Security Days 2026, 7-9 April 2026, Utrecht

Venue: Jaarbeurs Supernova, Utrecht, Netherlands (timezone: Europe/Amsterdam)
Description

Securing tomorrow together

Utrecht, Netherlands | 7-9 April 2026

Security is the foundation of trust, the trust that enables collaboration, innovation, and open research across borders. GÉANT Security Days 2026 brings together the community that safeguards that trust: security professionals, network experts, incident responders, and CISOs from across its NREN community and their connected institutions.

Under the theme “Securing Tomorrow Together,” this year’s conference explores how collective intelligence, shared experience, and coordinated security measures are shaping the future of cybersecurity for research and education in Europe and beyond.

Through hands-on training sessions, eye-opening keynotes, real-world case studies, and forward-looking discussions, we’ll address topics such as: cloud security, community engagement, cyber resilience, the human factor, financial constraints and practical security.

GÉANT Security Days is a working forum where ideas become solutions and collaboration drives resilience. Whether you’re leading a CSIRT, building secure networks, or shaping security policy, this is where the community comes together to secure our future.

Security Days Organisational Committee
    • Workshop: MISP / Open Source Tooling (Mission 1 Room)
      Convener: Vladislav Bidikov (MARNET / UKIM)
    • Workshop: Security Awareness Community Training - How to implement a structured approach to addressing human-related risk (Expedition Room)

      Rosanne Pouw (SURF) provides an introduction and the first hands-on training module to applying SURF’s practical awareness framework within higher education and research institutions. Participants will explore how the Plan–Do–Check–Act (PDCA) cycle can be used to structure, implement, evaluate, and continuously improve awareness initiatives in a systematic and measurable way.

      Module risk management and behaviour change:
      This workshop module, the first step in the PDCA approach, introduces participants to the strategic use of risk management as a foundation for effective awareness programmes within educational and research institutions.

      Participants will learn how to assess the current state of awareness within their institution, develop and apply a risk matrix, and connect identified risks to desired behaviours. The workshop also introduces persona development, target group analysis, and practical behaviour change models, including the COM-B model, to support structured and evidence-based interventions.

      Conveners: Davina Luyten, Rosanne Pouw (SURF)
    • Workshop: Threat Hunting (Mission 2 Room)

      Join us for a practical threat hunting workshop where we’ll dive into real-world threat scenarios based on multiple cases observed during 2025. Don’t worry if you’re not familiar with this topic — this workshop is designed for all skill levels, and we’ll start with a clear and simple introduction to basic detections so you can get comfortable before jumping into the action.

      What to Expect:

      • Learn how to hunt for threats across different scenarios, such as network-based threats, identity-based anomalies and host-based suspicious behaviour.
      • Apply threat intelligence to threat hunting.
      • Explore how to turn raw data into real detections.
      • Discover how to build your own hunting queries and detection rules.

      Bring Your Laptop!

      You’ll need your computer — in the second part of the session, we’ll break into groups to solve real-world threat hunting cases using the tools and queries we explored in the morning.

      Conveners: Gianni Castaldi, Sergio Albea
  • 11:30 AM
    Coffee Break
  • 1:30 PM
    LUNCH
  • Opening Plenary (Progress Room)
    Convener: Nicole Harris (GÉANT)
    • 1
      Welcome from GÉANT & SURF
      Speaker: Klaas Wierenga
    • 2
      The bumpy road ahead – IT security challenges of the next years (Keynote Frank Rieger)

      IT security enters a new era with the advent of agentic LLMs that can mimic the traits of successful attackers and defenders: endless patience, comprehensive knowledge and sustained focus. This new world does not, however, mean that the old problems go away. Maintaining control of your network, systems, endpoints and software has become even more important, as things are speeding up considerably in every respect. In this talk we will look at the bigger picture, where things are probably heading, and which practices keep our users secure.

    • 3
      Start your own Internet Resiliency Club (Keynote Valerie Aurora)

      Our internet access can be cut off at any time by accidents, natural disasters, and armed conflict. Climate change and current geopolitical threats make this increasingly likely in Europe. How can we prepare our communities to cope with a temporary loss of internet connectivity, and perhaps help speed the return of internet access? This talk describes how to start your own Internet Resiliency Club using LoRa radios, mesh networking, and community management.

      Valerie Aurora is an open source software engineer with more than 25 years of experience in operating systems. After moving from San Francisco to Amsterdam in 2023, she now works on improving European digital independence. She was a special rapporteur for the Cyber Resilience Act and served on the program committee for RIPE. She is the co-founder, with Sasha Romijn, of the Amsterdam Internet Resiliency Club.

      https://bowshock.nl/irc/

  • 4:00 PM
    BREAK
  • Preventive Security (Mission 1 Room)
    Convener: Nicole Harris (GÉANT)
    • 4
      Threat Modeling 101

      In today’s rapidly evolving cyber threat landscape, organisations can no longer rely solely on reactive security measures. Anticipating potential threats is essential, and threat modelling provides a structured way to do this. In this session, we will show how our team integrates threat modelling into the Cyber Threat Intelligence (CTI) reports produced as part of the GEANT GN5-2 project, delivering actionable insights for education and research institutions across Europe.
      Threat modelling involves identifying and analysing potential threats, understanding how adversaries may exploit vulnerabilities, and prioritising risks. Rather than remaining a theoretical exercise, our approach uses threat models to produce intelligence that directly supports operational and strategic decision-making.
      The presentation will introduce commonly used threat modelling frameworks and tools, including STRIDE, PASTA, and MITRE ATT&CK. These frameworks provide structure and consistency, helping analysts prioritise mitigation strategies and ensure intelligence is relevant and actionable.
      We will also cover the threat modelling lifecycle, from threat identification and analysis to validation and ongoing refinement. Testing and revisiting models is critical to maintaining accuracy and alignment with real-world risks, ensuring CTI outputs remain practical and usable by decision-makers.
      A central focus of the session will be our practical use of MITRE ATT&CK. ATT&CK offers a detailed view of adversary tactics and techniques, enabling us to map threats to the environments we support. Using examples from GN5-2 CTI reports, we will demonstrate how ATT&CK helps identify likely adversary behaviours, contextualise threats for education and research organisations, and inform mitigation strategies.
      We will then discuss how we plan to extend our reporting using MITRE D3FEND and MITRE ATT&CK Flow. D3FEND provides a structured catalogue of defensive techniques, enabling analysts to link observed adversary behaviour directly to relevant countermeasures and strengthen defensive planning. Building on this, ATT&CK Flow allows analysts to visualise attack paths by showing how adversary actions, assets, tools, and conditions connect. We will show how Flow supports hypothesis-driven analysis and helps reason about adversary behaviour even when concrete indicators are limited. Together, these approaches strengthen the connection between threat analysis and practical defensive guidance.
      Beyond our own use cases, the session will address how organisations can adopt and adapt these methods themselves. We will explore how ATT&CK, D3FEND, and Flow can serve as building blocks for bespoke threat models tailored to national contexts, sector-specific risks, or constituent communities.
      Practical steps for enabling this capability will be outlined, including establishing repeatable modelling processes, aligning models with organisational priorities, and integrating threat modelling into existing CTI and risk management workflows. This approach supports sustainable, continuously improving threat modelling rather than one-off exercises.
      By the end of the session, participants will be able to:
      - Apply MITRE ATT&CK to CTI reporting for education and research organisations.
      - Use D3FEND and ATT&CK Flow to create richer threat context and structured defensive guidance.
      - Build attack flows to visualise adversary behaviour and test hypotheses in the absence of concrete indicators.
      - Validate and refine threat models to ensure intelligence remains accurate and actionable.
      - Design and maintain bespoke threat models tailored to their countries, sectors, or constituent communities.
      - Embed threat modelling into their own intelligence activities.
      This session is aimed at security practitioners, threat analysts, and decision-makers seeking to move beyond reactive security approaches. By demonstrating how threat modelling can be embedded into intelligence reporting — and scaled for organisational use — we aim to equip participants with practical methods to prioritise threats, understand adversary behaviour, and support informed security decisions across the European education and research sector.

