Real stories from the Cyber Resilience Alliance's first pilot year.
Mansfeld-Südharz, Germany - November 10, 2025
The invitation asked for “war stories, not vanity metrics” and the audience—mostly plant managers, practice managers and one municipal CFO—leaned forward when the lights dimmed. Over the next ninety minutes the speakers forgot the microphones and simply talked across the stage, passing a battered Lenovo laptop that still carried a cracked sticker reading “Living Lab #03.” What emerged was not a parade of ROI slides but a single, continuous narrative about how sovereignty is soldered together in real ducts, real budgets and real collective-bargaining agreements. The following account is stitched from their verbatim transcripts, the only editing being the removal of overlapping sentences and the occasional curse word that the county’s streaming service politely beeped out.
The first voice belonged to Bettina Rohde, operations director at SK-Armaturen GmbH, a family-owned valve manufacturer in Sandersdorf-Brehna that employs 118 people and supplies refineries from Rotterdam to Constanța. SK joined the Alliance in February 2025 because a major customer had added a NIS-2 compliance clause to every purchase order and the company’s existing IT contract capped out at antivirus renewal. Within six weeks the plant’s forty-year-old PLC cabinets were mirrored into a shadow network that runs inside the Alliance’s sovereign cloud, feeding telemetry through a one-directional optical tap Rohde’s team built from off-the-shelf fibre converters and a 3-D-printed bracket that now lives in the plant’s small museum of improvised tooling. The breakthrough, she said, was not technical but contractual: instead of buying licences, SK purchased “federation hours” that could be spent on training, penetration tests or raw compute depending on what the auditors asked for first. When the auditors did arrive in September they spent half a day inside the deception grid, mistaking the honeypot SCADA for the real line and logging seventeen procedural deviations that would never have surfaced against the physical plant. Rohde still laughs at the memory: “We got a clean report and a free red-team exercise for the same invoice.” The only component that failed was the legacy frequency converter whose Modbus firmware could not tolerate the extra three-millisecond jitter introduced by the optical splitter; the Alliance replaced it with a five-hundred-euro industrial gateway and the line was back within the shift. She closed her segment with a piece of advice that became the unofficial motto of the evening: “Start with the cable tray—if you cannot trace the copper, you cannot trade the risk.”
Next came Dr. Franziska König, deputy medical director at Helios Städtisches Klinikum Dessau, a 670-bed hospital that handles everything from routine appendectomies to stroke airlifts for northern Saxony-Anhalt. The hospital entered the pilot because ransomware had already encrypted the patient-administration server during the 2024 autumn holidays and the board wanted a solution that did not involve paying consultants every time a new variant appeared. The technical stack was familiar—immutable backups, network micro-segmentation, identity federation with the state’s health-card authority—but the organisational layer was not. König described how the Alliance’s policy-as-code repository became the informal bargaining table between IT, doctors and the works council: every firewall rule was written in Rego and checked into GitLab where clinicians could comment, suggest exceptions or veto ports that would break medical devices. The first pull request took eleven days and 47 comments to merge, but once the anaesthesia department realised they could block Windows-update traffic during surgery hours without filing a ticket, the tone shifted from scepticism to competitive optimisation. The incident that convinced the board arrived in July, when a phishing email spoofed the hospital’s payroll provider and attempted to route salaries to Bulgarian accounts. The forged domain was live for exactly six minutes—long enough for the Alliance’s passive-DNS sensor to harvest the certificate, compare it against the hospital’s legitimate TLS key and trigger an automated revocation that landed in the payroll team’s Slack before anyone had clicked.
König’s eyes still widen when she tells the story: “The fastest human response was four minutes, the machine beat us by two, and nobody missed a salary run.” The hospital now pays roughly 0.7 percent of its annual IT budget in federation dues, a line item König defends by translating prevented incidents into intensive-care beds: “One cancelled ransomware case equals three ventilators we don’t have to replace.”
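The detection sequence König describes, a passive-DNS sensor noticing a name that resembles the payroll provider's domain and checking the public key in the certificate served there against the provider's known key, as an added example that is not the Alliance's or the hospital's own code. The provider domain `lohn-partner.example`, the SPKI fingerprints, the observation format and the alert actions are all constructed for this demonstration; a real sensor would compute the SubjectPublicKeyInfo hash from the harvested certificate and hand the alerts to a chat or ticketing integration rather than return them from a function. The key comparison is what separates an impostor from a legitimate new hostname of the same provider: a lookalike name that serves the provider's own key is treated as a low-severity alias for review, while one that serves a different key is treated as impersonation.

```python
"""Lookalike-domain and certificate-key check over passive-DNS observations.

Added example; not code from the Cyber Resilience Alliance or the hospital.
Domain names, fingerprints and the observation format are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed: the hospital's legitimate payroll provider and the SHA-256 of the
# SubjectPublicKeyInfo from its real TLS certificate (placeholder hex).
PROTECTED = {
    "lohn-partner.example": "a1b2" * 16,
}

# Constructed passive-DNS observations; "spki_sha256" is the fingerprint the
# sensor harvested from the certificate served at that name.
OBSERVATIONS = [
    {"ts": "2025-07-14T08:02:11Z", "name": "www.lohn-partner.example", "spki_sha256": "a1b2" * 16},
    {"ts": "2025-07-14T08:03:40Z", "name": "lohn-partner-portal.example", "spki_sha256": "beef" * 16},
    {"ts": "2025-07-14T08:04:02Z", "name": "lohnpartner.example", "spki_sha256": "c0de" * 16},
    {"ts": "2025-07-14T08:05:15Z", "name": "unrelated-clinic.example", "spki_sha256": "dead" * 16},
    {"ts": "2025-07-14T08:06:09Z", "name": "lohn-partner.example", "spki_sha256": "f00d" * 16},
    {"ts": "2025-07-14T08:07:31Z", "name": "lohn-partner-login.example", "spki_sha256": "a1b2" * 16},
]


@dataclass
class Alert:
    ts: str
    name: str
    kind: str    # "impersonation", "key-mismatch" or "alias"
    action: str  # constructed response label for the demo


def registrable_label(name: str) -> str:
    """Label directly left of the suffix (single-label public suffix assumed)."""
    parts = name.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance; small enough for per-observation use."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(label: str, protected_label: str) -> bool:
    """True for near-misses (typos, dropped hyphen) or the protected label
    embedded inside a longer one such as 'lohn-partner-portal'."""
    if label == protected_label:
        return False
    if levenshtein(label, protected_label) <= 2:
        return True
    return protected_label.replace("-", "") in label.replace("-", "")


def evaluate(observations: list[dict], protected: dict[str, str] = PROTECTED) -> list[Alert]:
    """Classify each observation against every protected domain."""
    alerts: list[Alert] = []
    for obs in observations:
        name = obs["name"].lower().rstrip(".")
        label = registrable_label(name)
        for pdomain, pinned_key in protected.items():
            same_domain = name == pdomain or name.endswith("." + pdomain)
            key_matches = obs["spki_sha256"] == pinned_key
            if same_domain:
                # Our own name serving a foreign key: hijack or unannounced rotation.
                if not key_matches:
                    alerts.append(Alert(obs["ts"], name, "key-mismatch", "verify-rotation"))
            elif is_lookalike(label, registrable_label(pdomain)):
                if key_matches:
                    # Same key as the provider: probably their own new hostname.
                    alerts.append(Alert(obs["ts"], name, "alias", "review"))
                else:
                    alerts.append(Alert(obs["ts"], name, "impersonation", "block-and-notify-payroll"))
    return alerts


if __name__ == "__main__":
    for a in evaluate(OBSERVATIONS):
        print(f"{a.ts} {a.kind:14} {a.name:30} -> {a.action}")
```

Run against the constructed feed, the two forged names are flagged as impersonation, the provider's own domain serving an unknown key is flagged for rotation verification, and the lookalike that carries the provider's key is only queued for review; the unrelated clinic domain produces nothing.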
The final speaker, Marcin Lewandowski, founder of the Polish cloud provider NetSilesia, brought a different cadence—he spoke in measured paragraphs about latency arbitrage and export-control compliance, but the emotional core was identical. NetSilesia joined because German customers kept asking for a “sovereign option” that could still peer with AWS and Azure without crossing jurisdictional boundaries. The Alliance offered a federation gateway: a Kubernetes cluster that runs inside NetSilesia’s Gliwice data centre but inherits the same policy-as-code artefacts, the same key-management schema and the same audit language used in Anhalt-Bitterfeld. The technical trick is a mutually signed CRADA that treats the Polish facility as a logical extension of the German node, so data classified as “RESTRICTED” under German law never leaves the cluster, while less sensitive telemetry is mirrored into the shared threat lake. Lewandowski described the moment he realised the arrangement had crossed from pilot to product: a German valve manufacturer—ironically a supplier to SK-Armaturen—requested a disaster-recovery drill that assumed the complete loss of the primary plant. The failover completed in six minutes and forty-three seconds, with all virtual machines rehydrated in Silesia and all cryptographic identities reissued under the same German root CA. The customer’s CFO later calculated that the federated setup saved them 180 000 € in duplicate licensing because the sovereignty layer was already baked into the federation fee. Lewandowski’s takeaway was blunt: “Sovereignty is not a location; it is a contract you can compile.”
When the house lights came up, the audience had one collective question: what broke? The answers were refreshingly minor. Rohde admitted that the first optical splitter was installed backwards and took the plant offline for twelve minutes—long enough for the night shift to invent a new dialect of profanity. König confessed that the GitLab interface scared senior physicians until someone painted the hospital logo on the login page, a placebo that reduced support tickets by half. Lewandowski revealed that the initial TLS handshake between jurisdictions failed because the Polish system still preferred Camellia cipher suites abandoned by the German nodes in 2022; a one-line edit in the Envoy proxy fixed it, but the debugging session produced a merge request now cited in training slides as “the fifty-euro comma.” Those scars, openly shared, did more to build trust than any compliance certificate could. By the time the county’s economic minister closed the session, the sign-up sheet for next year’s pilot round carried forty-three fresh names, all written in the same blue ink that once recorded shift schedules in the chemical plant. The bicycle, it seems, is still gathering speed.
The Cyber Resilience Alliance is a public-private partnership established in 2025, led by CypSec, Validato and the County of Mansfeld-Südharz. The Alliance operates a sovereign private-cloud security stack, a shared SOC and a cyber academy, aiming to make Mansfeld-Südharz the reference site for rural cyber resilience by 2030.
Media Contact: Daria Fediay, Chief Executive Officer at CypSec - daria.fediay@cypsec.de.