Starts
Ends
(Timezone - Europe/Amsterdam)
Security Days 2026, 7-9 April 2026, Utrecht
Jaarbeurs Supernova
Jaarbeurs Supernova
Utrecht, Netherlands
Description
Securing tomorrow together
Utrecht, Netherlands | 7-9 April 2026
Security is the foundation of trust, the trust that enables collaboration, innovation, and open research across borders. GÉANT Security Days 2026 brings together the community that safeguards that trust: security professionals, network experts, incident responders, and CISOs from across its NREN community and their connected institutions.
Under the theme “Securing Tomorrow Together,” this year’s conference explores how collective intelligence, shared experience, and coordinated security measures are shaping the future of cybersecurity for research and education in Europe and beyond.
Through hands-on training sessions, eye-opening keynotes, real-world case studies, and forward-looking discussions, we’ll address topics such as: cloud security, community engagement, cyber resilience, the human factor, financial constraints and practical security.
GÉANT Security Days is a working forum where ideas become solutions and collaboration drives resilience. Whether you’re leading a CSIRT, building secure networks, or shaping security policy, this is where the community comes together to secure our future.
Security Days Organisational Committee
Registration
Participants
166
View full list
-
-
Workshop: MISP 101 – How to Setup Your Own MISP Expedition Room
Expedition Room
Jaarbeurs Supernova
Utrecht, NetherlandsThis hands-on workshop will guide you through everything you need to get your own MISP instance up and running. Starting with an overview of the Jisc MISP containers, you'll follow along as we walk through deployment, configuration, and best practices — step by step. We'll also cover how to connect your instance to the GÉANT MISP test environment, giving you a real-world foundation for threat intelligence sharing. Whether you're just watching or following along live, you'll leave with the knowledge to confidently deploy and manage MISP in your own environment.
Here are the planed topics:
- An overview of the Jisc MISP containers and goals when creating them
- Walk through the steps to deploy MISP using the containers
- Live demo, with optional follow along, of configuration and deployment of MISP.
- Walk through the steps for project participants to connect their instance to the GÉANT MISP (test) instance.
- Live demo, with optional follow along, of connecting to GÉANT MISP (test)
- Best practices for creating events.
- Q&A
Conveners: Mr Joe Pitt (Jisc), Vladislav Bidikov (MARNET / UKIM) -
Workshop: Security Awareness Community Training - How to implement a structured approach to addressing human related risk Mission 1 Room
Mission 1 Room
Jaarbeurs Supernova
Utrecht, NetherlandsRosanne Pouw (SURF) provides an introduction and the first hands-on training module to applying SURF’s practical awareness framework within higher education and research institutions. Participants will explore how the Plan–Do–Check–Act (PDCA) cycle can be used to structure, implement, evaluate, and continuously improve awareness initiatives in a systematic and measurable way.
Module risk management and behaviour change:
This workshop module and first step in the PDCA approach introduces participants to the strategic use of risk management as a foundation for effective awareness programmes within educational and research institutions.Participants will learn how to assess the current state of awareness within their institution, develop and apply a risk matrix, and connect identified risks to desired behaviours. The workshop also introduces persona development, target group analysis, and practical behaviour change models, including the COM-B model, to support structured and evidence-based interventions.
Conveners: Cornelia Puhze (SWITCH), Davina Luyten, Rosanne Pouw (SURF) -
Workshop: Threat Hunting Mission 2 Room
Mission 2 Room
Jaarbeurs Supernova
Utrecht, NetherlandsJoin us for a practical threat hunting workshop where we’ll dive into real-world threat scenarios based on multiple cases observed during this 2025. Don’t worry if you’re not familiar with this topic — this workshop is designed for all skill levels, oriented to threat hunting, and we’ll start with a clear and simple introduction to basic detections so you can get comfortable before jumping into the action.
What to Expect:
- Learn how to hunt for threats across different scenario such as: Network-based threats, Identity-based anomalies, Host-based suspicious behavior.
- Apply Threat Intelligence on Threat Hunting.
- Explore how to turn raw data into real detections.
- Discover how to build your own hunting queries and detection rules.
Bring Your Laptop!
You’ll need your computer — in the second part of the session, we’ll break into groups to solve real-world threat hunting cases using the tools and queries we explored in the morning.
Conveners: Benjamin Zullinger (FHNW), Gianni Castaldi, Sergio Albea -
11:30
Coffee Break
-
13:30
LUNCH
-
Opening Plenary Progress Room
Progress Room
Jaarbeurs Supernova
Utrecht, NetherlandsConvener: Nicole Harris (GÉANT)-
1
Welcome from GÉANT & SURFSpeakers: Alf Moens, Floor Jas (SURF), Klaas Wierenga
-
2
The bumpy road ahead – IT security challenges of the next years (Keynote Frank Rieger)
The IT security enters a new era with the advent of agentic LLMs that can mimic the traits of successful attackers and defenders: endless patience, comprehensive knowledge and high attention focus. This new world does however not mean that the old problems go away. Maintaining control of your network, systems, endpoints and software has just become even more important, as things are speeding up considerably on all aspects. In this talk we will look at the bigger picture, where things are probably heading and what are good practices to keep our users secure.
-
3
Start your own Internet Resiliency Club (Keynote Valerie Aurora)
Our internet access can be cut off at any time by accidents, natural disasters, and armed conflict. Climate change and current geopolitical threats make this increasingly likely in Europe. How can we prepare our communities to cope with a temporary loss of internet connectivity, and perhaps help speed the return of internet access? This talk describes how to start your own Internet Resiliency Club using LoRa radios, mesh networking, and community management.
Valerie Aurora is an open source software engineer with more than 25 years of experience in operating systems. After moving from San Francisco to Amsterdam in 2023, she now works on improving European digital independence. She was a special rapporteur for the Cyber Resilience Act and served on the program committee for RIPE. She is the co-founder, with Sasha Romijn, of the Amsterdam Internet Resiliency Club.
https://bowshock.nl/irc/
-
1
-
16:00
BREAK
-
Preventive Security Mission 1 Room
Mission 1 Room
Jaarbeurs Supernova
Utrecht, NetherlandsHow can we keep up with the exponentially increasing rate of cyber attacks facilitated by automation and AI? We have a great lineup of speakers in this session that will leave you with some actionable means for getting and staying ahead of the game by modelling threats, implementing security services like DNS firewalling and gaining visibility through attack surface discovery and testing before the attackers do. Come join us to Secure Tomorrow Together :)
Conveners: Raymond Dijkxhoorn (SURBL), Roderick Mooi (GÉANT)-
4
Threat Modeling 101
In today’s rapidly evolving cyber threat landscape, organisations can no longer rely solely on reactive security measures. Anticipating potential threats is essential, and threat modelling provides a structured way to do this. In this session, we will show how our team integrates threat modelling into the Cyber Threat Intelligence (CTI) reports produced as part of the GEANT GN5-2 project, delivering actionable insights for education and research institutions across Europe.
Threat modelling involves identifying and analysing potential threats, understanding how adversaries may exploit vulnerabilities, and prioritising risks. Rather than remaining a theoretical exercise, our approach uses threat models to produce intelligence that directly supports operational and strategic decision-making.
The presentation will introduce commonly used threat modelling frameworks and tools, including STRIDE, PASTA, and MITRE ATT&CK. These frameworks provide structure and consistency, helping analysts prioritise mitigation strategies and ensure intelligence is relevant and actionable.
We will also cover the threat modelling lifecycle, from threat identification and analysis to validation and ongoing refinement. Testing and revisiting models is critical to maintaining accuracy and alignment with real-world risks, ensuring CTI outputs remain practical and usable by decision-makers.
