hackathon.lu - The Open Source Security Software Hackathon – News

Hackathon.lu 2026: a strong year for open cybersecurity collaboration

Fri, 24 Apr 2026 00:00:00 +0000

Hackathon.lu 2026: a strong year for open cybersecurity collaboration

Hackathon.lu 2026, held in Luxembourg on 14–15 April 2026, once again showed what makes this event special: it is not just a place to present ideas, but a place where ideas turn into code, releases, integrations, datasets, pull requests, and concrete roadmaps.

Looking across the Discourse project updates, the overall picture is clear. This year’s edition produced more than thirty concrete project outcome threads, spanning threat intelligence, malware analysis, detection engineering, vulnerability intelligence, graph exploration, forensics, and infrastructure. Some teams shipped releases on the spot. Others used the two days to validate designs, harden code, identify weaknesses, or connect previously separate tools into more useful workflows.

The result is a hackathon that delivered not only new features, but also better interoperability across the open-source cybersecurity ecosystem.

The big picture

Several themes stood out across the projects:

MISP remained a major center of gravity, with work on AI-assisted workflows, graph exploration, export formats, hunts, user experience, privacy-preserving workflows, and engineering tooling.
Detection and runtime visibility improved, especially around Kunai, Kubernetes, rootkit detection, and rule handling.
Vulnerability intelligence workflows became more connected, with improvements around EPSS and forecast such as TARDISight, Tsunami sightings, CPE assignment, and Vulnerability-Lookup integrations.
Hackathon outcomes were not limited to shiny features: documentation fixes, deployment pain points, code hardening, security assessments, and reproducibility work were all part of the story.

That balance matters. A healthy open-source security ecosystem needs both innovation and maintenance, and Hackathon.lu 2026 delivered both.

MISP saw one of the strongest clusters of outcomes

A large share of the visible momentum this year came from projects around MISP and the broader tooling orbit around it.

One of the most ambitious efforts was AIPITCH, a new round of work on a generic MISP AI module. The team spent the hackathon defining use cases, refining architecture, and producing a second proof-of-concept implementation for combining LLM-based NLP tasks with MISP. Just as importantly, the work emphasized guardrails, testing, metadata, and tagging of AI-assisted output, which suggests a careful and practical approach rather than AI for AI’s sake.

Another major milestone was the release of MISP Engineering Bay v1.0, a collection of browser-based authoring tools designed to make it easier to build and maintain MISP data structures. The first release includes an Object Template Creator and a Galaxy Editor, both aimed at reducing the friction of maintaining MISP’s JSON-driven ecosystem.

MISP Workbench also had a particularly productive hackathon. Reported outcomes included:

MITRE ATT&CK Pattern hunts
a new hunts heatmap for coverage visualization
broader work on TTP/MITRE hunts
an LLM-assisted query builder
JA4+ correlations
continued analyst-focused workflow improvements

Taken together, these updates make Workbench look increasingly like a serious operational layer for large-scale indicator analysis and hunting.

There was also steady progress on MISP workflows themselves. One thread added support for misp-module results inside workflow roaming data and introduced workflow environment variables for ad-hoc workflows. Another used that work to prototype privacy-enhancing workflows, specifically a **Private Set Intersection (PSI)** setup that lets separate MISP instances compare attribute intersections without exposing the underlying sensitive data.

On the user-experience side, an Audio Assistant in MISP explored whether event content and summaries can be delivered through speech, including local-model-backed summarization and configurable plugin settings. In parallel, a separate initiative launched user interviews for CTI practitioners, aiming to collect real-world usage patterns and UX personas to feed future MISP development.

Finally, graph and visualization work was everywhere around the MISP ecosystem. Pivotick became a recurring thread across multiple projects:

experimental integration into MISP as a replacement for the correlation graph in the Overmind theme
migration of AIL correlation and relationship graphs to Pivotick
improvements to Pivotick UI and rendering
updates to misp-galaxy graph export to support Pivotick static output and better filtering

This recurring use of Pivotick across projects says a lot: visual exploration of CTI relationships is clearly becoming a shared priority.

Kunai work focused on real-world deployment and detection depth

The Kunai project had one of the clearest “from lab to operations” tracks during the event.

A first line of work explored running Kunai in Kubernetes, resulting in a minimal proof-of-concept configuration and a concrete upstream suggestion to make host UUID handling externally configurable. That was then extended by a second project: a Kubernetes enrichment daemon that connects to the local container runtime interface and generates JSON metadata to enrich process context with container and Kubernetes information such as root PID and labels.

This is exactly the kind of hackathon progression that matters: one topic uncovers a limitation, and a second topic turns that finding into an engineering response.