      Speakers: Nicole Stewart, Ms Olga Spillane (Asiera)
    • 5
      Protective DNS

      When trying to protect against malware and phishing attacks we can protect our users and systems at different levels in the network. We could, for example, block suspicious connections at our firewalls. It would be even better, though, if we could prevent clients from even trying to set up those connections in the first place. This is where the Protective DNS project (GN5-2, WP8, task 3) comes in.

      The Protective DNS project is an effort to design and implement a prototype recursive DNS resolver that will block requests for malicious domain names and thus prevent clients from even requesting the IP address for a potentially malicious host. This is transparent for the users and does not require special settings on their end. This is not meant as a replacement for existing security measures but as an addition.

      The goal is to design a setup that uses open source materials, and which will provide flexible security functionality while at the same time being performant. There are two objectives for this project. First is to provide a reference implementation to share within the community so that the work can be duplicated if desired. Second, if sufficient interest is found within the GÉANT community we will explore providing a (multi-feed) opt-in service for sites to use for more complete protection.

      This is an update on the project both in terms of where we are in the planning and implementation, but also a request for identifying groups of people who might be interested in helping us test the current operational model. This update will include the current software architecture, the set of security controls we intend to make available, the state of anycast for redundancy and performance, as well as some initial ideas about which feeds we are intending to test.

      Speaker: Joeri de Ruiter (SURF)
    • 6
      The national picture of risk: two years of UK ASM results

      An organisation’s external attack surface comprises all its online (Internet-facing) assets: domains, subdomains and IP addresses, and respective websites, ports and services, components, DNS records and certificates.

      Using .ac.uk domain data, Jisc conducted a scanning project of the entire .ac.uk namespace in 2024 and again in 2025. This has produced a national picture of risk for the education and research sectors. It also illuminated the range and extent of technologies deployed across the sectors.

      Iain Brown, Jisc's Chief Security Architect, will present an overview of these sector-wide attack surface management (ASM) scans and their surprising findings. Gain insight into how institutional infrastructure is viewed externally and why invitingly open doors and windows could and should be closed and locked. This session explores how this work is helping Jisc, universities and colleges identify risks, reduce exposure, and strengthen collective resilience.

      Iain will explain the benefits of passive attack surface discovery and testing. He will give an insight into how building a comprehensive view of the UK education and research sectors' exposed assets and potential vulnerabilities has been developed into a rich and valuable data resource. And he will talk about plans for this year's scanning efforts.

      Speaker: Iain Brown
  • Unconference Session: NIS2 CSIRTs (Mission 2 Room)
    Conveners: Floor Jas (SURF), Thijs Kinkhorst (SURF)
    • 7
      Meet other NIS2 CSIRTs

      This session is specifically for CSIRTs that are, or will be, formally appointed as a CSIRT under the NIS2 directive (article 10.1). We'd like to strengthen bonds and exchange experiences and ideas about the impact on the team's services portfolio, understand how governance and funding work for this role, and what challenges are faced. The goal is that we can help each other take on this new task in the best way possible.

      Speakers: Floor Jas (SURF), Thijs Kinkhorst (SURF)
  • Unconference Session: Scenario session: How can we prepare for our greatest fears? (Expedition Room)
    Convener: Charlie van Genuchten (SURF)
    • 8
      Scenario Session on Our Greatest Fears

      A session to combine our knowledge and discuss what could happen if our greatest fears became reality.
      Setup of the session:

      • Everyone writes down one or two scenarios that they are concerned about (could be geopolitical, climate-based or something different).
      • We all vote on which 2 or 3 we feel are most likely and impactful.
      • Then we have discussions in groups going through one or more of the scenarios (depending on time), discussing how this would affect our NRENs and our members and what effects this would have on the first day, after a week and after a month, trying to get to the bottom of what cascading effects there could be and what actions we would take to mitigate the biggest problems.
      • We'll wrap up by trying to formulate preventative actions as far as we have them.
      Speaker: Charlie van Genuchten (SURF)
  • Welcome Drinks: Social
    • Plenary: A Secure Future Starts with Playing More (Keynote Nancy Beers) (Progress Room)

      Hacking in essence is playing with technology.

      Playing is proven to be crucial for learning, innovating and flexibility. And thus a fundamental tool for any security expert out there.

      One of Nancy's favourite quotes is “If you don’t want to be replaced by a computer, don’t act like one.” (Arno Allan Penzias)

      So… are you ready to get up from your seat and add a little spice to your life with the Power of Play? Join Nancy Beers on an exhilarating journey exploring the power of playing and playfulness in a security setting.

      Using the full breadth and depth of her scientifically-backed knowledge, she shows you the ways in which play can bring measurable, impactful and positive change to the way we interact, think and create. Nancy will delve deep into the dynamics of playing in a presentation perfect for those looking to shake things up in their personal or professional lives, in teams, business and organizations.

      She will combine recent insights in skills for the future with interactive games to prove her point.

      Time to take playfulness seriously!

      Convener: Rosanne Pouw (SURF)
    • 10:30 AM
      BREAK
    • Capture the Flag (Expedition Room)

      Convener: Humberto Forsan (RNP)
      • 9
        Capture the Flag: Testing knowledge of offensive and defensive security and compliance in a controlled and gamified environment

        Objective: Sharing RNP Brasil's experience in promoting CTF (Capture the Flag), this exercise integrates technical and strategic areas to test knowledge of offensive and defensive security and compliance in a controlled and gamified environment, uniting teams from academic networks in Europe to complete the challenges.

        Details: The CTF (Capture the Flag) challenge is a cybersecurity competition where teams or individuals search for vulnerabilities in systems and networks to find "flags," which are secret texts or point accumulations, functioning like a hacker game to develop practical skills in areas of OSINT, Web Security, Forensics and Log Analysis, Cryptography and Steganography, and GRC.
        Our CTF is configured in Jeopardy mode (Challenges by categories and scoring).
        For Security Days, we will assemble teams of 3 to 4 people, where mixed profiles are recommended.
        We will divide the challenges into 5 pillars. The idea is that all flags require security reasoning, but not all require knowing how to program or use Kali Linux tools.
        Together with the Geant team, we will still define whether to execute the following modes:
        • Standard Challenges (Static and Regex): Participants submit a "flag" for validation.
        • Unlockable Challenges: Allows creating dependencies between challenges. A challenge only becomes visible or accessible after a prerequisite has been met.
        • Multiple Choice Questions: Ideal for checking theoretical knowledge.

        For the CTF, we are requesting 3 hours (30 minutes setup + 2:30 hours for the competition). However, we can adjust the time according to the Geant team's instructions.

