Topics at hackathon.lu
Topics and Projects at hackathon.lu 2026
A series of topics are available for Hackathon 2026, along with potential task ideas. This list will be regularly updated based on feedback and the projects joining the event.
Cyber Threat Intelligence
Explore innovative ways to collect, analyze, and share threat intelligence to enhance cyber defenses and facilitate proactive responses to evolving threats.
Task - Improve the visualisation of MISP taxonomies and galaxies and make it accessible to a larger community.
| Task CTI-VIS-INFO |
|---|
| Improve the visualisation of MISP taxonomies and galaxies and make it accessible to a larger community. |
| Task Lead |
| MISP Project - taxonomies and galaxy maintainers. |
| References - https://www.misp-galaxy.org/ - https://github.com/MISP/misp-galaxy/ - https://github.com/MISP/misp-taxonomies |
Task - Add MISP workflow action to send messages to Nextcloud chat
| Task MISP-WORKFLOW-NEXTCLOUD-CHAT |
|---|
| Task Lead: Jeroen Pinoy - MISP contributor |
| References - Nextcloud chat API doc |
Task - Add functionality to MISP modules and/or MISP, to keep an audit record of the usage of modules (timestamps + user)
| Task MISP-MODULES-AUDIT |
|---|
| Task Lead: |
| References - MISP modules repo |
Task - Review and update the MISP OpenAPI documentation (especially the allowed arguments), using the real MISP documentation
| Task MISP-OPENAPI-DOC |
|---|
| Task Lead: Jeroen Pinoy - MISP contributor |
Task - Build a set of examples of common cyber threat intelligence sharing scenarios (e.g. malware sample executed by cron job), with resulting MISP encoded version of the scenario data, along with explanations.
| Task MISP-CTI-ENCODING-SCENARIO-SAMPLES |
|---|
| Build a set of examples of common cyber threat intelligence sharing scenarios (e.g. malware sample executed by cron job), with resulting MISP encoded version of the scenario data, along with explanations. |
| Task Lead: Jeroen Pinoy - MISP contributor |
| References - https://www.misp-project.org/misp-training/b.1-best-practices-in-threat-intelligence.pdf - https://www.circl.lu/doc/misp/best-practices/ |
Task - Create MISP incident response playbooks / guidelines
| Task MISP-IR-PLAYBOOKS |
|---|
| The goal is to create documentation for what to look at when trying to answer “Is the user activity of user X on MISP suspicious?”. The doc should contain information on how to interpret logs, audit info… This falls under the larger umbrella of how to detect and analyze potential abuse on a MISP instance. |
| Task Lead: |
Task - Review and update the MISP generated Suricata rules
| Task MISP-SURICATA-RULES |
|---|
| Review and update the way MISP generates Suricata rules, possibly using the datasets feature of stable Suricata versions |
| Task Lead: Eric Leblond - Suricata contributor |
Task - Connect Suricata 8 dataset in JSON format feature with MISP
| Task MISP-SURICATA-DATAJSON |
|---|
| Review and update the way MISP generates Suricata rules, possibly using the datasets feature of stable Suricata versions |
| Reference - Dataset with JSON format support PR |
| Task Lead: Eric Leblond - Suricata contributor |
Task - Distribute Certificate transparency logs with Cocktailparty
| Task COCKTAILPARTY-CERTSTREAM |
|---|
| Integrate calidog’s certstream watcher/parser in cocktailparty as a new connection/source. Allow for collection from additional log_lists |
| Reference - https://github.com/CaliDog/certstream-server |
| Task Lead: Jean-Louis Huynen - Cocktailparty contributor |
Task - Create admin-defined filters in Cocktailparty
| Task COCKTAILPARTY-ADMINFILTERS |
|---|
| Create admin-defined filters to apply on sources before dispatching to channels. |
