Tuesday, May 19, 2026

BSides Luxembourg 2026 - True Community Spirit

With BSides Luxembourg, my conference year 2026 officially started. And what a kickoff it was! What an inspiringly insightful, community connecting event. We've built fond memories together and this instance will most definitely not be my last one.

Speaking in Luxembourg, how come? Well, it all started with a sketchnote. As usual during on-site conferences, I also took sketchnotes at BSides Munich 2025 and published them on Mastodon. One of the organizers of BSides Luxembourg, Claus Cramon Houmann, saw them and expressed his wish to see me at their event. That brought it to my attention in the first place. I checked out their website and things looked really intriguing!

As I try to get to conferences mostly by speaking, I checked out their call for papers. To my pleasant surprise, they offered financial support to reimburse costs occurring with speaking, aka travel and accommodation (mind you, I'm not speaking of an honorarium here). That's the normal bar I have for conferences, and I'm used to expecting this from the many tech events I've been to. Sadly, this doesn't seem to be as common for cybersecurity conferences. Usually, I don't submit without that offer as I’m paying out of my own pocket otherwise – and many underrepresented folks have way less privilege than I have. Hence financial support is a green flag I’m actively looking for, indicating that the conference cares about inclusion and diversity. [Side note: That being said, I do understand that some community-driven non-profit conferences really cannot afford offering financial support (yet). I also am willing to meet them where they are - yet I can only support so many community conferences a year this way. Also, just inquiring about reimbursement often reveals a lot about where the organizers currently are, so I can make a way better informed decision for myself whether I'd like to continue with them or not.]

Back to BSides Luxembourg. I decided to go for it and hope for the best. For real, I caught myself time and time again the last months, hoping that I would get accepted - I had a feeling this would be awesome, and I really, really wanted to get in. The first round of speakers was revealed - I was not among them. I continued to hope. Then the email arrived - clarifying what financial support I would need! If they could make this happen, I would be in. I honestly loved this transparency from the start, as it made me trust this would be good for real.

Well, as you can see, I made the program indeed. My latest workshop and a brand-new talk got accepted. We also agreed that an older talk would serve as backup talk in case any speaker won't be able to make it. You can't imagine just how happy I was! Until I realized how close it was to the conference already. That was beginning of March. The conference took place beginning of May. I just agreed to a brand-new talk. Aaaaahhhh!!! This was cutting it awfully close to my taste. Especially given I knew what else was happening during these two months. Then I learned that even more and more had to happen during these exact two months as well. Literally everything all at once at the same time. Two travels, creating yet another brand-new conference talk with a dear co-speaker (and figuring out what works for us doing so), editing the latest novel of my best friend, preparing for all other upcoming conferences with due dates, oh and I also happen to co-organize my own conference, right? Of course we had certain immovable due dates during this exact time frame. All of this costing enormous amounts of hours and hours and hours.

What an absolutely stressful time. I knew it would be worth it, it was worth it, and yet. I cut and canceled everything I could (okay, not as ruthlessly as I would have loved to due to my inner people pleaser, and yet as much as I could possibly do). I halted my personal challenge. Friends and family didn't really see me during this time. The only thing I did not cut was movement - I even increased it because it was a one-time-too-good-to-possibly-true offer. I also didn't want to repeat my mistake to cut on exercise as I did the last years - and I had dearly paid for it as this resulted in losing range of movement, strength and general quality of life. I had just reclaimed some very basic capabilities I would not give up again anytime soon.

All in all, this was such a close call. Massive kudos to the folks who joined the dry run of my new talk, giving me just the constructive and tangible feedback I needed, allowing me to revise it heavily and cut it to the first version it had to become. Everything was close-knit to the very last moment, even finishing last tasks on my travel to Luxembourg. Anyone who knows me for a while, knows that this is absolutely not me. I'm the over-preparer par excellence, and while I've gotten pretty good at keeping things "good enough", this was unheard of. But hey, I made it. Still wonder how, but I made it.

Alright, fast forward to the conference! Here's how it went.

 

Arrival Day

My travel required changing trains several times - and to my pleasant surprise, it worked out. I arrived well in time to do another dry run of my brand-new talk and also prepare last things for my workshop. Most speakers had come together in a Signal group which made it easy to find a bunch of folks to go to dinner together. I make use of such opportunities whenever I can as they allow getting to know a few people in a smaller setting before the conference starts.

Putting faces to names or aliases from the chat was great. I even uncovered I'd already met one of the speakers back at New Crafts 2024! The tech world is small, the conference speaker world even smaller. We enjoyed a lovely dinner and conversations on all kinds of topics together before it was time to prep for the next day.

