London calling: Highlights from the 2025 cloud & cyber security expo

Exploring AI, DevSecOps, and the future of SaaS & cloud security

Jaweed Metz
March 18th, 2025

The 2025 Cloud & Cyber Security Expo recently concluded its two-day event, showcasing insightful discussions, innovative perspectives and a cyber security ecosystem adapting to new challenges. Held from 12-13 March at ExCeL London, the event brought together thousands of security practitioners, developers, and CISOs. Conversations focused on staying ahead of threats, keeping security friction low, empowering developers by shifting security left, and helping security teams cut through the noise to focus on real risks—all while maximizing return on investment (ROI) and cutting down backlog.

AI-driven security, zero trust, DevSecOps integration, risk management, innovations in SaaS & cloud security, and the evolving threat landscape took center stage at the Expo. Keynote presentations, panel discussions, and exhibitor demos featured insightful discussions on how security teams and developers can streamline security practices, minimize friction, and stay ahead of emerging threats.

The expo highlighted five pivotal themes shaping cyber security:

  1. AI-centric cyber security

  • AI enhances threat detection, response, and automation while supporting security teams.

  2. The role of cyber security frameworks in risk management

  • Security frameworks must be embedded into risk management rather than treated as compliance checkboxes.

  3. Securing the cloud: Safeguarding data in an ever-changing world

  • Cloud security should be automated and integrated from the outset to address scalability challenges.

  4. Fostering the human element in cyber security

  • A strong security culture requires leadership support, ongoing training, and security champions.

  5. Strategic implementation & the future of cyber security

  • AI-driven automation and adaptive security strategies are crucial for securing expanding attack surfaces.

Semgrep at the expo: Building developer-centric security

As a platinum sponsor, Semgrep was excited to engage with industry leaders and explore the event's central themes, particularly the integration of artificial intelligence (AI) in cyber security. Furthermore, we hosted the following:

Semgrep’s London Security Leaders Dinner—a fun and intimate gathering designed to spark real conversations on the future of DevSecOps and developer-driven security, and to build meaningful connections. It was a great opportunity for security leaders to come together in a relaxed setting, share insights, and dive into emerging cyber security challenges.

Semgrep also showcased its presence with a booth and led two speaking sessions:

  • Security Keynote featuring Semgrep customer esure

  • DevSecOps panel discussion on the essential role of security integration in DevOps


Expo security keynote track (esure group + Semgrep):
Securing digital transformation in financial services with Semgrep - The esure approach

At the Cloud & Cyber Security Keynote, industry experts explored how AI and static analysis can work together to enhance secure development, with insights from a real-world case study featuring Kenichi Shibata, Cloud Security Architect, esure group.

SPEAKERS

  • Kenichi Shibata, Cloud Security Architect, esure group

  • Nitin Nayar, EMEA Head of Solutions Engineering, Semgrep

Main takeaways from the discussion

  1. The evolving AppSec & threat landscape: Why now?

    • AI is making cyber threats more sophisticated, forcing financial services to rethink security strategies.

    • Security teams face a skills gap (approx 1:100 ratio of security practitioners to developers), requiring smarter automation.

    • Traditional approaches like Software Composition Analysis (SCA) aren’t enough — teams need deep visibility into their code.

  2. Breaking the development velocity vs. security posture tradeoff

    • Security and development often compete—more security usually means slower development.

    • Semgrep’s Pro Rules have helped reduce noise and improve findings, enabling developers to address security at speed.

    • Shift-left scanning and IDE integration provide instant feedback before CI/CD runs, preventing slowdowns.

    • Developers quickly adopted Semgrep after a single demo, proving its ease of use.

  3. Team scaling: AI as a force multiplier for AppSec teams

    • AI-driven auto-triage and rule customisation empowered esure’s small security teams to scale efficiently, enabling hundreds of developers and amplifying their impact as a force multiplier.

    • Semgrep learns over time (AI Memories), improving findings and reducing false positives for esure.

    • AI-powered auto-remediation helps security teams keep up with developers without manual intervention.

    • Fast implementation: within a week, developers fully adopted the tool and integrated it into their workflows.

  4. Scaling security at both extremes: Mass onboarding & monorepo challenges

    • esure handles several generations of code and infrastructure across hundreds of monorepos and thousands of services.

    • Semgrep enables rapid security adoption across this complex environment without slowing development.

  5. Breaking the AppSec silo: Integrating security into the ecosystem

    • Security needs to be embedded into the developer workflow—not an isolated process.

    • esure integrates Semgrep’s APIs into internal dashboards to track security trends.

    • Future plans include squad and tribe-level tracking to align security efforts across teams.

  6. Meeting developers where they are: The path to security adoption

    • Security tools fail if developers don’t use them—Semgrep’s developer-first approach ensures adoption.

    • GitHub PR integration and IDE-based scanning provide real-time security feedback.

    • Reduced false positives build trust, making security a seamless part of the development process.

    • With Semgrep, the ability to triage data efficiently, take action seamlessly, and simplify our processes has been transformative — brilliant.

    • Unprecedented developer engagement: developers were so enthusiastic about Semgrep that they proactively created documentation for the security tool.

  7. Continuing the AppSec journey: What’s next?

    • esure plans to expand its security approach with integrations for broader cloud security insights.

    • The focus remains on automating security while empowering developers to build securely from the start.

Expo DevSecOps panel discussion:
The essential role of security integration in the DevOps cycle against emerging threats

At the DevSecOps track at the expo, a panel discussion examined the importance of integrating security into DevOps to combat emerging threats. Industry experts shared insights on key challenges, best practices, and strategies for strengthening security while maintaining development efficiency.

  • Moderator: 

    • Emeka Anachebe (DevOps Engineer, DWP)

  • Panellists:

    • Mahendren Selvakumar (Devopstronaut)

    • Sanmat Jhanjari (Nationwide Building Society)

    • Sebastian Revuelta (Semgrep)

Panel discussion topics
TOPIC #1: The DevSecOps struggle & common challenges

(MODERATOR QUESTION #1)
What are the biggest challenges in integrating security into development workflows?

(PANELIST RESPONSES #1) 

  • Overwhelming security reports: Developers often receive extensive lists of vulnerabilities, traditionally delivered via spreadsheets or ticketing systems, making it challenging to prioritize and address issues effectively.

  • Tool overload: The proliferation of security tools can inundate developers with alerts, leading to confusion and difficulty in determining which issues require immediate attention.

  • Cultural divide: A disconnect between development and security teams exists, where developers focus on rapid innovation, while security teams emphasize risk mitigation, potentially causing friction.

Proposed solutions:

  • Embed security in pull requests: Integrate security insights directly into pull requests to enable real-time issue resolution by developers.

  • Consolidate security data: Streamline alerts from multiple tools into a unified dashboard, providing developers with contextualized and actionable insights.

  • Establish security champions: Position dedicated security advocates within development teams to promote a collaborative approach, ensuring security is viewed as a facilitator rather than an obstacle.

TOPIC #2: Supply chain security & dependency risks

(MODERATOR QUESTION #2)
We’ve seen major supply chain attacks, like Log4Shell. How should companies address dependency security?
(PANELIST RESPONSES #2) 

  • The Log4Shell vulnerability served as a wake-up call, highlighting how many organizations blindly updated Log4j instances without assessing actual risk.

  • A more effective approach is reachability analysis, ensuring only actively at-risk dependencies are updated.

  • The growing use of third-party and open-source libraries has expanded the attack surface, making package registries a key target for attackers.

  • To mitigate these risks, organizations should adopt automated scanning, dependency tracking, and digital signing of artifacts to maintain software integrity and prevent tampering.
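The reachability check described in these responses, sketched as an added example (not code from the original post and not Semgrep's implementation): two hypothetical services both ship log4j-core, but only one has a call path from its entry points to the vulnerable lookup. The service names and call graphs are constructed, and the Log4Shell sink is simplified to a single method.

```python
from collections import deque

# Advisory -> vulnerable function (the Log4Shell sink, simplified to one method)
ADVISORIES = {"Log4Shell": "org.apache.logging.log4j.core.lookup.JndiLookup.lookup"}
LOG_CALL = "org.apache.logging.log4j.Logger.info"

# Constructed call graphs (caller -> callees) for two hypothetical services.
SERVICES = {
    "payments-api": {
        "entry_points": ["app.PaymentController.handle"],
        "calls": {
            "app.PaymentController.handle": ["app.AuditLog.record"],
            "app.AuditLog.record": [LOG_CALL],
            LOG_CALL: [ADVISORIES["Log4Shell"]],
        },
    },
    "report-batch": {
        "entry_points": ["app.ReportJob.run"],
        "calls": {
            "app.ReportJob.run": ["app.CsvWriter.write"],
            # log4j-core arrives through a transitive dependency that is never called
            "vendor.LegacyExporter.export": [LOG_CALL],
            LOG_CALL: [ADVISORIES["Log4Shell"]],
        },
    },
}

def find_path(calls, entry_points, target):
    """Breadth-first search; returns the shortest call path to target, or None."""
    queue = deque([ep] for ep in entry_points)
    seen = set(entry_points)
    while queue:
        path = queue.popleft()
        if path[-1] == target:
            return path
        for callee in calls.get(path[-1], []):
            if callee not in seen:
                seen.add(callee)
                queue.append(path + [callee])
    return None

def triage(services, advisories):
    """Map (service, advisory) to the call path reaching the vulnerable function."""
    return {
        (name, adv): find_path(svc["calls"], svc["entry_points"], sink)
        for name, svc in services.items()
        for adv, sink in advisories.items()
    }
```

An unreachable result lowers the patch priority rather than clearing the dependency, since reflection and configuration-driven calls do not appear in a static call graph.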

TOPIC #3: Secrets management & hardcoded credentials

(MODERATOR QUESTION #3)  
Hardcoded secrets remain a major security risk. How can teams manage secrets more effectively?
(PANELIST RESPONSES #3)

  • Developers frequently and unintentionally commit secrets into repositories, exposing critical credentials.

  • Traditional approaches, such as periodic scans and manual tracking, are ineffective due to slow remediation.

  • A proactive solution is automated secret scanning tools, preventing sensitive credentials from entering repositories.

  • Teams should transition from static credentials to dynamic, short-lived secrets to minimize exposure.

  • Integrating automated secrets management and rotation into CI/CD pipelines enhances security while maintaining seamless developer workflows.

TOPIC #4: Best practices for security automation

(MODERATOR QUESTION #4)
How can teams integrate security without slowing down development?
(PANELIST RESPONSES #4)

  • Shift security left by embedding it early in the SDLC using IDE plugins and pre-commit hooks to catch vulnerabilities before code is pushed.

  • Automate security enforcement with pull request scanning and blocking deployments when vulnerabilities are detected, ensuring compliance without manual intervention.

  • Leverage AI to filter false positives, reduce alert fatigue, and suggest automated code fixes within PRs, accelerating security remediation.
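The automated secret scanning from Topic #3 and the pre-commit hook from Topic #4, combined in one added example (not code from the original post or from any product named in it): the scanner inspects only the lines a commit adds and reports file and line number. The rule names, the entropy threshold, and the sample diff are assumptions made for this illustration.

```python
import math
import re

# Well-known credential shapes, plus a generic "name = long literal" assignment
PATTERNS = {
    "aws-access-key-id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "private-key-block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}
ASSIGNMENT = re.compile(
    r"(?i)\b(?:password|passwd|secret|token|api_?key)\b\s*[:=]\s*[\"']([^\"']{12,})[\"']"
)
HUNK = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")

# Constructed sample: an excerpt of what `git diff --cached` hands a pre-commit hook
SAMPLE_DIFF = """\
+++ b/config/settings.py
@@ -10,2 +10,5 @@
 DEBUG = False
+AWS_ID = "AKIAIOSFODNN7EXAMPLE"
+password = "changeme-changeme"
+api_key = "q8Zr2LxV0pN7sWd4KjT9"
 TIMEOUT = 30
"""

def entropy(value):
    """Shannon entropy in bits per character."""
    probs = [value.count(c) / len(value) for c in set(value)]
    return -sum(p * math.log2(p) for p in probs)

def scan_diff(diff_text, min_entropy=3.5):
    """Return (file, line, rule) for every added line that looks like a secret."""
    findings, path, lineno = [], None, 0
    for line in diff_text.splitlines():
        if line.startswith("+++ "):
            path = line[4:].removeprefix("b/")
        elif m := HUNK.match(line):
            lineno = int(m.group(1)) - 1      # new-file line number before the hunk
        elif line.startswith(("+", " ")):
            lineno += 1                       # removed ("-") lines do not advance it
            if line[0] != "+":
                continue
            hits = [rule for rule, rx in PATTERNS.items() if rx.search(line)]
            m = ASSIGNMENT.search(line)
            # The entropy filter keeps placeholder values out of the report
            if m and entropy(m.group(1)) >= min_entropy:
                hits.append("high-entropy-assignment")
            findings += [(path, lineno, rule) for rule in hits]
    return findings
```

To use it as a hook, pass it the output of `git diff --cached` and exit non-zero when the returned list is not empty, which aborts the commit before the credential reaches the repository.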

TOPIC #5: Future of DevSecOps & emerging trends

(MODERATOR QUESTION #5)
What’s next for DevSecOps? How will AI impact security?
(PANELIST RESPONSES #5)

  • AI will be a key enabler for security automation, detecting vulnerabilities and suggesting fixes that developers can apply with a single click, streamlining remediation.

  • AI-driven tools will reduce false positives, allowing security teams to focus on real threats rather than noise.

  • The future of DevSecOps will shift towards proactive security, preventing vulnerabilities rather than just reacting to them.

  • Seamless security integration into DevOps workflows is essential to address emerging threats.

  • A culture shift is needed to position security as an enabler, not a blocker, ensuring a more resilient and efficient development process.

Final thoughts

The Cloud & Cyber Security Expo 2025 reinforced a key principle — that the best security solutions are the ones that actually get used, integrate seamlessly into workflows, and are actively adopted by teams. Whether it’s AI-powered security, DevSecOps integration, or cloud security automation, the main goal should always be reducing friction and making security an enabler rather than an obstacle.

The future of cyber security is about balance — between automation and human expertise, security and development, speed, innovation and risk management. Finding that balance will be the challenge, but also the opportunity, in the years ahead. 

If you missed the expo but want to learn more about building a mature cyber security practice and enhancing your security and reliability, schedule a demo to see Semgrep in action.

About

Semgrep lets security teams partner with developers and shift left organically, without introducing friction. Semgrep gives security teams confidence that they are only surfacing true, actionable issues to developers, and makes it easy for developers to fix these issues in their existing environments.