| Reference - https://github.com/flowintel/cocktailparty |
| Task Lead: Jean-Louis Huynen - Cocktailparty contributor |
Task - Create user-defined filters in Cocktailparty
| Task COCKTAILPARTY-USERFILTERS |
|---|
| Create user-defined filters to apply on channels, before pushing into the websocket. |
| Reference - https://github.com/flowintel/cocktailparty |
| Task Lead: Jean-Louis Huynen - Cocktailparty contributor |
Task - Improve realtime-py for cocktailparty stream consumption
| Task COCKTAILPARTY-PYTHON-LIB |
|---|
| Upstream realtime-py has significantly diverged from flowintel’s current fork. The task consists of reviewing the current code, removing supabase-related parts, playing with the library or writing tests, and most importantly finding a new name =) |
| References - https://github.com/flowintel/realtime-py - PR dating from before the upstream refactoring |
| Task Lead: Jean-Louis Huynen - Cocktailparty contributor |
Task - Integrate MISP modules into AIL
| Task AIL-MISP-Module |
|---|
| Task Lead: |
| References - AIL - MISP Modules |
Task HOPLITE-MISP-Modules (AI)
| Task HOPLITE-MISP-Modules |
|---|
| Add MISP modules to provide containerized analysis of data types including but not limited to Video, Images, Audio. Modules should leverage the OpenAPI interface (see reference links below). Modules should extend functionality to MISP/AIL. AI services should be local or on a trusted network. |
| Topic Repo: https://github.com/UCD-CCI/hackathon.lu-2026 |
| References: - https://hoplite-project.eu/about/ - https://github.com/MISP/misp-modules - https://github.com/MISP/misp-modules/tree/main/website - https://www.misp-project.org/openapi/ - https://github.com/MISP/misp-modules-cli |
| Task Lead: Alex Cronin & David Curran from UCD CCI on the HOPLITE Project |
Task - Improve AIL Language Detection for Short Texts
| Task AIL-Languages-Short-Text |
|---|
| AIL currently uses PicoLang for language detection on short texts such as chat messages. - Improve PicoLang’s language dictionaries - Add support for additional languages. |
| Task Lead: Aurelien Thirion - AIL Project |
| References - AIL - PicoLang - Language dictionaries |
Task - Improve AIL Language Detection for Long Texts
| Task AIL-Languages-Long-Text |
|---|
| AIL currently relies on CLD3 for language detection on long texts. Propose an alternative to CLD3 for language detection on large text that supports a broader range of languages with improved memory efficiency and performance. |
| Task Lead: Aurelien Thirion - AIL Project |
| References - CLD3 - AIL Languages detection |
Digital Forensics and Incident Response
Delve into tools and methodologies for investigating cyber incidents, uncovering evidence, and responding effectively to mitigate impact.
EDR and Host-Based Detection
Enhance endpoint detection and response (EDR) capabilities with cutting-edge techniques for detecting and mitigating threats at the host level.
Vulnerability Management
Develop and refine strategies and tools for identifying, assessing, and prioritizing vulnerabilities to reduce organizational risk.
Task - Extracting CVE/Vulnerability reference from large datasets such as commoncrawl
| Task VUL-EXTRACT |
|---|
| Extracting CVE/Vulnerability reference from large datasets such as commoncrawl. Adding references into vulnerability-lookup project. |
| Task Lead |
| vulnerability-lookup |
| References - https://www.vulnerability-lookup.org/ - commoncrawl dataset |
Task - Sighting tool for tsunami
| Task VUL-Sighting-Tsunami |
|---|
| Create a new sighting tool for Tsunami |
| Task Lead |
| vulnerability-lookup |
| References - https://www.vulnerability-lookup.org - Existing sighting tools |
Task - Guessing CPE name based on vulnerability description.
