Tuesday, May 19, 2026

BSides Luxembourg 2026 - True Community Spirit

With BSides Luxembourg, my conference year 2026 officially started. And what a kickoff it was! What an inspiringly insightful, community connecting event. We've built fond memories together and this instance will most definitely not be my last one.

Speaking in Luxembourg, how come? Well, it all started with a sketchnote. As usual during on-site conferences, I also took sketchnotes at BSides Munich 2025 and published them on Mastodon. One of the organizers of BSides Luxembourg, Claus Cramon Houmann, saw them and expressed his wish to see me at their event. That brought it to my attention in the first place. I checked out their website and things looked really intriguing!

As I try to get to conferences mostly by speaking, I checked out their call for papers. To my pleasant surprise, they offered financial support to reimburse costs occurring with speaking, aka travel and accommodation (mind you, I'm not speaking of an honorarium here). That's the normal bar I have for conferences, and I'm used to expecting this from the many tech events I've been to. Sadly, this doesn't seem to be as common for cybersecurity conferences. Usually, I don't submit without that offer as I’m paying out of my own pocket otherwise – and many underrepresented folks have way less privilege than I have. Hence financial support is a green flag I’m actively looking for, indicating that the conference cares about inclusion and diversity. [Side note: That being said, I do understand that some community-driven non-profit conferences really cannot afford offering financial support (yet). I also am willing to meet them where they are - yet I can only support so many community conferences a year this way. Also, just inquiring about reimbursement often reveals a lot about where the organizers currently are, so I can make a way better informed decision for myself whether I'd like to continue with them or not.]

Back to BSides Luxembourg. I decided to go for it and hope for the best. For real, I caught myself time and time again over the last months, hoping that I would get accepted - I had a feeling this would be awesome, and I really, really wanted to get in. The first round of speakers was revealed - I was not among them. I continued to hope. Then the email arrived - clarifying what financial support I would need! If they could make this happen, I would be in. I honestly loved this transparency from the start, as it made me trust this would be good for real.

Well, as you can see, I made the program indeed. My latest workshop and a brand-new talk got accepted. We also agreed that an older talk would serve as a backup talk in case any speaker wouldn't be able to make it. You can't imagine just how happy I was! Until I realized how close it was to the conference already. That was the beginning of March. The conference took place at the beginning of May. I had just agreed to a brand-new talk. Aaaaahhhh!!! This was cutting it awfully close for my taste. Especially given I knew what else was happening during these two months. Then I learned that even more and more had to happen during these exact two months as well. Literally everything all at once at the same time. Two travels, creating yet another brand-new conference talk with a dear co-speaker (and figuring out what works for us doing so), editing the latest novel of my best friend, preparing for all other upcoming conferences with due dates, oh and I also happen to co-organize my own conference, right? Of course we had certain immovable due dates during this exact time frame. All of this costing enormous amounts of hours and hours and hours.

What an absolutely stressful time. I knew it would be worth it, it was worth it, and yet. I cut and canceled everything I could (okay, not as ruthlessly as I would have loved to due to my inner people pleaser, and yet as much as I could possibly do). I halted my personal challenge. Friends and family didn't really see me during this time. The only thing I did not cut was movement - I even increased it because it was a one-time-too-good-to-possibly-be-true offer. I also didn't want to repeat my mistake of cutting back on exercise as I did in the last years - and I had dearly paid for it as this resulted in losing range of movement, strength and general quality of life. I had just reclaimed some very basic capabilities I would not give up again anytime soon.

All in all, this was such a close call. Massive kudos to the folks who joined the dry run of my new talk, giving me just the constructive and tangible feedback I needed, allowing me to revise it heavily and cut it to the first version it had to become. Everything was close-knit to the very last moment, even finishing last tasks on my travel to Luxembourg. Anyone who has known me for a while knows that this is absolutely not me. I'm the over-preparer par excellence, and while I've gotten pretty good at keeping things "good enough", this was unheard of. But hey, I made it. Still wonder how, but I made it.

Alright, fast forward to the conference! Here's how it went.

 

Arrival Day

My trip required changing trains several times - and to my pleasant surprise, it worked out. I arrived well in time to do another dry run of my brand-new talk and also prepare last things for my workshop. Most speakers had come together in a Signal group which made it easy to find a bunch of folks to go to dinner with. I make use of such opportunities whenever I can as they allow getting to know a few people in a smaller setting before the conference starts.

Putting faces to names or aliases from the chat was great. I even discovered I had already met one of the speakers back at New Crafts 2024! The tech world is small, the conference speaker world even smaller. We enjoyed a lovely dinner and conversations on all kinds of topics together before it was time to prep for the next day.

 

Workshop Day

My own workshop "Secure Development Lifecycle Applied - How to Make Things a Bit More Secure than Yesterday Every Day" was scheduled for the morning just before lunch. We had a nice group of folks from all kinds of backgrounds coming together to learn and practice. The session worked out pretty well and my duty was done for the day! Things were off to a good start.

The lunch break was decently long to enjoy the food, have conversations with participants and also get some rest before the afternoon. I decided to join "How to Read Code to Find Vulnerabilities" by Louis Nyffenegger. I was curious about this workshop for a few reasons. First, I was part of a code reading club a while ago, actively practicing techniques to understand code snippets and exchanging insights. Second, reading code was a big part of my previous role as a quality engineer, and still is as a security engineer, with the specific focus on security. Third, I was keen on learning how Louis teaches code reading, as this is a topic I want to share further myself, and also given he's the founder of PentesterLab and I liked their style of conveying knowledge and skills. Long story short, it was a really interesting workshop indeed! He shared a bunch of advice on what to look for when reading code and how to train this skill. We ran lots of exercises together on finding flaws in various code snippets, dissecting what made these insecure and how to build things in a secure way. Both detecting flaws and knowing how to do better are such crucial skills to hone. As the cherry on top, Louis gave away copies of his book "CVE Archeologist's Field Guide: Methodology and lessons from 10 vulnerability analyses" - so much appreciated!

Right afterwards, I managed to get into the session "Dismantle The Bomb" by Stijn Tomme. This was designed as an escape-game-like scenario - and way too much fun to spoil what happened in this session! Let's just say: it was the very first time I've seen a key being cut, a potato battery lighting up an LED, and wires being cut to deactivate the bomb. We had a really nice group to solve the riddles and puzzles together - teamwork for the win! Anyone having a chance to catch this session, go for it. We had a massively good time with this well-designed game, used our collective skills in new ways and came in touch with things that are not as common. Perfect for the afternoon - energy was really high afterwards.

Time for me to go back to the hotel and practice my talk for the last time, then head for the speakers' dinner. The organizers were so kind to make this happen for us and we enjoyed lovely Vietnamese street food together - much appreciated! That kind of opportunity is usually great to connect with other speakers, learn about their passion topics and values, and just have a good time. As usual, we also discovered a few first-time speakers among us and shared experiences; we're all in the same boat and new folks are very welcome to realize they are not alone with struggles like last-minute preparations, coping with nervousness, and more. It was a great evening and things were ready for the conference days.