        Intended audience: This presentation is intended for professionals in the global research and education community who work to strengthen cybersecurity and risk management practices. It will be particularly relevant to research and education network security technical teams (NRENs), cybersecurity incident response team (CSIRT) members, risk management specialists, and technical leaders responsible for protecting digital infrastructure.

        Speaker: Humberto Forsan (RNP)
    • DDoS Mitigation (Mission 1 Room)

      DDoS attacks are a constant reality for research and education networks. The attacks keep getting bigger, the infrastructure behind them keeps evolving, and the threat actors just won't chill. This track brings together security teams, network engineers, and researchers dealing with this on the front lines.

      We'll look at real attack data and what it tells us about current traffic patterns. We'll cover automated approaches for hunting threat actor infrastructure. And we'll dig into the surprising sources powering modern attacks, from IoT botnets to cheap Android TV boxes turned into DDoS machines.

      Three talks, real experiences, practical takeaways. This is about understanding the current landscape, sharing what works and staying ahead of the next wave. If you're defending networks against DDoS, this track is for you.

      Convener: Eugene Brin (DFN-CERT)
      • 10
        Examining attack data to evaluate DDoS traffic assumptions

        Most sites with a mature DDoS defense strategy have a number of historical assumptions baked into how traffic dynamics happen in and around the larger NREN community. These assumptions are necessary for the development of mental models and understanding for security teams, but it is important to periodically walk through real attack data and make sure that these critical assumptions still reflect how packets are getting to you.

        This talk will take several examples of lessons learned from GEANT and use them to explore potential sources of exposure involving not only commodity transit, but also (public) internet exchanges, private peerings, some complex relationships with "upstream" communities, and the hyperscalers that we all know and ... peer with.

        Historically, traffic between NRENs has been assumed to be legitimate workflow activity. This has been largely supported by observations of inter-NREN traffic patterns and other empirical measures. We will also explore some trends regarding this.

        Finally I will present some examples of what happens when the assumptions we make do not end up reflecting reality. This could be because of a failure of mental models, or misconfiguration in equipment. This failure mode is important to think about and look for. Accidents happen, and if we don't look for them while examining the data it is easy to misinterpret the results as attack traffic when they are not.

        Summary:
        - It is critical to periodically examine real attack traffic to determine if mental models are correct in terms of how traffic is behaving within the network
        - This is particularly true for non-commodity transit
        - Misconfigurations can look like hostile traffic

        Speaker: Scott Campbell (GEANT)
      • 11
        C2Collection: Automating Threat Actor Infrastructure Hunting

        Abstract

        Threat actors continuously evolve their C2 (command and control) infrastructure, making manual tracking unsustainable for security teams. This talk presents C2Collection, our in-house automated system for discovering, tracking, and monitoring threat actor infrastructure at scale.

        We'll demonstrate how to combine commercial scanning services (Censys, Shodan), malware feeds and sandboxes (VirusTotal, Triage), and direct C2 server fingerprinting into an automated pipeline that continuously identifies new infrastructure. Using real-world examples from campaigns like Contagious Interview (Lazarus), we'll show how automated sample feeds, YARA rules, and infrastructure correlation transform individual malware samples into comprehensive SOC intelligence and high confidence detection.

        Attendees will learn how to build their own infrastructure tracking capabilities, including techniques for C2 server fingerprinting, automation strategies for scaling collection, and practical approaches for integrating findings into detection pipelines.

        This session is designed for security operations teams, threat intelligence analysts, and incident responders who want to move from reactive IOC consumption to proactive infrastructure hunting.

        Key takeaways:

        • Practical C2 fingerprinting and discovery techniques
        • Building automated infrastructure tracking pipelines
        • Operationalizing findings for SOC detection
        Speakers: Yun Zheng Hu (Fox-IT), Mick Koomen (Fox-IT)
      • 12
        The $30 Trojan horse: How off-brand Android TV boxes became DDoS infrastructure

        In October 2025, Nokia Deepfield observed a 33 terabits-per-second DDoS attack against a gaming provider—a volume exceeding the total capacity of many national internet backbones. Terabit-scale attacks are now a daily occurrence, with 78% of campaigns concluding in under five minutes. The era of IoT botnets has given way to something far more insidious: residential proxy networks commanding an estimated 100 to 200 million consumer endpoints.

        The attack surface has shifted. Budget Android TV boxes—sold for as little as $30 on mainstream marketplaces—increasingly ship with malware pre-installed at the factory or embedded in unofficial firmware updates. These devices arrive backdoored—not through user negligence, but compromised supply chains. The malware activates silently, enrolling each device into distributed attack infrastructure while the owner streams content unaware.

        This presentation examines Kimwolf, a sophisticated botnet we analyzed extensively in a controlled laboratory environment, which exemplifies this new threat model. Unlike traditional botnets that scan for vulnerable IoT devices, Kimwolf recruits its army through a different vector: uncertified Android TV boxes, mobile phones with "free" VPN applications, and backdoored home routers. These devices sit behind NAT, invisible to external scanning, yet capable of generating attack traffic that dwarfs what security teams prepared for even two years ago.

        Why should the R&E community care? Because these devices are already on your networks. Budget streaming boxes in student housing. Mobile devices running apps with embedded proxy SDKs. None of these require user error to become compromised—they arrive that way. Every affected device becomes a node in attack infrastructure that may target your own institution, or turn your network into an unwitting participant in attacks against others.

        Our Kimwolf analysis revealed a multi-vector threat: UDP floods exceeding 500 Mbps from single nodes, credential stuffing campaigns against Microsoft and Instagram, and active recruitment into the PacketStream residential proxy network. The malware uses Ethereum Name Service (ENS) for resilient command-and-control, receives campaign-specific attack orders, and evades detection through sophisticated anti-analysis techniques.

        What will attendees learn?

        • The supply chain problem: how budget Android devices ship pre-compromised and why traditional endpoint security cannot address factory-installed malware
        • The architectural shift from IoT botnets to residential proxy networks, and why scanning-based threat intelligence fails against NAT-hidden devices
        • Inside Kimwolf: technical analysis of a modern DDoS botnet including C2 communication patterns, ENS-based infrastructure, and multi-vector attack capabilities
        • Detection strategies for identifying compromised devices on campus networks before they participate in attacks
        • The 100 Tbps horizon: what current attack growth trajectories mean for R&E network planning and why sub-60-second detection is now essential
        • Disrupting botnets at the edge: why dynamic blocking of C2 communication at network boundaries will become an increasingly important defensive measure

        The research and education community has historically been both target and unwitting participant in DDoS attacks. As residential proxy botnets blur the line between attacker and victim infrastructure, NRENs must evolve from reactive defense to proactive identification of compromised endpoints within their constituencies. This session provides the threat intelligence and practical detection approaches needed to begin that transition.

        The presentation will include examples of captured attack traffic, C2 communication patterns, and detection signatures derived from our research.


        Format: Presentation (25-30 minutes)
        Track: Security Operations / Technical Deep Dive
        Keywords: DDoS, botnets, residential proxies, threat intelligence, IoT security

        Speaker: Jérôme Meyer (Nokia)
    • Human Factor (Mission 2 Room)
      Convener: Rosanne Pouw (SURF)
      • 13
        Onboarding as a security process – How new employees are introduced to information security in a welcoming and comprehensive manner

        Many companies rely on training, awareness campaigns and technical controls for human-centred security – but one crucial moment is often underestimated: the first day of new employees. This is precisely when the security culture becomes tangible – or not. A well-designed onboarding process not only ensures compliance but also invites new employees to understand security as part of their daily work – and to live it. For new employees, human-centred security does not begin with an introductory training course, but with a clear, inviting and well-thought-out onboarding process.