 

Workshop Day

My own workshop "Secure Development Lifecycle Applied - How to Make Things a Bit More Secure than Yesterday Every Day" was scheduled for the morning just before lunch. We had a nice group of folks from all kinds of backgrounds coming together to learn and practice. The session worked out pretty well and my duty was done for the day! Things were off to a good start.

The lunch break was decently long to enjoy the food, have conversations with participants and also get some rest before the afternoon. I decided to join "How to Read Code to Find Vulnerabilities" by Louis Nyffenegger. I was curious about this workshop for a few reasons. First, I was part of a code reading club a while ago, actively practicing techniques to understand code snippets and exchanging insights. Second, reading code was a big part of my previous role as a quality engineer, and still is as a security engineer, with the specific focus on security. Third, I was keen on learning how Louis teaches code reading, as this is a topic I want to share further myself, and also given he's the founder of PentesterLab and I liked their style of conveying knowledge and skills. Long story short, it's been a really interesting workshop indeed! He shared a bunch of advice on what to look for when reading code and how to train this skill. We ran lots of exercises together on finding flaws in various code snippets, dissecting what made these insecure and how to build things in a secure way. Both detecting flaws and knowing how to do better are such crucial skills to hone. As the cherry on top, Louis gave away copies of his book "CVE Archeologist's Field Guide: Methodology and lessons from 10 vulnerability analyses" - so much appreciated!

Right afterwards, I managed to get into the session "Dismantle The Bomb" by Stijn Tomme. This was designed as an escape game like scenario - and way too much fun to spoil what happened in this session! Let's just say: it's been the very first time I've seen a key being cut, a potato battery lighting up an LED, and cutting wires to deactivate the bomb. We had a really nice group to solve the riddles and puzzles together - teamwork for the win! Anyone having a chance to catch this session, go for it. We had a massively good time with this well-designed game, used our collective skills in new ways and came in touch with things that are not as common. Perfect for the afternoon - energy was really high afterwards.

Time for me to go back to the hotel and practice my talk for the last time, then head for the speakers dinner. The organizers were so kind to make this happen for us and we enjoyed lovely Vietnamese street food together - much appreciated! That kind of opportunity is usually great to connect with other speakers, learn about their passion topics and values, and just have a good time. As usual, we also discovered a few first-time speakers among us and shared experiences; we're all in the same boat and new folks are very welcome to realize they are not alone with struggles like last-minute preparations, coping with nervousness, and more. It was a great evening and things were ready for the conference days.

 

Conference Day 1

If you had seen the program for this conference, you probably understood my massive struggle to decide which sessions to attend live. There were the main conference tracks, as well as an AI village, a detection engineering village, a lockpicking village and a car hacking village. So many amazing sessions to choose from! In addition, talks were hosted across not only one building, but two - without many breaks in between to get from A to B, which really made a difference in my choices. Fortunately, most talks had been recorded and I will still have a chance to catch up. Some talks, however, were not recorded, so I tried to prefer them where I could. Also, as usual at on-site conferences (as shared already above), I did sketchnotes for almost all talks I attended.

  • "Things Fall Apart: Allying Cybersecurity and Diplomacy against Authoritarian Disorder" by Luc Dockendorf. I was a bit late for this opening talk by Luxembourg's Cybersecurity and Digitalisation Ambassador, so I chose not to sketchnote it. I did, however, really appreciate the clarity in addressing the current planetary, geo-political and social challenges we face. What a strong opener for the conference!
  • Keynote: "Identity Security Just Exploded" by Wendy Nather. Wendy presented what makes identities for authentication such a challenge, back in the days, and especially nowadays given AI agents. Lots of problems that never got solved (like delegation) are multiplying now. What we can do right now is to make sure our fundamentals are covered. 
  • "What Does Threat Modeling Solve for AI Security?" by Nathan Pembe. Nathan made a great point how threat modeling can not only help to make pentesting efforts a lot more targeted, it also helps fill the gaps to implement security controls for audits in the age of AI. I really appreciated his down-to-earth call to focus on realistically reachable attack paths and separate those from noise.
  • "Beyond the Prompt: A Framework for Agentic AI Attack and Defense Strategies" by Jeremy Snyder. Jeremy walked us through the major risks that AI agents introduce. It's not only about the agent itself or the model used, but we need to consider the whole architecture including interfaces to retrieve incoming data as well as the output created. This talk was full of awesome questions to ask!
  • "Cloud Misconfigurations: Poke Poke, Breach" by Kat Fitzgerald. This was a talk that was not recorded - hence I asked Kat afterwards if she consented to me publishing my sketchnote of her talk. Fortunately, she agreed! This was a really cool talk about how misconfigurations just keep coming and showing up in various (way too known) shapes and forms. All the classics included. The solution: policy as code to provide safe guardrails! No chasing, instant feedback, actual clarity.
  • "Managing Uninvited Guests: Securing Open Source Dependencies" by Frithjof Hoffmann. Originally, this talk was meant to be given together with Kadi McKean who unfortunately couldn't make it. This was an ever-green reminder to evaluate which dependencies we really want to build on and which ones to keep out. SBOMs can help find vulnerable packages, while we also need to acknowledge that scans can be flawed. 
  • "Out of Security Exception - What to Do Without an Expert to Secure Your Software" by me. This was the premiere for my brand-new talk. For anyone who missed it, it was recorded so you can still check it out once it's published. Unfortunately, there was no immediate feedback feasible as the next talk started right after mine. Yet all in all, I'm quite content with how it went and people seemed happy enough as well. 
  • "The Forgotten Fingerprint: DNS Based OSINT Techniques for Product & Service Discovery" by Rishi. This talk looked at TXT records in specifics and how they could be used in threat hunting and hence accelerate incident response. Rishi demonstrated both OWASP Amass and Nuclei as two of the main tools you can use to start your discovery today. 
  • "Turnkey Code – Enhancing Secrets Management in Large Scale Organizations" by Diogo Lemos. Diogo presented an interesting case study of what they learned when building a proper secrets management platform. They needed to control the noise and consider the whole lifecycle - including rescanning safely without overwriting human triaging decisions. 