A central focus of the session will be our practical use of MITRE ATT&CK. ATT&CK offers a detailed view of adversary tactics and techniques, enabling us to map threats to the environments we support. Using examples from GN5-2 CTI reports, we will demonstrate how ATT&CK helps identify likely adversary behaviours, contextualise threats for education and research organisations, and inform mitigation strategies.
We will then discuss how we plan to extend our reporting using MITRE D3FEND and MITRE ATT&CK Flow. D3FEND provides a structured catalogue of defensive techniques, enabling analysts to link observed adversary behaviour directly to relevant countermeasures and strengthen defensive planning. Building on this, ATT&CK Flow allows analysts to visualise attack paths by showing how adversary actions, assets, tools, and conditions connect. We will show how Flow supports hypothesis-driven analysis and helps reason about adversary behaviour even when concrete indicators are limited. Together, these approaches strengthen the connection between threat analysis and practical defensive guidance.
Beyond our own use cases, the session will address how organisations can adopt and adapt these methods themselves. We will explore how ATT&CK, D3FEND, and Flow can serve as building blocks for bespoke threat models tailored to national contexts, sector-specific risks, or constituent communities.
Practical steps for enabling this capability will be outlined, including establishing repeatable modelling processes, aligning models with organisational priorities, and integrating threat modelling into existing CTI and risk management workflows. This approach supports sustainable, continuously improving threat modelling rather than one-off exercises.
By the end of the session, participants will be able to:
- Apply MITRE ATT&CK to CTI reporting for education and research organisations.
- Use D3FEND and ATT&CK Flow to create richer threat context and structured defensive guidance.
- Build attack flows to visualise adversary behaviour and test hypotheses in the absence of concrete indicators.
- Validate and refine threat models to ensure intelligence remains accurate and actionable.
- Design and maintain bespoke threat models tailored to their countries, sectors, or constituent communities.
- Embed threat modelling into their own intelligence activities.
This session is aimed at security practitioners, threat analysts, and decision-makers seeking to move beyond reactive security approaches. By demonstrating how threat modelling can be embedded into intelligence reporting — and scaled for organisational use — we aim to equip participants with practical methods to prioritise threats, understand adversary behaviour, and support informed security decisions across the European education and research sector.Speakers: Nicole Stewart, Ms Olga Spillane (Asiera) -
5
Protective DNS
When trying to protect against malware and phishing attacks we can try to protect our users and systems at different levels in the network. We could, for example, block suspicious connections at our firewalls. It would be even better though if we could even prevent clients from even trying to set up those connections in the first place. This is where the Protective DNS project (GN5-2, WP8, task 3) comes in.
The Protective DNS project is an effort to design and implement a prototype recursive DNS resolver that will block requests for malicious domain names and thus prevent clients from even requesting the IP address for a potentially malicious host. This is transparent for the users and does not require special settings on their end. This is not meant as a replacement for existing security measures but as an addition.
The goal is to design a setup that uses open source materials, and which will provide flexible security functionality while at the same time being performant. There are two objectives for this project. First is to provide a reference implementation to share within the community so that the work can be duplicated if desired. Second, if sufficient interest is found within the GÉANT community we will explore providing a (multi-feed) opt-in service for sites to use for more complete protection.
This is an update on the project both in terms of where we are in the planning and implementation, but also a request for identifying groups of people who might be interested in helping us test the current operational model. This update will include the current software architecture, the set of security controls we intend to make available, the state of anycast for redundancy and performance, as well as some initial ideas about which feeds we are intending to test.
Speaker: Joeri de Ruiter (SURF) -
6
The national picture of risk: two years of UK ASM results
An organisation’s external attack surface comprises all its online (Internet-facing) assets: domains, subdomains and IP addresses, and respective websites, ports and services, components, DNS records and certificates.
Using .ac.uk domain data, Jisc conducted a scanning project of the entire .ac.uk namespace in 2024 and again in 2025. This has produced a national picture of risk of the education and research sectors. It also illuminated the range and extent of technologies deployed across the sectors.
Iain Brown, Jisc's Chief Security Architect, will present an overview of this sector-wide attack surface management (ASM) scans and its insights into its surprising findings. Gain insight into how institutional infrastructure is viewed externally and why inviting open doors and windows could and should be closed and locked. This session explores how this work is helping Jisc, universities and colleges identify risks, reduce exposure, and strengthen collective resilience.
Iain will explain the benefits of passive attack surface discovery and testing. He will give an insight how building a comprehensive view of the UK education and research sectors' exposed assets and potential vulnerabilities has been developed into a rich and valuable data resource. And he will talk about plans for this year's scanning efforts.
Speaker: Iain Brown
-
4
-
Unconference Session: NIS2 CSIRTs Mission 2 Room
Mission 2 Room
Jaarbeurs Supernova
Utrecht, NetherlandsAt SURF, we've been pilotting several types of offensive security testing for a few years now. This ranges from attack surface mapping, vulnerability scanning and cloud configuration assessment all the way to SOC-chain tests, pentests and red teaming. We are planning to group some of these efforts in a service to our members, also taking some roles in gathering fidings, making sure others can learn from those and managing follow-up by our members.
We would like to brainstorm with other NRENs how we can serve our members with this type of service. We imagine a session where several NRENs can share what they do, why and how (products, setup, governance) to then split into groups discussing specific topics. Questions we are facing that might be a start:
- When doing vulnerability scans, who has an up-to-date list of assets?
- What does a business case for doing this as an NREN look like? How do you pay for it?
- What open source tools can be used for the different types of tests, how do you host/procure them?
- Are our members ready for full-fledged red teaming exercises?
- How do we relate this to crisis exercises?Conveners: Floor Jas (SURF), Thijs Kinkhorst (SURF)-
7
Meet other NIS2 CSIRTs
This session is specific for CSIRTs are or will be formally appointed as a CSIRT under the NIS2 directive (article 10.1). We'd like to strenghten bonds and exchange experiences and ideas about the impact on the team's services portfolio, understand how governance and funding works for this role, and what challenges are faced. The goal is that we can help each other take on this new task in the best way possible.
Speakers: Floor Jas (SURF), Thijs Kinkhorst (SURF)
-
7
-
Unconference Session: Scenario session: How can we prepare for our greatest fears? Expedition Room
Expedition Room
Jaarbeurs Supernova
Utrecht, NetherlandsAt SURF, we've been pilotting several types of offensive security testing for a few years now. This ranges from attack surface mapping, vulnerability scanning and cloud configuration assessment all the way to SOC-chain tests, pentests and red teaming. We are planning to group some of these efforts in a service to our members, also taking some roles in gathering fidings, making sure others can learn from those and managing follow-up by our members.
We would like to brainstorm with other NRENs how we can serve our members with this type of service. We imagine a session where several NRENs can share what they do, why and how (products, setup, governance) to then split into groups discussing specific topics. Questions we are facing that might be a start:
- When doing vulnerability scans, who has an up-to-date list of assets?
- What does a business case for doing this as an NREN look like? How do you pay for it?
- What open source tools can be used for the different types of tests, how do you host/procure them?
- Are our members ready for full-fledged red teaming exercises?
- How do we relate this to crisis exercises?Convener: Charlie van Genuchten (SURF)-
8
Scenario Session on Our Greatest Fears
A session to combine our knowledge to discuss what could happen in case our greatest fears would become reality.
Setup of the session:- Everyone writes down one or two scenarios that they are concerned about (could be geopolitical, climate based or something different)
- We all vote which 2 or 3 we feel is most likely and impactful
- Then we have discussions in groups going through one or more of the scenarios (depending on time) discussing how this would affect our NRENs and our members and what effects this would have on the first day, after a week and after a month. Trying to get to the bottom of what cascading effects there could be and what actions we would take to mitigate the biggest problems.
