
Tuesday, May 19, 2026

BSides Luxembourg 2026 - True Community Spirit

With BSides Luxembourg, my conference year 2026 officially started. And what a kickoff it was! What an inspiringly insightful, community connecting event. We've built fond memories together and this instance will most definitely not be my last one.

Speaking in Luxembourg, how come? Well, it all started with a sketchnote. As usual during on-site conferences, I also took sketchnotes at BSides Munich 2025 and published them on Mastodon. One of the organizers of BSides Luxembourg, Claus Cramon Houmann, saw them and expressed his wish to see me at their event. That brought it to my attention in the first place. I checked out their website and things looked really intriguing!

As I try to get to conferences mostly by speaking, I checked out their call for papers. To my pleasant surprise, they offered financial support to reimburse costs occurring with speaking, aka travel and accommodation (mind me, I'm not speaking of an honorarium here). That's the normal bar I have for conferences, and I'm used to expecting this from the many tech events I've been to. Sadly, this doesn't seem to be as common for cybersecurity conferences. Usually, I don't submit without that offer as I’m paying out of my own pocket otherwise – and many underrepresented folks have way less privilege than I have. Hence financial support is a green flag I’m actively looking for, indicating that the conference cares about inclusion and diversity. [Side note: That being said, I do understand that some community-driven non-profit conferences really cannot afford offering financial support (yet). I also am willing to meet them where they are - yet I can only support so many community conferences a year this way. Also, just inquiring about reimbursement often reveals a lot about where the organizers currently are, so I can make a way better informed decision for myself whether I'd like to continue with them or not.]

Back to BSides Luxembourg. I decided to go for it and hope for the best. For real, I caught myself time and time again the last months, hoping that I would get accepted - I had a feeling this would be awesome, and I really, really wanted to get in. The first round of speakers were revealed - I was not among them. I continued to hope. Then the email arrived - clarifying what financial support I would need! If they could make this happen, I would be in. I honestly loved this transparency from the start, as it made me trust this would be good for real.

Well, as you can see, I made the program indeed. My latest workshop and a brand-new talk got accepted. We also agreed that an older talk would serve as backup talk in case any speaker won't be able to make it. You can't imagine just how happy I was! Until I realized how close it was to the conference already. That was the beginning of March. The conference took place at the beginning of May. I just agreed to a brand-new talk. Aaaaahhhh!!! This was cutting it awfully close for my taste. Especially given I knew what else was happening during these two months. Then I learned that even more and more had to happen during these exact two months as well. Literally everything all at once at the same time. Two travels, creating yet another brand-new conference talk with a dear co-speaker (and figuring out what works for us doing so), editing the latest novel of my best friend, preparing for all other upcoming conferences with due dates, oh and I also happen to co-organize my own conference, right? Of course we had certain immovable due dates during this exact time frame. All of this costing enormous amounts of hours and hours and hours.

What an absolutely stressful time. I knew it would be worth it, it was worth it, and yet. I cut and canceled everything I could (okay, not as ruthlessly as I would have loved to due to my inner people pleaser, and yet as much as I could possibly do). I halted my personal challenge. Friends and family didn't really see me during this time. The only thing I did not cut was movement - I even increased it because it was a one-time-too-good-to-possibly-true offer. I also didn't want to repeat my mistake to cut on exercise as I did the last years - and I had dearly paid for it as this resulted in losing range of movement, strength and general quality of life. I had just reclaimed some very basic capabilities I would not give up again anytime soon.

All in all, this was such a close call. Massive kudos to the folks who joined the dry run of my new talk, giving me just the constructive and tangible feedback I needed, allowing me to revise it heavily and cut it to the first version it had to become. Everything was close-knit to the very last moment, even finishing last tasks on my travel to Luxembourg. Anyone who knows me for a while, knows that this is absolutely not me. I'm the over-preparer par excellence, and while I've gotten pretty good at keeping things "good enough", this was unheard of. But hey, I made it. Still wonder how, but I made it.

