Decentralized Security Innovation

Lessons from open-source communities.

Mansfeld-Südharz, Germany - October 28, 2025

Why the Alliance treats counties like GitHub repos and what that means for European sovereignty

The first time we submitted a merge request to the Alliance’s governance repo, the commit message was signed off by a county clerk, a 19-year-old apprentice, and a retired chemical-plant engineer who still keeps a stack of 1987 PLC manuals in his garage. That is not a vanity signature; it is the closest cyber security has ever come to a town-hall vote. We borrowed the ritual wholesale from the open-source world because we realised that resilience cannot be franchised like a burger chain—it has to be forked, argued over, and ultimately owned by whoever runs the local compiler. The Cyber Resilience Alliance was never meant to be a single, shiny SOC in the middle of a Saxony-Anhalt field; it was meant to be a protocol that lets any county bootstrap its own node without asking for permission from a boardroom whose nearest server farm is three borders away.

The insight started with a mistake. In early 2024 we invited three multinational vendors to pitch turnkey “cyber valleys” to the county administration. Each presentation ended with the same slide: a branded glass building, a fenced campus, and a concierge who would happily badge you in if you signed a five-year managed-service contract. The politicians liked the renderings, but the local sysadmins asked a quieter question: what happens to our logs when your quarterly numbers dip? The silence that followed was the moment we understood that centralisation is not just a technical risk; it is a narrative killer. If the story ends with “and then we outsourced the problem,” the county becomes a spectator in its own defence. Open source won the argument because it is the only licensing model that makes the customer the landlord instead of the tenant.

We therefore re-wrote the entire procurement philosophy into a single sentence: every artifact we fund must carry a licence that allows any European public body to copy, modify and redistribute without legal review. That sounds trivial until you realise that most cyber vendors still embed cryptographic libraries under export-controlled wrappers, or ship threat-intel feeds whose terms forbid republication. By forcing ourselves to publish under EUPL-1.2 or Apache-2.0 we disqualified roughly 60 % of the commercial landscape on day one, but we also reduced the time-to-fork for a new region from eighteen months to the length of a Git clone. South-Tyrol’s first pilot node was stood up by a two-person team who had never visited Anhalt-Bitterfeld; they simply cloned the repository, translated the Ansible variables into Italian, and opened a pull request that merged three days later. The diff was smaller than the average CSS patch.

Money follows the same logic. Instead of issuing traditional grants, we issue “resilience bounties” tied to merged commits: harden the STIX-sharding algorithm, earn 25 000 €; optimise the deception-grid memory footprint below 2 GB per node, earn another 15 000 €. The bounties are funded out of the Alliance’s R&D envelope, but the payout is processed through the European Investment Bank’s open-source incentive facility, which means the reward is taxable income rather than a procurement contract. That distinction matters because it sidesteps the 200-page tender dossier that normally scares universities and SMEs away from public funding. Since January we have paid fourteen bounties totalling 312 000 € to contributors in seven countries, and every euro was linked to a commit hash that anyone can inspect on GitLab. The largest single recipient was a 21-year-old student in Cluj-Napoca who rewrote the log-normalisation layer in Rust, cutting ingestion latency by 43 %. He never had to fly to a steering-committee meeting; he just had to pass CI and convince two maintainers that the code was merge-worthy.

"The county is no longer a customer; it is a maintainer—lose the commit bit, lose the shield."

Governance itself runs on forks. The canonical “charter.md” sits in a separate repo where merge requests require at least one approval from a public-sector badge and one from a private-sector maintainer. The rule forces dialogue between councils that still print agendas on paper and engineers who think paper is a deprecated output stream. The first controversial fork came when Zeeland province wanted to remove the mandatory German data-classification taxonomy and replace it with the Dutch BIR schema. The discussion thread ran for 187 comments, but the compromise that emerged—a pluggable taxonomy loader—now allows any region to inject its own classification without breaking federation. That is the real product: not a taxonomy, but a habit of negotiated compatibility that scales faster than any central standards body.

Even threat intelligence is decentralised. Instead of a single feed that everyone passively consumes, we run a gossip protocol inspired by BGP: each node announces IOCs it has verified, signed with its own cryptographic identity, and every other node chooses whether to import, downgrade or ignore the signal. The result is a mesh where reputation is earned by accuracy rather than brand size. During the July ransomware wave that hit three packaging plants in Poland, the first reliable indicators came from the smallest node—Krapkowice county with 24 employees—because their engineer had seen a similar SSL certificate fingerprint during a tabletop exercise two weeks earlier. The signature propagated across the mesh in 38 seconds, faster than any commercial feed we were paying for at the time. The episode made it clear that survivability is not proportional to budget; it is proportional to the number of eyes that feel responsible for the code.
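To make the announce/verify/decide cycle described above concrete, here is an added example (not code from the Alliance's repositories) of one node signing an IOC announcement with its Ed25519 identity and a receiving node applying its own local import policy. The message layout, the score threshold of 3 and the feedback weights are assumptions for illustration; Go's standard `crypto/ed25519` package does the signing.

```go
package main

import "crypto/ed25519"

// Announcement is one gossip message: an IOC the sender claims to have
// verified, signed with the sender's own Ed25519 identity (layout assumed).
type Announcement struct{ NodeID, Kind, Indicator string; Sig []byte }

// payload is the canonical byte string under the signature; the NUL separators
// stop a receiver from re-splitting the three fields differently.
func (a Announcement) payload() []byte {
	return []byte(a.NodeID + "\x00" + a.Kind + "\x00" + a.Indicator)
}

// Sign builds an announcement and signs it with the node's identity key.
func Sign(priv ed25519.PrivateKey, node, kind, ioc string) Announcement {
	a := Announcement{NodeID: node, Kind: kind, Indicator: ioc}
	a.Sig = ed25519.Sign(priv, a.payload())
	return a
}

// Peer is what a receiver knows about another node: its pinned public key and
// a reputation score earned from past accuracy, not from the node's size.
type Peer struct{ Key ed25519.PublicKey; Score int }
type Node struct{ Peers map[string]*Peer } // receiver side with its local peer table

// Decide is the receiver's local policy: "ignore" an unknown identity or bad
// signature, "downgrade" a peer below an assumed score of 3, else "import".
func (n *Node) Decide(a Announcement) string {
	p, ok := n.Peers[a.NodeID]
	if !ok || !ed25519.Verify(p.Key, a.payload(), a.Sig) {
		return "ignore"
	}
	if p.Score < 3 {
		return "downgrade"
	}
	return "import"
}

// Feedback moves a peer's score once an indicator proves true or false; a
// false indicator costs twice what a true one earns (weights assumed).
func (n *Node) Feedback(node string, accurate bool) {
	p, ok := n.Peers[node]
	if ok && accurate {
		p.Score++
	} else if ok {
		p.Score -= 2
	}
}
```

A receiver that has never confirmed anything from a peer still accepts its valid signature but keeps the indicator at low confidence; only a record of accurate announcements moves it to full import, which is how a small node can outrank a large one.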

The hardware layer follows the same philosophy. We publish KiCad files for a 199-euro “resilience node” built around a RockPro64 board, an LTE modem and a tamper-resistant chip that stores cryptographic seeds. The bill of materials is sourced entirely from distributors inside the EU, which means no ITAR headaches and no customs delays when a Greek island wants ten units for its harbour authority. The first batch of 200 boards was assembled by hand in a vocational school in Wolfen; the second batch was forked by a hackerspace in Lisbon who added LoRa radios for fishing-fleet coverage. Both variants feed the same federation API, so diversity becomes strength instead of fragmentation. If a supply-chain vulnerability ever hits one chip vendor, the mesh simply routes around the affected hash and keeps gossiping.

What emerges is a new kind of security vendor: not a company but a protocol, not a headquarters but a pull request, not a contract but a commit hash. The county is no longer a customer; it is a maintainer, and the moment it stops maintaining it loses the upstream benefit of everyone else’s labour. That inversion—responsibility as the price of admission—is the single most powerful incentive for continuous hygiene we have found. It also solves the exit problem that plagues every traditional outsourcing deal: if we ever disappear, the code does not vanish with us; it simply keeps running on whoever’s disk it was cloned to. The ultimate decentralised innovation is not technical; it is legal: a licence that makes the supplier redundant.


The Cyber Resilience Alliance is a public-private partnership established in 2025, led by CypSec, Validato and the County of Mansfeld-Südharz. The Alliance operates a sovereign private-cloud security stack, a shared SOC and a cyber academy, aiming to make Mansfeld-Südharz the reference site for rural cyber resilience by 2030.

Media Contact: Daria Fediay, Chief Executive Officer at CypSec - daria.fediay@cypsec.de.