- We'll wrap up with trying to formulate preventative actions as far as we have them.
Speaker: Charlie van Genuchten (SURF)
-
8
-
Welcome Drinks: Social
-
-
-
Plenary: Play More Today. Secure Tomorrow. (Keynote Nancy Beers) Progress Room
Progress Room
Jaarbeurs Supernova
Utrecht, NetherlandsHacking in essence is playing with technology.
Playing is proven to be crucial for learning, innovating and flexibility. And thus a fundamental tool for any security expert out there.
One of Nancy's favorite quotes is “If you don’t want to be replaced by a computer, don’t act like one.” By Arno Allan Penzias
So…. Are you ready to get up from your seat and add a little spice to your life with the Power of Play? Join the Nancy Beers on an exhilarating journey exploring the power of playing and playfulness in a security setting.
Using the full breadth and depth of her scientifically-backed knowledge, she shows you the ways in which play can bring measurable, impactful and positive change to the way we interact, think and create. Nancy will delve deep into the dynamics of playing in a presentation perfect for those looking to shake things up in their personal or professional lives, in teams, business and organizations.
She will combine recent insights in skills for the future with interactive games to prove her point.
Time to take playfulness seriously!
Convener: Rosanne Pouw (SURF) -
10:30
BREAK
-
Capture the Flag Expedition Room
Expedition Room
Jaarbeurs Supernova
Utrecht, NetherlandsThe CTF (Capture the Flag) challenge is a cybersecurity competition where teams or individuals search for vulnerabilities in systems and networks to find "flags," which are secret texts or point accumulations, functioning like a hacker game to develop practical skills in areas of OSINT, Web Security, Forensics and Log Analysis, Cryptography and Steganography, and GRC.
Sharing RNP Brasil's experience in promoting CTF (Capture the Flag), this exercise integrates technical and strategic areas to test knowledge of offensive and defensive security and compliance in a controlled and gamified environment, uniting teams from academic networks in Europe to complete the challenges.
Convener: Humberto Forsan (RNP)-
9
Capture the Flag: Testing knowledge of offensive and defensive security and compliance in a controlled and gamified environment
Objective: Sharing RNP Brasil's experience in promoting CTF (Capture the Flag), this exercise integrates technical and strategic areas to test knowledge of offensive and defensive security and compliance in a controlled and gamified environment, uniting teams from academic networks in Europe to complete the challenges.
Details: The CTF (Capture the Flag) challenge is a cybersecurity competition where teams or individuals search for vulnerabilities in systems and networks to find "flags," which are secret texts or point accumulations, functioning like a hacker game to develop practical skills in areas of OSINT, Web Security, Forensics and Log Analysis, Cryptography and Steganography, and GRC.
Our CTF is configured in Jeopardy mode (Challenges by categories and scoring).
For Security Days, we will assemble teams of 3 to 4 people, where mixed profiles are recommended.
We will divide the challenges into 5 pillars. The idea is that all flags require security reasoning, but not all require knowing how to program or use Kali Linux tools.
Together with the Geant team, we will still define whether to execute the following modes:
• Standard Challenges (Static and Regex): Participants submit a "flag" for validation.
• Unlockable Challenges: Allows creating dependencies between challenges. A challenge only becomes visible or accessible after a prerequisite has been met.
• Multiple Choice Questions: Ideal for checking theoretical knowledge.For the CTF, we are requesting 3 hours (30 minutes setup + 2:30 hours for the competition). However, we can adjust the time according to the Geant team's instructions.
Intended audience: This presentation is intended for professionals in the global research and education community who work to strengthen cybersecurity and risk management practices. It will be particularly relevant to research and education network security technical teams (NRENs), cybersecurity incident response team (CSIRT) members, risk management specialists, and technical leaders responsible for protecting digital infrastructure.
Speaker: Humberto Forsan (RNP)
-
9
-
DDoS Mitigation Mission 1 Room
Mission 1 Room
Jaarbeurs Supernova
Utrecht, NetherlandsDDoS attacks are a constant reality for research and education networks. The attacks keep getting bigger, the infrastructure behind them keeps evolving, and the threat actors just won't chill. This track brings together security teams, network engineers, and researchers dealing with this on the front lines.
We'll look at real attack data and what it tells us about current traffic patterns. We'll cover automated approaches for hunting threat actor infrastructure. And we'll dig into the surprising sources powering modern attacks. From IoT botnets to cheap Android TV boxes turned into DDoS machines.
Three talks, real experiences, practical takeaways. This is about understanding the current landscape, sharing what works and staying ahead of the next wave. If you're defending networks against DDoS, this track is for you.
Convener: Eugene Brin (DFN-CERT)-
10
Examining attack data to evaluate DDoS traffic assumptions
Most sites with a mature DDoS defense strategy have a number of historical assumptions baked into how traffic dynamics happen in and around the larger NREN community. These assumptions are necessary for the development of mental models and understanding for security teams, but it is important to periodically walk through real attack data and make sure that these critical assumptions still reflect how packets are getting to you.
This talk will take several examples of lessons learned from GEANT and use them to explore potential sources of exposure involving not only commodity transit, but also (public) internet exchanges, private peerings, some complex relationships with "upstream" communities, and the hyperscalars that we all know and ... peer with.
Historically traffic between NRENs has been assumed to be legitimate workflow activity. This has been largely supported by observations on intrer-NREN traffic patterns and other empirical measures. We will also explore some trends regarding this as well.
Finally I will present some examples of what happens when the assumptions we make do not end up reflecting reality. This could be because of a failure of mental models, or misconfiguration in equipment. This failure mode is important to think about and look for. Accidents happen, and if we don't look for those while examining the data it is easy to intemperate the results as attack traffic when it is not.
Summary:
- It is critical to periodically examine real attack traffic to determine if mental models are correct in terms how traffic is behaving within the network
- This is particularly true for non-commodity transit
- Misconfigurations can look like hostile trafficSpeaker: Scott Campbell (GEANT) -
11
Prevention, Detection, Response & Deception: On Canaries, Horses and Honey
This session looks at how modern security programmes combine deception techniques (such as honeypots and canaries), using practical examples from the education sector.
Speaker: Floris Dankaart-Chang (Fox-IT) -
12
The $30 Trojan horse: How off-brand Android TV boxes became DDoS infrastructure
In October 2025, Nokia Deepfield observed a 33 terabits-per-second DDoS attack against a gaming provider—a volume exceeding the total capacity of many national internet backbones. Terabit-scale attacks are now a daily occurrence, with 78% of campaigns concluding in under five minutes. The era of IoT botnets has given way to something far more insidious: residential proxy networks commanding an estimated 100 to 200 million consumer endpoints.
The attack surface has shifted. Budget Android TV boxes—sold for as little as $30 on mainstream marketplaces—increasingly ship with malware pre-installed at the factory or embedded in unofficial firmware updates. These devices arrive backdoored—not through user negligence, but compromised supply chains. The malware activates silently, enrolling each device into distributed attack infrastructure while the owner streams content unaware.
This presentation examines Kimwolf, a sophisticated botnet we analyzed extensively in a controlled laboratory environment, which exemplifies this new threat model. Unlike traditional botnets that scan for vulnerable IoT devices, Kimwolf recruits its army through a different vector: uncertified Android TV boxes, mobile phones with "free" VPN applications, and backdoored home routers. These devices sit behind NAT, invisible to external scanning, yet capable of generating attack traffic that dwarfs what security teams prepared for even two years ago.