        This presentation will contribute to the GÉANT Security Days by showing how a well-designed onboarding process can make a decisive contribution to human-centred security – beyond campaigns and training courses. Many relevant foundations are laid during the first few days at a new company. Not only the content conveyed, but also the way it is conveyed influences the perceived importance of the topic and has a lasting impact on how employees deal with information security during their induction and their membership within the organisation. The aim of the presentation is to inspire information security professionals to understand processes as a security tool: How do you design an onboarding process that introduces new employees to the company's security policies in a way that is understandable, inviting and comprehensive?

        The presentation will address the importance of onboarding for security culture, outline the elements and roles that must be incorporated into an effective onboarding process, and use a concrete example from practice to illustrate how we have revised our onboarding process and what we have learned from it.

        To this end, the term ‘security culture’ will be critically reviewed during the presentation and embedded in the context of human-centred security. The typical elements of an onboarding process will be examined in detail and the relevant stakeholders in the organisation will be introduced. Supporting documents and complete documentation of the process are also important components. The example from our organisation covers practical topics: communication surrounding the first day of work was analysed to find out where information on information security can be appropriately placed. Of course, security introductions when handing over work equipment also play an important role, with important tools such as password managers and VPNs being introduced. In addition, it was important to identify relevant contact persons for the new employees, such as their team leaders, and to support those persons with appropriate assistance in answering questions from the new employees. In addition, important stakeholders for the design of the process were identified and cooperation with them will be explained.

        Finally, the audience is given specific take-home points that they can implement directly in their own organisations, such as how to plan communication around the start of employment or how to get in contact with relevant stakeholders to start adapting the onboarding process.

        The presentation is aimed at information security professionals who are already familiar with human-centred security and are looking for practical approaches to not only communicate security, but also to embed it sustainably in an organisation.

        Speaker: Fabio Greiner (Switch)
      • 14
        ENISA's AR-in-a-Box - Empowering Organizations to Build Effective Cybersecurity Awareness Programmes

        Cybersecurity threats continue to evolve at an unprecedented pace, yet organisations across Europe struggle to translate regulatory mandates into sustainable, impactful awareness-raising initiatives. The human factor remains the critical link in cybersecurity defences. Building a strong cyber-aware culture is complex, resource-intensive, and often neglected. AR-in-a-Box, ENISA's practical methodology and toolkit, offers a proven, EU-wide solution to this critical gap.

        The regulatory landscape has shifted dramatically. NIS2 Directive, GDPR, DORA, and the Cyber Resilience Act now mandate that organisations design and implement robust cybersecurity awareness programmes—yet many lack the tools, guidance, and structured approach to do so effectively. Public sector institutions, critical infrastructure operators, financial entities, and SMEs are scrambling to build programmes from scratch, often duplicating effort and missing best practices.

        AR-in-a-Box bridges this gap by providing a comprehensive, methodology-driven framework that transforms compliance obligations into actionable, engaging awareness initiatives.

        Developed by ENISA, AR-in-a-Box is a free, open, and scalable toolkit comprising:

          - Strategic methodology for designing awareness programmes aligned with organisational risk and objectives

          - Ready-to-use templates for campaigns, communications, and key messages

          - Interactive resources including games, simulations, tabletop exercises, and e-learning modules

          - Measurement frameworks with KPIs to evaluate programme effectiveness and demonstrate impact

          - Crisis communication guidance for incident response and post-incident learning

        Speaker: Christina Skouloudi (ENISA)
    • 12:30 PM
      LUNCH
    • Crisis Preparation Mission 1 Room

      Mission 1 Room

      Jaarbeurs Supernova

      Utrecht, Netherlands

      Preparing for the Next Cyber Crisis: Insights from Exercises Across Europe

      This session explores how cyber crisis exercises can strengthen real‑world readiness across organisations and communities. You will hear practical insights from recent large‑scale exercises such as Cyberfortress and TALON, including lessons learned. The session also highlights how collaborative and story‑driven tabletop exercises can engage people in different roles, support better decision‑making, and make security work more meaningful. We also take a closer look at the structure and key quick wins from the TALON exercise, followed by a discussion on how these types of exercises can continue evolving within our community.

      Convener: Maria Edblom Tauson (SUNET)
      • 15
        How the claw of Talon hit the cyber-fortress Restena - Experiences and lessons learned from crisis exercises

        In this presentation we will present Restena's approach to training staff members for potential future crises. In March 2026, Restena participated in two crisis exercises, the national "cyberfortress" exercise and TALON organised by GÉANT. In this presentation we will highlight our experience as an exercise participant from a planner and player perspective as well as the lessons learned from the exercises.

        Speakers: Cynthia Wagner (Fondation Restena), Denim Latić
      • 16
        Increasing preparedness across entire sectors, nations

        Our incident handling capabilities will always rely on people who are able to collaborate, improvise and make good decisions effectively – and collectively. Preparedness exercises with participation across organizations (and sectors) are however less common, because they quickly get complex in both planning and execution.

        The talk presents takeaways from deploying national cyber exercise campaigns in the Nordics/Baltics, where 8000 people who are responsible for IT, security and preparedness from 5000 companies have participated in events based on our concept since last year. We will describe key findings from discussions and input across a wide range of sectors, roles and locations participating, to help business continuity and reduce risk across entire communities of organizations, and also their supply chains.

        Since storytelling is key to effective security communications and training, the session will also discuss the potential of using exercises outside of just incident response and crisis management teams. This is based on a research project done in collaboration with NTNU, Institute for Design, in Norway. We will therefore exemplify how interactive tabletop exercise sessions can be used to unlock active participation from people in any kind of role, with any responsibilities and level of security knowledge.

        This includes how activities like identification of assets, threats, vulnerabilities and requirements can become both fun and more accurate by the active involvement of people through good storytelling in the context of a cyber exercise, resulting in better awareness, knowledge and a mutual feeling of responsibility for looking out for both their company and colleagues. We will also explore how scenarios can be adapted to serve various learning objectives, and of course audiences, including across multiple organizations for securing the sector and/or entire supply chain, which may be much more useful and rewarding than filling out static compliance spreadsheets!

        Speaker: Erlend Andreas Gjære (Secure Practice)
      • 17
        TALON: Preparing for a large-scale crisis with 9 N/RRENs and GÉANT

        During this presentation, we will:
        • Present the aims and setup of TALON
        • Share the top 5 quick wins we learned from this exercise*
        • Let a few different exercise leaders from the participating NRENs present how the exercise went on their side and what they gained from it
        • Discuss with the room where we can go with these kinds of exercises in our community: what should be the next step?

        Speakers: Charlie van Genuchten (SURF), Cynthia Wagner (Fondation Restena)
    • Interactive Workshop: Technical Investigation in Compliance Assessments Mission 2 Room

      Mission 2 Room

      Jaarbeurs Supernova

      Utrecht, Netherlands
      Convener: Jan Landsaat
      • 18
        Technical Investigation in Compliance Assessments

        Getting the facts straight is paramount when assessing compliance, but documentation and contracts only tell part of the story. At SURF Vendor Compliance, we dig deeper by applying security investigation techniques to uncover how systems really handle data.

