I’ve wanted to attend DEF CON for as long as I’ve been working in IT and cyber security. For more than a decade, it’s represented the centre of the hacking and security community — curiosity‑driven, community‑led, and relentlessly focused on how systems actually work (and, more importantly, how they fail).
Arriving at DEF CON Singapore was emotional. It felt like finally walking into a room I’d been standing outside of for years.
What I didn’t expect was to attend Milipol TechX at the same time.
By chance — and through a free expo pass — I found myself moving between two very different conference floors, only days apart. What I walked away with wasn’t just a comparison of events, but a clear insight into two very different conversations happening around technology, security, and the future.
That contrast has stayed with me.
Two worlds, two very different messages
DEF CON and Milipol TechX could not have felt more different.
DEF CON was exactly what I’d hoped for: a global community of hackers, researchers, and practitioners pulling systems apart, challenging assumptions, and sharing hard‑earned knowledge openly. The audience felt grounded and principled. Curious, often sceptical — particularly of hype.
Milipol TechX was something else entirely.
Here, the audience was governments, defence, law enforcement, and large technology vendors. The tools on display were powerful, polished, and explicitly operational. Surveillance platforms embedded with AI. Unmanned systems. Capabilities that felt closer to Watch Dogs or Detroit: Become Human than anything I’d previously seen up close.
This was innovation — but with very different intent, and very different consequences.
Signals that cut across both conferences
Despite the contrast, some themes were impossible to ignore.
Artificial intelligence, of course.
It’s not slowing down — and thinking otherwise now feels naïve in hindsight. Yet despite the rapid capability gains, many systems are still not designed with security front and centre. We continue to bolt security on after the fact, or handball it to another team, another layer, or another product.
Data and identity remain unresolved.
Data access and identity featured heavily across new tools and platforms. And yet individual digital identity is still a major, largely unsolved problem. Ownership, trust, accountability — none of it is settled, particularly when AI systems are making decisions based on that data.
Impressive technology, familiar mistakes.
There is no shortage of genuinely impressive innovation. At the same time, many of the security mistakes we’ve lived with for years are simply being rebuilt at scale — now accelerated by AI.
The ethical line I didn’t expect to confront
What surprised me most at Milipol wasn’t the technology itself — it was the ethical discomfort it created.
With global conflict dominating headlines, including the ongoing tensions involving Iran, Milipol felt like a candid glimpse into how future wars may be fought: autonomous platforms, AI‑assisted targeting, and unmanned systems designed to operate at machine speed.
It left me asking some uncomfortable questions:
- Should AI decide whether someone is friend or foe?
- Where does my ethical line sit — and why does it differ from others?
- Is building autonomous weapons compatible with the values many of us hold in cyber and technology?
For me, the answer is no. That sits outside my ethical boundary. But it was confronting to see how comfortably that boundary shifts depending on role, industry, or incentive.
What this means for APAC — and Australia
One conclusion I keep coming back to is this: APAC — particularly Australia — feels behind the curve.
That’s not a criticism of talent or intent. But many of the trends on display in Singapore are not yet being discussed back home with the same urgency. Australia doesn’t have a true Milipol equivalent, and that absence may itself be telling.
If AI really is “coming for our jobs”, then our value will increasingly lie in specialisation — in understanding how these systems work, how they fail, and how they can be secured — not simply in operating them.
Organisations that fail to adopt AI to improve efficiency will be left behind. But adopting AI without serious attention to data security, governance, and identity is reckless.
If organisations don’t have this capability internally, they need to engage specialists who do. Hope is not a security strategy — and never has been.
A personal takeaway
These two conferences reinforced something I need to keep front of mind as a founder and practitioner: technical capability does not equal ethical responsibility.
Past‑me would have been impressed purely by the scale. Present‑me still felt like a kid in a candy store — but tempered by an awareness of the responsibility that comes with building and enabling powerful systems.
What gives me optimism is the DEF CON community. The collaboration, openness, and shared desire to make systems better — not just more powerful — is something worth protecting.
Because the future of security won’t be defined by technology alone.
It will be defined by the values of the people who choose how that technology is used.