That was the last session for the day. Participants gathered, enjoyed good food and conversations together, sharing their insights of the day with each other. Then it was time for "Security Impress Karaoke" hosted by Kirils Solovjovs. Basically PowerPoint Karaoke but using OpenOffice Impress, with slides sourced from Cybersecurity talks. Lots of folks accepted the challenge to present random slides thrown together and combine them in a way that's concise and hilarious at the same time! Good fun.

 

Conference Day 2

The final conference day started tired and early, as it's usually the case for me the longer a conference goes. And yet, I wouldn't miss it and didn't regret it one bit.

  • "The High-Performance Fuel for Social Engineering (Now in AI Flavors!)" by Glen Sorensen. Glen showcased how much data companies are collecting about us. They claim to have legitimate interest, yet do they really? What's considered justified, by whom? The problem here is that all this data is used for highly effective social engineering attacks. Having LLMs at hand, this danger became even more imminent. Glen shared lots of things we can do to reduce our own attack surface.
  • "Spyware: The Invisible Threat" by Julien vander Straeten. Really interesting talk on spyware as a specific type of malware. Its goal is to persist on the device, deep in the lower layers, and exfiltrate all kinds of data. Lots of countries buy spyware, including 14 EU countries - and quite a few of those also produce their own. Spyware is expensive, though, so attacks are highly targeted.
  • "Confound and Delay: Honeypot Chronicles from the Digital Battlefield" by Kat Fitzgerald. Yet another talk by Kat that was not recorded - so once again I asked her if I could publish my sketchnote, and luckily, she gave her okay for this one as well. This was a really cool talk on what you can learn through deception, offering attackers a realistic enough trap to observe their behavior. What they try to do. Including hilarious attempts! Honeypots can not only reveal how attackers operate but also predict production threats. 
  • Lightning talk "Good things can happen at conferences" by me. Well. This was not planned at all! Hence there's no proper abstract either. Here's the background story: On the workshop day, I shared with Claus as organizer of BSides Luxembourg that I am co-organizing the Open Security Conference (short osco). He instantly offered us their partnership - something I was just about to ask them as well. Super cool and kind! And then he shared there might be still a lightning talk slot available and asked whether I'd like to share a bit about osco. I usually don't do lightning talks at all, yet this one I felt would be feasible - it's pretty easy to talk about my own conference after all, I've done that plenty of times already. I kept this option in mind and inquired the next day whether the slot would still be free. Organizers shared it wasn't clear yet until the following day, but at best I would be ready for it. So at midnight I sat down and drafted a script. I knew I could just do a shameless plug - yet I wanted to give people more of a real message than just the mere promotion of our event. So I thought, what if I told the story how osco came to be? In general, how good things happened at conferences? I would have had plenty of examples on that matter, yet I decided to focus on three events. One, conceptualizing osco at SoCraTes 2023. Two, meeting my now manager at the first osco edition and only weeks after getting hired by him. Third, our freshly made partnership at BSides Luxembourg. Now I had my script ready to go. The last conference day came, and during the lunch break just before the lightning talks, I asked again if that slot would still be free. It was indeed! Just 15 minutes before the talks started, mine was added to the program. Then I realized, everyone else had slides - I had planned to just tell my story. But one supportive slide would be great indeed as a visual support. So I put our logo on one slide. A QR code next to it. That would do. 
Finished just a minute before going on stage! My whole speaking experience paid off in that moment. I went on stage and told my story. I made it. Later people came to me to tell me how much they loved the idea of osco and how good this talk was. For me as a recovering perfectionist and over-preparer, this whole feat was a real achievement unlocked! It seems I hit a note there. I'm already very curious if I'll ever learn what people took with them in the end. But well. Here's the script as I prepared it, and only slightly adapted when telling the story live.
    This is a true story on how good things can happen at conferences. 