        In this interactive workshop, you’ll join compliance experts to perform a simulated tech analysis on a fictional system. Using common technical analysis methods we’ll identify potential compliance risks and learn to translate technical findings into legal and organisational insights.

        Expect an interactive session where you, in groups, are hunting for clues, mistakes and leads within information that's shared with you in a cascading fashion. Sharpen your investigative and analytical skills, see compliance from a technological perspective, and discover how technical deep‑dives can strengthen your privacy and security posture alike.

        This workshop was already part of CPDP Conference 2025, SURF Security & Privacy Conference 2025 and Benelux Security & Privacy meetup Luxembourg 2025.

        Speaker: Jan Landsaat
    • 3:00 PM
      BREAK
    • Lightning Talks Progress Room

      Progress Room

      Jaarbeurs Supernova

      Utrecht, Netherlands
      Conveners: Anna Wilson, Nicole Harris (GÉANT)
      • 19
        Be Mindful. Stay Safe. Empowering cybersecurity awareness in the age of AI deception

        The rise of generative AI has changed how cyberattacks work, placing human judgement and attention at the centre of the threat landscape. From deepfakes and voice cloning to emotionally targeted phishing and synthetic identities, AI-driven deception exploits trust, attention, and decision-making.
        This lightning talk introduces the 2025 GÉANT Cybersecurity Campaign, which addresses this challenge through the concept of digital mindfulness. Under the tagline “Be Mindful. Stay Safe.”, the campaign shifts cybersecurity awareness from fear-based messaging to reflection, critical thinking, and informed action.
        The talk highlights how the campaign uses AI responsibly, including ethical voice cloning for multilingual accessibility, to counter AI-enabled threats. It showcases strategic messaging, multilingual resources, social media animations, and a webinar series featuring experts in cognitive cybersecurity. The talk demonstrates how storytelling, behavioural science, and ethical AI can converge to support the conference theme, “Securing Tomorrow Together,” by strengthening collective human resilience against AI-driven deception.

        Speaker: Rosanna Norman
      • 20
        How well can AI detection work? Learning from Extreme Cyber data

        Cybersecurity detection in research and education networks operates under conditions that are often extreme rather than ideal: high traffic variability, partial visibility, heterogeneous infrastructures, and rapidly evolving threats. For National Research and Education Networks (NRENs) and large-scale research infrastructures, the challenge is not to assume perfect data, but to make the most of the data that is actually available, even when conditions are adverse. In this context, understanding how detection models can perform at their best under extreme conditions becomes a critical research and operational question.
        This lightning talk presents a cybersecurity use case developed within the ExtremeXP Horizon Europe project, with direct relevance to the GÉANT community. We demonstrate how the ExtremeXP experimentation platform is used to generate fit-for-purpose scenario datasets from extreme data, enabling the training of detection models that achieve maximal performance given realistic constraints.
        In this work, fit-for-purpose datasets do not refer to artificially clean or idealised data. Instead, they are datasets extracted and constructed from experimental conditions that are explicitly extreme: high noise levels, sparse or incomplete observations, intense or stealthy attacks, and stressed infrastructures. Using ExtremeXP, we orchestrate large-scale experimental campaigns where multiple parameters (attack dynamics, network configurations, monitoring fidelity, data loss, and labeling uncertainty) are systematically varied across extreme ranges.
        The ExtremeXP platform enables automated exploration of these high-dimensional experimental spaces, allowing us to identify parameter combinations where meaningful signals can still be extracted despite adverse conditions. From these experiments, we generate datasets that capture the most informative representations of threats under stress. These datasets represent fit-for-purpose learning opportunities within extreme environments: they show how well detection models can perform when the available data is exploited optimally, even when conditions are far from ideal.
        This approach is particularly relevant for cybersecurity, where operational datasets are often constrained by privacy requirements, performance limitations, and incomplete visibility. Rather than treating these constraints as purely negative factors, ExtremeXP allows us to study how different experimental configurations influence the learnability of threats. By comparing datasets generated across extreme conditions, we can distinguish between scenarios where detection performance is fundamentally limited and those where improved experimental design or data handling can unlock better results.
        The resulting fit-for-purpose datasets are used to train machine learning based detection models for various cybersecurity threats, such as anomalous network behavior or intrusion patterns. Training on these datasets allows us to evaluate the upper performance bounds achievable with the data at hand, rather than under hypothetical ideal conditions. This provides valuable insight into model robustness, sensitivity to extreme parameters, and practical deployment expectations.
        For the GÉANT Security Days audience, this methodology offers a structured way to reason about detection capabilities across heterogeneous and stressed environments typical of research and education networks. It supports evidence-based decisions about monitoring strategies, data collection trade-offs, and model selection, grounded in systematic experimentation rather than isolated benchmarks.
        This lightning talk will introduce the ExtremeXP platform, explain the notion of fit-for-purpose datasets derived from extreme data, and present key lessons learned from applying this approach to cybersecurity detection. Ultimately, it shows how extreme-scale experimentation can help cybersecurity practitioners and researchers extract maximum value from imperfect data, turning extreme conditions into a source of insight rather than uncertainty.

        Speaker: Mr Nil Ortiz Rabella (i2CAT)
      • 21
        Ingredients for Resilience

        The evolution of R&E network design has shifted focus from connectivity, to performance in the early 2000s, to reliability, and most recently, to security. Nowadays, reliability and security are integrated due to increased cyber threats and physical sabotage.

        In 2025, a group of experts from the global NREN community, as part of the GNA-G (Global Network Architecture Group), held around 10 workshops focused on the question: what is the state of our networks, what are the weak spots and what can you do about it?

        Unfortunately there is no silver bullet, and in this presentation we would like to present some of the challenges we faced.

        Speaker: Harold Teunissen (SURF)
      • 22
        Designing community engagement: bringing security and privacy together across borders

        Abstract:
        Security and privacy are intrinsically connected. Every security incident has privacy implications, and every privacy decision relies on underlying security controls. In research and education environments, where openness, collaboration and data sharing are core values, this connection is even more pronounced. Yet in practice, security and privacy professionals still often operate in parallel, rather than together.
        This lightning talk uses the Benelux Security & Privacy Meeting as a concrete example of how this gap can be bridged.

        Full proposal: see attached

        Speaker: Davina Luyten
      • 23
        Cybersecurity Treasure Hunt

        A presentation of gamification in the field of cybersecurity. How to teach people about various cybersecurity topics in a fun and simple way. The presentation will demonstrate that tasks do not have to be only on paper or on a screen, but how to introduce tactile actions and stimulate interest. The presentation will show several types of "tasks" that game organizers can adapt to the topics they want to teach participants. This is a practical example of how to teach participants about topics such as cryptography, steganography, viruses, digital traces, web applications, and others.

        The audience will get insights and new ideas for their own cybersecurity awareness activities that will help them promote security ideas and strengthen the general public.

        Speaker: Jakov Kis
      • 24
        The power of community

        With over 600 connected organisations of varying size, skills and resources, creating a sense of community among cyber security professionals to ask questions, share threat intelligence, host webinars and advertise cyber-related vacancies was the vision that led to the creation of the Jisc Cyber Security Community. In this talk we will give an overview of how the Jisc Cyber Community has grown to over 3000 professionals (and counting...) the value it brings and how simple it was to create and maintain. We hope that sharing our experience will encourage others to give it a go and encourage those who already have, to share experiences of their own.