A third Kunai thread focused on detection quality. Work on LinkPro eBPF rootkit analysis confirmed that Kunai already detects most suspicious activity associated with the published samples, and the team assembled a 12 GB dataset of potential eBPF malware samples for further analysis and future detection improvements.

On the build and deployment side, Kunai also benefited from a simplified Dockerfile and reduced container size, with a pre-built container published for easier testing and deployment.

Altogether, the Kunai outcomes show a project maturing across detection, packaging, and cloud-native operations at the same time.

Vulnerability intelligence and asset context got tighter integration

Hackathon.lu 2026 also produced several outcomes that improved the flow between asset identification, vulnerability metadata, and shared observations.

For Vulnerability-Lookup, a new EPSS importer was added to fetch daily EPSS data and store per-CVE metadata for later use. That is a practical step toward making exploit-likelihood context more immediately available in open vulnerability workflows.

A second contribution, TsunamiSight, extracts vulnerability-related observations from Google Tsunami Security Scanner plugins and publishes them as sightings to a Vulnerability-Lookup instance. This is a strong example of the kind of bridge-building that hackathons are ideal for: taking useful signals that already exist elsewhere and feeding them into a broader knowledge ecosystem.

Asset management also saw a useful improvement through the integration of CPE Guesser into Mercator. Users can now search and assign CPE identifiers directly from Mercator’s cartography forms, making the path from component inventory to vulnerability exposure assessment more direct and less error-prone.

Related work on CPE Editor looked at how collaborative CPE editing could evolve within the GCVE context, including questions around UUID allocation, relationships between vendors and products, and metadata structure. This was more foundational than user-facing, but it points toward the longer-term problem of maintaining better shared product metadata in open ecosystems.

Releases, hardening, and maintenance were equally important outcomes

One of the healthiest signs in the Discourse activity is how much work was devoted to maintenance, fixes, review, and validation, not just feature announcements.

BSimVis v0.1.0 was released with an API and web interface for binary similarity analysis, function diffing, tagging, filtering, and visualization. That is a tangible shipping outcome.

The IDPS-ESCAPE / SATRAP-DL / PyFlowintel cluster also reported a productive hackathon, including validation of deployment scenarios, unified configuration work, a prototype management GUI, unit tests, deployment artifact updates, and follow-up changelog entries.

SSLDump work focused on code quality and resilience: testing a proposed patch, starting a fix to neutralize control characters in output, refining OpenSSL 3 compatibility work, and integrating bounds-checking improvements identified during review.

The Sysdiagnose Analysis Framework (SAF) saw issue fixes, a new case management library, and parser-related improvements, while AIL/MISP contribution work surfaced deployment friction, resulting in documentation clarifications and discussion around removing or replacing confusing legacy installer material.

Even more valuable was the explicit vulnerability assessment of DnsLiar. Instead of simply adding features, one thread documented fuzzing, stress testing, logic review, and several concerns: IP leakage behavior, post-forward filtering inefficiency, lack of DNS amplification protections, and risky unwrap usage in Rust. In parallel, the DnsLiar project itself started work on a whitelist mechanism to improve reproducibility across deployments. Together, those two threads show the kind of constructive, security-minded feedback loop that a good hackathon should encourage.

Experimental ideas also moved forward

Not every successful hackathon project ends in a release. Some of the most useful outcomes are prototypes, datasets, design explorations, or proof-of-concept repositories that define the next phase of work.

That was the case for location-based document tagging, where discussion around geolocation terminology and Bloom filters led to work-in-progress code in the fastopic repository.

It was also visible in Rulezet, which explored how detection rules and bundles could be exported into MISP as structured objects and events, and in the Meluxina thread, which documented practical steps and lessons around using HPC infrastructure and batch jobs for model fine-tuning.

The Forensics Training – Bad out of Hell topic similarly focused on a concrete training scenario around hidden data in FAT32 and the behavior of forensic tooling, which is exactly the sort of practitioner knowledge that benefits from collaborative experimentation.

Additional work and research in the area of image correlation was initiated with the team from UCD CCI, especially on how to enable correlation between Lacus, LookyLoo, and AIL. Different algorithms were reviewed and gathered, which may lead to an additional publication soon.

What the 2026 edition tells us

The strongest conclusion from the 2026 project roundup is that Hackathon.lu is operating as an integration engine for open cybersecurity.