Why should the R&E community care? Because these devices are already on your networks. Budget streaming boxes in student housing. Mobile devices running apps with embedded proxy SDKs. None of these require user error to become compromised—they arrive that way. Every affected device becomes a node in attack infrastructure that may target your own institution, or turn your network into an unwitting participant in attacks against others.
Our Kimwolf analysis revealed a multi-vector threat: UDP floods exceeding 500 Mbps from single nodes, credential stuffing campaigns against Microsoft and Instagram, and active recruitment into the PacketStream residential proxy network. The malware uses Ethereum Name Service (ENS) for resilient command-and-control, receives campaign-specific attack orders, and evades detection through sophisticated anti-analysis techniques.
What will attendees learn?
- The supply chain problem: how budget Android devices ship pre-compromised and why traditional endpoint security cannot address factory-installed malware
- The architectural shift from IoT botnets to residential proxy networks, and why scanning-based threat intelligence fails against NAT-hidden devices
- Inside Kimwolf: technical analysis of a modern DDoS botnet including C2 communication patterns, ENS-based infrastructure, and multi-vector attack capabilities
- Detection strategies for identifying compromised devices on campus networks before they participate in attacks
- The 100 Tbps horizon: what current attack growth trajectories mean for R&E network planning and why sub-60-second detection is now essential
- Disrupting botnets at the edge: why dynamic blocking of C2 communication at network boundaries will become an increasingly important defensive measure
The research and education community has historically been both target and unwitting participant in DDoS attacks. As residential proxy botnets blur the line between attacker and victim infrastructure, NRENs must evolve from reactive defense to proactive identification of compromised endpoints within their constituencies. This session provides the threat intelligence and practical detection approaches needed to begin that transition.
The presentation will include examples of captured attack traffic, C2 communication patterns, and detection signatures derived from our research.
Format: Presentation (25-30 minutes)
Track: Security Operations / Technical Deep Dive
Keywords: DDoS, botnets, residential proxies, threat intelligence, IoT securitySpeaker: Jérôme Meyer (Nokia)
-
10
-
Human Factor Mission 2 Room
Mission 2 Room
Jaarbeurs Supernova
Utrecht, NetherlandsThis track focuses on the critical role of awareness and the human factor in cybersecurity. While technology continues to evolve, people remain at the heart of both risk and resilience. These presentations explore how user behaviour, organizational culture, and effective communication shape security outcomes, highlighting that even the most advanced systems depend on informed and engaged individuals. Through practical insights and real-world examples, speakers will address how to strengthen awareness, foster a security-first mindset, and empower communities to act as the first line of defence in an increasingly complex threat landscape.
Convener: Rosanne Pouw (SURF)-
13
Onboarding as a security process – How new employees are introduced to information security in a welcoming and comprehensive manner
Many companies rely on training, awareness campaigns and technical controls for human centred security – but one crucial moment is often underestimated: the first day of new employees. This is precisely when the security culture becomes tangible – or not. A well-designed onboarding process not only ensures compliance but also invites new employees to understand security as part of their daily work – and to live it. For new employees, human-centred security does not begin with an introductory training course, but with a clear, inviting and well-thought-out onboarding process.
This presentation will contribute to the GÉANT Security Days by showing how a well-designed onboarding process can make a decisive contribution to human-centred security – beyond campaigns and training courses. Many relevant foundations are laid during the first few days at a new company. Not only the content conveyed, but also the way it is conveyed influences the perceived importance of the topic and has a lasting impact on how employees deal with information security during their induction and their membership within the organisation. The aim of the presentation is to inspire information security professionals to understand processes as a security tool: How do you design an onboarding process that introduces new employees to the company's security policies in a way that is understandable, inviting and comprehensive?
The presentation will address the importance of onboarding for security culture, outline the elements and roles that must be incorporated into an effective onboarding process, and use a concrete example from practice to illustrate how we have revised our onboarding process and what we have learned from it.
To this end, the term ‘security culture’ will be critically reviewed during the presentation and embedded in the context of human-centred security. The typical elements of an onboarding process will be examined in detail and the relevant stakeholders in the organisation will be introduced. Supporting documents and complete documentation of the process are also important components. The example from our organisation covers practical topics: communication surrounding the first day of work was analysed to find out where information on information security can be appropriately placed. Of course, security introductions when handing over work equipment also play an important role, with important tools such as password managers and VPNs being introduced. In addition, it was important to identify relevant contact persons for the new employees, such as their team leaders, and to support those persons with appropriate assistance in answering questions from the new employees. In addition, important stakeholders for the design of the process were identified and cooperation with them will be explained.
Finally, the audience is given specific take-home points that they can implement directly in their own organisations, such as how to plan communication around the start of employment or how to get in contact with relevant stakeholders to start adapting the onboarding process.
The presentation is aimed at information security professionals who are already familiar with human-centred security and are looking for practical approaches to not only communicate security, but also to embed it sustainably in an organisation.
Speaker: Fabio Greiner (Switch) -
14
From awareness to structured solutions - Helping organisations develop successful behavioural cybersecurity solutionsSpeaker: Dr Tommy van Steen (Leiden University)
-
15
Shaping the Future of Security Awareness
Since 2019, GÉANT has been running an annual awareness campaign tailored to the NREN community and its members. Over the years, the campaign has addressed key topics such as social engineering, incident reporting, and most recently, encouraging a “mindful pause” before responding to urgent or sensitive requests.
Each edition focuses on promoting key security behaviours through practical actions and tips. In 2026, we build on this approach by focusing on the importance of securing devices - recognising that our entire digital lives are increasingly stored on them.
To make this campaign as relevant and effective as possible, we invite participants to help shape it by sharing their needs and preferences.
Speaker: Cornelia Puhze (SWITCH)
-
13
-
12:30
LUNCH
-
Crisis Preparation Mission 1 Room
Mission 1 Room
Jaarbeurs Supernova
Utrecht, NetherlandsPreparing for the Next Cyber Crisis: Insights from Exercises Across Europe
This session explores how cyber crisis exercises can strengthen real‑world readiness across organisations and communities. You will hear practical insights from recent large‑scale exercises such as Cyberfortress and TALON, including lessons learned. The session also highlights how collaborative and story‑driven tabletop exercises can engage people in different roles, support better decision‑making, and make security work more meaningful. We also take a closer look at the structure and key quick wins from the TALON exercise, followed by a discussion on how these types of exercises can continue evolving within our community.
Convener: Maria Edblom Tauson (SUNET)-
16
How the claw of Talon hit the cyber-fortress Restena - Experiences and lessons learned from crisis exercises
In this presentation we will present Restena's approach to train staff members for potential future crisis. In March 2026, Restena participated in two crisis exercises, the national "cyberfortress" exercise and TALON organised by Geant. In this presentation we will highlight our experience as an exercise participant from a planner and player perspective as well as the lessons learned from the exercises.
Speakers: Cynthia Wagner (Fondation Restena), Denim Latić -
17
TALON: Preparing for a large-scale crisis with 9 N/RRENs and GÉANT
During this presentation, we will:
• Present the aims and setup of TALON
• Share the top 5 quick wins we learned from this exercise*
• Let a few different exercise leaders from the participating NRENs present how the exercise went on their side and what they gained from it
• Discuss with the room where we can go with these kinds of exercises in our community: what should be the next step?Speakers: Charlie van Genuchten (SURF), Cynthia Wagner (Fondation Restena) -
18
Increasing preparedness across entire sectors, nations
Our incident handling capabilities will always rely on people who are able to collaborate, improvise and make good decisions effectively – and collectively. Preparedness exercises with participation across organizations (and sectors) are however less common, because they quickly get complex in both planning and execution.