        Speaker: Mark Tysom (Jisc)
      • 25
        From Blame to enable: What real-world social engineering tests teach us about the human factor

        See File attached for proposal content (my formatting did not work)

        Speaker: Lena Büchler
      • 26
        GÉANT Security Innovation Lab – An Incubator for Security Research

        We propose a lightning talk about the GÉANT Security Innovation Lab, what it is and how to join.

        The GÉANT Security Innovation Lab is a new initiative designed to strengthen and accelerate security-related innovation across the European research and education networking community. Positioned as an incubator, the Lab provides a shared environment where security research projects from NRENs and other GÉANT members can connect, gain visibility, and receive access to specialized network hardware that is typically unavailable outside production environments. This talk touches on the concept, tells how to get access and calls on the community to actively participate.

        Speaker: Andrej Zieger (DFN-CERT Services GmbH)
      • 27
        How to be just the right amount of Paranoid (Cybersecurity Edition)

        Hearing about cybersecurity for the first time is exciting! You will learn how to hack things and learn how to defend against hackers. Red team, blue team and even purple team, but no one told me that I would become more aware of security, or rather, become more aware of the lack of security in my surroundings. This awareness can grow into something much more than just being aware – “being paranoid”.

        Speaker: Denim Latić
      • 28
        Zero Hour Domain Abuse: Live Signals from Zonestream

        Adversaries move faster than our blocklists. A growing share of malicious infrastructure is transient: domains are registered, abused for phishing or C2, then dropped within hours. Many disappear before they ever appear in daily zone file snapshots or threat intelligence feeds. For our community, this activity is effectively invisible to standard reputation systems.

        In this lightning talk I introduce Zonestream, a live threat intelligence feed developed at the University of Twente as part of the OpenINTEL project and running in production for about a year. I show how we combine Certificate Transparency logs with active RDAP and DNS measurements to identify newly registered and newly deleted domains in near real time. Attendees will see how to access these open Kafka streams to catch short-lived abuse and integrate zero-hour signals into existing SOC workflows.

        Speaker: Raffaele Sommese (University of Twente)
      • 29
        A mental model for better security

        A mental model is the internal map we use to understand how something works. It allows us to predict outcomes, see connections, and make better decisions, especially in complex environments. Without a coherent mental model, we rely on isolated rules; with one, we can reason, adapt, and develop a stronger sense of self-efficacy.

        As a practitioner I’ve realised that many people don’t have a coherent basic mental model of the digital world we live in, which has considerable consequences not just for their safety and their organisations’ security but also for digital citizenship and our collective future. In 5 minutes, I’ll just cover why we’ve come up with this workshop, how we’ve developed it in co-creation with our community and how anyone can use it with their constituents.

        About the GÉANT Digital Safety Fresco
        The GÉANT Digital Safety Fresco is a collaborative, card-based workshop that helps non-technical participants build a clear mental model of the digital world through four pillars: data, devices, software, and networks. By making the system visible, including its hidden layers, the workshop enables participants to better understand why security practices matter and how they can be safer online.

        The GÉANT Digital Safety Fresco was co-created in a workshop of the Swiss Security and Learning Community in collaboration with the GÉANT Awareness Task Force for the Security Awareness Community.

        Speaker: Cornelia Puhze (SWITCH)
      • 30
        Sponsor 1 - SecurityZones
      • 31
        Improving cybersecurity posture of the academic sector: communications and constituency benchmarking (Sponsor ArcticSecurity)
        Speaker: Juha Haaga (Arctic Security)
      • 32
        Sponsor 3 - Censys
      • 33
        Beyond IT: Why Cyber‑Physical Security Matters for Education (Sponsor Fox-IT)

        Across our campuses, cyber‑physical systems (building management, HVAC, access control, lab automation) have quietly become part of our critical infrastructure. But while these systems keep our universities running, they were never designed for a threat landscape where attackers can pivot from a thermostat to a domain controller… or from a building sensor to a research network.

        In five minutes, I’ll show how small misconfigurations in CPS can create risks, why traditional IT security models don’t map cleanly to operational technology, and what practical, low‑friction steps education institutions can take to reduce exposure.

        Speaker: Floris Dankaart-Chang (Fox-IT)
    • Evening Social De Utrechter

      De Utrechter

    • Governance, Risk & Compliance Mission 1 Room

      Mission 1 Room

      Jaarbeurs Supernova

      Utrecht, Netherlands

      Operationalizing security: from controls to decisions

      This session is about making security truly actionable. Across three talks, we will follow the same journey: turning security controls into concrete outcomes.

      Convener: Thibaud BADOUARD (GIP RENATER)
      • 34
        DALIA: Reinventing Cyber Resilience for Higher Education through Scalable EASM and SOC Models

        Abstract:
        Higher education institutions increasingly face sophisticated cyber threats while operating with limited visibility into their external attack surfaces and constrained security capabilities. To address this systemic challenge, the Ecuadorian NREN, CEDIA, designed and implemented DALIA (Spanish name), an integrated security initiative whose name stands for Advanced Detection and Localization of Threat Indicators. DALIA combines automated External Attack Surface Management (EASM), Threat Intelligence, Brand Protection, and a progressive adoption framework for a managed Security Operations Center (SOC) tailored to universities with diverse maturity levels.
        Within its first 18 months, DALIA delivered measurable, ecosystem-wide impact:
        • 194,826 compromised accounts detected and coordinated for remediation across participating institutions.
        • A 20-point reduction in external risk exposure, improving the average score of 80 institutions from 58/100 to 78/100.
        • 31 universities deploying managed SOC capabilities, enabling real-time visibility, correlation, and coordinated response led by CEDIA.
        DALIA demonstrates how an NREN can accelerate national cyber resilience through a cooperative, cost-efficient, and fully replicable model aligned with international standards (ISO/IEC 27001, EGSI, ISO/IEC 27701, and data protection frameworks). This presentation will detail DALIA’s architecture, automation pipelines, operational methodology, lessons learned, and a roadmap for adoption in other regions. Attendees will gain a practical blueprint for scaling cybersecurity capabilities across distributed academic ecosystems, which are highly relevant for NRENs seeking to elevate their security posture with sustainable resource investment.
        Keywords:
        NREN Security, EASM, Threat Intelligence, SOC-as-a-Service, Higher Education Cybersecurity, CSIRT Collaboration, Brand Protection, Cyber Resilience, Automation, Academic Networks.

        Speakers: Badi Quinteros (CEDIA), Jorge Merchan
      • 35
        My cloud vendor is compliant, how does that help me?

        The GÉANT cloud framework - OCRE 2024 - is very successful in terms of adoption among SURF's institutions. As part of our SURFcumulus service, we perform compliance checks on the OCRE 2024 vendors available in The Netherlands. A requirement on the vendors is that they are ISO 27001 compliant.

        Compliance reports on information security, particularly reports from American hyperscalers, are hundreds of pages in size. Many of the institutions we serve lack the resources and expertise to analyze these reports. We centralized the effort, leveraging the expertise from SURF's Vendor Compliance team.

        In our presentation we discuss what we learnt from our analysis of ISO 27001, SOC 2, C5, and CSA STAR reporting from the 4 vendors that have the most usage in The Netherlands. We discuss our approach, our engagement with the vendors, the high-level results and our reporting to our user community. Along the way we learn that diving into the details of information security compliance leads to valuable insights into the different approaches that vendors take to information security and compliance.