The event is not only helping individual tools improve in isolation. It is creating connections between projects:

MISP with AI modules, workflows, and graph tooling
Kunai with Kubernetes context and malware analysis
Mercator with CPE Guesser and Vulnerability-Lookup
Tsunami plugins with sightings publication
Privacy-enhancing techniques with operational CTI workflows

Just as importantly, the event keeps making room for the unglamorous but essential work: fixing deployment pain, reducing container size, adding tests, reviewing architecture, documenting issues, and identifying security weaknesses before they become bigger problems.

That is the real outcome of Hackathon.lu 2026. Not a single flagship announcement, but a broad, visible acceleration across a whole ecosystem of free and open-source cybersecurity tools.

And that is probably the best measure of success for a hackathon like this: when the community leaves not just inspired, but with code merged, releases cut, bugs found, workflows connected, and a clearer map of what to build next.

https://www.youtube.com/watch?v=GPqe-sJkyg8

hackathon.lu 2026 announced

Thu, 19 Mar 2026 00:00:00 +0000

The hack.lu team and CIRCL announce the new hackathon.lu 2026 event.

hackathon.lu 2026: Open Source, Security, and Collaboration — with an Open Conference Morning on 14 April

Luxembourg, April 2026 — hackathon.lu returns on 14–15 April 2026, bringing together developers, security professionals, researchers, and Open Source enthusiasts for two days of hands-on collaboration, experimentation, and knowledge sharing in the Grand Duchy of Luxembourg.

Designed as a community-driven Open Source hackathon, hackathon.lu focuses on building, improving, and challenging real-world tools and ideas — particularly in the areas of security, engineering, and interoperability. The event welcomes participants of all backgrounds, from experienced practitioners to curious newcomers.

A Conference Morning to Kick Things Off

To open the event, hackathon.lu will host an integrated conference morning on Tuesday, 14 April 2026, from 09:00 to 12:00.

This informal, breakfast-style conference is open to the public and brings together speakers from Open Source and security communities to share short, focused talks. Rather than polished product pitches, the emphasis is on practical experience, lessons learned, and ideas that invite collaboration.

The conference morning is designed to:

Set the tone for the hackathon
Spark discussion and cross-pollination of ideas
Inspire projects that participants can explore during the hackathon itself

From Ideas to Action

Following the conference morning, registered hackathon participants will spend the remainder of 14–15 April working in small, self-organizing teams on Open Source projects, prototypes, tooling, documentation, and experiments.

There is no pressure to “finish” — learning, collaboration, and shared progress are the primary goals.

Open, Inclusive, and Community-Focused

hackathon.lu is built around the values of:

Open Source and open collaboration
Knowledge sharing over competition
Practical, real-world engineering
Building bridges between communities

The event is closely aligned with the spirit of hack.lu, Luxembourg’s long-standing security conference.

Registration

Attendance for the conference morning and participation in the hackathon is open via registration:

👉 https://hackathon.lu/practical/

Participation in the hackathon requires registration.
The conference morning is open to interested members of the public.

👉 Please register a talk through our CfP system: https://pretalx.com/hackathon-2026/cfp

Submissions will be reviewed by a program committee, which will select the talks for the conference morning.

About hackathon.lu

hackathon.lu is an Open Source–focused hackathon held in Luxembourg, bringing together people who want to build, break, fix, and improve technology collaboratively. It provides a space where ideas can be discussed over coffee in the morning — and turned into code by the afternoon.

Successful Outcomes from the Hackathon.lu 2025 in Luxembourg

Fri, 11 Apr 2025 00:00:00 +0000

Press Release: Successful Outcomes from the Hackathon.lu 2025 in Luxembourg

Luxembourg, April 9, 2025 – The Hackathon 2025, held from April 8 to 9, has successfully brought together a global community of more than 50 cybersecurity experts, developers, and innovators, all working toward advancing the realm of free and open-source software (FOSS) in cybersecurity. Hosted in Luxembourg, the hackathon focused on building cutting-edge tools and improving existing systems to enhance security in a rapidly evolving digital world.

Organized as part of the renowned hack.lu event series, Hackathon 2025 saw remarkable collaboration across teams, resulting in the successful implementation of several key software updates, tools, and features. The event underscored the power of open-source technology in driving advancements in cybersecurity, and participants demonstrated the vital role of innovation in strengthening digital defenses.

We would like to thank all the participants who contributed their time and creativity to make this hackathon a success, as well as our sponsors, POST Luxembourg and Conostix, for providing the infrastructure support.

Looking ahead, the hackathon.lu team is already planning the next edition of the event, scheduled for April 2026. As a reminder, the hack.lu security conference—one of Europe’s leading cybersecurity events—will take place from October 21-24, 2025, at the Alvisse Parc Hotel in Dommeldange, Luxembourg. Early bird tickets are still available for a few more days at https://2025.hack.lu/info/. Additionally, the hack.lu Call for Papers (CFP) is open, and cybersecurity experts are encouraged to submit their proposals at https://pretalx.com/hack-lu-2025/. For those looking to support the event, there are still a few sponsoring opportunities available at https://2025.hack.lu/sponsoring/.

