2025 - INDEX

What's CtrlCon?

CtrlCon is a community-organised series of events all over the world promoting GRC Engineering, threat-driven compliance, and modern automation practices. We think a CtrlCon movement matters because the industry is evolving from audit-driven compliance factories to product-focused engineering teams, and practitioners need a space to share implementation patterns, challenge vendor marketing, and build the next generation of GRC infrastructure.

CtrlCon usually goes hand-in-hand with the famous "hallway track": these events are free and feel more like a practitioner meetup than a vendor expo. Many people come to talk to peers solving similar problems, share implementation guides, and connect with others building GRC like engineers rather than auditors. Of course, there are always great talks and workshops, and that's the main focus of every CtrlCon event!

The name? CtrlCon has three meanings that capture what we're about:

1. Controls: The fundamental building block of GRC. We design controls, test controls, remediate control gaps, and build compensating controls. Every conversation in GRC eventually comes back to controls.

2. Ctrl shortcuts: Every GRC practitioner knows the power of keyboard shortcuts. Ctrl+C, Ctrl+V, Ctrl+F are the tools of our trade. We live in spreadsheets, we automate with code.

3. Taking control: Of how GRC is done. No more audit-driven compliance theatre. No more vendor marketing disguised as thought leadership. We're taking control back.

What is GRC Engineering?

GRC Engineering represents an evolution in how organisations approach governance, risk, and compliance. Rather than treating GRC as a compliance factory optimising for auditors, GRC Engineering applies software engineering principles to build threat-driven programs that actually reduce risk.

To see what GRC Engineering means to the community, check out the GRC Engineering Manifesto and read implementation guides from practitioners who've scaled GRC programs at high-growth companies.

Take Back Control

Ctrl+C / Ctrl+V - Stop copying compliance theatre from last year

Ctrl+F - Find control gaps before auditors do

Ctrl+Z - Undo broken audit-driven approaches

Ctrl+S - Save time with automated control testing

Ctrl+A - Select all controls and map them to actual threats

Ctrl+H - Replace compensating controls with proper ones

Ctrl+Alt+Delete - Restart GRC with threat-driven frameworks

News

>>> [1764323000]: Founding Event Announced <<<

The first CtrlCon will launch in Q2 2025 in London. This is not another compliance conference. This is where GRC Engineers meet to solve real problems.

>>> [1764323100]: Call for Organisers <<<

Interested in organising a CtrlCon in your city? We're looking for practitioners who want to build local communities. Resources and support available.

Upcoming Events

CtrlCon events are being organised worldwide. Each event is run independently by local practitioners following the CtrlCon framework.

TBC Q2 2025 - CtrlCon London (London, UK) - Founding Event
TBC 2025 - CtrlCon San Francisco (San Francisco, USA) - In Planning
TBC 2025 - CtrlCon Singapore (Singapore) - Interest Expressed

Want to organise a CtrlCon in your city? See the Organize page for guidelines and resources.

Socials

You can find us on the following social media sites:

What's CtrlCon

"CtrlCon is a community-driven framework for building events for and by GRC practitioners who believe compliance should be threat-driven, not audit-driven. The goal is to bridge the gap between security engineering and traditional compliance, creating opportunities for practitioners to share implementation patterns, challenge the status quo, and build GRC infrastructure that actually reduces risk rather than just satisfying auditors. It is an intense event focused on real implementation details, threat-to-control mapping, automation patterns, and the hard problems that vendor marketing glosses over. It is where the conversations about GRC Engineering are happening." - GRC Engineering Framework

...

"CtrlCon emerged from the GRC Engineering movement that started in 2024 when practitioners realised traditional compliance approaches weren't working. The audit-driven model optimises for external stakeholders whilst creating the 364-Day Problem where controls work perfectly on audit day but drift the rest of the year. CtrlCon brings together security engineers, GRC practitioners, product managers, and forward-thinking auditors who believe we need to treat GRC like a data problem, build evidence collection as infrastructure, and push actionable information back to risk owners rather than just collecting artefacts for compliance theatre. Events are generally free to attend, rely on sponsorship from vendors who actually build useful tools, and are run by practitioners who've lived the pain of scaling GRC programs at high-growth companies."

It's All About Controls

Every GRC program ultimately comes down to controls. At CtrlCon, we focus on the real work:

- Designing controls that map to actual threats, not just framework requirements

- Testing controls continuously, not once per year

- Remediating control gaps before they become incidents

- Building compensating controls when primary controls fail

- Automating control evidence collection as infrastructure

- Measuring control effectiveness with real metrics, not audit opinions

- Understanding when a control is actually a detective control masquerading as preventive

- Pushing control monitoring data back to the teams who can act on it

Attending Your First CtrlCon?

See What to Expect for details on preparation, event formats, and how to get the most out of your CtrlCon experience.