Alright, fast forward to the conference! Here's how it went.

 

Arrival Day

My travel required to change trains several times - and to my pleasant surprise, it worked out. I arrived well in time to do another dry run of my brand-new talk and also prepare last things for my workshop. Most speakers had come together in a Signal group which made it easy to find a bunch of folks to go to dinner with together. I make use of such opportunities whenever I can as they allow getting to know a few people in a smaller setting before the conference starts.

Putting faces to names or aliases from the chat was great. I even uncovered I've already met one of the speakers back at New Crafts 2024! The tech world is small, the conference speaker world even smaller. We enjoyed a lovely dinner and conversations on all kinds of topics together before it was time to prep for the next day.

 

Workshop Day

My own workshop "Secure Development Lifecycle Applied - How to Make Things a Bit More Secure than Yesterday Every Day" was scheduled for the morning just before lunch. We had a nice group of folks from all kinds of backgrounds coming together to learn and practice. The session worked out pretty well and my duty was done for the day! Things were off to a good start.

The lunch break was decently long to enjoy the food, have conversations with participants and also get some rest before the afternoon. I've decided to join "How to Read Code to Find Vulnerabilities" by Louis Nyffenegger. I was curious about this workshop due to a few reasons. First, I've been part of a code reading club a while ago, actively practicing techniques to understand code snippets and exchanging insights. Second, reading code was a big part of my previous role as a quality engineer, and still is as security engineer, with the specific focus on security. Third, I was keen on learning how Louis teaches code reading, as this is a topic I want to share further myself, and also given he's the founder of PentesterLab and I liked their style of conveying knowledge and skills. Long story short, it's been a really interesting workshop indeed! He shared a bunch of advice on what to look for when reading code and how to train this skill. We ran lots of exercises together on finding flaws in various code snippets, dissecting what made these insecure and how to build things in a secure way. Both detection and also knowing how to do better is such a crucial skill to hone. As the cherry on the top, Louis gave away copies of his book "CVE Archeologist's Field Guide: Methodology and lessons from 10 vulnerability analyses" - so much appreciated!

Right afterwards, I managed to get into the session "Dismantle The Bomb" by Stijn Tomme. This was designed as an escape game like scenario - and way too much fun to spoil what happened in this session! Let's just say: it's been the very first time I've seen a key being cut, a potato battery lighting up an LED, and cutting wires to deactivate the bomb. We had a really nice group to solve the riddles and puzzles together - teamwork for the win! Anyone having a chance to catch this session, go for it. We had a massively good time with this well-designed game, used our collective skills in new ways and came in touch with things that are not as common. Perfect for the afternoon - energy was really high afterwards.

Time for me to go back to the hotel and practice my talk for the last time, then head for the speakers dinner. The organizers were so kind to make this happen for us and we enjoyed lovely Vietnamese street food together - much appreciated! That kind of opportunity is usually great to connect with other speakers, learn about their passion topics and values, and just have a good time. As usual, we also discovered a few first-time speakers among us and shared experiences; we're all in the same boat and new folks are very welcome to realize they are not alone with struggles like last-minute preparations, coping with nervousness, and more. It was a great evening and things were ready for the conference days.

 

Conference Day 1

If you had seen the program for this conference, you probably understood my massive struggle to decide which sessions to attend live. There were the main conference tracks, as well as an AI village, a detection engineering village, a lockpicking village and a car hacking village. So many amazing sessions to choose from! In addition, talks were hosted across not only one building, but two - without many breaks in between to get from A to B, which really made a difference in my choices. Fortunately, most talks had been recorded and I will still have a chance to catch up. Some talks, however, were not recorded, so I tried to prefer them where I could. Also, as usual at on-site conferences (as shared already above), I did sketchnotes for almost all talks I attended.

