Saturday, June 13, 2026

Elbsides 2026 - A Welcoming First Time

This year I had my first opportunity to go to Elbsides, the BSides of Hamburg. I had heard lots of folks recommend this conference and I was eager to experience it myself. It's been a lovely couple of days for sure!

On arriving in Hamburg, I met a dear friend for dinner. Really enjoyed the conversations, the tasty food, and in general taking a break after some wildly packed months. It was just what I needed before diving fully into the conference experience.

 

Workshop Day

With batteries recharged, I made my way to the workshop venue. What a warm welcome from the organizers! I knew two of them already from BSides Munich in the past years, so it was really nice to catch up.

Then it was time for my own workshop: "Secure Development Lifecycle Applied - How to Make Things a Bit More Secure than Yesterday Every Day". I've given this session plenty of times now, each time to a different kind of audience. The participants I had this time were just great - they happily grouped up, engaged with the hands-on exercises, were eager to bring up even more ideas and try things out together. They truly made my job an easy one! In general, each time I repeat a workshop, I just love to see how different people approach a task and find different things. We can learn so much from each other. At the end of the workshop, participants shared a ton of feedback with me, which is invaluable - much appreciated! That's how I knew the time flew by and people couldn't fathom how fast a 4-hour workshop could be over again. This was truly a good start to the conference for me.

Lunch was conveniently served right at the venue, so we could use the time effectively to enjoy the food and also exchange experiences. In the afternoon, I joined a half-day workshop myself: "Exploiting and Securing AI Applications on AWS" by Anne Stein and Robert von Massow. All too relevant these days. No matter if we like generative and agentic AI tooling or not, we have to deal with their outcome and impact at the least. What I really appreciated in this workshop was that the trainers acknowledged this situation. They also were really clear on what kinds of safeguards we can build and where we are at a loss due to the probabilistic nature of the beast. Specifically, they emphasized making the tools that AI agents can call as descriptive as possible, to control them via deterministic means as much as possible. AI models, however, can still go rogue on their own terms, so we need to build with this risk as a given. Any guardrails we add are probabilistic as well and hence aren't predictable either. The other part of this workshop I really appreciated was that we had plenty of interactive hands-on exercises to interact with a complex enough and at the same time simple enough system of an LLM having a set of tools available. We practiced both how to exploit the system and get the LLM to do what we wanted, and also how to constrain their reach through making the tools more restrictive, including classics like input validation. I paired up with another participant, which was just perfect for the hands-on nature - we came up with more ideas this way and indeed managed to find our ways past the guards, also outside the foreseen path.

The workshop day was over. In the evening, I met a dear community friend I hadn't seen for a while. They happened to show me around Hamburg and we had perfect weather for a bit of sightseeing! I love it when these occasions turn up at conferences. After long conversations and a really nice dinner, it was time for me to catch some sleep and get ready for the main conference day.

 

Conference Day

This BSides is a one-track conference. Which comes with benefits: no need to decide where to go, no fear of missing out, no issues trying to change rooms if the schedule is tight! Everyone experiences the same program. Which also means, you'll experience something you wouldn't have chosen otherwise. This really allows for serendipity and insights you would have likely missed. Sure, it might be that you're listening to a talk that's really not relevant for you - but that could happen also if you chose it yourself as you never know how the talk will turn out for real. This time, I did appreciate only having one track as it made sketchnoting easier.