    The year is 2023. I'm not yet working in security. I'm part of an engineering team, building products hands-on together. 

    I'm at a tech conference, called SoCraTes. It's a special kind of conference, as its program gets created right at the beginning of the conference - by the participants. The format is called an open space. It's designed in a way that everyone can contribute and everyone can learn in the ways they want at that moment in time, about the topics they want to learn about at that moment in time.

    So I'm at that open space conference, where I get to have a say on the program. I have a clear focus topic: I want to learn more about application security. Oh cool, there's a person who works in security and is also curious to learn more from other participants. His name is Claudius.

    Claudius and I, we agree to host a session together on usable security. Lots of folks join our session and we learn from each other. It's energizing. Claudius and I find we work well together, so we decide to host a workshop. Another success! Inspiring.

    We sit at lunch, and Claudius shares his idea with me: he wants to start a new conference. A security one. In the open space format. He feels that that's currently missing in the security community. I was hooked! And I added: Yes, a community-driven, non-profit conference - for everyone interested in cybersecurity, no matter their current roles or skills. Breaking down barriers and gatekeeping. I believe we all can learn from each other. 

    The idea of osco was born - the Open Security Conference. 

    We find further co-organizers on our journey. We find participants who love the idea. The idea becomes reality.

    Good things can happen at conferences.

    The year is 2024. We have the first edition of osco. Small. People love it. Many will return the following year. 

    And I? I also enjoy our conference. I'm sitting at dinner next to Rudi, who talks about his security team at his company. It sounds like a good place. Little do I know that I'm sitting next to my now manager, just 3 weeks before I will get laid off from my former company. Yes, I co-organized a conference and I got a job thanks to it. In application security. 

    Good things can happen at conferences.

    Fast forward to 2026. Our organizer team is preparing to host the third edition of osco on November 5th to 8th, in Germany, close to Frankfurt am Main.

    I'm here, at BSides Luxembourg. I talk with Claus and the other organizers. I share about osco - and our two conferences partner up. 

    Good things can happen at conferences.

    If an opportunity presents itself to you, seize it. It might come with the person right next to you, at lunch or dinner. Look out for them. 

    And if you're curious to learn more about the Open Security Conference? Come to me, get a postcard to spread the word, and become part of our story.

    Good things can happen at conferences - and beyond. 

    Thank you. 
  • "Building Secure AI: Making Threat Modeling a Core Part of Development" by Diana Waithanji. This talk was the perfect closure to the conference for me! Diana explained her approach to threat modeling, where I just sat and kept nodding along. Like that there's no one way to do threat modeling. Diana showcased how frameworks like STRIDE are still applicable when it comes to threat modeling AI systems - as one of many possible ways. She involved the audience actively and we heard from several people what they do and how it works for them. She also emphasized the importance of fostering good relationships with engineering teams, involving the whole team and collaborating across roles, as well as making threat modeling sessions high-energy and inclusive. So much this! Diana's talk highly resonated with my own experience.

And that was it. Originally, I had planned my last conference afternoon differently beforehand, with more talks - yet things came different than expected. First with me joining the lightning talks at last notice, and then with me standing by to give my backup talk, as pre-agreed with organizers. In the end, I didn't have to give it, and I used that unexpected time as a lovely chance to catch up with Marina Stephanova, one of the organizers, instead.

Right after the conference ended, there was yet another neat opportunity: Marina invited interested speakers to go sightseeing together and showed us around Luxembourg city! An offer way too good to refuse for sure. We had a lovely group of around 15 people, the weather was perfect, and we enjoyed a nice tour together while learning about Luxembourg's history and people. Afterwards, we had a great dinner together. Once we headed back to the hotel, how could it be different, the last core of us ended up in the hotel lobby. Just really good company (thanks to Ellis Stannard and Leonardo Wolff Takemasa Fernandes!), deep conversations in the middle of the night (extra special thanks to Diana Waithanji and Sonia Seddiki!), while tasting fiery hot snacks from India (huge shout-out to db here!). What could be better.

 

Returning Home

The next day it was time to depart, saying thank you to everyone one more time, and take my memories with me. I realized how tired I was, and while that made it a more complicated ride home than it would have needed to be, I did arrive safely and roughly in time.