  • "Things Fall Apart: Allying Cybersecurity and Diplomacy against Authoritarian Disorder" by Luc Dockendorf. I was a bit late for this opening talk by Luxembourg's Cybersecurity and Digitalisation Ambassador, so I chose not to sketchnote it. I did, however, really appreciate the clarity in addressing the current planetary, geo-political and social challenges we face. What a strong opener for the conference!
  • Keynote: "Identity Security Just Exploded" by Wendy Nather. Wendy presented what makes identities for authentication such a challenge, back in the days, and especially nowadays given AI agents. Lots of problems that never got solved (like delegation) are multiplying now. What we can do right now is to make sure our fundamentals are covered. 
  • "What Does Threat Modeling Solve for AI Security?" by Nathan Pembe. Nathan made a great point how threat modeling can not only help to make pentesting efforts a lot more targeted, it also helps fill the gaps to implement security controls for audits in the age of AI. I really appreciated his down-to-earth call to focus on realistically reachable attack paths and separate those from noise.
  • "Beyond the Prompt: A Framework for Agentic AI Attack and Defense Strategies" by Jeremy Snyder. Jeremy walked us through the major risks that AI agents introduce. It's not only about the agent itself or the model used, but we need to consider the whole architecture including interfaces to retrieve incoming data as well as the output created. This talk was full of awesome questions to ask!
  • "Cloud Misconfigurations: Poke Poke, Breach" by Kat Fitzgerald. This was a talk that was not recorded - hence I asked Kat afterwards if she consented to me publishing my sketchnote of her talk. Fortunately, she agreed! This was a really cool talk about how misconfigurations just keep coming and showing up in various (way too known) shapes and forms. All the classics included. The solution: policy as code to provide safe guardrails! No chasing, instant feedback, actual clarity.
  • "Managing Uninvited Guests: Securing Open Source Dependencies" by Frithjof Hoffmann. Originally, this talk was meant to be given together with Kadi McKean who unfortunately couldn't make it. This was an ever-green reminder to evaluate which dependencies we really want to build on and which ones to keep out. SBOMs can help find vulnerable packages, while we also need to acknowledge that scans can be flawed. 
  • "Out of Security Exception - What to Do Without an Expert to Secure Your Software" by me. This was the premiere for my brand-new talk. For anyone who missed it, it was recorded so you can still check it out once it's published. Unfortunately, there was no immediate feedback feasible as the next talk started right after mine. Yet all in all, I'm quite content with how it went and people seemed happy enough as well. 
  • "The Forgotten Fingerprint: DNS Based OSINT Techniques for Product & Service Discovery" by Rishi. This talk looked specifically at TXT records and how they could be used in threat hunting and hence accelerate incident response. Rishi demonstrated both OWASP Amass and Nuclei as two of the main tools you can use to start your discovery today.
  • "Turnkey Code – Enhancing Secrets Management in Large Scale Organizations" by Diogo Lemos. Diogo presented an interesting case study of what they learned when building a proper secrets management platform. They needed to control the noise and consider the whole lifecycle - including rescanning safely without overwriting human triaging decisions. 

That was the last session for the day. Participants gathered, enjoyed good food and conversations together, sharing their insights of the day with each other. Then it was time for "Security Impress Karaoke" hosted by Kirils Solovjovs. Basically PowerPoint Karaoke but using OpenOffice Impress, with slides sourced from Cybersecurity talks. Lots of folks accepted the challenge to present random slides thrown together and combine them in a way that's concise and hilarious at the same time! Good fun.

 

Conference Day 2

The final conference day started tired and early, as is usually the case for me the longer a conference goes. And yet, I wouldn't miss it and didn't regret it one bit.