 

Conference Day 1

If you had seen the program for this conference, you probably understood my massive struggle to decide which sessions to attend live. There were the main conference tracks, as well as an AI village, a detection engineering village, a lockpicking village and a car hacking village. So many amazing sessions to choose from! In addition, talks were hosted across not only one building, but two - without many breaks in between to get from A to B, which really made a difference in my choices. Fortunately, most talks had been recorded and I will still have a chance to catch up. Some talks, however, were not recorded, so I tried to prefer them where I could. Also, as usual at on-site conferences (as shared already above), I did sketchnotes for almost all talks I attended.

  • "Things Fall Apart: Allying Cybersecurity and Diplomacy against Authoritarian Disorder" by Luc Dockendorf. I was a bit late for this opening talk by Luxembourg's Cybersecurity and Digitalisation Ambassador, so I chose not to sketchnote it. I did, however, really appreciate the clarity in addressing the current planetary, geo-political and social challenges we face. What a strong opener for the conference!
  • Keynote: "Identity Security Just Exploded" by Wendy Nather. Wendy presented what makes identities for authentication such a challenge, back in the day, and especially nowadays given AI agents. Lots of problems that never got solved (like delegation) are multiplying now. What we can do right now is to make sure our fundamentals are covered.
  • "What Does Threat Modeling Solve for AI Security?" by Nathan Pembe. Nathan made a great point about how threat modeling can not only help to make pentesting efforts a lot more targeted, it also helps fill the gaps to implement security controls for audits in the age of AI. I really appreciated his down-to-earth call to focus on realistically reachable attack paths and separate those from noise.
  • "Beyond the Prompt: A Framework for Agentic AI Attack and Defense Strategies" by Jeremy Snyder. Jeremy walked us through the major risks that AI agents introduce. It's not only about the agent itself or the model used, but we need to consider the whole architecture including interfaces to retrieve incoming data as well as the output created. This talk was full of awesome questions to ask!
  • "Cloud Misconfigurations: Poke Poke, Breach" by Kat Fitzgerald. This was a talk that was not recorded - hence I asked Kat afterwards if she consented to me publishing my sketchnote of her talk. Fortunately, she agreed! This was a really cool talk about how misconfigurations just keep coming and showing up in various (way too well-known) shapes and forms. All the classics included. The solution: policy as code to provide safe guardrails! No chasing, instant feedback, actual clarity.
  • "Managing Uninvited Guests: Securing Open Source Dependencies" by Frithjof Hoffmann. Originally, this talk was meant to be given together with Kadi McKean who unfortunately couldn't make it. This was an evergreen reminder to evaluate which dependencies we really want to build on and which ones to keep out. SBOMs can help find vulnerable packages, while we also need to acknowledge that scans can be flawed.
  • "Out of Security Exception - What to Do Without an Expert to Secure Your Software" by me. This was the premiere for my brand-new talk. For anyone who missed it, it was recorded so you can still check it out once it's published. Unfortunately, there was no immediate feedback feasible as the next talk started right after mine. Yet all in all, I'm quite content with how it went and people seemed happy enough as well. 
  • "The Forgotten Fingerprint: DNS Based OSINT Techniques for Product & Service Discovery" by Rishi. This talk looked at TXT records specifically and how they could be used in threat hunting and hence accelerate incident response. Rishi demonstrated both OWASP Amass and Nuclei as two of the main tools you can use to start your discovery today.
  • "Turnkey Code – Enhancing Secrets Management in Large Scale Organizations" by Diogo Lemos. Diogo presented an interesting case study of what they learned when building a proper secrets management platform. They needed to control the noise and consider the whole lifecycle - including rescanning safely without overwriting human triaging decisions. 

That was the last session for the day. Participants gathered, enjoyed good food and conversations together, sharing their insights of the day with each other. Then it was time for "Security Impress Karaoke" hosted by Kirils Solovjovs. Basically PowerPoint Karaoke but using OpenOffice Impress, with slides sourced from cybersecurity talks. Lots of folks accepted the challenge to present random slides thrown together and combine them in a way that's concise and hilarious at the same time! Good fun.

 

Conference Day 2

The final conference day started tired and early, as is usually the case for me the longer a conference goes. And yet, I wouldn't miss it and didn't regret it one bit.

  • "The High-Performance Fuel for Social Engineering (Now in AI Flavors!)" by Glen Sorensen. Glen showcased how much data companies are collecting about us. They claim to have legitimate interest, yet do they really? What's considered justified, by whom? The problem here is that all this data is used for highly effective social engineering attacks. Having LLMs at hand, this danger became even more imminent. Glen shared lots of things we can do to reduce our own attack surface.
  • "Spyware: The Invisible Threat" by Julien vander Straeten. Really interesting talk on spyware as a specific type of malware. Its goal is to persist on the device, deep in the lower layers, and exfiltrate all kinds of data. Lots of countries buy spyware, including 14 EU countries - and quite a few of those also produce their own. Spyware is expensive, though, so attacks are highly targeted.
  • "Confound and Delay: Honeypot Chronicles from the Digital Battlefield" by Kat Fitzgerald. Yet another talk by Kat that was not recorded - so once again I asked her if I could publish my sketchnote, and luckily, she gave her okay for this one as well. This was a really cool talk on what you can learn through deception, offering attackers a realistic enough trap to observe their behavior. What they try to do. Including hilarious attempts! Honeypots can not only reveal how attackers operate but also predict production threats. 
  • Lightning talk "Good things can happen at conferences" by me. Well. This was not planned at all! Hence there's no proper abstract either. Here's the background story: On the workshop day, I shared with Claus as organizer of BSides Luxembourg that I am co-organizing the Open Security Conference (short osco). He instantly offered us their partnership - something I was just about to ask them as well. Super cool and kind! And then he shared there might be still a lightning talk slot available and asked whether I'd like to share a bit about osco. I usually don't do lightning talks at all, yet this one I felt would be feasible - it's pretty easy to talk about my own conference after all, I've done that plenty of times already. I kept this option in mind and inquired the next day whether the slot would still be free. Organizers shared it wasn't clear yet until the following day, but at best I would be ready for it. So at midnight I sat down and drafted a script. I knew I could just do a shameless plug - yet I wanted to give people more of a real message than just the mere promotion of our event. So I thought, what if I told the story of how osco came to be? In general, how good things happened at conferences? I would have had plenty of examples on that matter, yet I decided to focus on three events. One, conceptualizing osco at SoCraTes 2023. Two, meeting my now manager at the first osco edition and, only weeks after, getting hired by him. Three, our freshly made partnership at BSides Luxembourg. Now I had my script ready to go. The last conference day came, and during the lunch break just before the lightning talks, I asked again if that slot would still be free. It was indeed! Just 15 minutes before the talks started, mine was added to the program. Then I realized, everyone else had slides - I had planned to just tell my story. But one supportive slide would be great indeed as a visual support. So I put our logo on one slide. A QR code next to it. That would do. Finished just a minute before going on stage! My whole speaking experience paid off in that moment. I went on stage and told my story. I made it. Later people came to me to tell me how much they loved the idea of osco and how good this talk was. For me as a recovering perfectionist and over-preparer, this whole feat was a real achievement unlocked! It seems I hit a note there. I'm already very curious if I'll ever learn what people took with them in the end. But well. Here's the script as I prepared it, and only slightly adapted when telling the story live.
    This is a true story on how good things can happen at conferences. 

