BSidesLuxembourg 2026

Event Strategy & Structure

Core Mission: A 2-day, open-floor "village" dedicated to exploring real-world security risks in Agentic AI, Model Context Protocol (MCP) architectures, and LLM workflows.

Alignment: All content and threat models are strictly aligned with OWASP guidance (LLM Top 10 & AI Security Exchange).

Dynamic Flow: Unlike traditional linear training, this is an exploratory space. The schedule is fluid; organizers will pivot topics, attack scenarios, and deep dives in real-time based on what attendees find most interesting.

Village Logistics

Open Access: The village runs continuously for two days with no fixed start/stop times.
Drop-in Format: Attendees are free to enter, observe, leave, and return at will. This supports the casual, "hallway con" culture of BSides events.
Parallel Tracks: Multiple activities (demos, labs, discussions) happen simultaneously, allowing for natural scaling of depth from beginner to advanced levels.

Organizer Responsibilities (The Blue Team/Red Team)

Live Operations: Organizers act as facilitators, maintaining intentionally vulnerable infrastructure (LLMs, RAG pipelines, Autonomous Agents, MCP Servers).

Interactive Walkthroughs: Instead of formal talks, organizers provide short, continuous breakdowns of attacks, explaining why a specific trust boundary failed or how a design choice created a vulnerability.

Adaptive Defense: Based on audience feedback, organizers will live-patch systems or remove mitigations to demonstrate how security controls impact attack feasibility.

Attendee Experience (The Red Team)
Hands-on Exploitation: Attendees can directly interact with deployed systems to attempt prompt injection, logic-based attacks, and tool abuse.
Feedback Loop: Attendees actively shape the curriculum by voting on which systems to attack next or requesting deeper focus on specific failure modes.
Collaborative Defense: A key component is discussing defenses; attendees can propose architecture changes or guardrails, which organizers can discuss or implement live.

Hands-on Labs & Infrastructure
Self-Paced Playgrounds: Dedicated stations will run continuously for independent learning.
Dreadnode Crucible: Focuses on practical exploitation of LLMs and agents.
Lakera Gandalf / Agent Breaker: Gamified challenges covering prompt injection, goal hijacking, and instruction drift.
Purpose: These labs ensure that even if the live demo is advanced, beginners have a place to start learning fundamentals.

Agenda:

Breaking LLM Systems
Theme: Fundamentals of LLM vulnerabilities and the OWASP LLM Top 10.
Live Targets: Minimalist LLM deployments and chat interfaces.
Deep Dives:
Guardrails: Examining internal mechanics and demonstrating how to bypass practical limitations.
RAG Security: attacking Vector Databases and poisoning retrieval contexts (RAG-specific threats).

Agenda: Agentic AI & MCP Security
Theme: The core focus of the village—Autonomous Agents and the Model Context Protocol (MCP).
Complex Workflows: Demos will feature multi-step agents that can plan, execute, and interact with external tools.
Key Attack Vectors:
Instruction Hijacking: Forcing an agent to deviate from its original goal.
Tool Abuse: Exploiting over-privileged MCP capabilities (e.g., an agent with unrestricted file access).
Trust Boundaries: Analyzing failures in the handshake between Agents and MCP servers.