It's now exactly one week after the Open Security Conference 2025 ended. And I'm still amazed about what happened there. Co-organizing a conference means a lot of things. You put in effort to make this a great experience for everyone. You prepare for anything you can imagine that could happen so you're prepared in the moment (yes, we do have a threat model for the conference). And then the conference runs and you experience something you didn't expect yet for this second edition: that participants give testimonials and help spread the word for you. I'm so very, very grateful.
What's an #osco again?
The Open Security Conference, short "osco", is an open space conference. In a nutshell, it means that the people who come co-create the program and the space we're in. With some liberating constraints, beautiful things can happen in such a format, things you didn't expect - so be prepared to be surprised.
We organizers found that in our cybersecurity bubbles, the open space format isn't well spread or even known at all. Hence, we decided to fill this gap. Yet osco is more than just an open space conference for cybersecurity enthusiasts. It's also intended as a place where everyone is welcome who's interested in security and learning from each other. No matter their current roles, areas or levels of expertise. We wanted to focus on inclusion and break any gatekeeping in the industry. You can learn more about the osco values on our conference website.
Oh and by the way, our little monkey mascot is also named "osco" - you can find their bio as well on our organizer team page.
How I Experienced #osco25
Well, on the one hand, there's the organizer view. A lot of work is going into creating a fresh new conference and help it grow and evolve to become not only valuable for folks but also sustainable on the longer run. A lot of hours, a lot of energy, a lot of care. We deliberately and intentionally committed to ethical choices and not taking the easy routes as much as we can. It's not all perfect, we're also human and messing up at times, yet we committed to continue learning and doing better. And that's what we hope to spread as well among the crowd.
Last year, we had our very first edition, basically our proof of concept - and people told us "yes, we love having this space". This year, for our second edition, we were delighted to have doubled the number of participants. Having around 40 folks turned out to be the perfect size for lots of engaging sessions and interactions, for getting to know people better. We had such a lovely crowd indeed. And we got real lucky: no cancellations, no no-shows this time!
We also gained further sponsors this year to make this event more affordable. We're a non-profit event and splitting costs among everyone (besides keynote speakers who at least get their ticket covered; hopefully more in the future), so any support is helping us making this event more feasible. There are lots of ideas to make it more accessible for the future on top of that, yet we have to start from where we are and sometimes go smaller steps than we'd love to.
Some might have noticed that currently, it's mostly me posting on our official social media accounts (feel free to follow osco on Mastodon, LinkedIn, or Bluesky). Last year, taking care of social media was pretty stressful to do during the conference while everything else was going on. Pretty overwhelming especially given it was our very first edition. This year, we included Bluesky as a third platform to reach more folks - which would have made it even more overwhelming to cross-post manually across three platforms. Hence, we chose to use a cross-platform posting solution which also allowed me to draft and schedule a lot of posts in advance, which I then could just adapt or post on the fly during the event. A massive helper that reduced my personal stress a lot, and it was an invaluable tool for live posting during the keynotes.
Well, there's a lot more that could be shared from an organizer point of view. But it's not the only perspective here.
There's also my view as a participant. Because yes, all organizers are usual participants as well, while they do have their organizing hats on top. This was especially tricky at last year's first edition where there were so many unknowns (back then I didn't even know the venue myself yet). This year, things were so much smoother, and I truly enjoyed this ride. I had a lot of fun joining the sessions, learning and contributing, and also giving sessions myself.
My very personal highlight: several people I knew from various areas of my life decided to join osco - so osco was the place to get them together in one place for the first time. I was very excited about this and confident they would get along with each other very well. New connections had been made for sure! Special kudos also to my dear colleagues Rudolf Kärtner (whom I met at #osco24), and Lucas - it was a real pleasure having you both there.
Here's the overall schedule we co-created. We'll post it on our website as well for reference, just bear with us while we're resting for a while after the conference.
Now, here's how my own conference days looked like overall.