    The year is 2023. I'm not yet working in security. I'm part of an engineering team, building products hands-on together. 

    I'm at a tech conference, called SoCraTes. It's a special kind of conference, as its program gets created right at the beginning of the conference - by the participants. The format is called an open space. It's designed in a way that everyone can contribute and everyone can learn in the ways they want at that moment in time, about the topics they want to learn about at that moment in time.

    So I'm at that open space conference, where I get to have a say on the program. I have a clear focus topic: I want to learn more about application security. Oh cool, there's a person who works in security and is also curious to learn more from other participants. His name is Claudius.

    Claudius and I, we agree to host a session together on usable security. Lots of folks join our session and we learn from each other. It's energizing. Claudius and I find we work well together, so we decide to host a workshop. Another success! Inspiring.

    We sit at lunch, and Claudius shares his idea with me: he wants to start a new conference. A security one. In the open space format. He feels that that's currently missing in the security community. I was hooked! And I added: Yes, a community-driven, non-profit conference - for everyone interested in cybersecurity, no matter their current roles or skills. Breaking down barriers and gatekeeping. I believe we all can learn from each other. 

    The idea of osco was born - the Open Security Conference. 

    We find further co-organizers on our journey. We find participants who love the idea. The idea becomes reality.

    Good things can happen at conferences.

    The year is 2024. We have the first edition of osco. Small. People love it. Many will return the following year. 

    And I? I also enjoy our conference. I'm sitting at dinner next to Rudi, who talks about his security team at his company. It sounds like a good place. Little do I know that I'm sitting next to my now manager, just 3 weeks before I will get laid off from my former company. Yes, I co-organized a conference and I got a job thanks to it. In application security. 

    Good things can happen at conferences.

    Fast forward to 2026. Our organizer team is preparing to host the third edition of osco on November 5th to 8th, in Germany, close to Frankfurt am Main.

    I'm here, at BSides Luxembourg. I talk with Claus and the other organizers. I share about osco - and our two conferences partner up. 

    Good things can happen at conferences.

    If an opportunity presents itself to you, seize it. It might come with the person right next to you, at lunch or dinner. Look out for them. 

    And if you're curious to learn more about the Open Security Conference? Come to me, get a postcard to spread the word, and become part of our story.

    Good things can happen at conferences - and beyond. 

    Thank you. 
  • "Building Secure AI: Making Threat Modeling a Core Part of Development" by Diana Waithanji. This talk was the perfect closure to the conference for me! Diana explained her approach to threat modeling, where I just sat and kept nodding along. Like that there's no one way to do threat modeling. Diana showcased how frameworks like STRIDE are still applicable when it comes to threat modeling AI systems - as one of many possible ways. She involved the audience actively and we heard from several people what they do and how it works for them. She also emphasized the importance of fostering good relationships with engineering teams, involving the whole team and collaborating across roles, as well as making threat modeling sessions high-energy and inclusive. So much this! Diana's talk highly resonated with my own experience.

And that was it. Originally, I had planned my last conference afternoon differently, with more talks - yet things turned out differently than expected. First with me joining the lightning talks at the last minute, and then with me standing by to give my backup talk, as pre-agreed with organizers. In the end, I didn't have to give it, and I used that unexpected time as a lovely chance to catch up with Marina Stephanova, one of the organizers, instead.

Right after the conference ended, there was yet another neat opportunity: Marina invited interested speakers to go sightseeing together and showed us around Luxembourg city! An offer way too good to refuse for sure. We had a lovely group of around 15 people, the weather was perfect, and we enjoyed a nice tour together while learning about Luxembourg's history and people. Afterwards, we had a great dinner together. Once we headed back to the hotel, how could it be different, the last core of us ended up in the hotel lobby. Just really good company (thanks to Ellis Stannard and Leonardo Wolff Takemasa Fernandes!), deep conversations in the middle of the night (extra special thanks to Diana Waithanji and Sonia Seddiki!), while tasting fiery hot snacks from India (huge shout-out to db here!). What could be better.

 

Returning Home

The next day it was time to depart, say thank you to everyone one more time, and take my memories with me. I realized how tired I was, and while that made it a more complicated ride home than it would have needed to be, I did arrive safely and roughly on time.

My heart was full and brimming with the community spirit I just experienced. Lots of folks I met for the first time where it was just easy to connect with each other. Some people I even met the second time; the world is small! What a pleasant surprise. And not to forget all the care that organizers put into all the little details, always ready to help out and solve things or make them at least better, always appreciative of feedback. Special kudos to the team for making this whole event such a welcoming and inclusive experience, I really felt that I belonged. Their choices on how to craft this space for community showed in everything: representation among the speakers, reflected in the participants joining, the options in conference T-shirt fits and range of sizes, the food offer, the choice of language. Everything. It clearly showed their continuous intentional effort and it paid off.

Looking back, this was such a good conference. The smooth organization, the speakers and participants from all kinds of backgrounds, the variety of super interesting topics, the space to connect with each other and stay connected. Can only recommend checking this one out next year! It won't be my last BSides Luxembourg for sure. I'll cherish the memories we've made together and the kind feedback this community provided.

Monday, January 5, 2026

Back to Building - Make Problems Smaller

New year, new challenge! Wait, yet another one? To be frank, I did consider not doing a personal challenge this year and go with the flow instead. Things are challenging as they are, especially given the state of the world, and I'd rather focus on joy to counter-balance things while preparing for those very things getting worse. This thought popped up and vanished again. Because on the other hand, why not? I have too many things I want to do, and my yearly challenges help me focus on upskilling on specific topics. Therefore, I continued collecting ideas for themes during the last year and noted them down as they came to see how my thinking evolved. Here they are, as raw as they come with a few redactions. I've tried lots of different variations - read them at your own wish to get a glimpse into my head.

Well - likely it’s going to be preparing for any useful security certification. Or activism. Not sure if there’s going to be anything in between.

What I’ll keep up is conference speaking and organizing osco. Not sure if anything else, I need time and space also for newer things.

Last years had a social and a mental challenge - it's time again for a technical one!

Hack the Box (HTB) Academy, sharing publicly

Study security, would also give more content for sessions

Private challenge: art. Or fitness challenge, now that my body should be fine enough by then.

The year after it could be all around creation: build & art. Building with code mostly.

Other things I might focus on: read fiction, play games.

Build. Tools, code, that app and BFF and backend I wanted for so long. No need to share or talk prematurely. Just build and make errors and learn. Also: build my fitness. Maybe also: build my knowledge (e.g. HTB Academy). Could even be the osco community, it's on the radar as well. Maybe it's the theme that matters. Build it up.

Hypothesis: put in the time, regularly. And it will grow.

Not daring enough?

Maybe a fitness challenge indeed then. Definitely daring. Or gaming. Both. Don't know.

Study, get fit, prepare - 1 public, 1 personal, 1 private challenge

Activate. Re-activate.

Build a program per day.

Build. Build insecurely. Build securely.

Scaling. Finding ways to do things with less effort, higher impact.

Scaling slack. Both (scaling and slack) are super scary and I learned to avoid them. Both apply to both work and personal time, even sports. For security, private hobbies, even social impact.

Personal challenge: tech only. ONLY! Only hands-on. ONLY. No excuses.