  • "The High-Performance Fuel for Social Engineering (Now in AI Flavors!)" by Glen Sorensen. Glen showcased how much data companies are collecting about us. They claim to have legitimate interest, yet do they really? What's considered justified, by whom? The problem here is that all this data is used for highly effective social engineering attacks. Having LLMs at hand, this danger became even more imminent. Glen shared lots of things we can do to reduce our own attack surface.
  • "Spyware: The Invisible Threat" by Julien vander Straeten. Really interesting talk on spyware as a specific type of malware. Its goal is to persist on the device, deep in the lower layers, and exfiltrate all kinds of data. Lots of countries buy spyware, including 14 EU countries - and quite a few of those also produce their own. Spyware is expensive, though, so attacks are highly targeted.
  • "Confound and Delay: Honeypot Chronicles from the Digital Battlefield" by Kat Fitzgerald. Yet another talk by Kat that was not recorded - so once again I asked her if I could publish my sketchnote, and luckily, she gave her okay for this one as well. This was a really cool talk on what you can learn through deception, offering attackers a realistic enough trap to observe their behavior. What they try to do. Including hilarious attempts! Honeypots can not only reveal how attackers operate but also predict production threats. 
  • Lightning talk "Good things can happen at conferences" by me. Well. This was not planned at all! Hence there's no proper abstract either. Here's the background story: On the workshop day, I shared with Claus as organizer of BSides Luxembourg that I am co-organizing the Open Security Conference (short osco). He instantly offered us their partnership - something I was just about to ask them as well. Super cool and kind! And then he shared there might be still a lightning talk slot available and asked whether I'd like to share a bit about osco. I usually don't do lightning talks at all, yet this one I felt would be feasible - it's pretty easy to talk about my own conference after all, I've done that plenty of times already. I kept this option in mind and inquired the next day whether the slot would still be free. Organizers shared it wasn't clear yet until the following day, but at best I would be ready for it. So at midnight I sat down and drafted a script. I knew I could just do a shameless plug - yet I wanted to give people more of a real message than just the mere promotion of our event. So I thought, what if I told the story how osco came to be? In general, how good things happened at conferences? I would have had plenty of examples on that matter, yet I decided to focus on three events. One, conceptualizing osco at SoCraTes 2023. Two, meeting my now manager at the first osco edition and only weeks after getting hired by him. Third, our freshly made partnership at BSides Luxembourg. Now I had my script ready to go. The last conference day came, and during the lunch break just before the lightning talks, I asked again if that slot would still be free. It was indeed! Just 15 minutes before the talks started, mine was added to the program. Then I realized, everyone else had slides - I had planned to just tell my story. But one supportive slide would be great indeed as a visual support. So I put our logo on one slide. A QR code next to it. That would do. 
Finished just a minute before going on stage! My whole speaking experience paid off in that moment. I went on stage and told my story. I made it. Later people came to me to tell me how much they loved the idea of osco and how good this talk was. For me as a recovering perfectionist and over-preparer, this whole feat was a real achievement unlocked! It seems I hit a note there. I'm already very curious if I'll ever learn what people took with them in the end. But well. Here's the script as I prepared it, and only slightly adapted when telling the story live.
    This is a true story on how good things can happen at conferences. 

    The year is 2023. I'm not yet working in security. I'm part of an engineering team, building products hands-on together. 

    I'm at a tech conference, called SoCraTes. It's a special kind of conference, as its program gets created right at the beginning of the conference - by the participants. The format is called an open space. It's designed in a way that everyone can contribute and everyone can learn in the ways they want at that moment in time, about the topics they want to learn about at that moment in time.

    So I'm at that open space conference, where I get to have a say on the program. I have a clear focus topic: I want to learn more about application security. Oh cool, there's a person who works in security and is also curious to learn more from other participants. His name is Claudius.

    Claudius and I, we agree to host a session together on usable security. Lots of folks join our session and we learn from each other. It's energizing. Claudius and I find we work well together, so we decide to host a workshop. Another success! Inspiring.

    We sit at lunch, and Claudius shares his idea with me: he wants to start a new conference. A security one. In the open space format. He feels that that's currently missing in the security community. I was hooked! And I added: Yes, a community-driven, non-profit conference - for everyone interested in cybersecurity, no matter their current roles or skills. Breaking down barriers and gatekeeping. I believe we all can learn from each other. 

    The idea of osco was born - the Open Security Conference. 

