Opinions
DEF CON: Navigating the chaos
Head of Research
Updated
Jan 15, 2026
12 min
"Drink all the booze, hack all the things," proclaims Dual Core in their unofficial DEF CON anthem, perfectly capturing that fine line between technical obsession and partying that defines the event. That's how the world's largest hacking conference goes down: nonstop intensity where 26,000 hackers gather in Las Vegas with a singular mindset to explore, break, and rebuild.
Origin and history of DEF CON
DEF CON was born in 1993 as a farewell party organized by Jeff Moss, aka The Dark Tangent, for the operator of Platinum Net, a BBS network for Canadian hackers. The original idea was to throw a party for all the network members since the operator was shutting it down, but due to his father's sudden job change, the operator had to leave early and disappeared, leaving Jeff with everything up in the air.
Jeff decided to keep going with the organization and invited everyone he could, ironically including the feds, on the premise that they were going to show up anyway. And so, the 18-year-old Moss pulled off DEF CON 1 with no schedule, no signage, just folding chairs, a tape recorder, 100 attendees, and 12 speakers.
The name DEF CON pays tribute to the phone phreakers who preceded computer hacking: on a telephone keypad, DEF corresponds to the number 3, a reference to DTMF tone manipulation techniques. CON refers to conference. On the other hand, the name also alludes to the word DEFCON itself, which references the movie WarGames (1983), where the protagonist decides to bomb Las Vegas.
This party has been bombing Las Vegas for 33 years now, and it's been through a lot: starting from that first edition, DC1, with 100 attendees in 1993, to the founding of the iconic DEF CON CTF at DC4 (1996), the event's first expansion outside the U.S. in 2018 in Beijing, China, and the celebration of a virtual edition (DEF CON Safe Mode) in 2020 during the pandemic, as well as the venue change in 2024 with the arrival of DC32. In 2025, DC33 added another chapter to that history, and you can check out the highlights in my post about the best of DEF CON in 2025.
A culture of anonymity and privacy
Even with over three decades of history, the conference still maintains its core: anonymity and privacy are sacred. This is simply a reflection of respect for the community, achieved by keeping minimal information about attendees. There's no attendee registration, badge payment can be made in cash, the culture of handles over real names prevails, you shouldn't reveal your employer, their websites only have strictly technical and necessary logs, and there's a whole photo policy.
Speaking of the latter, for example, you can't take photos of crowds or people without their consent first, and this is a rule enforced by everyone, including the Goons and other event staff.
The role of Goons
The Goons are all the people who make the event possible. They're red-shirted volunteers with a tag or handle who serve as Staff, SOC, NOC, Photo & Video Team, and all the other activities needed to keep the event running. Their only pay is free entry to DEF CON and t-shirts, as this is work they do for the community. They emerged organically in the conference's early editions as a response to troublemakers showing up, and they're truly an entire network of trusted people who help organize DEF CON and contribute to the community. The way to become one of them is usually through another Goon's recommendation, after being evaluated by them.
Other traditions that define the conference
Just like the Goons, there are many traditions or parts of DEF CON that have become immortalized over the years:
Wall of Sheep, where credentials are displayed from people who use the conference's unsecured networks or use the secure networks with incorrect configuration.
Spot the Fed, where you try to identify federal agents attending the conference, and if the identification is correct, both the spotter and the fed win an "I spotted the fed!" or "I am the fed!" t-shirt respectively.
Toxic BBQ, a tradition since 2004 (DC12) known as DEF CON's unofficial opening party, where burgers and food are given away and represents the calm before the storm.
DCGs (DEF CON Groups), also known as the way to bring DEF CON outside of DEF CON, which are local community meetups around the world.
Hacker Summer Camp
Today, DEF CON is a disruptive and diverse hacking conference, and it's part of the legendary Hacker Summer Camp: a full week in Las Vegas where some of the most important cybersecurity conferences take place. Hacker Summer Camp consists of 3 conferences: Black Hat (August 2-7), the corporate giant characterized by its trainings and highly technical or commercial content; BSides Las Vegas (August 4-6), which opens the camp's talks and is a more community-driven and accessible conference; and DEF CON (August 7-10), as the epic finale and hacker culture at its peak.
Badges: More than an entry ticket
The way for the general public to attend the conference is by buying a Human badge. A badge is your ticket to everything inside DEF CON. Initially they were made of laminated paper/plastic from DC1 to DC13, then in 2006 (DC14), the first electronic badge was introduced, and starting in 2011 (DC19 onward), the Tick/Tock cycle began, referring to a rotation of one year offering an electronic badge and the next an analog badge.