My heart was full and brimming with the community spirit I just experienced. Lots of folks I met for the first time where it was just easy to connect with each other. Some people I even met the second time; the world is small! What a pleasant surprise. And not to forget all the care that organizers put into all the little details, always ready to help out and solve things or make them at least better, always appreciative of feedback. Special kudos to the team for making this whole event such a welcoming and inclusive experience, I really felt that I belonged. Their choices how to craft this space for community showed in everything: representation among the speakers, reflected in the participants joining, the options in conference T-shirt fits and range of sizes, the food offer, the choice of language. Everything. It clearly showed their continuous intentional effort and it paid off.

Looking back, this was such a good conference. The smooth organization, the speakers and participants from all kinds of backgrounds, the variety of super interesting topics, the space to connect with each other and stay connected. Can only recommend checking this one out next year! It won't be my last BSides Luxembourg for sure. I'll cherish the memories we've made together and the kind feedback this community provided.

Monday, January 5, 2026

Back to Building - Make Problems Smaller

New year, new challenge! Wait, yet another one? To be frank, I did consider not doing a personal challenge this year and go with the flow instead. Things are challenging as they are, especially given the state of the world, and I'd rather focus on joy to counter-balance things while preparing for those very things getting worse. This thought popped up and vanished again. Because on the other hand, why not? I have too many things I want to do, and my yearly challenges help me focus on upskilling on specific topics. Therefore, I continued collecting ideas for themes during the last year and noted them down as they came to see how my thinking evolved. Here they are, as raw as they come with a few redactions. I've tried lots of different variations - read them at your own wish to get a glimpse into my head.

Well - likely it’s going to be preparing for any useful security certification. Or activism. Not sure if there’s going to be anything in between.

What I’ll keep up is conference speaking and organizing osco. Not sure if anything else, I need time and space also for newer things.

Last years had a social and a mental challenge - it's time again for a technical one!

Hack the Box (HTB) Academy, sharing publicly

Study security, would also give more content for sessions

Private challenge: art. Or fitness challenge, now that my body should be fine enough by then.

The year after it could be all around creation: build & art. Building with code mostly.

Other things I might focus on: read fiction, play games.

Build. Tools, code, that app and BFF and backend I wanted for so long. No need to share or talk prematurely. Just build and make errors and learn. Also: build my fitness. Maybe also: build my knowledge (e.g. HTB Academy). Could even be the osco community, it's on the radar as well. Maybe it's the theme that matters. Build it up.

Hypothesis: put in the time, regularly. And it will grow.

Not daring enough?

Maybe a fitness challenge indeed then. Definitely daring. Or gaming. Both. Don't know.

Study, get fit, prepare - 1 public, 1 personal, 1 private challenge

Activate. Re-activate.

Build a program per day.

Build. Build insecurely. Build securely.

Scaling. Finding ways to do things with less effort, higher impact.

Scaling slack. Both (scaling and slack) is super scary and I learned to avoid it. Both apply to both work and personal time, even sports. For security, private hobbies, even social impact.

Personal challenge: tech only. ONLY! Only hands-on. ONLY. No excuses.

Build mobile Android app with Node TS BFF and .NET backend service. Just that. Publish it. Like really ship, often. Then iterate.

That's it. No excuses. In general. Regarding tech. Exercising. Drawing. Games. Anything. No excuses.

Variant of bigger test app for all kinds of purposes (including actual usage in production): Android app with Node TS BFF and .NET backend service with SQL database and another Kotlin backend with MongoDB - for practicing different frameworks and also simulate microservices more realistically. Just that. Publish it. Like really ship, often. Then iterate.

Scaling might mean to use scary new tools and constrain them. Have a tool to extend my reach and speed myself up. Become not afraid to use tools and know what to look for and what to secure.

Have a scrapbook for my own learning. Have it visual for scaling goals and things to learn and certifications to do, etc.

Do it now challenge. Not postpone it further. Whatever it is. No matter if it makes sense or not.

Allowing myself to fail. And hence even try, no matter if I fail. I'll learn.

A new allower message: It’s okay to be behind and go at my own pace.

Only experience can give me experience.

Go at your own pace but keep on keeping on moving.

This speaks to me: 
https://mastodon.sdf.org/@Lichtenbergian/115673218133345093 making the way into the calm space to create in, through all the tasks around us 

It's not about what I do. It's what others do because of my actions. It's not about me, it's about the bigger picture.

Optimize for slack; to think, ideate, experiment, fail, learn, and scale.