Highlights of the Successful Projects and Contribution:

MISP Fleet Commander Release
The MISP Fleet Commander, a new management interface for MISP instances, was launched with the goal of streamlining the operational management for security analysts. This tool significantly reduces the complexities involved in maintaining multiple MISP instances, thus improving overall efficiency in threat intelligence sharing.
Read more on Discourse | GitHub Repository
Lacus v1.13.1
Lacus, a data analysis platform, saw an impressive update with version 1.13.1. The new release enhances the tool’s capabilities in managing and processing large sets of security data, providing users with more efficient and comprehensive data analysis.
Read more on Discourse | GitHub Repository
Lookyloo v1.28.1
Lookyloo, a tool for visualizing web infrastructure, was upgraded to version 1.28.1, introducing new functionalities that provide deeper insights into web structures. This tool aids cybersecurity professionals in mapping out potential vulnerabilities in web applications, ensuring proactive security measures are in place.
Read more on Discourse | GitHub Repository
Flowintel Enhancements
Flowintel, a platform for network traffic analysis, received vital improvements, making it more effective at detecting and analyzing cyber threats in real time. These enhancements bolster the tool’s capabilities in identifying unusual patterns in network data and provide better insights for responding to incidents.
Read more on Discourse | GitHub Repository
Kunai-Sandbox v0.1.4 Release
The Kunai-Sandbox, a malware analysis tool, introduced new updates aimed at improving the efficiency of malware detection and analysis. This release brings enhanced sandboxing capabilities, providing a more secure environment for analyzing suspicious files and activities.
Read more on Discourse | GitHub Repository
Pykunai v0.1.5
Pykunai, a tool designed to improve security operations and integration with Kunai, received a new update with version 0.1.5, which focuses on enhancing the tool’s functionality for cybersecurity professionals. This update streamlines several processes, making threat identification and response faster and more effective.
Read more on Discourse | GitHub Repository
Vulnerability-Lookup Enhancements
The Vulnerability-Lookup platform received key updates that enhance its ability to manage and identify vulnerabilities across various systems. These improvements ensure that security teams have timely and accurate information when responding to potential security threats.
Read more on Discourse | GitHub Repository | Release v2.8.0 including hackathon.lu contribution
New MISP object summariser-output added in MISP
In the objective to extend AI-support in MISP, a new summariser-output object template has been added. During the hackathon, a new pipeline to support RSS gathering and AI-summarisation was developed. Read more on Discourse | GitHub Repository
Virgil v0.1.0 Launch
The introduction of Virgil, a new security analysis tool, marked a significant milestone in the hackathon. Designed to enhance the analysis capabilities of security professionals, Virgil promises to become an essential tool in the fight against cybercrime.
Read more on Discourse | GitHub Repository
MISP OpenAPI Documentation
Another key accomplishment was the development of an improved comprehensive documentation for MISP’s collections endpoints. This new documentation aims to make it easier for users to implement MISP’s powerful features, fostering wider adoption of the platform across the cybersecurity community. Various updates were done on the OpenAPI specification.
Read more on Discourse | GitHub Repository
MISP MCP: Natural Language Interface
A groundbreaking development was the integration of natural language processing (NLP) into MISP via the MISP MCP (MISP Cloud Platform). This feature allows users to interact with MISP using natural language, enabling non-technical stakeholders to query and manage cybersecurity data more easily.
Read more on Discourse | GitHub Repository
Flowintel Docker Fix
Flowintel also saw a crucial update, resolving Docker compatibility issues, ensuring that the platform runs seamlessly in containerized environments. This fix allows users to deploy Flowintel in a more flexible and scalable manner.
Read more on Discourse | GitHub Repository
Sysdiagnose Submissions
A new tool was introduced for automating the submission of sysdiagnostic information from mobile phone, improving incident response by enabling faster troubleshooting of system issues and providing richer context to cybersecurity teams.
Read more on Discourse | GitHub Repository
AIL Geospatial Analyst Module
The AIL (Analysis Information Leak) platform introduced a new Geospatial Analyst module, enhancing the ability to map and analyze geographic information within cybersecurity operations. This addition greatly improves the visualization of threats and incidents based on location.
Read more on Discourse | GitHub Repository
MISP Lite OpenSearch Integration
A notable update was the integration of MISP Lite with OpenSearch, enabling faster and more efficient querying of threat intelligence data. This improvement strengthens MISP Lite’s role in smaller-scale security environments that rely on performance and scalability.
Read more on Discourse | GitHub Repository
Embedded Device Feed for MISP
A new feed was added to MISP specifically for tracking vulnerabilities in embedded devices. This feed aims to address the growing concerns around Internet of Things (IoT) security by providing timely and relevant intelligence on potential threats.
Read more on Discourse
ADBox Algorithmic Multiplexing
ADBox, a tool for Active Directory auditing, received a major update with the addition of algorithmic multiplexing, improving its ability to process and analyze large datasets. This enhancement makes ADBox more efficient at detecting malicious activities in complex networks.
Read more on Discourse | GitHub Repository
Suricata Rules Generation Enhancement for MISP
MISP’s capabilities were further improved with an update focused on generating better Suricata rules. This change allows MISP users to produce more accurate and effective rules for intrusion detection systems, strengthening network defenses.
Read more on Discourse | GitHub Repository
Certificate Transparency Support in Cocktailparty
Cocktailparty, a tool for streaming cybersecurity data feed, added support for certificate transparency, enabling more efficient detection of certificate-related threats. This update will help teams stay ahead of potential security risks linked to certificate mismanagement.
Read more on Discourse | GitHub Repository
Codeclarity Sends Sightings to Vulnerability Lookup
Codeclarity, a platform for vulnerability analysis, introduced a new feature that automatically sends sightings to the Vulnerability Lookup platform. This integration allows teams to rapidly identify and respond to potential security threats by correlating findings with an updated vulnerability database.
Read more on Discourse | GitHub Repository
Replacement of Redis with Valkey in AIL Project