Badges are characterized by being, generally, hackable, or having their own related challenge within the conference. Whoever solves the challenge first can sometimes receive the famous Black Badge. This is the highest prize and recognition awarded at the conference, given to winners of some of the main competitions, allowing them free access to DEF CON for life. Similar to this, the Gold Badge also allows free lifetime access to DEF CON, but it's given to Goons with more than 10 years of service, so they can enjoy the conference for the rest of their days.
Legendary competitions
Getting into challenge territory now, there are tons of competitions at DEF CON. DC33, in 2025, had countless unofficial competitions, 75 official competitions, and 12 competitions that awarded Black Badges. Some of the most important ones are the following.
Hacker Jeopardy
Hacker Jeopardy, a tradition since DC3 (1995), is DEF CON's oldest competition. It's an irreverent parody of the television show Jeopardy!, but with a focus on hacker culture. Here, three teams of three people compete to answer questions ranging from pre-quantum cryptography and RFCs to the most obscure memes; and this while alcohol becomes the competition's mandatory fuel: an official Beer Score is kept alongside the game points.
The show's mantra is "Don't f*ck it up," and they repeat it constantly, especially when technical difficulties occur (which happens frequently), with chaos literally becoming part of the experience: microphones dying, screens shutting off, and the host losing their voice during the show.
Even so, halfway through this chaos, the atmosphere shifts for a charity auction benefiting the EFF (Electronic Frontier Foundation), where everything from rare commemorative coins to leftover tacos sells for hundreds of dollars. In the end, the winners (who in 2025 won by strategically betting $0) take home the glory and, traditionally, the coveted Black Badge.
DEF CON CTF
DEF CON CTF is one of the most recognized CTFs in the world, where the top 20 qualified teams compete in person in Las Vegas. Last year, this CTF reached a rating or weight of 100/100 on CTFtime.org, a platform where the vast majority of CTFs are announced and ranked.
DEF CON CTF is also one of the oldest CTFs still running. It began in 1996 (DC4) organized by the Goons themselves, and this year celebrated its 30th edition (DC33) organized by Nautilus Institute for the fourth and final consecutive time. Last year's winners, who hold the record with nine victories as the most awarded team in DEF CON history, are MMM (Maple Mallard Magistrates), the union of three great teams: PPP (Plaid Parliament of Pwning) from Carnegie Mellon University, The Duck from the company Theori.io, and Maple Bacon from UBC (The University of British Columbia).
The CTF has an Attack & Defense format, where teams simultaneously compete to attack opponents' systems to capture their flags and defend their own systems by remediating their vulnerabilities. Earning a spot in this competition requires finishing in the top teams of the DEF CON qualifying CTF (Jeopardy style), or winning one of the designated world CTFs, such as HITCON CTF in Taiwan or PlaidCTF in the U.S.
Scavenger Hunt
The Scavenger Hunt, the third longest-running competition, was born as a tradition at DC5 (1997) when its founder, Pinguino, wanted to make fake IDs with a friend, but no one would lend them a digital camera, so in desperation and an attempt not to get bored, she invented a "quick game." To do this, she made a list of weird things that required dumpster diving or social engineering, assigned a point value to each item, allowed teams of up to five people to play, and whoever reached 100 first won. That first winner was a hacker named ToiletDuck, who counted himself as the item 'A live duck'.
This highlights the competition's dynamic: the list is hackable and open to interpretation, because part of the game is convincing the judge that your item is correct. To give you some sense of the list's level of insanity, some items at DC33 were: #28 packet collision, #60 anti-social engineering, and #86 give a flight safety brief at the Aerospace Village.
DARPA's AI Cyber Challenge
Another of DEF CON's major competitions, and one of the most recent, is DARPA's AI Cyber Challenge, also known as AIxCC, which is part of the village bearing its name. This competition began at DC32 and lasted two years.
Unlike other competitions, here hackers don't find or remediate vulnerabilities—instead, their goal is to build autonomous systems that independently find and remediate vulnerabilities. These systems managed to remediate vulnerabilities in an average of 45 minutes each with an estimated cost per fix of $152, even finding zero-days in the systems they were reviewing.
Their numbers are impressive:
Detected 54/70 synthetic vulnerabilities (77%)
Remediated 43/70 synthetic vulnerabilities (61%)
Found 18 zero-days
Remediated 11 zero-days
Analyzed over 54 million lines of code
On top of everything, the winning models became open-source for the community to use. The specific winners were: Team Atlanta in first place, taking home $4 million; Trail of Bits in second, taking home $3 million, and Theori in third, taking home $1.5 million.
Villages and communities at DEF CON
As The Dark Tangent said at DC33:
"I want 50% of the time you guys to have a fantastic social experience and 50% of the time doing something crazy hands-on or learning or breaking something. That is the spirit of the hacker con."
