While most of the conference circuit front-loads into the spring, SANS closes the year with what is arguably its most important event: Cyber Defense Initiative.
Running 14–19 December 2026 at the Grand Hyatt Washington in DC, CDI is less a conference than a six-day training intensive with conference-style content threaded through the evenings — and for CISOs setting team development budgets, it’s one of the most measurable spends on the calendar.
The Conference at a Glance
SANS Cyber Defense Initiative is structured around the SANS course catalogue — more than 30 courses spanning incident response, threat hunting, digital forensics, defensive operations, security leadership, cloud security, ICS, and offensive disciplines.
Each course runs four to six days with a SANS-certified instructor, and most map directly to a GIAC certification.
Evening programming includes SANS@Night talks, hands-on workshops, NetWars tournaments, a welcome reception, and a vendor expo that’s notably more restrained than the Vegas circuit.
The Grand Hyatt sits in downtown DC near Capital One Arena and the National Mall, which makes after-hours logistics easier than most conference venues.
Who It’s For
CDI is unambiguously for practitioners and the leaders responsible for their development.
SOC analysts, incident responders, threat hunters, forensics teams, cloud security engineers, and security architects make up the bulk of the audience.
CISOs attend the leadership tracks — MGT514 on strategic planning, policy, and leadership is a perennial — and use the week to embed alongside their technical teams.
Government attendees are a large and steady contingent, supported by per diem-friendly hotel rates and a course catalogue that maps to federal certification requirements.
International practitioners attend in numbers; SANS provides invitation letters for visa purposes.
Highlights and Themes from the Most Recent Edition
The 2025 edition (December 12–17 in Washington DC) reflected SANS’s continued evolution toward AI-augmented defensive operations: courses and SANS@Night talks covered how AI is changing analyst workflows, the practical mechanics of detection engineering at scale, and the maturing discipline of cyber threat intelligence.
SANS Senior Instructor Matt Edmondson’s talk on changes in how he uses AI day-to-day drew a notably full room.
Workshops included hands-on hardware exercises — programming a $4 microcontroller to compromise systems via USB was a memorable example.
The optional NetWars tournaments, which CDI attendees can play free with limited registration spots, remain one of the most useful ways to benchmark a team’s actual capability against peers from across industry and government.
What to Expect Going Forward
CDI 2026’s course catalogue will continue to weight heavily toward incident response, threat hunting, and defensive operations, with growing emphasis on cloud-native detection, AI/ML security operations, and ICS/OT defence.
Early Bird pricing — typically $900 off any 4–6 day course — closes 27 May 2026, and the Grand Hyatt block fills quickly with rates available through 23 November.
CISOs planning team development for the year should slot their course selections in by Q1 to take advantage of pricing and availability.
The Bottom Line
CDI isn’t cheap — individual courses run several thousand dollars — but the combination of certified training, certification exam prep, and a week of dedicated focus consistently produces measurable capability uplift.
For CISOs setting team development budgets, CDI is one of the few events where the ROI is straightforward to calculate: a credentialled, more capable team by year-end, with the certifications that help retention and progression.
If you can only fund one event for your senior practitioners, this is a strong candidate.