        Speakers: John Segers (SURF), Shiyona Keenakkottil (SURF)
    • The Art of Efficiency Mission 2 Room

      Mission 2 Room

      Jaarbeurs Supernova

      Utrecht, Netherlands

      Doing more with less! Explore how members of the community improved their security with limited resources.

      This session includes talks that are technical, focus on team structure and solutions to security problems big and small entities are facing.

      Convener: Denim Latić
      • 36
        Fusion teams - breaking down barriers between areas

        Objective: Sharing RNP Brasil's experience in using the Fusion Teams concept for delivering projects and solutions, bringing greater integration with the teams and reducing the gaps that exist between the internal areas of information security and IT.
        This concept also manages to produce a more agile and functional delivery, encompassing aspects such as governance, processes, and documentation, something that is usually lacking in the deliverables of technical teams.

        Details: In 2025, the Information Security team (CAIS RNP) introduced a new concept for project management, team management, and value delivery: Fusion Teams.
        This concept integrates different technical areas of CAIS RNP to work collaboratively and agilely to deliver results, working towards the evolution of monitoring and incident response capabilities, governance, and information security architecture.
        With this approach, we were able to carry out 3 projects where we had members working from the following teams:
        • Blue Team
        • GRC
        • Red Team
        • Architecture
        • Projects
        • CSIRT
        • SOC

        This work gave the members a sense of "ownership," allowing not only for delivery with greater operational excellence, but also for delivery with documents, processes, and regulations from the GRC team, continuous improvement processes by the Blue Team, offensive security validation processes by the Red Team, full infrastructure validation and network design by the Architecture team, incident response planning by the CSIRT, and constant monitoring by the SOC.
        In this way, we demonstrate the strategic and operational value of the Fusion Teams approach to accelerate innovation, project delivery, and digital transformation, enabling synergistic collaboration between Information Security professionals and even other areas, since we will now expand this concept to have joint deliveries with the entire RNP (Brazilian National Research and Education Network).
        The operational advantage of Fusion Teams is the ability to deliver a project or system/tool implementation involving members from all areas. This allows for a more complete delivery, as it involves multiple areas, and also enables more detailed delivery with processes and governance structures already in place.

        Intended audience: This presentation is intended for professionals in the global research and education community who work to strengthen cybersecurity and risk management practices. It will be particularly relevant for research and education network security managers (NRENs), members of cybersecurity incident response teams (CSIRTs), risk management specialists, and technical leaders responsible for protecting digital infrastructure. It is also suitable for decision-makers, researchers, and technology vendors interested in adopting a practical approach to cybersecurity management in research and education networks.

        Speaker: Humberto Forsan (RNP)
      • 37
        RAG-Powered SOC Assistant

        As a result of the ongoing project sponsored by GARR My GARR Page I will talk about a field-tested approach to using Retrieval-Augmented Generation (RAG) on top of Elasticsearch to transform raw security logs into an interactive and analyst-friendly investigation tool.

        In this presentation I would like to walk through the design and implementation of Elasticsearch inside a University environment where constraints such as limited budgets, heterogeneous data sources and small to no security teams are the norm. Rather than focusing on the AI hype, I would like to talk about the limitations encountered during this project and the effort required to implement this solution instead of relying on commercial solutions.

        In particular, starting from normalized security logs indexed using the Elastic Common Schema I would like to explain how I leverage Elasticsearch Semantic Search on top of the existing operational knowledge base owned by each Text Generation AI model to output a reasonable and context-aware interpretation of security events, without building or maintaining a dedicated or fine-tuned knowledge base.

        The RAG pipeline operates on an embedded version of the raw logs collected by the SIEM, combining a semantic vector search with traditional keywords such as source/destination IP addresses, source/destination email addresses, user identities, severity level, error code, log description and timestamps.

        Once an operator interacts with the system, the RAG pipeline provides a natural language summary that links technical indicators to known adversarial tactics and provides insight on how to respond to the analyzed incident.

        Finally, the presentation can broaden the perspective by discussing how AI/ML are increasingly used in offensive cybersecurity scenarios, not only as defensive tools, as I discussed in a speech at GARR Security Days 2025. I will briefly explore how adversaries leverage generative models for scalable phishing, social engineering, and reconnaissance, and how these techniques influence the design assumptions and threat models of defensive RAG-based systems.

        Speaker: Nicolò THEI (University of Parma)
      • 38
        Building a cybersecurity capability from scratch in Academia

        Building a cybersecurity capability from scratch in an academic environment presents unique challenges and opportunities. Academia, with its open culture, diverse stakeholders, and limited resources, requires a tailored approach to cybersecurity that balances security, usability, and educational needs.

        This presentation shares AGH University of Krakow’s firsthand experience in building an internal cybersecurity team, detailing the process from initial planning to operational execution. What problems have we encountered? What mistakes have we made? What successes do we have? These are the questions that will be answered here. Lessons learned from real-world implementations and strategies for continuous improvement will be highlighted, providing actionable guidance for institutions seeking to develop or enhance their cybersecurity posture, aligning with this year's theme – “Securing Tomorrow Together”.

        Speaker: Łukasz Faber (AGH University of Kraków)
    • Unconference Session: Offensive Security Testing
      Conveners: Abdul Altawekji, Charlie van Genuchten (SURF), Joost Gadellaa (SURF)
      • 39
        Offensive Security Testing unconference

        At SURF, we've been piloting several types of offensive security testing for a few years now. This ranges from attack surface mapping, vulnerability scanning and cloud configuration assessment all the way to SOC-chain tests, pentests and red teaming. We are planning to group some of these efforts in a service to our members, also taking some roles in gathering findings, making sure others can learn from those and managing follow-up by our members.

        We would like to brainstorm with other NRENs how we can serve our members with this type of service. We imagine a session where several NRENs can share what they do, why and how (products, setup, governance) to then split into groups discussing specific topics. Questions we are facing that might be a start:
        - When doing vulnerability scans, who has an up-to-date list of assets?
        - What does a business case for doing this as an NREN look like? How do you pay for it?
        - What open source tools can be used for the different types of tests, how do you host/procure them?
        - Are our members ready for full-fledged red teaming exercises?
        - How do we relate this to crisis exercises?

        Speakers: Abdul Altawekji, Charlie van Genuchten (SURF), Joost Gadellaa
    • 10:30 AM
      BREAK
    • Closing Plenary Progress Room

      Progress Room

      Jaarbeurs Supernova

      Utrecht, Netherlands
      Convener: Cornelia Puhze (SWITCH)
      • 40
        Talk 1: Post-quantum cryptography for DNSSEC in practice

        With the introduction of quantum computers we will be able to tackle problems that are difficult for our current computers. Unfortunately these difficult problems also include ones that we rely on for cryptographic algorithms, for example for digital signatures. The good news is that there is already a lot of work done on new post-quantum cryptographic (PQC) algorithms that cannot easily be broken by quantum computers. However, these new algorithms are not drop-in replacements due to their different properties with regard to, for example, key sizes, signature sizes, and/or computation times for signing and verification. This means that our systems and protocols might need to be (partly) redesigned to accommodate these new properties.

        This is also the case for DNS, where we rely on cryptographic signatures in DNSSEC to determine whether data was modified by a potentially malicious third party. DNS has been around for a long time already and is everywhere. As a result, it is not easy to make changes to it, and any change can take a long time before it is adopted at scale.