Build mobile Android app with Node TS BFF and .NET backend service. Just that. Publish it. Like really ship, often. Then iterate.

That's it. No excuses. In general. Regarding tech. Exercising. Drawing. Games. Anything. No excuses.

Variant of bigger test app for all kinds of purposes (including actual usage in production): Android app with Node TS BFF and .NET backend service with SQL database and another Kotlin backend with MongoDB - for practicing different frameworks and also simulate microservices more realistically. Just that. Publish it. Like really ship, often. Then iterate.

Scaling might mean to use scary new tools and constrain them. Have a tool to extend my reach and speed myself up. Become not afraid to use tools and know what to look for and what to secure.

Have a scrapbook for my own learning. Have it visual for scaling goals and things to learn and certifications to do, etc.

Do it now challenge. Not postpone it further. Whatever it is. No matter if it makes sense or not.

Allowing myself to fail. And hence even try, no matter if I fail. I'll learn.

A new allower message: It’s okay to be behind and go at my own pace.

Only experience can give me experience.

Go at your own pace but keep on keeping on moving.

This speaks to me: 
https://mastodon.sdf.org/@Lichtenbergian/115673218133345093 making the way into the calm space to create in, through all the tasks around us 

It's not about what I do. It's what others do because of my actions. It's not about me, it's about the bigger picture.

Optimize for slack; to think, ideate, experiment, fail, learn, and scale.

Looking at all these notes, this year, there are many themes and none really stands out. For work, the theme of the year will be indeed scaling. For my personal challenge, there are many themes - with scaling overlapping with work:
  • Scaling (impact)
  • Slack
  • Building
  • Fail at my own pace and gain experience
  • Certificate / trainings
  • Societal change & activism
  • Fitness
  • Art
  • Games
Scaling goes both ways - it's not always up, sometimes we need to go smaller. Especially for experiments and failure safety.

Interesting article: Do Things that Don't Scale

One challenge for me, for work, for society? Constraints: 3x sports per week, 2h games. Reading fiction and art as well or as options?

I'm usually falling back to busyness instead of doing the thing. Because being busy and having no time is familiar, comfortable, cozy. And that thing would require energy and is scary and I could fail.

No excuses. Do the thing. #DoTheThing

I see theirs and what they do and I feel jealous. Instead of also doing stuff myself. Especially bad when they say I inspired them to do x, and they outrun me with ease on the very topic. For many years, I defaulted to doing things together, to trick my brain to make time for things - yet then didn't do anything outside these times, and didn't dare much on my own anymore, feeling I needed the others anyways. Sharing frustration felt better than getting stuck on my own feeling, like it's me (and it was me indeed). Only very slightly and slowly recovered a bit this year (aka 2025). 

The main personal development goal: build the actual real-life use case app for both personal use and demonstration purposes I always dreamt of, tried two times and never fully dared to go all in. Would support the scaling through building scheme where I'm weakest (through community and education I've done already, building only super small). Would be hands-on, tech, development and security. On my own, as much as possible. Constraints: find time to play games, read fiction, meditative drawing every week. To have slack, give my brain space and joy for new thoughts.

My private personal goal is on fitness. Have a concrete target for strength, mobility, running, coordination - ask my coach what's feasible and makes sense for me. So here I would invest in movement, health, nutrition, sleep, everything. Also, it's been a long time since I've had a sports goal, it's about time again.

Both are just do the thing, no excuses goals.

CTFs would still be on the side without pressure, as I go - to learn. Or maybe even during work time. But not the one and only, as getting back closer to development is even more crucial for me. The testing one is nice for exploits though and demonstration. So this is just a supporting activity, not the main content. Maybe in 2027 I'll go for formal education and a certification then.

#BuildItUp #DoTheThing #NoExcuses #Scale4Slack #BuildTheScale #BuildToScale

The last one triggers an image: a stairway as a scale, to scale a mountain or wall, building it up to literally reach higher ground or more people for more growth and more impact

Fitness goal: stay pain-free & gain mobility needed for starting weight lifting (chest, wrists, ankles, etc.)

The joy of building :) tools, stuff, community, muscle, coordination, anything :) detracting the hardship or hurdles to even start

#ShowUp #BuildTheThing #JustBuild

Well now. What to make of all this? In the end, I believe I have a few most prominent challenges in these notes, yet they fit different spaces or parts of my life.

So I figured I first draw out what else is coming in 2026 for me.

  • Speaking at conferences. I'm not going to stop any time soon. It's time to draft and propose new sessions, and if they get accepted, create them. This takes a considerable amount of time and is pretty public. If I do paired sessions, there are also collaboration efforts to consider.
  • Organizing the third edition of the Open Security Conference. This is a collaborative endeavor by design, and very public indeed. I already know it'll take me some time during the first half of the year, and a lot of time during the second.
  • Evolving the security card deck game. Fortunately, this is a low-pressure, deliberately slow-going leisure project. It's still collaborative, and it'll need time and care, yet this is one of the most sustainable endeavors I do.
  • Practicing with my CTF team. Collaborative as well, yet nicely paced and spread out. As long as I don't overdo by adding an enormous amount of private practice, it's very combinable with the other endeavors.
  • Communing with community folks. As every year, there'll be remote sessions with various people I got to know over the years. Some to check in, some to share advice or exchange experiences, some to work on something together. These happen all year long and they do take focus and energy, yet they are invaluable and they also tend to be pretty controllable as long as I spread them out enough.

Besides those personal development and community initiatives, there's work with its own challenges and measures. Mostly around scaling through education, building tools, and a security champion program (can't wait for it to start!). 

There's also a fitness and physical health challenge to reach: to increase my body control and mobility range so I can pick up barbell training again (and this will help volleyball and running of course as well). As long as old and potential new injuries don't stop or slow me down of course. 

Mentally, I need to keep slack in the system not to overwhelm myself once again, but to stay able to think and enjoy all the things. Play some games just for fun. Stuff like that. Yet something else would really help me move forward and get across a bump I'm facing again and again.

 

The Challenge

Keeping all of the above in mind, let's talk about the scary thing I want to tackle. I want to finally do the thing that I tried a few times but never gave the attention it would have needed. The thing that I started, then usually postponed, and finally dropped again in favor of other things. I want to get back to building software.

For a very long time, I wanted to build my own application. To use it myself and solve a real problem. To use it for demonstration purposes. Just to practice. I've tried with my #CodeConfident challenge. I tried together with others on the SnackShop during my Contributing in New Ways challenge. I tried countless attempts to get something started on my own, and dropped them all.

There's more to it. Every time there's a problem to solve, I come up with a solution and try it out manually. Now if it works, instead of building a helper tool, I tend to keep doing the thing manually - to be fair, which is often the fastest and pretty fine as long as I don't overdo. Only when I see there are aspects involved that make manual execution very unfortunate, like too much data to go through, or repeating a task too often, or it becomes too error-prone, I start building and automating. Usually with as little effort as possible to achieve my goal, e.g. writing a small shell script to just do the job. Trying to avoid overengineering where I can.

The problem here is not the smart use of time or experimenting with what would solve the problem (e.g. rather changing a process than making a faulty one faster). It's taking away opportunities from myself to learn. It's keeping me hesitating to just create throw-away scripts that solve one problem one time. To build a small service that serves one purpose. That might not be polished, and yet good enough for now. It takes away building up experience in building. Because sometimes the best answer is indeed to build. 