Looking at all these notes, this year, there are many themes and none really stands out. For work, the theme of the year will be indeed scaling. For my personal challenge, here are many themes - with scaling overlapping with work:
  • Scaling (impact)
  • Slack
  • Building
  • Fail at my own pace and gain experience
  • Certificate / trainings
  • Societal change & activism
  • Fitness
  • Art
  • Games
Scaling goes both ways - it's not always up, sometimes we need to go smaller. Especially for experiments and failure safety.

Interesting article: Do Things that Don't Scale

One challenge for me, for work, for society? Constraints: 3x sports per week, 2h games. Reading fiction and art as well or as options?

I'm usually falling back to busyness instead of doing the thing. Because being busy and having no time is familiar, comfortable, cozy. And that thing would require energy and is scary and I could fail.

No excuses. Do the thing. #DoTheThing

I see theirs and what they do and I feel jealous. Instead of also doing stuff myself. Especially bad when they say I inspired them to do x, and they outrun me with ease on the very topic. For many years, I defaulted to doing things together, to trick my brain to make time for things - yet then didn't do anything outside these times, and didn't dare much on my own anymore, feeling I needed the others anyways. Sharing frustration felt better than getting stuck on my own feeling, like it's me (and it was me indeed). Only very slightly and slowly recovered a bit this year (aka 2025). 

The main personal development goal: build the actual real-life use case app for both personal use and demonstration purposes I always dreamt of, tried two times and never fully dared to go all in. Would support the scaling through building scheme where I'm weakest (through community and education I've done already, building only super small). Would be hands-on, tech, development and security. On my own, as much as possible. Constraints: find time to play games, read fiction, meditative drawing every week. To have slack, give my brain space and joy for new thoughts.

My private personal goal is on fitness. Have a concrete target for strength, mobility, running, coordination - ask my coach what's feasible and makes sense for me. So here I would invest in movement, health, nutrition, sleep, everything. Also, it's been a long time since I've had a sports goal, it's about time again.

Both are just do the thing, no excuses goals.

CTFs would still be on the side without pressure, as I go - to learn. Or maybe even during work time. But not the one and only, as getting back closer to development is even more crucial for me. The testing one is nice for exploits though and demonstration. So this is just a supporting activity, not the main content. Maybe in 2027 I'll go for formal education and a certification then.

#BuildItUp #DoTheThing #NoExcuses #Scale4Slack #BuildTheScale #BuildToScale

The last one triggers an image: a stairway as a scale, to scale a mountain or wall, building it up to literally reach higher ground or more people for more growth and more impact

Fitness goal: stay pain-free & gain mobility needed for starting weight lifting (chest, wrists, ankles, etc.)

The joy of building :) tools, stuff, community, muscle, coordination, anything :) detracting the hardship or hurdles to even start

#ShowUp #BuildTheThing #JustBuild

Well now. What to make of all this? In the end, I believe I have a few most prominent challenges in these notes, yet they fit different spaces or parts of my life.

So I figured I first draw out what else is coming in 2026 for me.

  • Speaking at conferences. I'm not going to stop any time soon. It's time to draft and propose new sessions, and if they get accepted, create them. This takes a considerable amount of time and is pretty public. If I do paired sessions, there are also collaboration efforts to consider.
  • Organizing the third edition of the Open Security Conference. This is a collaborative endeavor by design, and very public indeed. I already know it'll take me some time during the first half of the year, and a lot of time during the second.
  • Evolving the security card deck game. Fortunately, this is a low-pressure, deliberately slow-going leisure project. It's still collaborative, and it'll need time and care, yet this is one of the most sustainable endeavors I do.
  • Practicing with my CTF team. Collaborative as well, yet nicely paced and spread out. As long as I don't overdo by adding an enormous amount of private practice, it's very combinable with the other endeavors.
  • Communing with community folks. As every year, there'll be remote sessions with various people I got to know over the years. Some to check in, some to share advice or exchange experiences, some to work on something together. These happen all year long and they do take focus and energy, yet they are invaluable and they also tend to be pretty controllable as long as I spread them out enough.

Besides those personal development and community initiatives, there's work with its own challenges and measures. Mostly around scaling through education, building tools, and a security champion program (can't wait for it to start!). 

There's also a fitness and physical health challenge to reach: to increase my body control and mobility range so I can pick up barbell training again (and this will help volleyball and running of course as well). As long as old and potential new injuries don't stop or slow me down of course. 

Mentally, I need to keep slack in the system not to overwhelm myself once again, but to stay able to think and enjoy all the things. Play some games just for fun. Stuff like that. Yet something else would really help me move forward and get across a bump I'm facing again and again.

 

The Challenge

Keeping all of the above in mind, let's talk about the scary thing I want to tackle. I want to finally do the thing that I tried a few times but never gave the attention it would have needed. The thing that I started, then usually postponed, and finally dropped again in favor of other things. I want to get back to building software.