The talk presents takeaways from deploying national cyber exercise campaigns in the Nordics/Baltics, where 8000 people who are responsible for IT, security and preparedness from 5000 companies have participated in events based on our concept since last year. We will describe key findings from discussions and input across a wide range of sectors, roles and locations participating, to help business continuity and reduce risk across entire communities of organizations, and also their supply chains.
Since storytelling is key to effective security communications – and training, the session will also discuss the potential of using exercises outside of just incident response and crisis management teams. This is based on a research project done in collaboration with NTNU, Institute for Design, in Norway. We will therefore exemplify how interactive tabletop exercise sessions can be used to unlock active participation from people having any kind of roles, responsibilities and level of security knowledge.
This includes how activities like identification of assets, threats, vulnerabilities and requirements can become both fun and more accurate by the active involvement of people through good storytelling in context of a cyber exercise, resulting in better awareness, knowledge and a mutual feeling of responsibility for looking out for both their company and colleagues. We will also explore how scenarios can be adapted to serve various learning objectives, and of course audiences – including across multiple organizations for securing the sector and/or entire supply chain. Which may be much more useful and rewarding than filling out static compliance spreadsheets!
Speaker: Erlend Andreas Gjære (Secure Practice)
-
16
-
Interactive Workshop: Technical Investigation in Compliance Assessments Mission 2 Room
Mission 2 Room
Jaarbeurs Supernova
Utrecht, NetherlandsConvener: Jan Landsaat-
19
Technical Investigation in Compliance Assessments
Getting the facts straight is paramount when assessing compliance, but documentation and contracts only tell part of the story. At SURF Vendor Compliance, we dig deeper by applying security investigation techniques to uncover how systems really handle data.
In this interactive workshop, you’ll join compliance experts to perform a simulated tech analysis on a fictional system. Using common technical analysis methods we’ll identify potential compliance risks and learn to translate technical findings into legal and organisational insights.
Expect an interactive session where you, in groups, are hunting for clues, mistakes and leads within information that's shared with you in a cascading fashion. Sharpen your investigative and analytical skills, see compliance from a technological perspective, and discover how technical deep‑dives can strengthen your privacy and security posture alike.
This workshop was already part of CPDP Conference 2025, SURF Security & Privacy Conference 2025 and Benelux Security & Privacy meetup Luxembourg 2025.
Speaker: Jan Landsaat
-
19
-
15:00
BREAK
-
Lightning Talks Progress Room
Progress Room
Jaarbeurs Supernova
Utrecht, NetherlandsConveners: Anna Wilson, Nicole Harris (GÉANT)-
20
Designing community engagement: bringing security and privacy together across borders
Abstract:
Security and privacy are intrinsically connected. Every security incident has privacy implications, and every privacy decision relies on underlying security controls. In research and education environments, where openness, collaboration and data sharing are core values, this connection is even more pronounced. Yet in practice, security and privacy professionals still often operate in parallel, rather than together.
This lightning talk uses the Benelux Security & Privacy Meeting as a concrete example of how this gap can be bridged.Full proposal: see attached
Speaker: Davina Luyten -
21
Ingredients for Resilience
The evolution of R&E network design has shifted focus from connectivity, to performance in the early 2000s, to reliability, and most recently, to security. Nowadays, reliability and security are integrated due to increased cyber threats and physical sabotage.
In 2025, a group of experts from the global NREN community, as part of the GNA-G (Global Network Architecture Group), held around 10 workshops focused on the question: what is the state of our networks, what are the weeks spots and what can you do about it?
Unfortunately there is no silver bullet and in this presentation we would like to present some of the challenges we faced.
Speaker: Harold Teunissen (SURF) -
22
Be Mindful. Stay Safe. Empowering cybersecurity awareness in the age of AI deception
The rise of generative AI has changed how cyberattacks work, placing human judgement and attention at the centre of the threat landscape. From deepfakes and voice cloning to emotionally targeted phishing and synthetic identities, AI-driven deception exploits trust, attention, and decision-making.
This lightning talk introduces the 2025 GÉANT Cybersecurity Campaign, which addresses this challenge through the concept of digital mindfulness. Under the tagline “Be Mindful. Stay Safe.”, the campaign shifts cybersecurity awareness from fear-based messaging to reflection, critical thinking, and informed action.
The talk highlights how the campaign uses AI responsibly, including ethical voice cloning for multilingual accessibility, to counter AI-enabled threats. It showcases strategic messaging, multilingual resources, social media animations, and a webinar series featuring experts in cognitive cybersecurity. The talk demonstrates how storytelling, behavioural science, and ethical AI can converge to support the conference theme, “Securing Tomorrow Together,” by strengthening collective human resilience against AI-driven deception.Speaker: Rosanna Norman -
23
Cybersecurity Treasure Hunt
A presentation of gamification in the field of cybersecurity. How to teach people about various cybersecurity topics in a fun and simple way. The presentation will demonstrate that tasks do not have to be only on paper or on a screen, but how to introduce tactile actions and stimulate interest. The presentation will show several types of "tasks" that game organizers can adapt to the topics they want to teach participants. This is a practical example of how to teach participants about topics such as cryptography, steganography, viruses, digital trace, web applications, and other.
Audience will get insight and new ideas for their own cybersecurity awareness activities that will help them promote security ideas and strengthen general public.
Speaker: Jakov Kis -
24
The power of community
With over 600 connected organisations of varying size, skills and resources, creating a sense of community among cyber security professionals to ask questions, share threat intelligence, host webinars and advertise cyber-related vacancies was the vision that led to the creation of the Jisc Cyber Security Community. In this talk we will give an overview of how the Jisc Cyber Community has grown to over 3000 professionals (and counting...) the value it brings and how simple it was to create and maintain. We hope that sharing our experience will encourage others to give it a go and encourage those who already have, to share experiences of their own.
Speaker: Mark Tysom (Jisc) -
25
From Blame to enable: What real-world social engineering tests teach us about the human factor
See File attached for proposal content (my formatting did not work)
Speaker: Lena Büchler -
26
GÉANT Security Innovation Lab – An Incubator for Security Research
We propose a lightning talk about the GÉANT Security Innovation Lab, what it is and how to join.
The GÉANT Security Innovation Lab is a new initiative designed to strengthen and accelerate security-related innovation across the European research and education networking community. Positioned as an incubator, the Lab provides a shared environment where security research projects from NRENs and other GÉANT members can connect, gain visibility, and receive access to specialized network hardware that is typically unavailable outside production environments. This talk touches on the concept, tells how to get access and calls on the community to actively participate.
Speaker: Andrej Zieger (DFN-CERT Services GmbH) -
27
How to be just the right amount of Paranoid (Cybersecurity Edition)
Hearing the first time about cybersecurity is exciting! You will learn how to hack things and learn how to defend against hackers. Red team, blue team and even purple team, but no one has told me that I will become more aware of security, or rather, become more aware of the lack of security in my surroundings. This awareness can grow into something much more than just being aware – “being paranoid”.
Speaker: Denim Latić -
28
Zero Hour Domain Abuse: Live Signals from Zonestream
Adversaries move faster than our blocklists. A growing share of malicious infrastructure is transient: domains are registered, abused for phishing or C2, then dropped within hours. Many disappear before they ever appear in daily zone file snapshots or threat intelligence feeds. For our community, this activity is effectively invisible to standard reputation systems.
In this lightning talk I introduce Zonestream, a live threat intelligence feed developed at the University of Twente as part of the OpenINTEL project and running in production for about a year. I show how we combine Certificate Transparency logs with active RDAP and DNS measurements to identify newly registered and newly deleted domains in near real time. Attendees will see how to access these open Kafka streams to catch short lived abuse and integrate zero hour signals into existing SOC workflows.