This is becoming even more of a problem now that I'm in a central enabler team where we do not develop a product ourselves - now there's no feature to implement myself or bug to fix to keep honing my building skills. We're only starting out on building tools and there's so much other (valuable) work to do that easily eats up all my capacity. It's also becoming more relevant now that I'm in my new role as security engineer, focusing on application security. We can't get out of touch with the reality of building software. I've been in the trenches for many years, and I don't want to lose those building skills. (I'm aware there are lots of other building skills I'm still exercising, like building teams or communities or cultural systems. Yet software development is still core.)

So, back to building it is. That being said, what I cannot take this time is too much pressure and too much collaboration effort. I have both already covered with my other endeavors. For this challenge, I will choose to build on my own and in private as much as possible, yet build. I'll probably again take notes in my own coding journal - privately. I might choose to publish things, or maybe not. It's not the point this time. The point is to show up for myself. To build. To do the thing. No excuses. To keep building even if I throw things away or not use them more than once, or even at all. To just build, and build up the respective skills.

But is it scary, you ask? Shouldn't these personal challenges... actually challenge me? Oh hell it is. It means I don't have excuses anymore (as I keep repeating myself). It means I know I have all the means, nothing's stopping me - besides me, myself and I. And my fear of being judged. By others, and especially by myself. And that's scary, even though I've worked on calming my inner critic. Yet that critic also understood pretty well when I'm not knowing enough yet. That I need to get back to the basics, the foundational building blocks, and put them together myself. Building programs, tools, actual products. Building further understanding as I go. I'm scared of failing and learning, even though I preach such a growth mindset in various ways for many years.

Well. No excuses. Do the thing and get into the habit of just doing the thing. Or rather: Build humbly but build. I need to set myself up for success as well, not for failure by expecting overly huge things and results or instantly getting disappointed or frustrated with myself that I'm - surprise - still lacking the practice. Managing expectations will be huge. Yet I really want to hone the skill I never had much opportunity to hone at work and when I had, too often chose not to. Now that I do have lots of opportunity to practice security at work, building up my builder skills is what I can focus on in my private time. 

These days, I was reminded that learning is not a constant straight line but comes in waves. Trying something new (or even familiar on a bad day) will result in worse quality, less skill. We can only evaluate our progress on longer time frames (hence these yearly challenges in the first place). We need to be okay with doing something badly in order to do it at all. Anything worth doing is worth doing badly - as long as it's not causing harm.

Enough of the pep talk. 

 

The Hypothesis 

If you would only realize how many times I've rewritten this section, how much I've kept on adding thoughts, challenging my actual challenge over and over to uncover what's really moving me that I'm still shying away from. The truth is, it's all in the process! I often need to write and rewrite and start all over in order to realize what's my most valuable hypothesis here to tackle my challenge. This time, I struggled even more and it took longer than usual. Finally, here's the leanest, simplest hypothesis I found that narrows it all down.

I believe that consistently investing time in building software will hone my skills to make problems smaller. I've proven this hypothesis when I've made at least 3 real-life problems smaller through building within 300 days.

This is why I call this challenge "Back to building - make problems smaller". The core is going back to building, as I've started out in the last years but never followed up for real. At the same time, there's no need to solve the problems completely - that's too much pressure and unrealistic. Just tackle a part of a problem so the load and pain are reduced. Basically, just make it a tad smaller problem. 

The problem itself could be scaling. It could be giving better advice from the trenches or conveying knowledge through showcases. It could be reducing repetitive manual work and making it less error-prone. It could be offloading cognitive load. It could be creating a product I'm using myself. Whatever. Just an actual problem made smaller. This way, I hope I'll not only train my building skills but also recognize more of those opportunities to reduce the problem space as I go.


The Experiment

To test the hypothesis, here's the experiment: I run my very own #Challenge321, inspired by the many #100DaysOfX, #100DayProject and #75DaysOfX challenges out there that I love following. In those challenges, there are certain strict rules - I chose to adapt them and make this my own as follows.

  • For 3x100 days (aka 300), I dedicate at least 21 minutes of time each day to a specific topic, to build up momentum and a habit of spending time deliberately on what's important to me. That's why I call it my #Challenge321.
  • The three topics:
    • #100DaysOfBuilding - building software to make problems smaller. From designing to developing to testing to fixing flaws to operating, this will include everything that goes into building products, helper tools, or the like. Basically, spending continuous time on this. I can use this time as I wish in the moment. I can build a full-blown product, no matter at which scale. I can build multiple pieces of software - tools, scripts, libraries, anything. I can use them or not. Keep them or throw them away. As long as I keep building.
    • #100DaysOfMovement - literally getting that movement in for health and fitness. That's a rather common challenge to do. What I do doesn't matter as long as it gets me moving. Volleyball, running, even walking. Stretching, strength exercises, etc. As long as it helps me get moving it's fine - even better if it helps me move towards my fitness goal to increase my body control and mobility range so I can pick up barbell training again.
    • #100DaysOfGames - playing computer games for pure joy and mental health. Casual games don't count here for once - I have so many absolutely stunning and exciting games in my library, I finally want to enjoy them to the fullest. This activity is also a perfect timeout for my head during busy days. It's only for me and no one else, and hence it's a perfect way to maintain my mental health and recharge my batteries. It's also about that "play first work later" mantra I built up in 2025 during my Calm and Steady challenge.
  • I can choose to do only one of these three topics each day in 21 minutes and rotate through, or I can mix and match those three, e.g. do all of them in one day within a good hour. That's why the minimum time limit is deliberately low. I simply don't have excuses not to carve out that time per day. This is promising to work even on busy days, also considering all my other endeavors and tasks. If I continue beyond the 21 minutes on a topic, that's totally fine as well. I'll take it where my energy goes - yet the activity only counts once per day, I can't save up for future days.
  • It's okay to miss days (e.g. for conferences or whatever else life has planned for me). It's also okay to have different counters on each of those three topics. The only constraint is that I have to finish all three of them within exactly 300 calendar days. That's from January 5th until October 31st (inclusive). Hence, the experiment stops at the latest on October 31st. If I finish within 100 days already, that's fine too. At the very moment I reach 100 on all three topics I can choose to evaluate my overarching challenge right away or continue and extend beyond 100 days for each topic, whatever I wish to do at that moment in time.
  • I'll keep track of my progress for each challenge and the days that passed. Other x days of x challenges often require you to keep track publicly and to share your insights and experiences. I'm not mandating myself to do that each day, I might do it whenever and wherever I want to. I'm confident my track record of past personal challenges is good enough to prove it's fine to hold myself accountable.
  • To enable myself to evaluate my hypothesis in the end, I'll also keep track of how many real-life problems I've solved through building during these 300 days.

I'm well aware that this experiment basically consists of three challenges to tackle a challenge to achieve an overarching challenge - and yet, bear with me. I believe it's a great way to ensure I do test out my hypothesis for real, one that keeps me going and also has liberating constraints baked in. I don't want to end up once again not investing in my own joy and health, here it's literally part of the game.