| Task VUL-CPE-GUESS |
|---|
| Facilitating the guessing of a CPE name via natural language processing based on vulnerability description. |
| Task Lead |
| vulnerability-lookup |
| References - https://www.vulnerability-lookup.org/ - cpe-guesser |
Task - Guessing CPE name with LLM
| Task VUL-CPE-LLM |
|---|
| Facilitating the guessing of a CPE name with LLM. |
| Task Lead |
| Vulnerability-Lookup |
| References - https://www.vulnerability-lookup.org - VulnTrain |
Task - Predict exploitability with LLM
| Task VUL-EXP-LLM |
|---|
| Estimating the exploitability of a new vulnerability with LLM. |
| Task Lead |
| Vulnerability-Lookup |
| References - https://www.vulnerability-lookup.org - VulnTrain |
Task - Enhanced Vulnerability-Lookup with Code Context
| Task VUL-Sourcecode-LLM |
|---|
| When searching for vulnerabilities, provide relevant code snippets from impacted projects. Extend the Vulnerability-Lookup database/dataset by linking CVEs with corresponding source code segments from affected products/repositories. Fine-tune CodeBERT or CodeT5. |
| Task Lead |
| Vulnerability-Lookup |
| References - https://www.vulnerability-lookup.org - CodeBERT - CodeT5 |
Task - Improving the NLP CWE Classifier
| Task VUL-CWE-Classifier |
|---|
| Improving the NLP CWE classifier (main aspect to improve). |
| Task Lead |
| Vulnerability-Lookup |
| References - https://www.vulnerability-lookup.org - VulnTrain |
Task - Dataset creation script for CERT-FR Alerte and CERT-FR Avis
| Task VUL-Dataset-CERTFR |
|---|
| Dataset creation script for CERT-FR Alerte and CERT-FR Avis. |
| Task Lead |
| Vulnerability-Lookup |
| References - https://www.vulnerability-lookup.org - VulnTrain |
Cybersecurity - Open Data and Open Datasets
Use and create open data and datasets to support cybersecurity research, training, and collaborative innovation.
API and Tooling Interoperability
Focus on creating and improving APIs and tools that enable seamless integration and interoperability between different cybersecurity platforms.
Task - Create MISPerer
| Task: MISPerer |
|---|
| MISPerer leverages Anthropic’s Model Context Protocol (MCP) to bridge Large Language Models (LLMs) with the MISP (Malware Information Sharing Platform & Threat Sharing) system. This simplifies interaction, allowing users and other systems to query MISP’s threat intelligence data through intuitive natural language prompts. |
Mercator
Work on auto-discovery and update of existing objects using the REST API.
Tasks
- Auto-discovery with nmap: Scan the network to identify active devices and retrieve basic information (IP, open ports, OS fingerprinting).
- Update server configuration with SNMP: Collect hardware and software information from discovered devices and update Mercator accordingly.
- Integration with existing inventory data: Cross-reference discovered devices with existing inventory records to update or flag discrepancies.
- Automated tagging and categorization: Assign tags based on device type, OS, and role in the network.
- Web UI enhancements: Display real-time discovered devices and provide an interface for manual validation and corrections.
- Alerting for new/unexpected devices: Notify administrators when unknown or unauthorized devices appear on the network.
Cybersecurity Education
Create and share educational resources (e.g. CTF challenges), training modules, documentation and workshops to advance knowledge and skills in cybersecurity.
Policy and Cybersecurity
Improve open source tooling to support policies, regulations, and frameworks to address the challenges and opportunities at the intersection of governance and cybersecurity.
Lookyloo
Website capture interface
Tasks
- Implement dropdown to select which proxy to use for the capture (by country)
Virgil
Ansible deployment of Lacus, Lookyloo, URL Monitoring and Pandora.
Tasks
- Review the preliminary playbooks
- Test the ansible playbooks on live systems
- Document the installation process
- Pre-configure the modules from a central file
- Validate that updating the services works as expected
IAMI (Identity & Access Management Integrations)
We would appreciate your support in the following areas: (more details in the issues here)
- Integrate New Tools
- Test the security (Pentesting)
- Upgrade to latest versions
- Deploy multiple instances of the same tool
- Create independent SMTP setup
- Documentation
- Bug fixing
IDPS-ESCAPE
The tasks listed below are partially based on the roadmap of IDPS-ESCAPE.