Each CtrlCon may use different formats:

- Structured: Traditional conference format with pre-selected talks

- Unconference: Participant-driven schedule set on the day

- Hybrid: Mix of pre-scheduled talks and open space discussions

What You'll Find at CtrlCon

Unlike traditional compliance conferences, CtrlCon focuses on:

- Implementation guides and real code, not vendor pitches

- Threat-to-control mapping workshops with actual frameworks

- Live demos of GRC automation patterns and infrastructure-as-code

- Honest discussions about what works and what doesn't in real environments

- Deep dives into treating GRC as a data architecture problem

- Challenge sessions where practitioners push back on broken industry practices

- Excel horror stories and keyboard shortcut competitions (for fun)

Who Should Attend

CtrlCon is for practitioners who are frustrated with compliance theatre and want to build GRC programs that actually reduce risk. You'll find:

- Security engineers building control automation

- GRC practitioners scaling programs at high-growth companies

- Product managers at GRC vendors who want to build better tools

- Forward-thinking auditors interested in continuous monitoring

- CISOs and security leaders rethinking their GRC strategy

- Anyone who's read the GRC Engineering manifesto and wants to contribute

- People who dream in spreadsheet formulas and API calls

Track Themes

Each CtrlCon features multiple tracks focusing on different aspects of modern GRC:

Engineering Track: Automation patterns, infrastructure-as-code, CI/CD integration, data pipelines

Architecture Track: System design, vendor evaluation, build vs buy decisions, integration patterns

Operations Track: Scaling programs, team structures, stakeholder management, continuous controls monitoring

Strategy Track: Threat-driven frameworks, risk quantification, board reporting, programme maturity models

Information and Resources

New here? Start with these resources:

- Read the GRC Engineering Manifesto

- Browse Implementation Guides (32 guides, 60,000 words)

- Join the LinkedIn Group

- Subscribe to the GRC Engineer Newsletter

- Listen to the GRC Engineer Podcast

Organising a CtrlCon?

Read about organising a local CtrlCon. Resources are available to help you make the event a success. Please send an email to crew [at] ctrlcon [dot] io if you would like to organise a CtrlCon event in your city.

We'll schedule a conversation to explain the rules and guidelines, answer questions, and connect you with other organisers.

Sponsorship

Interested in sponsoring CtrlCon or a specific event? We work with vendors who understand practitioner problems and support the GRC Engineering philosophy.

CtrlCon sponsorship is different. We only work with vendors who:

- Actually understand the problems practitioners face

- Are willing to have honest discussions about what they don't solve

- Support the community without expecting a sales pitch slot

- Believe in the GRC Engineering philosophy

Contact: sponsors [at] ctrlcon [dot] io

Volunteers

Want to volunteer? Get in touch with us via LinkedIn, or be old-fashioned and send us an email at crew [at] ctrlcon [dot] io.

Tag for social media

Please use #CtrlCon and #GRCEngineering for content related to these events.

CtrlCon History

CtrlCon was born out of frustration with traditional compliance conferences that focused more on vendor marketing and audit checklists than on solving real practitioner problems. In 2024, Ayoub launched the GRC Engineering movement through his manifesto and newsletter, advocating for treating GRC like a product organisation rather than a compliance factory.

The movement gained traction as practitioners worldwide resonated with the idea that GRC should be threat-driven, not audit-driven. By late 2024, a community of 2,000+ newsletter subscribers, 25,000+ LinkedIn followers, and 150+ company leaders had formed around these principles.

CtrlCon emerged as the natural next step: a conference framework that would bring this community together for genuine knowledge sharing, implementation pattern discussions, and collaborative problem-solving, without the vendor theatre that dominates traditional compliance events.

The name reflects the daily reality of GRC practitioners: we live in spreadsheets, we automate with code, and we know every keyboard shortcut. But more fundamentally, we live and breathe controls. We design controls, we test controls, we document control evidence, we build compensating controls, we map controls to frameworks, and we obsess over control effectiveness. CtrlCon is about taking back control of how we work with controls.

Founding Team

Ayoub is a GRC professional at GitLab leading Security Assurance Automation, founder of GRC Engineer, and creator of the GRC Engineering movement. Recognised as the #2 cybersecurity voice in the UK with 25,000+ LinkedIn followers.

Manifesto

CtrlCon is built on the principles of the GRC Engineering movement:

1. Compliance should be threat-driven, not audit-driven

2. GRC is fundamentally a data architecture problem

3. Evidence collection should be automated infrastructure, not manual toil

4. Controls should be continuously monitored, not checked once per year

5. The goal is risk reduction, not just satisfying frameworks

6. Practitioners should challenge broken industry practices

7. Knowledge sharing beats vendor marketing every time

Call for Papers

We're looking for talks that share real implementation experience, not theory or vendor pitches. Ideal topics include:

- Your approach to threat-to-control mapping with real examples

- How you automated evidence collection at scale

- Lessons learned from failed GRC implementations

- Novel approaches to continuous controls monitoring

- Deep dives into specific technical challenges (e.g., RBAC evidence, segregation of duties)

- Honest vendor evaluations from a practitioner perspective

- That one Excel formula that saved you 40 hours a week

Submit proposals to: cfp [at] ctrlcon [dot] io

Code of Conduct

CtrlCon is a professional environment focused on learning and collaboration. We expect:

- Respectful discourse, even when challenging ideas

- No vendor ambushes or aggressive sales tactics

- Genuine knowledge sharing, not just promoting your company

- Constructive criticism over cynicism

- Recognition that we're all trying to solve hard problems

- Sharing your best keyboard shortcuts with fellow attendees

Anti-Spam Policy

To maintain the quality of CtrlCon as a practitioner-focused community, we have strict policies against vendor spam and aggressive sales tactics. CtrlCon is by practitioners, for practitioners.

...

"The GRC industry needs this. We've spent too long optimising for auditors instead of risk reduction. CtrlCon is where practitioners can finally have honest conversations about what works, what doesn't, and how to build GRC programs that actually make organisations more secure. This isn't another vendor conference. This is where the real work happens. Press Ctrl+Enter to join us." - Early Supporter

Stay Updated

CtrlCon is just getting started. Subscribe to the GRC Engineer newsletter for updates on:

- Event dates and locations

- Call for papers announcements

- Speaker lineups

- Organiser resources

- Community initiatives

- Advanced Excel tips (just kidding, but maybe)