    We find further co-organizers on our journey. We find participants who love the idea. The idea becomes reality.

    Good things can happen at conferences.

    The year is 2024. We have the first edition of osco. Small. People love it. Many will return the following year. 

    And I? I also enjoy our conference. I'm sitting at dinner next to Rudi, who talks about his security team at his company. It sounds like a good place. Little do I know that I'm sitting next to my now manager, just 3 weeks before I will get laid off from my former company. Yes, I co-organized a conference and I got a job thanks to it. In application security. 

    Good things can happen at conferences.

    Fast forward to 2026. Our organizer team is preparing to host the third edition of osco on November 5th to 8th, in Germany, close to Frankfurt am Main.

    I'm here, at BSides Luxembourg. I talk with Claus and the other organizers. I share about osco - and our two conferences partner up. 

    Good things can happen at conferences.

    If an opportunity presents itself to you, seize it. It might come with the person right next to you, at lunch or dinner. Look out for them. 

    And if you're curious to learn more about the Open Security Conference? Come to me, get a postcard to spread the word, and become part of our story.

    Good things can happen at conferences - and beyond. 

    Thank you. 
  • "Building Secure AI: Making Threat Modeling a Core Part of Development" by Diana Waithanji. This talk was the perfect closure to the conference for me! Diana explained her approach to threat modeling, where I just sat and kept nodding along. Like that there's no one way to do threat modeling. Diana showcased how frameworks like STRIDE are still applicable when it comes to threat modeling AI systems - as one of many possible ways. She involved the audience actively and we heard from several people what they do and how it works for them. She also emphasized the importance of fostering good relationships with engineering teams, involving the whole team and collaborating across roles, as well as making threat modeling sessions high-energy and inclusive. So much this! Diana's talk highly resonated with my own experience.

And that was it. Originally, I had planned my last conference afternoon differently beforehand, with more talks - yet things came different than expected. First with me joining the lightning talks at last notice, and then with me standing by to give my backup talk, as pre-agreed with organizers. In the end, I didn't have to give it, and I used that unexpected time as a lovely chance to catch up with Marina Stephanova, one of the organizers, instead.

Right after the conference ended, there was yet another neat opportunity: Marina invited interested speakers to go sightseeing together, showing us around Luxembourg city! An offer way too good to refuse for sure. We had a lovely group of around 15 people, the weather was perfect, and we enjoyed a nice tour together while learning about Luxembourg's history and people. Afterwards, we had a great dinner together. Once we headed back to the hotel, how could it be different, the last core of us ended up in the hotel lobby. Just really good company (thanks to Ellis Stannard and Leonardo Wolff Takemasa Fernandes!), deep conversations in the middle of the night (extra special thanks to Diana Waithanji and Sonia Seddiki!), while tasting fiery hot snacks from India (huge shout-out to db here!). What could be better.

 

Returning Home

The next day it was time to depart, saying thank you to everyone one more time, and take my memories with me. I realized how tired I was, and while that made it a more complicated ride home than it would have needed to be, I did arrive safely and roughly in time.

My heart was full and brimming with the community spirit I just experienced. Lots of folks I met for the first time where it was just easy to connect with each other. Some people I even met the second time; the world is small! What a pleasant surprise. And not to forget all the care that organizers put into all the little details, always ready to help out and solve things or make them at least better, always appreciative of feedback. Special kudos to the team for making this whole event such a welcoming and inclusive experience, I really felt that I belonged. Their choices how to craft this space for community showed in everything: representation among the speakers, reflected in the participants joining, the options in conference T-shirt fits and range of sizes, the food offer, the choice of language. Everything. It clearly showed their continuous intentional effort and it paid off.

Looking back, this was such a good conference. The smooth organization, the speakers and participants from all kinds of backgrounds, the variety of super interesting topics, the space to connect with each other and stay connected. Can only recommend you checking this one out next year! It won't be my last BSides Luxembourg for sure. I'll cherish the memories we've made together and the kind feedback this community provided.