Tasks
- Web-based management interface for our Ansible-based RADAR deployment solution
- New detection and response scenarios via hybrid correlation (signatures + RRCF + SONAR anomalies)
- SONAR production scenarios validation
- Automatic model retraining in SONAR (schedule-based, drift-triggered)
- Automated SONAR-RADAR integration
- Integrate Wazuh Ruleset as Code (RaC) into RADAR to complement its existing DaC-based model
SATRAP-DL
The tasks listed below are partially based on the roadmap of SATRAP-DL.
Tasks
PyFlowintel
- Share feedback on Flowintel with the respective team and define updates on PyFlowintel according to the discussion
- Release an update supporting the incomplete functionality in DECIPHER concerning the use of templates
DECIPHER
- Update the deployment artifacts to support selecting the Flowintel version to deploy
- Discuss and study refinements to the CTI scoring formula based on other available taxonomies in MISP, object grouping and MISP decaying models
- Design and implement an analyzer for a selected threat scenario
MONARC Task 1 - AI Copilot for FrontOffice (ISO Assistant).
Context
For Information Security Officers (ISOs), modelling assets and structuring an analysis in MONARC FrontOffice can be difficult without experience and clear guidance.
Challenge
Build an AI-powered chatbot integrated with MONARC FrontOffice that helps ISOs with tool usage, modelling decisions, and risk reduction recommendations.
Example questions:
- “I am modelling the context for the analysis. Where should I start?”
- “What are the next steps after the context establishment?”
- “Where should I place this asset, under which primary asset?”
- “What secondary assets structure would you suggest?”
- “Should this asset be global or local for this particular scenario?”
- “What context would you suggest for this asset?”
- “What risk reduction recommendations would you suggest?”
Expected solution
- A chat UI embedded in or connected to MONARC FrontOffice.
- A trained model and/or a knowledge base covering MONARC usage, MONARC best practices, and ISO/IEC 27005 method guidance, so that even non-experts can use the tool effectively.
- Use of the MONARC Object Sharing Platform (MOSP) API (https://objects.monarc.lu/) for necessary data fetching, correlation, and reuse.
- Use of an on-premise LLM to interpret user questions and generate clear, comprehensive answers.
- Basic guidance mechanisms (ask clarifying questions, avoid hallucinations, provide examples).
Requirements
- Integration within or alongside MONARC FrontOffice.
- Open-source technologies only.
- LLM deployable on-premise (no external API dependency).
MONARC Task 2 - AI Chatbot for Risk Evaluation (Data-Driven Suggestions).
Context
Risk evaluation in MONARC often depends on expert judgment and sector-specific knowledge, which can lead to inconsistency and long analysis cycles. This topic explores how AI can assist risk analysts with data-driven risk evaluation suggestions.
Challenge
Build an AI chatbot that supports users in qualifying risks by suggesting evaluation values (e.g. threat probability, likelihood and impact levels) based on sector-specific statistics.
The chatbot should:
- Use sector(s) of activity selected for the analysis.
- Suggest risk evaluation values using aggregated data (averages/ranges per sector).
- Provide clear explanations (“why is this value proposed?”) and optionally a confidence indicator.
Expected solution
- Data aggregation pipeline (what to aggregate: sector averages/ranges; how to collect: aggregated on a daily basis, or when the analysis is finished).
- Chat interface to query the assistant.
- On-premise LLM that analyses the aggregated statistics and generates explanations.
- Optional / Bonus: compare user input vs sector-based suggestions.
Requirements
- Open-source technologies only.
- LLM deployable on-premise (no external API dependency).
- Conceptual or technical integration with MONARC.