For a very long time, I wanted to build my own application. To use it myself and solve a real problem. To use it for demonstration purposes. Just to practice. I've tried with my #CodeConfident challenge. I tried together with others on the SnackShop during my Contributing in New Ways challenge. I tried countless attempts to get something started on my own, and dropped them all.

There's more to it. Every time there's a problem to solve, I come up with a solution and try it out manually. Now if it works, instead of building a helper tool, I tend to keep doing the thing manually - to be fair, which is often the fastest and pretty fine as long as I don't overdo. Only when I see there are aspects involved that make manual execution very unfortunate, like too much data to go through, or repeating a task too often, or it becomes too error-prone, I start building and automating. Usually with as little effort as possible to achieve my goal, e.g. writing a small shell script to just do the job. Trying to avoid overengineering where I can.

The problem here is not the smart use of time or experimenting with what would solve the problem (e.g. rather changing a process than making a faulty one faster). It's taking away opportunities from myself to learn. It's keeping me hesitating to just create throw-away scripts that solve one problem one time. To build a small service that serves one purpose. That might not be polished, and yet good enough for now. It takes away building up experience in building. Because sometimes the best answer is indeed to build. 

This is becoming even more of a problem now that I'm in a central enabler team where we do not develop a product ourselves - now there's no feature to implement myself or bug to fix to keep honing my building skills. We're only starting out on building tools and there's so much other (valuable) work to do that easily eats up all my capacity. It's also becoming more relevant now that I'm in my new role as security engineer, focusing on application security. We can't get out of touch with the reality of building software. I've been in the trenches for many years, and I don't want to lose those building skills. (I'm aware there are lots of other building skills I'm still exercising, like building teams or communities or cultural systems. Yet software development is still core.)

So, back to building it is. That being said, what I cannot take this time is too much pressure and too much collaboration effort. I have both already covered with my other endeavors. For this challenge, I will choose to build on my own and in private as much as possible, yet build. I'll probably again take notes in my own coding journal - privately. I might choose to publish things, or maybe not. It's not the point this time. The point is to show up for myself. To build. To do the thing. No excuses. To keep building even if I throw things away or not use them more than once, or even at all. To just build, and build up the respective skills.

But is it scary, you ask? Shouldn't these personal challenges... actually challenge me? Oh hell it is. It means I don't have excuses anymore (as I keep repeating myself). It means I know I have all the means, nothing's stopping me - besides me, myself and I. And my fear of being judged. By others, and especially by myself. And that's scary, even though I've worked on calming my inner critic. Yet that critic also understood pretty well when I'm not knowing enough yet. That I need to get back to the basics, the foundational building blocks, and put them together myself. Building programs, tools, actual products. Building further understanding as I go. I'm scared of failing and learning, even though I preach such a growth mindset in various ways for many years.

Well. No excuses. Do the thing and get into the habit of just doing the thing. Or rather: Build humbly but build. I need to set myself up for success as well, not for failure by expecting overly huge things and results or instantly getting disappointed or frustrated with myself that I'm - surprise - still lacking the practice. Managing expectations will be huge. Yet I really want to hone the skill I never had much opportunity to hone at work and when I had, too often chose not to. Now that I do have lots of opportunity to practice security at work, building up my builder skills is what I can focus on in my private time. 

These days, I was reminded that learning is not a constant straight line but comes in waves. Trying something new (or even familiar on a bad day) will result in worse quality, less skill. We can only evaluate our progress on longer time frames (hence these yearly challenges in the first place). We need to be okay with doing something badly in order to do it at all. Anything worth doing is worth doing badly - as long as it's not causing harm.

Enough of the pep talk. 

 

The Hypothesis 

If you would only realize how many times I've rewritten this section, how much I've kept on adding thoughts, challenging my actual challenge over and over to uncover what's really moving me that I'm still shying away from. The truth is, it's all in the process! I often need to write and rewrite and start all over in order to realize what's my most valuable hypothesis here to tackle my challenge. This time, I struggled even more and it took longer than usual. Finally, here's the leanest, simplest hypothesis I found that narrows it all down.

I believe that consistently investing time in building software will hone my skills to make problems smaller. I've proven this hypothesis when I've made at least 3 real-life problems smaller through building within 300 days.

This is why I call this challenge "Back to building - make problems smaller". The core is going back to building, as I've started out in the last years but never followed up for real. At the same time, there's no need to solve the problems completely - that's too much pressure and unrealistic. Just tackle a part of a problem so the load and pain are reduced. Basically, just make it a tad smaller problem. 