  • Keynote: "Secrets don’t age well: Cyber, Kyber, Quantum and the encryption time bombs" by Natalie Kilber. Quantum computing is one of those areas I haven't learned much about so far. So Natalie's keynote was welcome to introduce a few concepts, specifically given that cryptography is something most of us don't directly work on, but most of us for sure need to make use of. And in software, we need to prepare for migrating towards quantum. Also, this was the first time I heard about a cryptographic bill of materials (CBOM)!
  • "Harvest Now, Decrypt Later: Bringing Post-Quantum Cryptography to SSH" by Leon Rickert. More quantum! Leon shared a hybrid PQC approach, increasing security through redundancy by having a classical secret and a PQC secret combined in a shared hybrid session key. This could be just the first step in a gradual migration you hoped for. We also need to keep the context of our system in mind; some environments are heavily resource-constrained, so performance matters a lot.
  • "Ghost in the Hiring Machine: Catch Fake Personas Before They’re Hired" by Michael Reimsbach and Rishi. This talk is timely, following all the news where imposters had been hired by companies, thinking these folks were legit applicants. Michael and Rishi showed what companies can do before a hiring decision in order to figure out whether a person is not who they claim to be, using a whole set of OSINT tools. I love that they also emphasized personal security and reminded us to protect ourselves and apply OSINT defensively.
  • "‘We Have Always Been at War With Eastasia’: Attacks Against Web Archives" by Robin Kirchner. Very interesting talk on how web archives can get targeted by malicious actors, trying to evade or deceive them. Robin presented the techniques that work most of the time and that we need to be aware of.
  • "When Trust Breaks Under Pressure" by René Lößner. René shared sound advice on what you can do when confronted with information that is intended to manipulate you into unfortunate actions - and how to even detect that this is happening to you. Remember the FATE and SIFT acronyms.
  • "Let Him Cook! Hacking the Meatmeet BBQ Probe" by Julian (dead1nfluence). That talk was a fun ride of following the rabbit hole of "how does this tool work under the hood". Guess what, it ended up in lots of CVEs getting reported. 
  • "The Map of Artificial Treasures: What to Automate in Security - and Why?" by Michael Helwig. Michael looked at the various options we have using AI systems, how they differ, and what makes more sense to use for which use case. Because not every hammer is for every nail.
  • "Pull the Plug: Kernel-Level Surgery to Blind EDRs" by André Lima. This was a really interesting dive into tricking Windows EDR systems to let your bad driver go through without getting blocked, or even logged. 
  • "I Let My Pi5 Hack: Building a 0$ AI Pentesting Agent" by Nithin Ravi. I really appreciate how Nithin started with the differentiation that AI is not the same as automation and that a lot of things can be automated well without the usage of any AI. AI tooling can be good for what it's actually good at. His journey on how to use low budget tools to build a pen testing agent, however, resulted in the following conclusion: no, you truly don't need AI for everything.
  • "Your Traffic Is Lying to You" by Lisa Fröhlich. Lisa pointed out the vast ratio of web traffic coming from bots these days and how they go undetected by traditional monitoring systems in the age of AI. We can still learn what's going on - yet only if we truly know our actual valid traffic.
  • "Still Out of Sight? The NIS-2 Reality Check in German SMEs" by Younes Ahmadzei. I enjoyed Younes' previous version of this talk at BSides Munich 2025. Now that NIS-2 is in effect, how did things change? Unfortunately, nothing much changed as of now. Companies are still behind, while they could have used this opportunity to their own benefit. I love how he concluded that cyber resilience is not created by paper but by empowered companies and active synergies.
  • "The Illusion of Finishability" by Juliane Reimann. This talk was my absolute highlight of the conference. Juliane taught us what's behind our human need for closure, and how people experience this need very differently. Some yearn for closure, others try to avoid closure for as long as possible. This alone explains so much of what I experience every day interacting with various people and also when observing very distinct decision cultures within different teams and companies! Juliane of course also tied this to what we see in security, from statements to behavior and also systems we can use to meet our own needs for closure in a healthy way. 
  • "Keynote: Who comes next?" by Brian Hein and Constantin Jacob. This talk looked at how the threat intelligence community handled things in the past, building tight networks based on the iron principle of KMT: know you, met you, trust you. The problem is, this doesn't fit anymore to today's world of communication and we're losing the next generation. We need to put in intentional effort to include and grow the next ones after us - and that applies to any community beyond threat intelligence.

By the way, all of these talks were recorded and will at some point be published by Elbsides, so that's going to be your chance to check them out yourself.

The conference closed with a dedicated space for socializing with the community. Afterwards, it was time for the speakers' dinner. The organizers kindly invited us to really nice food and drinks together in a relaxed atmosphere. It was a great evening among great people, sharing experiences when working in teams but also with many other teams, how to truly help others and make an impact, learning more about wind energy and what's needed to build and maintain these farms, and much more. What a great closure to a great conference.

I went home with my heart full, new connections in my network, ideas sparking. What else can I want from a conference? If you have a chance to join a future Elbsides, seize that opportunity! You won't regret it.