Also, I believe that not doing all of these within 100 days but choosing my own pace within 300 days makes all of them pretty sustainable and feasible, even combined with a busy life and lots of other endeavors. Every third day would already make me achieve each challenge - so if I do each of those 3 times per week I'm already doing very well. And that's very reasonable. Even for movement, that would be the default already as of now. No energy for one thing? No problem, just tackle one of the other topics! Also, two of them are energy-giving, only one is the scariest, and all are targeting different areas. It's basically #300DaysOfNoExcuses.

Usually, I keep just one hashtag or tag line in my head to refer to my personal challenges. It helps me keep my theme for the year in mind and collect my posts on them. Well, I guess this year, I have a whole bunch of fitting hashtags, a real collection - and that's okay just the way it is: #BackToBuilding #MakeProblemsSmaller #Challenge321 #100DaysOfBuilding #100DaysOfMovement #100DaysOfGames #300DaysOfNoExcuses #DoTheThing

 

Let it begin!

This time, all constraints are already baked in. So that's it. It's on. Wish me luck!

Tuesday, December 16, 2025

2025 - The Year in Review

What a year! Just like many others do, I use the end of the year to look back at what happened and acknowledge both achievements and struggles. I've written lots of those reviews over the years and this practice helps both present and future me see how things evolved over a longer timespan. So, without further ado, let's get to it.

 

Professional

  • The biggest change of 2025 for me was that I've started at a new company in a new role. It's now nearly a year that I've been working at DocuWare as a security engineer in a central enabler team focusing on product and cloud security. This kind of role change was and is huge for me. Especially as I realized that I didn't only dare try something different. I could indeed contribute a lot of the experience, knowledge and skills I've built up over my career in this new, more focused area. At the same time, there's a lot more to learn and grow into, and I love that I continue to be very intrigued to do so. 
  • For the first time, I've done third-party product assessments for security myself instead of asking our security team. Well, now we are the security team! It's been a really nice topic to get hands-on very early in the new role.
  • I've done threat models and security reviews before for my own teams. This year, however, I've done them for and with a bunch of our engineering teams - which required building up a lot of context in very little time, again and again. I love that my teammate and I continuously experimented with even better ways to do threat modeling and make it a beneficial experience for everyone.
  • In a cross-team collaboration, we've provided a convenient pipeline template to scan for vulnerabilities that teams could plug in easily and quickly to get going. It's been picked up widely and the feedback received was pretty good throughout the year.
  • I've conceptualized our very first security champion program, we refined it in our team, and we managed to get buy-in from stakeholders very quickly. Another personal achievement here was that I've repeated the same presentation for all our team leads of all domains - 7 times in 2 days in 2 languages. Personal high score! The potential champions are currently learning about the pilot we want to run so they can make an informed decision whether they'd like to opt in from the start. Next year will be super interesting in this regard.
  • We've grown a lot in the team, individually and as a team - even a lot quicker than I've observed this with other teams before. And it shows, we're having way different conversations now than we had at the beginning of the year. Everyone is sharing transparently, acting as sounding boards, truly collaborating - I just love seeing this. We've become more resilient, faster in our feedback, a lot more intentional and strategic in what we spend our time on and how we approach situations. I'm very grateful for my team including our manager so we can continue to improve together!

 

Community

  • I've paused speaking at conferences during the first half of the year to start at my new company without overloading myself or overburdening my new team. Therefore, I've only spoken at 3 conferences during the last months this year, including once more at a new conference in a country I haven't spoken in before. Until now, I've had 110 speaking engagements overall, 51 of them conference sessions, given at 28 conferences, in 13 countries. Truth be told, I'm still amazed at such numbers, and I need to see them in front of me every end of the year to realize this actually happened.
  • Sadly, I had to cancel my very first speaking engagement this year due to sickness that I just couldn't spread further at a conference. Hence, I didn't make it to my first Øredev - yet. On the other hand, I got super fortunate that this was indeed the very first case I had to cancel an engagement since I've started public speaking in 2017!
  • I co-curated my first dedicated conference track - the security testing deep dive track at Agile Testing Days, together with Kristof Van Kriekingen and Santhosh Tuppad. I loved that we could give the stage to lots of awesome folks and offer the audience a whole variety of insights this way!
  • So far, I've given lots of workshops at conferences - yet this year I managed to give my first one at a security conference at BSides Munich!
  • I acted as session chair for the first time at BSides Munich - trying to do sketchnotes at the same time. Phew, that combination was tough, yet I made it. Definitely a first timer for me.
  • Including this one, I've written 11 blog posts this year - more than I expected. It didn't feel like I was writing much during the year, probably because I originally planned to write a lot more. Well, reality kicked in and I chose to prioritize other topics, so there was no energy and capacity left for writing much. Yet 11 posts aren't too bad after all.  
  • We had the second edition of the Open Security Conference and it was both a big struggle to make it happen and a huge success! I just loved seeing folks enjoy themselves thoroughly in the space we co-created and share their own experiences out loud on social media. Very much looking forward to the third edition next year! Fingers crossed we learned enough as an organizer team to make the third one go smoother.
  • I've started my very first CTF team together with Mireia Cano and Martin Schmidt, joining our first official CTF competition. We continued practicing throughout the year, even saw each other in real life at a conference for the first time. Just love that we have this small, safe group to learn together by solving security challenges!
  • The security card game that Martin Schmidt, Philipp Zug and I are building is still alive, and while we're deliberately keeping the pace slow, the game grew both in concept and in content. We had a chance to showcase it at two conferences this year and gain further feedback and ideas - it's just a celebration in itself that we continue to work on this for so long now despite it being a pure leisure time, slow project. It's one of those rare sustainable ones!
  • Last year, Shiva Krishnan and I had started a series of leadership workshops with our very first community cohort. We really struggled to get this going last year, and the beginning of this year was no different. We nearly reached the point to give up and pivot. Yet then our small cohort fully engaged and we actually made this happen! Super proud we did pull through in the end and had the impact we hoped for. Even though it wasn't easy most of the time.

 

Personal

  • In my volleyball team, we've managed to level up leagues in spring and started in the higher league in fall! Super proud and we're already learning a lot given our new challenges.
  • Another volleyball highlight, and an extremely rare one: Together with our seniors' team, I've had the honor to join the German senior championships! Yes, it's as wild as it sounds. Well, we got very lucky as there weren't many teams in our region for our age group, and yet: this was a true once-in-a-lifetime event. Playing against former premier league players, or even the dream team of former national team members is truly a unique experience you could only dream of. Acting as a referee for such games is just as well! This was a true rollercoaster of emotions and I wouldn't miss it.
  • Over the last years, I sustained several small, but persistent and annoying injuries restricting my range of movement and affecting quality of life. I picked up custom training to help me get back to better shape, and it paid off massively. For example, I can finally kneel again which wasn't possible for nearly the whole year. Also when it comes to a bunch of other areas, I'm super happy that I managed to take care of my health a lot better this year. 
  • I finally started to relax a bit again. It didn't work all the time, there were plenty of stressful and packed phases, and yet. The constant tension and anxiousness faded. Lots of people from all parts of life noticed that something changed compared to last year for the better, and it's been very clearly attributable to my change of workplace. I found my optimism again and rediscovered the joy in doing what I'm doing.
  • Lastly, I managed to complete another personal challenge. This year's Calm and Steady endeavor was truly very personal. While I still have lots of stuff to work on, I did take things easier and celebrated when I noticed that I've been kinder to myself. I took more time for myself. Sometimes just to do... not much of anything. Or just things that I like doing for no other reason than that I like doing them. The best part here was being on this journey of reclaiming time and catering to our needs together with my best friend aka sister, holding ourselves accountable with each other. If you happen to read this: Thank you so much for all the wisdom shared in tough moments, all the reminders of taking things slower (yes, even slower than that), all the encouragement and reassurance that this is a basic need and not selfishness. I've already shared this with you, yet let me repeat it once more: without you I wouldn't have taken as many interpersonal risks this year and I'm both proud of you and very grateful to have you in my life!