Speaker: Raffaele Sommese (University of Twente) -
29
A mental model for better security
A mental model is the internal map we use to understand how something works. It allows us to predict outcomes, see connections, and make better decisions, especially in complex environments. Without a coherent mental model, we rely on isolated rules; with one, we can reason, adapt, and develop a stronger sense of self-efficacy.
As a practitioner I’ve realised, that many people don’t have a coherent basic mental model of the digital world we live in, which has considerable consequences not just for their safety, their organisations security but also to digital citizenship and our collective future. In 5 minutes, I’ll just cover why we’ve come up with this workshop, how we’ve developed it in co-creation with our community and how anyone can use it with their constituents.
About the GÉANT Digital Safety Fresco
The GÉANT Digital Safety Fresco is a collaborative, card-based workshop that helps non-technical participants build a clear mental model of the digital world through four pillars: data, devices, software, and networks. By making the system visible, including its hidden layers, the workshop enables participants to better understand why security practices matter and how they can be safer online.The GÉANT Digital Safety Fresco was co-created in a workshop of the Swiss Security and Learning Community in collaboration with the GÉANT Awareness Task Force for the Security Awareness Community.
Speaker: Cornelia Puhze (SWITCH) -
30
Preventative DNS level protection - filter / block the resolution of phishing, malware and more (Sponsor SecurityZones)Speaker: Arnie Bjorklund (SecurityZones)
-
31
You Can’t Defend What You Can’t See: Why Internet Data Must Power Modern SOC & Threat Intelligence (Sponsor Censys)
Effective SOC and threat intelligence operations depend on having complete visibility into the Internet, where attackers operate and infrastructure constantly changes. Comprehensive coverage ensures unknown assets and adversary infrastructure are discovered, while fresh data enables timely detection of rapidly evolving threats. When combined with deep contextual information—such as services, ownership, and relationships—Internet data becomes actionable intelligence that allows SOC teams to prioritize alerts, investigate faster, and move from reactive defense to proactive security.
Speaker: Martin Solang (Censys) -
32
Beyond IT: Why Cyber‑Physical Security Matters for Education (Sponsor Fox-IT)
Across our campuses, cyber‑physical systems (building management, HVAC, access control, lab automation) have quietly become part of our critical infrastructure. But while these systems keep our universities running, they were never designed for a threat landscape where attackers can pivot from a thermostat to a domain controller… or from a building sensor to a research network.
In five minutes, I’ll show how small misconfigurations in CPS can create risks, why traditional IT security models don’t map cleanly to operational technology, and what practical, low‑friction steps education institutions can take to reduce exposure.
Speaker: Floris Dankaart-Chang (Fox-IT) -
33
Improving cybersecurity posture of the academic sector: communications and constituency benchmarking (Sponsor ArcticSecurity)Speaker: Juha Haaga (Arctic Security)
-
20
-
Evening Social De Utrechter
De Utrechter
-
-
-
Governance, Risk & Compliance Mission 1 Room
Mission 1 Room
Jaarbeurs Supernova
Utrecht, NetherlandsOperationalizing security: from controls to decisions
This session is about making security truly actionable. Across three talks, we will follow the same journey: turning security controls into concrete outcomes.
Convener: Thibaud BADOUARD (GIP RENATER)-
34
DALIA: Reinventing Cyber Resilience for Higher Education through Scalable EASM and SOC Models
Abstract:
Higher education institutions increasingly face sophisticated cyber threats while operating with limited visibility into their external attack surfaces and constrained security capabilities. To address this systemic challenge, the Ecuadorian NREN, CEDIA, Designed and implemented DALIA (Spanish name), an integrated security initiative whose name stands for Advanced Detection and Localization of Threat Indicators. DALIA combines automated External Attack Surface Management (EASM), Threat Intelligence, Brand Protection, and a progressive adoption framework for a managed Security Operations Center (SOC) tailored to universities with diverse maturity levels.
Within its first 18 months, DALIA delivered measurable, ecosystem-wide impact:
• 194,826 compromised accounts detected and coordinated for remediation across participating institutions.
• A 20-point reduction in external risk exposure, improving the average score of 80 institutions from 58/100 to 78/100.
• 31 universities deploying managed SOC capabilities, enabling real-time visibility, correlation, and coordinated response led by CEDIA.
DALIA demonstrates how an NREN can accelerate national cyber resilience through a cooperative, cost-efficient, and fully replicable model aligned with international standards (ISO/IEC 27001, EGSI, ISO/IEC 27701, and data protection frameworks). This presentation will detail DALIA’s architecture, automation pipelines, operational methodology, lessons learned, and a roadmap for adoption in other regions. Attendees will gain a practical blueprint for scaling cybersecurity capabilities across distributed academic ecosystems, which are highly relevant for NRENs seeking to elevate their security posture with sustainable resource investment.
Keywords:
NREN Security, EASM, Threat Intelligence, SOC-as-a-Service, Higher Education Cybersecurity, CSIRT Collaboration, Brand Protection, Cyber Resilience, Automation, Academic Networks.Speakers: Badi Quinteros (CEDIA), Jorge Merchan -
35
My cloud vendor is compliant, how does that help me?
The GÉANT cloud framework - OCRE 2024 - is very successul in terms of adoption among SURF's institutions. As part of our SURFcumulus service, we perform compliance checks on the OCRE 2024 vendors available in The Netherlands. A requirement on the vendors is that they are ISO 27001 compliant.
Compliance reports on information security, particularly reports from American hyperscalers, are hundreds of pages in size. Many of the institutions we serve lack the resources and expertise to analyze these reports. We centralized the effort, leveraging the expertise from SURF's Vendor Compliance team.
In our presentation we discuss what we learnt from our analysis of ISO 27001, SOC 2, C5, and CSA STAR reporting from the 4 vendors that have the most usage in The Netherlands. We discuss our approach, our engagement with the vendors, the high-level results and our reporting to our user community. Along the way we learn that diving into the details of information security compliance leads to valuable insights into the different approaches that vendors take to information security and compliance.
Speakers: John Segers (SURF), Shiyona Keenakkottil (SURF) - 36
-
34
-
The Art of Efficiency Mission 2 Room
Mission 2 Room
Jaarbeurs Supernova
Utrecht, NetherlandsDoing more with less! Explore how members of the community improved their security with limited resources.
This session includes talks that are technical, focus on team structure and solutions to security problems big and small entities are facing.
Convener: Denim Latić-
37
Fusion teams - breaking down barriers between areas
Objective: Sharing RNP Brasil's experience in using the Fusion Teams concept for delivering projects and solutions, bringing greater integration with the teams and reducing the gaps that exist between the internal areas of information security and IT.
This concept also manages to produce a more agile and functional delivery, encompassing aspects such as governance, processes, and documentation, something that is usually lacking in the deliverables of technical teams.Details: In 2025, the Information Security team (CAIS RNP) introduced a new concept for project management, team management, and value delivery: Fusion Teams.
This concept integrates different technical areas of CAIS RNP to work collaboratively and agilely to deliver results, working towards the evolution of monitoring and incident response capabilities, governance, and information security architecture.
With this approach, we were able to carry out 3 projects where we had members working from the following teams:
• Blue Team
• GRC
• Red Team
• Architecture
• Projects
• CSIRT
• SOCThis work gave the members a sense of "ownership." Allowing not only for delivery with greater operational excellence, but also for delivery with documents, processes, and regulations from the GRC team, continuous improvement processes by the Blue Team, offensive security validation processes by the Red Team, full infrastructure validation and network design by the Architecture team, incident response planning by the CSIRT, and constant monitoring by the SOC.