Thursday
- Registration. Throughout the afternoon and early evening, people arrived and first conversations were had over delicious snacks and hot beverages. The registration itself is something I really enjoyed last year already. It's our first chance to make folks feel welcome and get them introduced to what we have. A few things always stand out, like people's pleasant surprise that photo consent is explicit opt-in (instead of the usual opt-out if it's an option at all), and that we support initiatives like the sunflower as a symbol for hidden disabilities and Daniela Schreiter alias Fuchskind's amazing communication cards as special helper for neurodivergent folks.
- Dinner. Snacks aren't enough for sure! Before everything started for real, dinner was served and people could get a bit more familiar with the venue.
- Official conference opening. The original idea initiator Claudius Link and I had the honor to welcome everyone and introduce them to our conference. We shared the origins and main idea, the values we share, our goal. Getting to know our participants a bit. Having each organizer introduce themselves; it was real sad that two of us weren't able to join on-site this year, yet they were with us in the form of a lovely video greeting for everyone. Setting the space and getting everyone familiar with a few helper tools to make this space as inclusive as we can.
- Opening keynote: "Building an AppSec Program from Scratch" by Mireia Cano. I witnessed a former version of Mireia's talk last year right after I got to know her - and I felt it would be the perfect opener for osco. I'm ever so grateful that Mireia agreed to take a leap of faith and do this! Her AppSec stories of what worked and what didn't were just fabulous and already initiated lots of conversations on the first evening, as well as ongoing throughout the conference. Check Mireia's point of view further down below to see that convincing her to come to osco wasn't only good for us. ;-) Also, check out all the live posts made during Mireia's keynote to get an impression of her keynote.
- Socializing at the bar. Some people went to their rooms to rest, some people opted for getting to know each other a bit before the first full day came. This was already a real good and promising start.
Friday
- Open Space Marketplace. Claudius and I also had the honor to introduce everyone to the open space, explaining how we do things, the principles and the one law, and basically how to get the best out of it. This first marketplace of ideas already showed: we won't run out of awesomeness. Lots of people came up and offered a whole variety of sessions. Sessions can be talks or workshops, yet they can also be "pull sessions" aka asking people to share their knowledge, maybe ask for help to solve an issue they face, or invite people together to try something out for the first time, or practice hands-on, or just have a conversational knowledge exchange - you name it. Any format you can imagine. Topics can also range from anything cybersecurity (which is the main theme bringing us together), to socio-technical and social topics, to hobbies and other activities we'd like to share. Anything goes that's not against the code of conduct.
- Hallway track. During the first slot, I'm usually tired and undecided. Additionally, as an organizer, I also feel the need to make sure everything's working out, so I decided not to join an official session right away. Instead, I ended up having a lovely hallway conversation with Sofia Borga on security champions (yep, one of my favorite topics indeed).
- "Session on InfoSec awareness for fresh folx at a Fachhochschule, studying public infrastructure IT" by Janis. What a really insightful conversation. Raising awareness on security (and also privacy) topics is such a crucial core challenge many of us face. We gathered lots of ideas from what content to focus on to how people could experience the importance without causing real harm.
- "Fediverse #Q&A #experienceSharing" by Konstantin Weddige. Yet another wonderful conversation sharing insights on all things Fediverse with its plentiful social platforms like Mastodon, PeerTube, Pixelfed and many others. Pretty sure this made more people join and try it out for themselves.
- Lunch. Some sessions were held over lunch, and unfortunately I didn't make it there before they filled up. Nonetheless, I enjoyed the conversations I had a lot.
- "Help! I'm a security champion - exchange on how to champion security" by Sofia Borga. This was such an amazing session. Sofia shared her own journey as a security champion as a consultant for a customer project. All the bumps and lessons learned, what helped and what not. This resulted in a great exchange on what kinds of experiences people made so far with either running a security champion program or being a champion on it.
- "Capture the Flag Together (Beginners Edition)" by me. What can I say, I just love introducing people to the practice labs out there to learn more about penetration testing in a safe and ethical environment. It's like little puzzles which are intrinsically intriguing, while you have to use lots of the tech knowledge and things in your toolbox to solve them. Especially when doing this in a collaborative, non-competitive mode, it's an amazing tool. It helps showcase what folks already know that's useful in this situation, how a diverse crowd can help fill our own gaps, learn more as we go together, experience how to breach a system and also gain insights on what we need to do to prevent this from happening. Once again, I had a really nice crowd joining me. Lots of fun included!