The problem itself could be scaling. It could be giving better advice from the trenches or conveying knowledge through showcases. It could be reducing repetitive manual work and making it less error-prone. It could be offloading cognitive load. It could be creating a product I'm using myself. Whatever. Just an actual problem made smaller. This way, I hope I'll not only train my building skills but also recognize more of those opportunities to reduce the problem space as I go.


The Experiment

To test the hypothesis, here's the experiment: I run my very own #Challenge321, inspired by the many #100DaysOfX, #100DayProject and #75DaysOfX challenges out there that I love following. In those challenges, there are certain strict rules - I chose to adapt them and make this my own as follows.

  • For 3x100 days (aka 300), I dedicate at least 21 minutes of time each day to a specific topic, to build up momentum and a habit of spending time deliberately on what's important to me. That's why I call it my #Challenge321.
  • The three topics:
    • #100DaysOfBuilding - building software to make problems smaller. From designing to developing to testing to fixing flaws to operating, this will include everything that goes into building products, helper tools, or the like. Basically, spending continuous time on this. I can use this time as I wish in the moment. I can build a full-blown product, no matter at which scale. I can build multiple pieces of software - tools, scripts, libraries, anything. I can use them or not. Keep them or throw them away. As long as I keep building.
    • #100DaysOfMovement - literally getting that movement in for health and fitness. That's a rather common challenge to do. What I do doesn't matter as long as it gets me moving. Volleyball, running, even walking. Stretching, strength exercises, etc. As long as it helps me get moving it's fine - even better if it helps me move towards my fitness goal to increase my body control and mobility range so I can pick up barbell training again.
    • #100DaysOfGames - playing computer games for pure joy and mental health. Casual games don't count here for once - I have so many absolutely stunning and exciting games in my library, I finally want to enjoy them to the fullest. This activity is also a perfect timeout for my head during busy days. It's only for me and no one else, and hence it's a perfect way to maintain my mental health and recharge my batteries. It's also about that "play first work later" mantra I built up in 2025 during my Calm and Steady challenge.
  • I can choose to do only one of these three topics each day in 21 minutes and rotate through, or I can mix and match those three, e.g. do all of them in one day within a good hour. That's why the minimum time limit is deliberately low. I simply don't have excuses not to carve out that time per day. This is promising to work even on busy days, also considering all my other endeavors and tasks. If I continue beyond the 21 minutes on a topic, that's totally fine as well. I'll take it where my energy goes - yet the activity only counts once per day, I can't save up for future days.
  • It's okay to miss days (e.g. for conferences or whatever else life has planned for me). It's also okay to have different counters on each of those three topics. The only constraint is that I have to finish all three of them within exactly 300 calendar days. That's from January 5th until October 31st (inclusive). Hence, the experiment stops at the latest on October 31st. If I finish within 100 days already, that's fine too. At the very moment I reach 100 on all three topics I can choose to evaluate my overarching challenge right away or continue and extend beyond 100 days for each topic, whatever I wish to do at that moment in time.
  • I'll keep track of my progress for each challenge and the days that passed. Other x days of x challenges often require you to keep track publicly and to share your insights and experiences. I'm not mandating myself to do that each day, I might do it whenever and wherever I want to. I'm confident my track record of past personal challenges is good enough to prove it's fine to hold myself accountable.
  • To enable myself to evaluate my hypothesis in the end, I'll also keep track of how many real-life problems I've solved through building during these 300 days.

I'm well aware that this experiment basically consists of three challenges to tackle a challenge to achieve an overarching challenge - and yet, bear with me. I believe it's a great way to ensure I do test out my hypothesis for real, one that keeps me going and also has liberating constraints baked in. I don't want to end up once again not investing in my own joy and health, here it's literally part of the game.

Also, I believe that not doing all of these within 100 days but choosing my own pace within 300 days makes all of them pretty sustainable and feasible, even combined with a busy life and lots of other endeavors. Every third day would already make me achieve each challenge - so if I do each of those 3 times per week I'm already doing very well. And that's very reasonable. Even for movement, that would be the default already as of now. No energy for one thing? No problem, just tackle one of the other topics! Also, two of them are energy-giving, only one is the scariest, and all are targeting different areas. It's basically #300DaysOfNoExcuses.

Usually, I keep just one hashtag or tag line in my head to refer to my personal challenges. It helps me keep my theme for the year in mind and collect my posts on them. Well, I guess this year, I have a whole bunch of fitting hashtags, a real collection - and that's okay just the way it is: #BackToBuilding #MakeProblemsSmaller #Challenge321 #100DaysOfBuilding #100DaysOfMovement #100DaysOfGames #300DaysOfNoExcuses #DoTheThing

 

Let it begin!

This time, all constraints are already baked in. So that's it. It's on. Wish me luck!