Call for Papers


Call for Papers / Trainings / Workshops for CanSecWest 2026

Send us your proposals for presentations, panels, workshops, and training courses. We want original research and practical work from people who build, break, and defend real systems.

We run a hybrid conference, so we are also taking submissions for online panels and remote sessions. If you want to present, run a panel, or host a working meeting online, pitch it on the same form and tell us it is remote.

For those who are accepted and attend in person, hotel accommodation and travel are provided.

This year's theme: AI Security at Scale. The interesting problems have moved out of the lab. Models now run in production across large fleets, multi-tenant GPU fabrics, and shared inference infrastructure, and the attack surface scales with them. AI tools are starting to find and fix bugs faster than teams can triage them. We want work that engages with that reality. If your research is about what breaks, or holds, when the numbers or code repositories get large, send it.

We are looking for offensive and defensive research, AI and LLM security work, hardware and firmware research, and anything that moves the field forward. Some directions we want to see, weighted toward work that is breaking now, at production scale:

Agent security past prompt injection

  • Long-term agent memory as an attack surface: persistent compromise through poisoned experience and retrieval pools, write flooding, retrieval-latency poisoning, and reflection-loop denial of service.

  • Inter-agent trust exploitation: why a model that refuses a direct command runs the same payload from a peer, and what that breaks in current multi-agent trust models.

  • Principal trust inversion and cross-layer attacks: the shared root cause under most agent compromises, and whether a control at one layer can detect an attack localized at another.

  • Cross-session and sub-session-stack threats: cumulative compromise that current benchmarks do not cover.

  • Tool-calling and connector protocols (MCP and what follows) as a trust boundary: tool poisoning, skill-ecosystem abuse, and confused-deputy escalation.

  • Reinforcement-learning-generated prompt injection that transfers across frontier models, and defenses that survive it.

The inference stack as a target

  • Timing side channels in LLM serving: KV-cache and semantic-cache hits, speculative decoding, and output-token-count leakage that recover other users' prompts.

  • Mixture-of-experts routing as a side channel: expert-load and memory-access patterns that reconstruct prompts and responses.

  • Serving frameworks as software attack surface, including scheduling abuse and resource-exhaustion denial of service under multi-tenant load.

  • Confidential inference in practice: CVM-plus-GPU partitioning, masked outsourcing, and where token-reconstruction attacks still get through.

  • Verifiable and zero-knowledge inference: proving a model ran without revealing it, and the trivial-weight attacks that break naive schemes.

GPU and accelerator isolation at datacenter scale

  • Cross-tenant isolation on shared GPU fabrics: NVLink and PCIe interconnects as an under-protected surface on rack-scale systems.

  • When logical partitioning lies: validating whether MIG and similar mechanisms deliver the isolation they imply.

  • Reverse engineering as the entry point: what vendor opacity costs defenders, and how to evaluate isolation you cannot see.

  • Covert and side channels across multi-GPU machines, with bandwidths now rivaling early CPU channels.

  • Firmware, SmartNIC, and BMC security in AI clusters: the parts of the fleet nobody fuzzes.

Model theft, distillation, and the fragility of safety

  • Industrial-scale distillation: detecting and attributing systematic capability extraction from query patterns, and what counts as theft.

  • Behavioral distillation that clones a safety-aligned model's reasoning from output access alone, with alignment stripped.

  • Removing safety fine-tuning from open weights in minutes: QLoRA, ReFT, and activation-space edits, and which release strategies survive it.

  • The fragility of unlearning: relearning attacks, activation-direction recovery, and why distillation is one of the few things that makes forgetting stick.

  • Weight and architecture leakage through physical and microarchitectural channels.

Autonomous discovery and exploitation, grounded

  • Cyber reasoning systems on real codebases: zero-day discovery across hundreds of projects, and the gap between crashes triggered and bugs confirmed.

  • Honest benchmarking: what CyberGym, Exploitbench, CVE-bench, and AIxCC-derived leaderboards actually measure, and how vendor numbers mislead.

  • The false-positive problem: triaging machine-generated findings before they bury a human team.

  • Neuro-symbolic and agent-scaffold discovery, and where reasoning models still fail to apply what they know.

  • Patch generation and validation in the loop: autonomous fix, regression, and the risk of confident wrong patches.

  • Teams of agents against multi-step and zero-day targets, and the planning failures that still stop them.

Defending AI systems in production

  • Detection and response across fleets of models and agents: signal, noise, and the cost of false positives at volume.

  • Runtime monitoring and TEE-backed attestation of agent execution as trusted infrastructure for autonomous systems.

  • Securing RAG and Graph RAG: context poisoning, subgraph reconstruction from outputs, and untrusted retrieval.

  • Guardrail evaluation as an adversarial discipline, red teaming filters like any other control.

  • Zero-trust identity and runtime verification for agent actions, including consume-once semantics for autonomous payments.

Measurement, provenance, and governance that ships

  • Model and dataset provenance: signing, attestation, and detecting tampered weights.

  • Securing the ML supply chain: poisoned packages, malicious model hubs, and unsafe deserialization.

  • An agent bill of materials: knowing what your autonomous system is actually built from.

  • Reproducibility and benchmark integrity treated as security properties.

  • Practical governance and post-incident analysis for systems already running in production.

Classic depth, new targets

  • Microarchitectural attacks in the AI era: CPU and GPU fuzzing, speculative leaks, and new side channels.

  • Post-quantum migration at scale, harvest-now-decrypt-later, and AI-assisted cryptanalysis.

  • Embedded and on-device models: automotive, 5G, IoT, and the security of inference at the edge.

  • RF, wireless, and electronic-warfare security meeting machine learning.

  • Hardware-rooted trust for AI, from silicon attestation to the model.

This list is a starting point, not a fence. If you have work that advances the state of the art and does not fit a category above, send it anyway.

Training

Training runs the four days before the conference. We will offer about ten courses this year and a few slots remain. We especially want AI and LLM security courses. If you teach this material, pitch us.

Panels and online sessions

We welcome panel proposals, in person or online. Tell us the topic, the angle, and who you want on the panel. For online sessions, our hybrid setup has been refined since the pandemic and carried the [un]prompted online conference, so remote talks and meetings are first-class, not an afterthought.

Deadlines

The first CFP round closes July 15. We announce some talks before then, so send yours early.

No product pitches. Bring research, not marketing.