Activities at DEF CON vary and mix learning and fun. There are many spaces to learn and be entertained: villages, communities, parties, workshops, trainings, and the talks themselves.
Villages: Where every niche has its space
Villages are learning spaces organized by knowledge area or hacking specialty, and while they also have talks, they have a more hands-on focus within the conference. The number of villages reached 35 at DC33, currently including the following:
Village | Theme |
|---|---|
Adversary Village | Adversary simulation, purple teaming, and the Adversary Wars CTF |
Aerospace Village | Aviation and space security and Drone Flying Experience |
AI Village | AI and security, deepfakes, and model red teaming |
AIxCC (Challenge) | DARPA's AI Cyber Challenge finale |
AppSec Village | Application security: web, mobile, and API hacking |
Biohacking Village | Healthcare and hospital infrastructure security |
Blacks In Cyber Village | Black community experience in hacking |
Blue Team Village (BTV) | Defense, incident response, threat intelligence, and threat hunting |
Bug Bounty Village | Bug bounty, AppSec, and research |
Car Hacking Village | Automotive and electric vehicles security |
Cloud Village | Cloud hacking (AWS, Azure, GCP, Alibaba), demos, and CTFs |
Crypto Privacy Village | Cryptography, privacy, surveillance, and the Gold Bug Challenge |
Data Duplication Village | Free terabyte data copying, storage, and data duplication |
Embedded Systems Village | Hardware, firmware, and embedded systems hacking |
GameHacking.GG | Video game security, modding, cheats, and anti-cheating |
Ham Radio Village | Amateur radio, satellite control, and wireless communications |
Hardware Hacking (HHV/SSV) | Soldering skills and electronics modification |
ICS Village | Industrial control systems and critical infrastructure |
IOT Village | Internet of Things, Meshtastic, and smart devices |
Lock Pick Village | Lock-picking techniques for padlocks and locks |
Malware Village | Malware analysis, reverse engineering, and sandbox evasion |
Maritime Hacking Village | Maritime systems hacking: ships, GPS, and marine drones |
Packet Hacking Village | Packet analysis, Wall of Sheep, and Capture The Packet |
Payment Village | Hacking ATMs, credit cards, and payment systems |
Physical Security Village | Access systems, doors, alarms, and surveillance systems |
Policy @ DEF CON | Policies, regulations, and hacker-government relations |
Quantum Village | Computing, security, and post-quantum cryptography |
Radio Frequency Village | RF security and signal analysis |
Recon Village | OSINT, reconnaissance, and digital espionage |
Red Team Village | Offensive security, Active Directory, and Red Team CTF |
Social Engineering Village | Social engineering, vishing, and phishing |
Tamper-Evident Village | Evidence tampering without leaving traces |
Telecom Village | Telecommunications, 5G networks, and protocol analysis |
Voting Village | Election security and voting machine hacking |
Communities: A place for everyone
Unlike villages, which focus on a specific discipline (like hacking cars or satellites), communities connect with people and focus on their identity (veterans, women, LGBTQ+, Spanish speakers), life situation (sobriety, disabilities), or interests (retro tech, hard hats). Communities emerged at DC32, initially with eight, and this year at DC33 they reached 31, specifically the following:
Community | Theme |
|---|---|
.edu Community | Educational technology, universities/K12, and remote learning |
Badgelife | Museum, exchange, sale, and creation of electronic badges |
BBWIC Foundation | Support, mentorship, and leadership for women in cybersecurity |
Code Breaker | Cryptanalysis and puzzles |
Cryptocurrency Community | Blockchain, DeFi, and Web3 |
DC Maker's Community | Intersection of design, electronics, art, and makers, 3D and DIY |
DC NextGen | Official youth track (ages 8-18) |
DDoS Community | DDoS attack defense, stories, and mitigation |
DEF CON Academy | Mentorships, intro to hacking and CTFs (by pwn.college) |
DEF CON Groups (DCG) | Meeting point for local hacker groups worldwide |
DEF CON Groups VR | DCGs through a virtual reality experience |
Friends of Bill W | Sobriety and addiction recovery support |
Hackers With Disabilities | Support space for disabilities and service animals |
Hackers.town | Distributed networks, Mastodon, LoRa, and Meshtastic radios |
Hard Hat Brigade | The combination of hats, art, and functionality |
Illumicon | All about lights: lasers, LEDs, and light shows |
La Villa | Latinx, Spanish-speaking, and Portuguese-speaking community |
Lonely Hackers Club | Support group for solo or first-time attendees |
Loong Community | Asian InfoSec community |
Memorial Chamber | Space to honor and remember deceased hackers |
Mobile Hacking Community | Mobile app security and hardening |
Nix Vegas Community | NixOS and the Nix package manager |
NMDP (Be The Match) | Bone marrow donors and saving lives |
Noob Community | Space for absolute beginners; learning and guidance |
Operating Systems Community | OS development, optimization, and hacking |
OWASP | Global open-source web app security community |
Queercon Community Lounge | Safe space and inclusion for LGBTQIA+ community |
Retro Tech Community | Retro computers and games |
The Diana Initiative | Promoting diversity and women in InfoSec |
The Diana Initiative Quiet Room | Quiet room to relax, recharge, or avoid sensory overload |
VETCON | Meeting point and networking for military veterans |
Women in Security & Privacy | Professional development and training for women |
Workshops, trainings, and... party!