As many projects aim to maintain a fully open-source stack, a proposal has been made to replace Redis with Valkey in the AIL project.

Pull-request
LexiLang language detection improved in AIL Project

Pull request was made during the hackathon.lu for the LexiLang project (used by the AIL Project) introduces the following changes: To improve language detection, it includes a major cleanup and refinement of language dictionaries to reduce false positives. It also enhances accuracy by removing ambiguous or low-quality entries from the dictionaries. This is a significant improvement for AIL, enabling better language detection with fewer false positives.

For more details: LexiLang improvement

Summary: The Hackathon 2025 in Luxembourg showcased an impressive array of innovative open-source cybersecurity tools and updates, developed in just two days by a global community of experts. Participants collaborated intensively to create impactful solutions, enhancing threat intelligence sharing, vulnerability detection, and network security. The event highlighted the power of open-source collaboration in driving rapid advancements in the cybersecurity field.

Looking Ahead: The Hackathon 2025 demonstrates the power of collaboration, community-driven development, and open-source technology in advancing cybersecurity. With these new tools and updates, cybersecurity professionals are better equipped to combat the growing range of cyber threats in today’s interconnected world. The event has successfully illustrated the critical role of innovation in keeping digital infrastructures safe and resilient.

Participants, organizers, and contributors from around the world are already looking forward to future editions of the hackathon, where they can continue to push the boundaries of cybersecurity and build stronger defenses for global digital ecosystems.

For more information about the Hackathon 2025 and the projects developed, please visit hackathon.lu.

hackathon.lu 2025 announced

Tue, 24 Dec 2024 00:00:00 +0000

The hack.lu team and CIRCL announce the new hackathon.lu 2025 event.

This 2-day physical Hackathon, held in Luxembourg on April 8th and 9th, 2025, focuses on the development of free and open-source software for cybersecurity. We aim to convene diverse developer groups to collaborate on complex programming challenges within key cybersecurity areas, such as information sharing, threat intelligence, network and system forensics, data mining, network and computer exploitation, and defense techniques. The hackathon’s objectives include improving existing open-source security projects, enhancing interoperability and integration between different security tools, and driving the creation of innovative new solutions.

The hackathon will emphasize tackling complex challenges, whether by enhancing existing projects or creating new ones, with a focus on how in-person collaboration and interaction can help overcome specific obstacles. We encourage activities both before and after the hackathon to maximize productivity and ensure the event is a catalyst for impactful progress. We aim to foster collaboration with both existing and new projects while building stronger trust within collaborative groups.

Many open-source security projects will be at the hackathon, including the MISP Project, AIL Project, Kunai, Flowintel, Lacus, Lookyloo, Pandora, Vulnerability-Lookup, OISF and Suricata. If you’d like to join us or propose a specific project for the hackathon, feel free to get in touch!

Ready to join? Register here: https://hackathon.lu/practical/.

If you’re leading a project, we encourage you to submit your proposal. We’re enthusiastic about expanding our project list for the hackathon.