 

Enjoying the Last Weeks of the Year

This year was a really good one for me, and I'm truly grateful. No one can choose what might happen during a year and I've been blessed. Special thanks and kudos go out to all the amazing people who shared my journey this year in little and big ways - you all made it so much better.

Now that it's the end of the year, some chores are coming up that I usually do over the holiday season. There are new conference proposals to draft so I can submit them at the beginning of the year - I've already preselected conferences I'd like to try my luck with in 2026. Finally, there's my next personal challenge to commit to and pour into written form so I can share it, make it real, and make it happen.

But whatever task awaits, I'm doing my best to enjoy this time of reflection and thinking ahead. And that includes that at times I'm just doing nothing, resting, playing games, exercising, whatever. I'm ready for what's to come in 2026!

Saturday, November 29, 2025

Agile Testing Days 2025 - Taking Things Easier

The last conference for the year is done! I just love having Agile Testing Days as the one to close the yearly conference speaking season. I'm clearly biased with this event as it's been my first conference ever back in 2015 and it has a special place in my heart. Usually, I try to catch everything and everyone at this conference which can go close to 24/7. This year, I managed to be kinder to myself, stay calm instead of feeling I'm missing out, and take things a lot easier. Surprise, it really helped and I feel way better afterwards.

Another specialty of this year was that together with Santhosh Tuppad and Kristof Van Kriekingen we curated the brand-new Security Testing deep dive track for the conference. We intentionally included a whole variety of sessions from diverse speakers of different backgrounds to showcase how broad security can be and where people can find themselves to learn more, and also to get them into contact with actual practitioners. I made it a point to attend the complete track myself - there's a reason we selected those topics after all. Especially on the first busier days the room was full and people engaged with lots of questions, just loved seeing it. Looking back, I'm pretty pleased how the track turned out. 

 

Arriving Early

For a change, I decided to come a day earlier this year, already on Saturday, and it turned out to be the right decision after some pretty hectic, wild and especially packed weeks. Having that one day to just do whatever I want was awesome. I decided not to mingle yet but have a calm dinner on my own, then retreat and follow up on a few things I didn't manage the last weeks, then get as much sleep as possible before the busyness of Agile Testing Days.

Sunday started just as awesome with a nice walk to Potsdam and grabbing hot drinks and cake at a lovely café with my dear friends João Proença and Rita Avota. We decided to keep things relaxed and went to dinner together - right after which we encountered a whole group of Agile Testing Days people on their walk back to the hotel. Every year I love seeing how folks cheer when they see each other again, there's been some real friendships made over the years and it's filling my soul.

The evening continued with more people and more conversations at the hotel bar, catching up or freshly getting to know each other. Just a perfect prelude to what's coming.

 

Tutorial Day

Every year, I pick a tutorial, always a different topic that will either help me broaden my horizon or allow me to practice among peers. This year, the tutorial I originally chose couldn't take place, yet I did get a place in my second pick: "The art of crafting your custom tools" by Bart Knaack, Huib Schoots, and James Lyndsay. It's been a good choice indeed! The tutorial offered both inspiration and also concrete examples on what useful tools to build and how. I appreciate that we got a whole section on building our own tool and help from each other on how to approach it. Admittedly, I wasn't at my best that day - yet this tutorial also helped me reflect why that might be and what I would need to get back in a better spot. What I appreciated the most from the facilitators' side is that all of them faced hiccups during the day when presenting, and they were open and vulnerable about it. They shared their feelings when they were frustrated or nervous and helped each other out to get back on track - leading by example.

After the tutorial, the conference was officially opened. Santhosh Tuppad gave the first keynote on "Simplify to Amplify: How Slow Living Enriched My Soul". He reminded us of how much anxiety we can build up when we keep running - yet for what? Slowing down can help us actually live our lives and focus on what's important to us.

After the keynote, it was time for a photo session with all speakers on stage, and right afterwards we went for the speakers dinner. This year, we had a lovely new restaurant to spoil us with lots of awesome treats. Absolutely enjoyed my time with my fellow speakers, and also connecting with folks I haven't met before. I'm really grateful for such a generous start into the conference. Afterwards, I managed to instantly go up to my room instead of keeping socializing - a great idea to preserve my energy better than in the last years.

 

Conference Day 1

The first conference day usually starts earlier for me as this is my chance to catch a lean coffee session - the following days I would already be too tired for it. So here's how it went.

  • Lean coffee with Ashley Hunsberger and Lisa Crispin. I just love lean coffee as a format to gather and discuss topics that are most important to the people who are present at that moment in time. This time as well, we had lots of interesting topics to talk about, like how to convince folks to give open space conferences a try, how to implement consumer-driven contract tests, what to do after being laid off. My own topic was voted on as well: what’s one security issue you see over and over again? Lots of familiar issues were gathered, from plain text passwords being transmitted over the wire or committed to version control, to default passwords and configurations opening doors to attackers, to lack of authentication and authorization in way too many places.
  • Keynote "AI-Driven Quality Engineering" by Jonathon Wright. While I usually take sketchnotes for talks I attend live at on-site conferences, for this one I took it easy and preserved my energy.
  • "How Accessibility is Security" by Ina Tsvetkova and Jaunita Flessas. I love how both speakers demonstrated how to make talks more accessible by activating live captions. Very on point for the talk! I really appreciate these two being the first ones to not only talk about usable security, but to really combine accessibility and security issues, which ultimately raised the need for security by inclusion. This talk triggered lots of thoughts for me to think about and also things I can take right back to work with me to check for and raise awareness.
  • "Dark OSINT: I know where you live" by Kristof Van Kriekingen. This talk was just a perfect case of leaving people appropriately and properly scared. And at the same time massively inspired in what good we can do in the world with our current skill set. Amazing delivery as well! Absolutely loved it. I had a sneak peek of this session already at this year's Open Security Conference, yet being a co-organizer I couldn't fully focus on it - no problem this time!
  • Keynote "Testing Transparently" by Elizabeth Zagroba and James Lyndsay. A very special keynote which didn't waste any time to get to the gist of it: live testing on stage. I loved the energy of both of them together, demonstrating what things can look like as a tangible example we're too often missing out on. Very happy about this being a keynote - as more people need to get inspired by how pairing can uncover a lot of useful feedback in a short timeframe.
  • Workshop "Start Hacking Today (For Beginners)" by Anass Ahmed Ali. Anass had a really nice pace for people who are just starting out in tech and specifically security. I really like that he didn't assume technical literacy or a specific level of knowledge. He introduced us to breaking into systems using the very accessible analogy of a house, and demonstrated approaches to learn more and find ways into this system. The workshop paved the way for people to practice on their own afterwards, and also to get an impression of what malicious actors might do so we can detect their activities.
  • Keynote "The Agentic AI World is Already Here... Are You Ready?" by Martin Hynie. Martin shared a true story from his journey with AI systems and LLMs specifically, what to look out for and what to focus on. It's always good to learn about real-life examples like this.