Beyond villages and communities, some spaces focused purely on learning are workshops and trainings. Workshops are free 4-hour sessions (included with the badge) that require advance registration and have limited capacity. These run all three days of the conference (Friday through Sunday), in time slots from 9 AM to 2 PM. On the other hand, trainings cost between $1,500 and $4,200, lasting between two and four days, during or after the event.
Besides being a space for learning and community, DEF CON was born as a party, and of course it still is one. When night falls, the vibe shifts and parties take over the conference. Techno is the predominant music, but there are DJs of various genres and styles. In fact, at DC33 there were 12 official parties, over 40 unofficial ones, and a total of 241 events, parties, and meetups organized by DEF CON.
Practical guide to enjoying DEF CON
For anyone reading this who's interested or about to travel to DEF CON, first up is trip logistics:
There are two types of tickets available: online pre-sale tickets cost $540, $560, and/or $580 in 2025, depending on when you bought them (the price gets higher the closer to the event date). Tickets purchased at the cash line cost $500. This info can be useful assuming DC34 prices might be similar.
Once you're in Las Vegas, it's important to consider transportation. The event takes place at LVCC (Las Vegas Convention Center), which is crossed by the Vegas Loop, a network of underground tunnels that can be traveled free of charge in Teslas that go through different parts of the convention center. Besides this, there's the Las Vegas Monorail, a transit system that crosses the city, and in 2025 provided exclusive DEF CON discounts. The recommended monorail pass to buy is the 4-day pass, which can be useful for getting around the city all conference days, with closing times on Mondays at midnight, Tuesday through Thursday at 2 AM, and Friday through Sunday until 3 AM.
Regarding accommodation, each year DEF CON negotiates with several hotels and sets up DC Room Blocks, meaning those hotels that have exclusive discounts that week or event days. In 2025, participating hotels were the Sahara, directly connected to the Monorail, the Venetian, 7 minutes by car, and the Fontainebleau, one of the closest hotels to the LVCC (10-15 minute walk). A couple hotels immediately near the LVCC, although they weren't part of the DC33 room blocks, are the Las Vegas Marriott and the SpringHill Suites by Marriott Las Vegas Convention Center.
Once you're at the event, the best thing to do on the first day is arrive early (a couple hours before) to Linecon—this is the line to buy or pick up your badge—immediately after, get in line for merch, taking advantage of the time before the conference starts and getting ahead of merchandise sellouts, and finally explore the venue with the map, to familiarize yourself with the layout of everything and the location of what you want to visit.
As tips focused on the conference itself, the best way to navigate the chaos, besides knowing what you're facing, is as follows:
First is internalizing reality: It's impossible to see everything! As you may have noticed, at DEF CON there are tons of stories and activities happening at the same moment in time, so it's common to feel FOMO (Fear Of Missing Out) and get overwhelmed by the vastness of the event. To deal with this, the best approach is to choose a few villages, talks, and must-do activities for you, and focus only on those, also reserving space in your schedule for chaos—that is, all those unpredictable events or activities that might pop up suddenly.
Second is using Hacker Tracker, a mobile app and website with all the information from this and several other hacking and cybersecurity conferences, to plan those priority activities in advance.
Third is following at least the 3-2-1 rule: three hours of sleep, two meals, one shower. Minimum requirements to survive DEF CON's intensity. It can also be very helpful to eat breakfast before going to the event, bring snacks, wear comfortable and cool clothing (Las Vegas is a desert), and drink water constantly to stay hydrated.
With all this, you now have the tools to plan your trip and dare to live the experience.
The next edition, DEF CON 34, will take place at the LVCC from August 6-9, 2026.
Though it's somewhat ironic to say after all this information: DEF CON can't be explained, it has to be lived. This article tries to prepare you for what's coming, but the truth is nothing really prepares you for the intensity of those four days. You'll have to go, get lost in the chaos, and discover why thousands of hackers come back year after year.
See you there...
Get started with Fluid Attacks' PTaaS right now
Other posts
