sexism, discrimination, or harassment of any kind
  • Behaviour that makes others feel unwelcome, unsafe, or unheard
  • Perfect answers or polished success stories
  • That everyone agrees on approaches, tools, or frameworks
  • Slides full of buzzwords without substance
  • Sales pitches disguised as talks or discussions
  • Performative compliance or theory without real-world context
  • That your implementation is "done" or "mature"

CtrlCon values honesty over perfection, curiosity over certainty, and learning over posturing.

Stay Updated

Coming soon