A talent pipeline for the region.
Mansfeld-Südharz, Germany - October 17, 2025
The email arrives every February, written in the urgent half-sentences of a seventeen-year-old who has just discovered that the school firewall can be bypassed with a four-line Python script. We answer with a train ticket and a waiver form: spend the last weekend of March in Hall 12, eat free pizza, and try to steal a flag that is really nothing more than a text file sitting on an outdated WordPress plugin. If you succeed, we hand you a voucher for a twelve-week apprenticeship that starts the following Monday. No grade average, no CV, no letter of recommendation—just proof that you can turn curiosity into a working exploit. That is the entire recruitment philosophy behind the Cyber Resilience Alliance CTF series, and after three editions it has become the most reliable talent funnel we have ever measured.
The format is deliberately low-threshold. We run two tracks in parallel: a beginners’ lane where flags are hidden in HTML comments and a single SQL injection is enough to reach the podium, and an advanced lane that simulates the production network of a regional chemical supplier—VLANs, industrial firewalls, a real Siemens PLC that controls a miniature dosing plant. Participants can switch lanes at any time, but they cannot share flags between lanes, which forces them to decide how far they are willing to step outside their comfort zone. The scoring engine is open-source, hosted on a cluster of Raspberry Pis sprayed matte-black and bolted to a wall so that everyone can see the blinking LEDs that represent their rank in real time. First-time visitors usually stare at the wall as if it were a contemporary art installation; by hour six they are arguing about endianness and buffer boundaries with the same fluency they bring to football scores.
What makes the competition regional instead of merely local is the transport layer. Deutsche Bahn sponsors a weekend ticket valid across the entire state of Saxony-Anhalt for anyone under twenty-one who registers before the cut-off date. Last year 42 % of the 312 participants arrived from districts that have no formal computer-science curriculum, which means the ticket is not a convenience—it is a social equaliser. Once they arrive, we confiscate smartphones and issue burner laptops with a frozen Kali image; the absence of personal devices removes the invisible hierarchy of who owns the faster GPU and restores the primacy of thinking. Parents sometimes worry about the confiscation until they see the final presentation, where each team must explain its attack path on a whiteboard without slides. Watching a sixteen-year-old explain privilege escalation to a room that includes the county’s head of economic development is a pedagogical spectacle that no glossy brochure could replicate.
Winning is only the secondary objective. The primary goal is to generate artefacts we can grade objectively: write-ups. Every flag must be accompanied by a short technical narrative, typed in Markdown and submitted through a Git repository we create on the spot. The repository becomes the applicant’s portfolio when they apply for the summer apprenticeship programme. We deliberately publish the judging rubric months in advance: 40 % for technical depth, 30 % for clarity, 20 % for ethical reflection, 10 % for humour. The last category keeps the tone human; if you can make us laugh while explaining how you back-doored a Redis instance, you are probably the kind of mind we want defending our waterworks. Last year the winning write-up contained a haiku about race conditions; the author now works part-time in our SOC while finishing his Abitur.
"Break, fix, document, present—then go home and patch the network that heats your school."
The apprenticeship itself is where the pipeline earns its keep. Winners spend twelve weeks inside the real Alliance infrastructure—not a demo lab—under a supervision model we call “one ticket away.” They receive their own Jira queue of low-risk alerts, and every decision they make is reviewed within two hours by a senior analyst. The first two weeks are spent reading only: packet captures, forensic images, policy documents. By week three they are allowed to press the “close” button on an incident; by week six they are expected to write a detection rule in Sigma format and push it to the shared Git. The progression is calibrated so that the worst possible mistake is an embarrassing false positive, not a false negative that could let ransomware through. At the end of the cycle we hold a public demo day where local employers—chemical plants, hospitals, municipal utilities—sit in the front row. Placement rates for the last cohort: 87 %, average starting salary 28 % above regional median for under-twenty-two-year-olds. One graduate declined three corporate offers and instead founded a non-profit that teaches elderly citizens how to recognise phishing; we granted him desk space and free bandwidth, because keeping him inside the ecosystem is worth more than any recruitment fee.
Critics sometimes argue that gamification glamorises offence, but we design the scenarios to reward defence. Flags hidden in backup scripts can only be reached if the team first enables logging that was switched off; the PLC that releases a “toxic” flag stops responding unless someone patches a timing vulnerability in the Modbus parser. The narrative arc is always the same: break, fix, document, present. By the time participants reach the podium they have lived through the full incident life-cycle, which means they understand that attack is merely the opening chapter of a longer story called recovery. That mental framing is what distinguishes our pipeline from university courses that still treat ethical hacking as a curiosity. Here, exploitation is not the end zone; it is the scouting report that tells you where to reinforce the wall.
Sustainability is baked into the economics. The entire event costs less than 70 000 €: venue is donated by the county, laptops are refurbished lease-returns, prizes are vouchers for further training rather than cash. Sponsors cover half the budget; the other half is recouped through optional commercial training we run for local SMEs the following week, using the same lab setup. The cycle is therefore self-licking: every euro we spend on teenagers is repaid by adults who want to understand how their own networks were just broken by a sixteen-year-old with a hangover. The county’s marketing department likes to call it “circular cyber education,” but the simpler truth is that curiosity is a currency that inflates when shared.
We schedule the next edition for 27–29 March 2026. Registration opens on 1 December and closes at 1 000 applicants or 14 February, whichever arrives first. There are no academic prerequisites, no age limits, and no restriction on team size; we even accept solo players, because some of the best attackers we have ever met prefer to work alone in hoodies. The only requirement is the willingness to sign a simple pledge: “I will use what I learn to protect the place I live.” That sentence is printed at the top of every scoring sheet, and it is the final flag we ask everyone to capture. So far, nobody has failed.
The Cyber Resilience Alliance is a public-private partnership established in 2025, led by CypSec, Validato and the County of Mansfeld-Südharz. The Alliance operates a sovereign private-cloud security stack, a shared SOC and a cyber academy, aiming to make Mansfeld-Südharz the reference site for rural cyber resilience by 2030.
Media Contact: Daria Fediay, Chief Executive Officer at CypSec - daria.fediay@cypsec.de.