In this way, we demonstrate the strategic and operational value of the Fusion Teams approach to accelerate innovation, project delivery, and digital transformation, enabling synergistic collaboration between Information Security professionals and even other areas, since we will now expand this concept to have joint deliveries with the entire RNP (Brazilian National Research and Education Network).
The operational advantage of Fusion Teams is the ability to deliver a project or system/tool implementation involving members from all areas. This allows for a more complete delivery, as it involves multiple areas, and also enables more detailed delivery with processes and governance structures already in place.Intended audience: This presentation is intended for professionals in the global research and education community who work to strengthen cybersecurity and risk management practices. It will be particularly relevant for research and education network security managers (NRENs), members of cybersecurity incident response teams (CSIRTs), risk management specialists, and technical leaders responsible for protecting digital infrastructure. It is also suitable for decision-makers, researchers, and technology vendors interested in adopting a practical approach to cybersecurity management in research and education networks.
Speaker: Humberto Forsan (RNP) -
38
RAG-Powered SOC Assistant
As a result of the ongoing project sponsored by GARR My GARR Page I will talk about a field-tested approach to using Retrieval-Augmented Generation (RAG) on top of Elasticsearch to transform raw security logs into an interactive and analyst-friendly investigation tool.
In this presentation I would like to walk through the design and implementation of Elasticsearch inside a University environment where constraint such as limited budgets, heterogeneous data sources and small to no security teams are the norm. Rather than focusing on the AI hype I would like to talk about the limitation encountered during this project and the effort required to implement this solution instead of relying to commercial solutions.
In particular, starting from normalized security logs indexed using the Elastic Common Schema I would like to explain how I leverage Elasticsearch Semantic Search on top of the existing operational knowledge base owned by each Text Generation AI model to output a reasonable and context-aware interpretation of security events, without building or maintaining a dedicated or fine-tuned knowledge base.
The RAG pipeline operates on an embedded version of the raw logs collected by the SIEM, combining a semantic vector search with traditional keywords such as source/destination IP addresses, source/destination email addresses, user identities, severity level, error code, log description and timestamps.
Once an operator interacts with the system, the RAG pipeline provides a natural language summary that links technical indicators to known adversarial tactics and provide insight on how to respond to the analyzed incident.
Finally, the presentation can broaden the perspective by discussing how AI/ML are increasingly used in offensive cybersecurity scenarios, not only as defensive tools as I discussed in a speech in GARR Security Days 2025. I will briefly explore how adversaries leverage generative models for scalable phishing, social engineering, and reconnaissance, and how these techniques influence the design assumptions and threat models of defensive RAG-based systems
Speaker: Nicolò THEI (University of Parma) -
39
Building a cybersecurity capability from scratch in Academia
Building a cybersecurity capability from scratch in an academic environment presents unique challenges and opportunities. Academia, with its open culture, diverse stakeholders, and limited resources, requires a tailored approach to cybersecurity that balances security, usability, and educational needs.
This presentation shares AGH University of Krakow’s firsthand experience in building an internal cybersecurity team, detailing the process from initial planning to operational execution. What problems have we encountered? What mistakes have we made? What successes do we have? These are the questions that will be answered here. Lessons learned from real-world implementations and strategies for continuous improvement will be highlighted, providing actionable guidance for institutions seeking to develop or enhance their cybersecurity posture, aligning with this year theme – “Securing Tomorrow Together”.
Speaker: Łukasz Faber (AGH University of Kraków)
-
37
-
Unconference Session: Offensive Security Testing Expedition Room
Expedition Room
Jaarbeurs Supernova
Utrecht, NetherlandsAt SURF, we've been pilotting several types of offensive security testing for a few years now. This ranges from attack surface mapping, vulnerability scanning and cloud configuration assessment all the way to SOC-chain tests, pentests and red teaming. We are planning to group some of these efforts in a service to our members, also taking some roles in gathering fidings, making sure others can learn from those and managing follow-up by our members.
We would like to brainstorm with other NRENs how we can serve our members with this type of service. We imagine a session where several NRENs can share what they do, why and how (products, setup, governance) to then split into groups discussing specific topics. Questions we are facing that might be a start:
- When doing vulnerability scans, who has an up-to-date list of assets?
- What does a business case for doing this as an NREN look like? How do you pay for it?
- What open source tools can be used for the different types of tests, how do you host/procure them?
- Are our members ready for full-fledged red teaming exercises?
- How do we relate this to crisis exercises?Conveners: Abdul Altawekji, Charlie van Genuchten (SURF), Joost Gadellaa (SURF)-
40
Offensive Security Testing unconference
At SURF, we've been pilotting several types of offensive security testing for a few years now. This ranges from attack surface mapping, vulnerability scanning and cloud configuration assessment all the way to SOC-chain tests, pentests and red teaming. We are planning to group some of these efforts in a service to our members, also taking some roles in gathering fidings, making sure others can learn from those and managing follow-up by our members.
We would like to brainstorm with other NRENs how we can serve our members with this type of service. We imagine a session where several NRENs can share what they do, why and how (products, setup, governance) to then split into groups discussing specific topics. Questions we are facing that might be a start:
- When doing vulnerability scans, who has an up-to-date list of assets?
- What does a business case for doing this as an NREN look like? How do you pay for it?
- What open source tools can be used for the different types of tests, how do you host/procure them?
- Are our members ready for full-fledged red teaming exercises?
- How do we relate this to crisis exercises?Speakers: Abdul Altawekji, Charlie van Genuchten (SURF), Joost Gadellaa
-
40
-
10:30
BREAK
-
Closing Plenary Progress Room
Progress Room
Jaarbeurs Supernova
Utrecht, NetherlandsConvener: Cornelia Puhze (SWITCH)-
41
Talk 1: Post-quantum cryptography for DNSSEC in practice
With the introduction of quantum computers we will be able to tackle problems that are difficult for our current computers. Unfortunately these difficult problems also include ones that we rely on for cryptographic algorithms, for example for digital signatures. The good news is that there is already a lot of work done on new post-quantum cryptographic (PQC) algorithms that cannot easily be broken by quantum computers. However, these new algorithms are not drop-in replacements due to their different properties with regard to, for example, key sizes, signature sizes, and/or computation times for signing and verification. This means that our systems and protocols might need to be (partly) redesigned to accommodate these new properties.
This is also the case for DNS, where we rely on cryptographic signatures in DNSSEC to determine whether data was not modified by a, potentially malicious, third party. DNS has been around for a long time already and is everywhere. As a result it is not easy to make changes to it and any change can take a long time before it is adopted at scale.
As the properties of the post-quantum algorithms vary so much, they have a different impact on different parts of DNS, for example due to the changes in size of the network packets or the time needed to sign or verify data. It is therefore important that we not only consider the theoretical impact of the different algorithms when deciding which ones to standardise for DNSSEC but also to determine what the practical impact would be for different types of operators. For an NREN the impact might not be the same as for a top-level domain operator.
In order to determine the practical impact, SURF works together with SIDN Labs (part of SIDN, the operator of the Dutch top-level domain .nl) to build a testbed in which we can experiment with post-quantum algorithms. The testbed is split over the two organisations in a way that is comparable with the roles they have in practice. At SIDN the nameservers run that provide the top-level domains, such as .nl. At SURF we run the nameserver for zones such as surf.nl, as well as the resolver that is used by end-users to request DNS-records. This setup allows us to experiment in a realistic setting with traffic that is comparable to our production traffic to see what the impact of different algorithms would be on our respective systems. This allows us to prepare ourselves and our members for the expected impact of the new algorithms and at the same time share our experiences as input for the standardisation process for DNSSEC.