- Keynote: "History repeating itself" by Bianca Kastl. Just like with Mireia, I was so happy to see Bianca accepting our invite to give a keynote at osco this year. I've seen her and Martin Tschirsich's talk about the German electronic health record at CCC last year which left me very impressed, and I was following her since. Her keynote at osco was such a great reminder on what we already learned in the past, and an analysis on why we keep repeating similar mistakes. Make sure to check out the live posts for Bianca's keynote to learn more!
- Evening news. This is where everyone comes together again to reflect upon what happened during the day, sharing thoughts and feedback, giving kudos. It's also the place to create our evening (and early morning) program. Lots of sessions came together, just loved seeing people use this space as well.
- Dinner. For me, conversations over food are just awesome. Especially at conferences. Thoroughly enjoyed having proper time to talk before the evening program started.
- "Capture the Flag Together (Adventurers Edition)" by me. Yes, I just can't get enough of these sessions. This time, no guidance was available - it was up to us to explore, get into the system and find the secret flags. And we did! What an awesome group to learn with.
- Lockpicking at the bar. The evening (or shall I say night) wasn't over yet. People tend to gather at the bar as the last stop to socialize just a bit more before bedtime. Some people played games, some just talked. I joined a group who tried their skills at lockpicking. I always wanted to try this out, yet missed my opportunities at past conferences so far. Now I finally had my hands on a first practice lock to learn how simple locks work and how you can exploit tolerances to make them open. Well, we didn't have much time that evening, yet it was enough to get intrigued and get myself an entry-level practice set for myself at home.
Saturday
- Open Space Marketplace. From now on, my fellow co-organizers Janina Nemec and Christian Ciochina took over the moderation, and they did wonderfully. Once again, so many people queued up and presented their session ideas. Once again, we quickly had a program for the day where it was hard to choose which sessions to go to and hence which sessions to miss out on.
- "Osco 2026" by Claudius, Janina and me. Just like last year, we organizers offered a dedicated slot to talk about next year's edition. Ideas, improvements, wishes, good things to keep. Also, answering any questions regarding organizing, and seeing if there's anyone willing to support our endeavors. We received so much invaluable feedback! Much appreciated, many thanks to everyone who came.
- "Dark OSINT 4 Good" by Kristof Van Kriekingen. What an awesome talk, what a frightening scary world, and what an amazing initiative to use OSINT skills for good causes. I really don't want to spoil this one at all. If you ever have the chance to see this one, go for it.
- "Trust me, I'm lying" by Kush Mehra. Really interesting talk around all things deception tactics, honeypots, and other approaches to defend against adversaries. I hope this one becomes a full conference talk, more people should learn from it.
- Lunch. Obviously! Great food, great conversations. Time to digest what we learned so far.
- Organizer session. This was a closed, non-public side-track. Nothing I can reveal here as of now!
- "Hacking Toys" by Sebastian Strobl. Really interesting session on all kinds of little offensive security tools, educational and fun. You might have heard of the Flipper Zero, yet there are more tools like the Wi-Fi Shadowapple, the Pwnagotchi, Bjorn, or the PiSquirrel.
- "SecCardGame needs content, ideas and other things" by Martin Schmidt and me. You might remember, I'm part of a little group developing a security card game as a no-pressure, leisure-time project. Where to present it better than at osco and ask people to playtest! (Such a pity Philipp Zug couldn't be there as well, we missed you.) Martin did an awesome job taking the lead for the session, explaining the background of the game, where we are now, how things are currently working. We played two different scenarios together with the group and found lots of improvement ideas! People also really liked it, which is in combination super encouraging for us to keep going evolving this little game of ours.
- Evening news. The last full open space day came to an end. Once again, people shared which sessions impressed them or left them with insights, how they experienced this open space, gave credit where credit was due. We also invited them to a little continuous retro board until we all had to leave. And of course evening and morning sessions were announced as well. The highlight of this last evening's news: we had gathered tip money for the hotel during the conference, and now was the time to hand it over to the staff members. Super grateful for such awesome folks supporting us throughout, they fully deserved the applause!
