Secure-Coding Hackathon

48 Hours to build NIS2-compliant apps.

Mansfeld-Südharz, Germany - December 10, 2025

An open invite to break, build and badge your code inside the county that turns policy into compile-time warnings

The doors of Hall 12 will open at 18:00 sharp on Friday, 14 March 2026, and close again forty-eight hours later with the same mechanical finality that once sealed the shift at the Buna rubber works. This time, however, the product is not synthetic tyres but synthetic trust: small teams must ship a working micro-service that survives a live red-team, a compliance lint-suite and a sovereign-cloud deployment gate before the clock runs out. No slides, no pitch decks, no mercy—only the code you commit and the logs you leave behind. We call it the Secure-Coding Hackathon, but the branding is less important than the constraint: every line must be explicable to an auditor who has never written a function, and every dependency must be traced to an EU-hosted repository whose GPG keys are pinned in policy-as-code. If that sounds harsh, remember that NIS2 will fine your future employer four percent of global turnover for the kind of shortcut that earns you a coffee here; the weekend is simply the dress rehearsal.

The architecture brief is deliberately boring: a ticket-reservation API that lets users hold, pay and refund seats for a regional theatre. The threat model is not. Each team receives a sealed envelope containing the adversary’s shopping list: privilege escalation on the payment callback, secret leakage through env-vars, dependency confusion in the CI pipeline, and a timed ransomware note that will drop if the service reloads slower than three seconds. These are not theoretical puzzles; they are sanitised incidents that occurred in European cultural institutions during 2024, donated to us under non-disclosure and replayed on an isolated k3s cluster whose nodes live on renewable power in the same cooling ducts that once carried ethylene. Contestants therefore code under the cognitive weight of real consequence—every failed health check triggers an actual pager, every mis-pushed secret is harvested by a volunteer purple-team who immediately opens a GitHub issue tagged “regulatory breach”. The effect is pedagogical adrenaline: within the first six hours last year, one group rewrote their entire OAuth flow because the linter warned that PASETO was acceptable but JWT with RS256 without key rotation was not; they later admitted they had never read an RFC until the CI gate refused to green-light their pipeline.

Compliance is not a slide—it is a stage. The build environment runs inside a confidential-computing enclave provided by the county’s new sovereign-cloud zone, which means that memory dumps are encrypted at the hardware level and the purple-team cannot exfiltrate source even if they wanted to. Contestants must declare their data model in a machine-readable GDPR manifest that the cluster automatically translates into SQL policies: if you forget to tag the “email” column as “special-category”, the schema simply refuses to migrate and the red-team gains an instant kill-point. The same mechanism enforces NIS2 supply-chain rules: any container image without a signed SBOM attesting SLSA level-2 is rejected by the admission controller, forcing teams to recompile base images rather than pulling convenience layers from Docker Hub. By Saturday noon, most tables are littered with the same realisation: security is not a feature you add at the end; it is a build-breaker you satisfy before the next coffee, exactly the rhythm that production will demand of them once NIS2 enters national statute in October 2026.

Sunday morning introduces the final twist: a live incident war-room. Organisers replay a tailored ransomware variant that encrypts the cluster’s persistent volume and demands a Monero ransom. Teams must coordinate recovery using playbooks they authored overnight, while a public clock streams the outage duration to a mock press room staffed by journalism students who fire GDPR questions every fifteen minutes. The exercise ends when the last user transaction is verifiably restored and the county’s data-protection officer signs a legally binding incident report that the students themselves drafted. Last year the fastest recovery took four hours and thirty-seven minutes; the slowest exceeded eight and was ruled a regulatory failure, earning applause anyway because the post-mortem was so candid that the DPO later admitted it helped her refine the real county contingency plan.

"We do not test whether you can build secure code; we test whether you can still explain it after it has been broken."

Winners are decided by a scoring function that weights code quality (30 %), recovery time (25 %), audit trail completeness (20 %), and post-mortem clarity (25 %). There is no single heroic exploit; the podium goes to the team that best balances velocity, verifiability and honesty. Prizes are intentionally vocational: a twelve-month mentorship with the Alliance’s senior architects, guaranteed desk space in the county’s upcoming Secure-Tech Incubator, and a fast-track interview for the EU Cyber-Security Reserve pilot intake. No venture capital, no glossy cheques—just a direct corridor into paid work that continues the same muscle memory they exercised over the weekend. Remarkably, every participant leaves with a badge that is recognised by the local IHK as evidence of “advanced secure-programming competence,” a credential that exempts graduates from the theory portion of the ISO 27001 Lead Implementer exam and counts toward the 120 CPD hours required for German CISSP equivalency.

Applications open on 1 December 2025 and close once 120 coders have passed the two-stage screening: an automated CTF that tests basic secure-coding hygiene and a short essay explaining how they would handle a coercive ransom demand directed at their own family business. We do not care about GPAs; we care about temperament under pressure and the willingness to document mistakes in public. If that sounds like you, bring a sleeping bag, a toothbrush and a GPG key that you are prepared to stake your reputation on. The factory gates will clang shut at 18:00 on 14 March; forty-eight hours later they will reopen to release not just tired bodies but a small cohort of engineers who have already lived through the failure modes that NIS2 will fine the rest of Europe for ignoring. The rubber that leaves this plant will not roll on roads; it will wrap around the continent’s next generation of code, elastic enough to absorb shock, transparent enough to let auditors see every seam.


The Cyber Resilience Alliance is a public-private partnership established in 2025, led by CypSec, Validato and the County of Mansfeld-Südharz. The Alliance operates a sovereign private-cloud security stack, a shared SOC and a cyber academy, aiming to make Mansfeld-Südharz the reference site for rural cyber resilience by 2030.

Media Contact: Daria Fediay, Chief Executive Officer at CypSec - daria.fediay@cypsec.de.