        As the properties of the post-quantum algorithms vary so much, they have a different impact on different parts of DNS, for example due to the changes in size of the network packets or the time needed to sign or verify data. It is therefore important that we not only consider the theoretical impact of the different algorithms when deciding which ones to standardise for DNSSEC but also determine what the practical impact would be for different types of operators. For an NREN the impact might not be the same as for a top-level domain operator.

        In order to determine the practical impact, SURF works together with SIDN Labs (part of SIDN, the operator of the Dutch top-level domain .nl) to build a testbed in which we can experiment with post-quantum algorithms. The testbed is split over the two organisations in a way that is comparable with the roles they have in practice. At SIDN run the nameservers that provide the top-level domains, such as .nl. At SURF we run the nameserver for zones such as surf.nl, as well as the resolver that is used by end-users to request DNS records. This setup allows us to experiment in a realistic setting with traffic that is comparable to our production traffic to see what the impact of different algorithms would be on our respective systems. This allows us to prepare ourselves and our members for the expected impact of the new algorithms and at the same time share our experiences as input for the standardisation process for DNSSEC.

        In this presentation we will show the potential impact of new post-quantum cryptographic (PQC) algorithms (in this case in relation to DNS). We will do this by starting with a general introduction of PQC and then showing how this applies to DNS. We will also discuss the setup of the testbed and (hopefully) the results of our experiments to show the practical impact for NRENs. The goal of this talk is to make the audience aware of the potential impact of PQC algorithms on an NREN as well as give them handholds to start their own experiments or join ours using the open source tooling we used in our testbed, to get a more diverse view from within the NREN community.

        Speaker: Joeri de Ruiter (SURF)
      • 41
        Talk 2: Unconference Session Report: What are our Greatest Fears?
        Speaker: Charlie van Genuchten (SURF)
      • 42
        Talk 3: The 2025-2026 Threat Landscape for R&E

        This talk will highlight the outcome of a Threat Landscaping workshop held with community experts in March 2026, including our top ten threats, hot off the press!

        Speaker: Roderick Mooi (GÉANT)
      • 43
        Keynote 4: Alexandre Dulaunoy
      • 44
        Closing
    • 12:30 PM
      LUNCH
    • Workshop: (Practice Makes Perfect: PAW – A Crisis Exercise to Try and Take Home) Expedition Room

      Expedition Room

      Jaarbeurs Supernova

      Utrecht, Netherlands

      Crises are inevitable, and when they happen the ability to respond effectively under pressure is what makes the difference between recovery and chaos. Most organisations understand this, yet very few have the opportunity to practice their response in a realistic setting. Awareness alone is not enough; preparedness comes from doing. This workshop is designed to provide exactly that: a chance to sit together with a group of peers, some familiar and some new, and work collaboratively to solve an invented crisis scenario.

      During the workshop the audience will do the PAW exercise, a simplified and reusable exercise format developed in GN5-2 by the GÉANT community. PAW was created to make crisis exercises accessible to any organisation, regardless of size or resources. It uses a pre-built scenario and role-play elements to create an engaging, realistic experience without requiring extensive preparation or budget. Participants will experience the urgency and complexity of a real crisis in a safe environment, where they can test their skills, learn from others, and understand the dynamics of decision-making under pressure.

      A lot of effort and expertise has gone into creating this exercise and its predecessor CLAW. CLAW, the full-scale physical workshop, has become one of the most anticipated events in the GÉANT community and is always fully booked within days. This popularity shows how valuable these exercises are, but it also means many people never get the chance to participate. By bringing PAW to Security Days, we want to give more exposure to this initiative and offer participants the opportunity to experience a simplified version of CLAW. It’s also a great way to reuse the materials we’ve developed and demonstrate how easy it is for others to adapt and run similar exercises internally or for their constituents.

      The workshop will start with a short introduction to the basics of crisis management covering roles, communication, and decision-making principles before moving into the hands-on exercise. After the scenario, we will debrief together, sharing lessons learned and discussing how PAW can be adapted for different organisational contexts. This is not just about improving individual skills; it’s about empowering organisations to strengthen their preparedness without overburdening their teams.

      The target audience for this session is anyone interested in practising their crisis management skills or providing hands-on crisis exercises to their organisation internally or to their connected institutions. It is particularly relevant for community representatives from Communications, NOC, CSIRT, and Information Security Management, as well as anyone responsible for organisational preparedness within NRENs and their communities.

      Security Days is the perfect place for this session because crisis management is an essential part of security, yet it is often overlooked due to resource constraints. Bringing this workshop to Security Days allows us to address that gap in a practical, community-driven way. It is an opportunity for participants to practice together, exchange ideas, and leave with something tangible that strengthens resilience across the R&E community.

      Conveners: Jože Hanc (ARNES), Maria Edblom Tauson (SUNET), Zoe Fischer
    • Workshop: Honeynet CTI Mission 1 Room

      Mission 1 Room

      Jaarbeurs Supernova

      Utrecht, Netherlands

      Join us for a hands-on deep dive into modern honeypot technologies!
      We’ll kick off with a brief overview of the GEANT HoneyNet initiative (Mikołaj Dobski) before moving straight into a practical HUGO session led by Václav Bartoš and Pavel Valach. In just 30-40 minutes you’ll learn how to spin up your own HUGO honeypot, connect it to the data sharing platform, launch a simple attack against it, and explore the rich data it generates—from live traffic to the results of your own test intrusions.

      The second part of the workshop then turns to an alternative to the HUGO solution, the T-Pot platform, where Maciej Miłostan and Michał Ślusarczyk will guide you through deploying acknowledged honeypots (Cowrie and Dionaea), finally augmenting them with next-generation, LLM-driven decoys, and browsing the collected data in real time.

      As such, you will learn about the current scene of honeynets, their features, as well as their operational quirks.

      In the final sandbox segment you'll put everything into practice: let the honeypot capture a suspicious file using pre-crafted HTTP/FTP scenarios, feed it into a sandbox analysis engine and examine the forensic output.

      What you’ll walk away with: Exclusive two-week sandbox access, a month of dedicated honeynet resources, and an invitation to graduate into the GEANT-wide Honeynet (subject to legal clearance and threat-intelligence maturity). Spaces are limited to 20 participants—reserve your seat now and become part of the next wave of cyber-defense innovators.

      Conveners: Maciej Miłostan (PSNC), Michał Ślusarczyk, Mikołaj Dobski (PSNC), Pavel Valach, Václav Bartoš (CESNET)
    • Workshop: Protecting Research and Education Networks from DDoS - What's Working, What's Not Mission 2 Room

      Mission 2 Room

      Jaarbeurs Supernova

      Utrecht, Netherlands

      DDoS attacks keep evolving, and they're not getting any easier to deal with. For research and education networks, it's less about fighting yesterday's battles and more about figuring out what's coming next. This side meeting is a chance for security people, NOCies, researchers, and anyone making decisions about network defense to get together, compare notes, and figure out how we can do this better: together.

      We're keeping the same two-part setup that worked well last time. First up, colleagues from European research and education networks will walk through what they've been working on lately: the technical stuff, what's actually working in operations, and the things that didn't go as planned. Real experiences from the field.

      Then we switch to open discussion. This is where it gets provocative. Round table, panel format, whatever works for the room. The whole point is getting people talking. Bring your experiences, your questions, your "why doesn't this work better" frustrations. The best stuff usually comes from these conversations.

      We'll keep going as long as it's useful with a hard stop at 17:00.

      Convener: Eugene Brin (DFN-CERT)
    • 3:00 PM
      Coffee Break