In this presentation we will show the potential impact of new post-quantum cryptographic (PQC) algorithms (in this case with relation to DNS), we will do this by starting with a general introduction of PQC and then show how this applies to DNS. We will also discuss the setup of the testbed and (hopefully) the results of our experiments to show the practical impact for NRENs. The goal of this talk is to make the audience aware of the potential impact of PQC algorithms on an NREN as well as give them handholds to start their own experiments or join ours using the open source tooling we used in our testbed to get a more diverse view from within the NREN community.
Speaker: Joeri de Ruiter (SURF) -
42
Talk 2: Unconference Session Report: What are our Greatest Fears?Speaker: Charlie van Genuchten (SURF)
-
43
Talk 3 - The 2026 Threat Landscape for R&E
This talk will highlight the outcome of a Threat Landscaping workshop held with community experts in March 2026. Including our top ten threats, hot off the press!
Speaker: Roderick Mooi (GÉANT) -
44
Beyond tools: building an open security ecosystem for autonomy and intelligence sharing (Keynote Alexandre Dulaunoy)
Cybersecurity increasingly depends on transparency, collaboration, and trust. Yet many organizations still rely on closed platforms and opaque security technologies that limit autonomy and collective defense. Over the past 15 years, the open-source security community has demonstrated that an alternative model is not only possible but highly effective.
Projects such as MISP and the broader ecosystem of open tools developed around it show how independently built technologies can form a complete stack supporting threat intelligence sharing, incident response, and collaborative analysis across organizations and countries. Through the operational experience of the Computer Incident Response Center Luxembourg (CIRCL), these projects have helped shape new models of information sharing and open collaboration between CSIRTs, governments, private sector organizations, and research communities.
This practical experience demonstrated that open-source development is not only about publishing code. It is about creating trusted communities where security knowledge and intelligence can be shared effectively.
This talk explores why building and maintaining a fully open cybersecurity ecosystem is essential for digital autonomy. Open-source tools allow organizations to control their infrastructure, control their security capabilities, and avoid strategic dependencies on proprietary platforms.More importantly, open source enables something technology alone cannot provide: networks of trust between defenders. By openly sharing code, methodologies, and intelligence, communities can build resilient ecosystems where improvements benefit everyone.
Drawing from more than a decade of operational and development experience, this talk highlights how investing in open-source security projects strengthens collective defense, fosters innovation, and supports long-term cybersecurity sovereignty.
Speaker: Alexandre Dulaunoy (CIRCL) -
45
Closing
-
41
-
12:30
LUNCH
-
Workshop: (Practice Makes Perfect: PAW – A Crisis Exercise to Try and Take Home) Expedition Room
Expedition Room
Jaarbeurs Supernova
Utrecht, NetherlandsCrises are inevitable, and when they happen the ability to respond effectively under pressure is what makes the difference between recovery and chaos. Most organisations understand this, yet very few have the opportunity to practice their response in a realistic setting. Awareness alone is not enough, preparedness comes from doing. This workshop is designed to provide exactly that: a chance to sit together with a group of peers, some familiar and some new, and work collaboratively to solve an invented crisis scenario.
During the workshop the audience will do the PAW exercise, a simplified and reusable exercise format developed in GN5-2 by the GÉANT community. PAW was created to make crisis exercises accessible to any organisation, regardless of size or resources. It uses a pre-built scenario and role-play elements to create an engaging, realistic experience without requiring extensive preparation or budget. Participants will experience the urgency and complexity of a real crisis in a safe environment, where they can test their skills, learn from others, and understand the dynamics of decision-making under pressure.
A lot of effort and expertise has gone into creating this exercise and its predecessor CLAW. CLAW, the full-scale physical workshop, has become one of the most anticipated events in the GÉANT community and is always fully booked within days. This popularity shows how valuable these exercises are but it also means many people never get the chance to participate. By bringing PAW to Security Days, we want to give more exposure to this initiative and offer participants the opportunity to experience a simplified version of CLAW. It’s also a great way to reuse the materials we’ve developed and demonstrate how easy it is for others to adapt and run similar exercises internally or for their constituents.
The workshop will start with a short introduction to the basics of crisis management covering roles, communication, and decision-making principles before moving into the hands-on exercise. After the scenario, we will debrief together, sharing lessons learned and discussing how PAW can be adapted for different organisational contexts. This is not just about improving individual skills; it’s about empowering organisations to strengthen their preparedness without overburdening their teams.
The target audience for this session is anyone interested in practising their crisis management skills or providing hands-on crisis exercises to their organisation internally or to their connected institutions. It is particularly relevant for community representatives from Communications, NOC, CSIRT, and Information Security Management, as well as anyone responsible for organisational preparedness within NRENs and their communities.
Security Days is the perfect place for this session because crisis management is an essential part of security, yet it is often overlooked due to resource constraints. Bringing this workshop to Security Days allows us to address that gap in a practical, community-driven way. It is an opportunity for participants to practice together, exchange ideas, and leave with something tangible that strengthens resilience across the R&E community.
Conveners: Jože Hanc (ARNES), Maria Edblom Tauson (SUNET), Zoe Fischer -
Workshop: Honeynet CTI Mission 1 Room
Mission 1 Room
Jaarbeurs Supernova
Utrecht, NetherlandsJoin us for a hands‑on deep dive into modern honeypot technologies!
We’ll kick off with a brief overview of the GEANT HoneyNet initiative (Mikołaj Dobski) before moving straight into a practical HUGO session led by Václav Bartoš and Pavel Valach. In just 30‑40 minutes you’ll learn how to spin up your own HUGO honeypot, connect it to the data sharing platform, launch a simple attack against it, and explore the rich data it generates—from live traffic to the results of your own test intrusions.The second part the workshop then turns to an alternative to the HUGO solution - the T‑Pot platform, where Maciej Miłostan and Michał Ślusarczyk will guide you through deploying acknowledged honeypots (Cowrie and Dionaea), finally augmenting them with next‑generation, LLM‑driven decoys, and browsing the collected data in real time.
As such you will learn about the current scene of honeynets, their features as well as operational quirks.
In the final sandbox segment you'll put everything into practice: let the honeypot capture a suspicious file using pre‑crafted HTTP/FTP scenarios, feed it into a snadbox analysis engine and examine the forensic output.
What you’ll walk away with: Exclusive two‑week sandbox access, a month of dedicated honeynet resources, and an invitation to graduate into the GEANT‑wide Honeynet (subject to legal clearance and threat‑intelligence maturity). Spaces are limited to 20 participants—reserve your seat now and become part of the next wave of cyber‑defense innovators.
Conveners: Maciej Miłostan (PSNC), Michał Ślusarczyk, Mikołaj Dobski (PSNC), Pavel Valach, Václav Bartoš (CESNET) -
Workshop: Protecting Research and Education Networks from DDoS - What's Working, What's Not Mission 2 Room
Mission 2 Room
Jaarbeurs Supernova
Utrecht, NetherlandsDDoS attacks keep evolving, and they're not getting any easier to deal with. For research and education networks, it's less about fighting yesterday's battles and more about figuring out what's coming next. This sidemeeting is a chance for security people, NOCies, researchers, and anyone making decisions about network defense to get together, compare notes, and figure out how we can do this better: Together.
We're keeping the same two-part setup that worked well last time. First up, colleagues from European research and education networks will walk through what they've been working on lately: the technical stuff, what's actually working in operations, and the things that didn't go as planned. Real experiences from the field.
Then we switch to open discussion. This is where it gets provocative. Round table, panel format, whatever works for the room. The whole point is getting people talking. Bring your experiences, your questions, your "why doesn't this work better" frustrations. The best stuff usually comes from these conversations.
We'll keep going as long as it's useful with a hard stop at 17:00.
Convener: Eugene Brin (DFN-CERT) -
15:00
Coffee Break
-