During the evening of the first conference day, it's usually dinner and party time. This time, I took it easier as well, and opted in for an alternative program: a calm dinner at a restaurant outside the venue with a small group. Absolutely lovely and recharging my batteries. Once we returned, the party was still on, and I enjoyed lots of smaller conversations with various folks in the calmer hallway. A very special bonus for these evenings are the ATD Late Night Munchies - a Snack Exchange initiated and facilitated by Sophie Küster. She encouraged participants to contribute by bringing sweets and savory treats from whatever region they came from and enjoy each other's delicacies together. Just brilliantly wonderful.

 

Conference Day 2

The second day was on. Being pretty tired already, and remembering my goal to take things easier this year, I decided to skip the morning keynote and rather catch more sleep. The good thing is that certain talks, like all keynotes, had been recorded, and with the online pass we can still watch them within the next six months.

  • "VNCPhish: How Hackers Pwn Users Despite MFA" by Yvonne Johnson. I just love that Yvonne agreed to give this talk here as a subset of her keynote from Open Security Conference 2024. I knew it would be awesome, and I wasn't disappointed. She explained a rather complex topic in a simple manner and made it both comprehensible and tangible for us. I loved that she also demonstrated live how easy it can be to gain access to another person's system through MFA phishing - I've heard people around me share how they have to check their own systems at home now for proper access policies to prevent this from happening. Very cool session!
  • "Reimagining DAST: Integrating ZAProxy into Web Testing" by Sara Martínez. Sara introduced us to dynamic application security testing and demonstrated where they are left weaker than they could be, and how combining these with usual web testing scenarios can uncover their actual power. I love that she demonstrated her framework for this and made it open source so we all can take this inspiration with us! Very cool talk and so applicable.
  • Keynote "Practical Application of the Modern Testing Principles 2.0" by Melissa Eaden. I really appreciated Mel showcasing actual applications of the modern testing principles and hence bringing them closer to our realities. I loved her stories demonstrating what we can do for real to get us closer to a good state. Very practical for any kind of change you're trying to effect. Super well delivered as always!
  • Workshop "Secure Development Lifecycle Applied - How to Make Things a Bit More Secure than Yesterday Every Day" by me, co-facilitated by Santhosh Tuppad. I loved having a variety of folks attending the workshop, from people having their first touch points with security to those who already brought some experience. It seems they enjoyed practicing what they can do from idea to production to bake security into the product instead of sprinkling it on top of the cake at best.
  • Keynote "Air Fryers, Automation, and AI" by Angie Jones. Angie is one of the best keynoters I've witnessed so far. She didn't disappoint this time either! I really like how she provided a point of view that is both opinionated and differentiated on what's currently happening, and her personal advice on how to do good work with new tooling at hand. This keynote did remind me of her keynote a few years back when she told stories of how musicians had to adapt to new technology; this one used chefs as an example. The key message basically stayed the same - yet it seems people still need to hear it. I also loved how she responded to a critical (and very valid) question from the audience with such integrity and in such a constructive manner. We all can learn from Angie.

After the formal program there was time for a short dinner, and then evening sessions already started. I chose to go to the Open Space hosted by Alex Schladebeck and João Proença. I love open spaces and really appreciate that this was an option to integrate it into a very busy conference program. At first, I thought I wouldn't have the energy to propose a session myself. Yet when attending Anass' hacking workshop yesterday, I decided to give it a go and suggest my "Capture the Flag Together" session for beginners to offer people a practice option to take their first steps in security / penetration testing to get into a system and find secrets (aka "flags") that we're not supposed to see. All that in a collaborative manner as an ensemble, bringing in all our knowledge and trying out our ideas together. People came indeed and we spent the open space seeing how far we could get. Unfortunately, the time slot at hand was rather short, so I couldn't see any other sessions.

Nonetheless, I spent the rest of the evening with lots of conversations with lots of amazing folks - as usual, gaining new inspiration from experience exchange on basically everything. Definitely one of the best parts and main arguments to go to an on-site conference that intentionally gives space for this to happen.


Conference Day 3

The final conference day arrived. Being really tired by now, I decided to repeat what helped me the day before and skip the morning keynote.

  • Workshop "API Hacking using GPTs" by Santhosh Tuppad. He introduced the audience to API security testing in general and the impact security flaws can have. Afterwards, Santhosh demonstrated how AI tooling can help with API testing and security specifically.
  • Keynote "Orchestrating Chaos Into a Symphony" by Rachel Kibler. I loved Rachel's stage presence and way of delivery! True keynote speaker. She dropped lots of insights and wisdom, combined with real stories. I really liked how the transformation at her company revealed tangible advice for everyone who wants to effect change.
  • Workshop "Threat Modelling Workshop for QA Heroes" by Giancarlo Cordero Ortiz. It was interesting to learn how threat modeling is done at SAP. Giancarlo pointed out lots of aspects of what helps and what hinders based on his experience, and how testing and quality folks are well-equipped for this and also needed at the table.
  • Keynote "Unlearning A.I." by Pradeep Soundararajan. Pradeep explained how he feels like an old man when hearing the same stories and seeing the same things happening over and over again in the industry. He shared observations on what people do and don't do and why it can be problematic. He applied the same for AI tooling and encouraged people to unlearn how to approach such new things to give ourselves a fresh perspective on them.
  • "ATD’s NEXT Keynote Casting". This bonus session allowed folks who applied for a keynote at Agile Testing Days 2026 to pitch their idea. We heard from ten awesome people what they had in mind and then the audience got to vote for their favorite. We had a clear winner: huge congratulations to Clare Norman for an outstanding pitch of rethinking user situations and system errors - I can't wait to see this on the keynote stage next year! 

While the conference was officially over, of course people kept going during the evening. For one more time, a group of folks decided to go outside and enjoy a dinner at a nice restaurant together. More stories shared, a lot more laughter, so much community spirit. Once back at the hotel, we enjoyed those last moments of togetherness until the very end.

 

Time to Go Home

The time came to say goodbye and depart. Lucky me that I met Gabrijela Hladnik and Anna Bommas in the hotel lobby and we spontaneously decided to share our trip to Berlin. More time for further exchange! Just love it when this happens. There's usually never enough time to speak with everyone you want to speak with during Agile Testing Days, no matter how long the conference is. So these little coincidences and opportunities are just perfect to seize. Just like the lunch table you join and encounter a conversation on neurodiversity you absolutely appreciate listening to and sharing experiences on. Like the late-night evening talk about nerdy hobbies and side projects. Like meeting other souls for the first time and discovering you share so much with them, and who can understand you pretty quickly this way. Like having a very dear friend precisely knowing what you'll have for dinner at a specific restaurant, because of course you do.

I did take things easier this year. Nonetheless, I came home with a bunch of things to try and think about, renewed and new connections, and a lot of love for this very unique conference in my heart. Huge thanks to everyone for making this special place so special - with the amazing organizers leading the way. See you all next year!