- Dinner. I found yet another little awesome dinner group - to all of you: thank you for letting me vent and rant with you in a safe space about the systems I grew up in! Really appreciated it.
- "Capture the Flag Together (Adventurers Edition)" by me. Well, what can I say. Once I found like-minded people... it's really hard not to do yet another hacking session together! Once again, we found the flags. We had fun. We learned. Just having a great time.
- Hanging out at the bar, playing SET. Of course it's ending at the bar, as every night. My fellow co-organizer Janina and I, we have the tradition to always play a game of SET every day we see each other. This osco, we didn't get around to do so yet. At least on the final evening, we had to correct this and it was just awesome. You know, when you're super tired, and you're playing a game really requiring your brain capacity - what could be more fun? Of course we're playing anyways!
Sunday
- "Secure Development Lifecycle Applied - How to Make Things a Bit More Secure than Yesterday Every Day" by me. I've given this workshop for the first time at SoCraTes 2024 and it seemed to land very well with that crowd. Hence, I decided to submit it to further conferences this year. It was indeed accepted for three events in the coming weeks. Therefore, I wanted to give it once upfront in a rather informal setting to get a feeling again for this workshop - what better place than osco? I decided to give it in a very relaxed way, adapted to our setting. And it seems people did enjoy it indeed! They learned, they contributed, they had fun, it initiated lots of conversations. What more is there to want. :)
- Lunch. Most people already had to leave at some time during the morning, so lots of goodbyes were already had. We had cleaned up most rooms already last night as we closed them, and the last bits were quick and easy to do just before lunch, especially with folks helping together. During lunch, only a small little group was still there. It was one more lovely conversation.
- Train ride home. I was fortunate not leaving home alone. We were still three people, sharing the same train. So conversations continued until the very end, keeping the osco atmosphere alive. Very, very grateful for you two, you know who you are.
Arriving home, osco was officially over for me as well! As a participant that is, there's of course lots of follow-ups as an organizer. ;) Yet looking back as a participant, there are a few more notes to make.
As those who didn't know me yet might have noticed, I'm not a morning person at all (yet have to get up even earlier for organizing) - and as the day gets longer, my day gets better. I'm an absolute night owl so while other organizers were among the first ones up (some even went running in the morning), I was with the last ones standing every night. I don't regret one bit.
The hotel staff are super kind, attentive, and accommodating. The food at this venue is plenty and real delicious. The place and its surrounding landscape is beautiful. Everything is close together and perfect for an open space conference. Add to that the awesome folks we had - it's just perfect.
Lastly: we did spread physical kudos cards and encouraged people to use them. This year, it worked super well. I've seen many cards with little notes of appreciation being exchanged. I handed out many myself, I got many back. I can't tell you how good both giving and receiving such little cards feels. Maybe try it out for yourself if you haven't so far and see what happens.
What Others Said about #osco25
Let's have people speak for themselves! Here are my favorite posts people made during or after the conference. I'm still stunned what they had to say.
- Mireia Cano's review on LinkedIn
- Canan Cansu Caner's feedback on LinkedIn
- Kristof Van Kriekingen's post on LinkedIn
- Denis Zygann's report on LinkedIn and Janis Joan K.'s comment on it
- Martin Schmidt's post on LinkedIn
- Felix Dreissig's feedback on LinkedIn
- Clemens Hübner's report on LinkedIn
- Susanne Neunes' review on LinkedIn (German)
These were my personal highlights, yet there's more! Just look for the hashtags #osco and #osco25 on Mastodon, LinkedIn, and Bluesky.
We also received lots of feedback what we should keep and what we can improve or try out for next year's edition. Lots of awesome ideas, I'm already curious which of them we can implement the next year and how the next edition will look like.
See you at #osco26!
While we organizers still need to update our website (and absolutely take a break to recharge), I can already share one thing: there will be an Open Security Conference 2026 on November 5 - 8. Save the dates and see you there!