Glen Sorensen
Glen Sorensen is a Recovering CISO/vCISO-Type and is presently a Solutions Engineer with DeleteMe. He has worn numerous hats in his career, in areas such as security engineering and architecture, security operations, GRC, and leadership, including leading the security program for a credit union and for smaller organizations in a fractional role. He currently focuses on how exposed information and OSINT are weaponized in conjunction with AI toward social engineering attacks, and how that factors into greater enterprise cyber risk.
Glen approaches problems with practical solutions that bring good business value and has worked across many sectors, including financial services, healthcare, manufacturing, and others. He has served as a consulting expert in a large legal case involving healthcare and cyber attack detection technology. He has been in IT and security for 20+ years, depending on how much misspent youth you count. He is a privacy geek and a sucker for a good tabletop exercise, and also serves as an Incident Master for HackBack Gaming, which puts his countless hours of roleplaying game experience to work teaching people about cybersecurity and incident response.
Sessions
Incident response isn't just about knowing your tools - it's about coordinating under pressure, communicating when things go sideways, and making calls with incomplete information. Traditional training focuses on isolated techniques, missing the collaborative reality of actual incidents. And most tabletop exercises? Painfully dull. Participants zone out, give checkbox answers, and leave having learned little.
This workshop introduces Malware & Monsters (https://malwareandmonsters.com), a framework that turns IR training into something people actually enjoy. Think tabletop role-playing meets creature-collection mechanics, where teams "hunt and contain" digital threats through story-driven gameplay.
Game-based learning works - research shows it beats traditional instruction for skill building and retention. M&M makes participants actively discover concepts instead of sitting through lectures. Scenarios include organizational pressures, evolving threats, and stakeholder drama, turning abstract security concepts into tangible problems.
You'll experience the full methodology: learn the mechanics, build custom scenarios based on real malware families (mapped to MITRE ATT&CK), and run live simulations. Participants take specialized roles - Hunter, Analyst, Forensicator, Communicator, Coordinator, or Researcher - experiencing how security functions actually collaborate during incidents.
The framework includes legacy malmons from malware history—because history always repeats itself, and understanding past threats reveals patterns in current attacks. The "type effectiveness" system teaches strategic thinking about matching defenses to threats. Evolution mechanics show how attacks escalate when containment fails.
Participants walk away with ready-to-use materials and facilitation techniques for training that actually works.
Best of all? M&M is free to play in most cases.
You've identified the vulnerability, tested the exploit, and written the report. But they just don’t see the urgency. Now what? This 4-hour, hands-on workshop bridges the gap between technical mastery and boardroom influence. We'll move beyond simply reporting risks to crafting compelling narratives, quantifying value, and building the relationships necessary to drive meaningful security improvements.
This isn't your typical "compliance" training. We'll delve into the psychology of decision-making, explore adversarial communication tactics (used against you), and arm you with practical strategies to become a trusted advisor who can effectively advocate for security and get things done.
Tired of security training that puts your team to sleep? What if I told you the most powerful training tool in cybersecurity has been sitting in your game room all along? Welcome to the world of game-based learning, where the proven power of play transforms how professionals master complex skills.
Research shows that humans learn best when working together, yet traditional training methods keep pushing isolated, theoretical learning. Game-based learning flips this approach on its head, creating environments where people forget about office politics and actually engage with the material. Through structured play and collaborative storytelling, participants don't just memorize concepts—they live them, breaking down professional barriers and building genuine understanding through experience.
I'll show you the compelling evidence behind why using roleplaying games works, and demonstrate how to transform resistant learners into engaged participants. Using compelling examples, you'll discover how tabletop role-playing mechanics can turn your most challenging training scenarios—from incident response to zero trust architecture—into adventures your team actually looks forward to.
Join me to learn why adding roleplaying games to your professional development isn't just about making training fun—it's about making it work.
Every day, millions of data points about YOU, whether public, leaked, scraped, or sold, quietly feed into a largely legal ecosystem of personal information. For modern threat actors, Artificial Intelligence (AI) is no longer just a buzzword; it is a tool used to weaponize this data at scale against both individuals and their organizations. What once required a non-trivial skillset in OSINT and social engineering can now be executed by anyone with a prompt and a scraped data set (or worse, an autonomous team of AI agents).
This talk explores the intersection of privacy and offensive security, demonstrating how exposed personal information is harvested and amplified by AI to create highly convincing phishing, deepfake scams, and automated fraud. We will break down how your digital footprint becomes an attack surface and build a defensive strategy to counter it.
We will focus on helping individuals and security leaders identify the human exposure, human attack surface, and cyber risk. We will tie this into Cyber Threat Intelligence (CTI), with actionable techniques for the individual and the SOC alike. We’ll discuss practical tips to deal with exposure, limit data leakage, and spot AI-driven targeting, and explore actionable privacy practices, such as email masking, and ways to operationalize techniques and services to exercise your GDPR right to be forgotten. Attendees will leave with a clear understanding of the emerging threat landscape and the defensive techniques to remove or reduce the "fuel" attackers use, so that individuals and organizations can protect themselves.