2025-10-21, Europe
CSIRT.SK’s cybersecurity approach emphasizes proactive vulnerability management through Achilles, a system that performs non-invasive scanning of public administration systems to detect security flaws while minimizing disruption. This model enables continuous risk assessment without impacting system availability, in line with NIS2. To make the assessments threat-driven, CSIRT.SK integrates cyber threat intelligence, mapping active threat campaigns to the vulnerabilities they are known to exploit. This fusion of CTI and vulnerability scanning enables targeted security enhancements and faster mitigation of emerging threats.
A further key NIS2 innovation at CSIRT.SK and within its constituency is structured vulnerability disclosure, where public organizations must publish clear guidelines for reporting security issues. This shifts responsibility from researchers to system operators, ensuring efficient triage and response while fostering trust with security researchers.
The presentation showcases Slovakia’s model of non-invasive scanning, contrasts it with alternative approaches, and provides actionable insights for CSIRT teams on scalable vulnerability assessment, ethical hacking engagement, and intelligence-driven security operations.
The NIS2 directive allows CSIRTs to carry out active, non-intrusive scanning of the publicly accessible networks and information systems of entities in their constituency. In Slovakia, proactive vulnerability scanning is already a cornerstone of the government unit CSIRT.SK’s activities within its constituency, exemplified by the Achilles project. The recently amended Slovak Cybersecurity Act further clarifies that all CSIRT units have the legal authority to conduct non-invasive vulnerability detection and assessments within their scope. These assessments must explicitly avoid negative impacts on the networks, systems, or services being evaluated, maintaining a balance between proactive security and minimal disruption.
From the perspective of the Slovak CSIRT.SK, Poland's draft Cybersecurity Act implementing NIS2 introduces a more invasive approach, allowing Polish CSIRTs to bypass system protections during security assessments, which resembles red teaming. For Slovakia to conduct similar assessments, three things would be essential: a clear legal framework (mandates, consent protocols, and GDPR compliance), technical capabilities (secure testing environments and skilled personnel), and organizational structures (governance, risk management, and cooperation protocols).
In the area of coordinated vulnerability disclosure mandated under Article 12 of NIS2, Slovak law already obliges public organizations to publish rules for reporting vulnerabilities on their website. The point of this regulation is that it does not directly oblige researchers; it obliges the entities responsible for operating public administration information systems and technologies. They must publish rules on how security research may be carried out on their systems and the procedure for responsible publication of vulnerabilities. We believe a framework policy for responsible vulnerability disclosure should be issued as a generally binding legal act. In addition, proper reporting channels should be used. For this purpose the security.txt concept (RFC 9116) can be applied: a machine-readable file served at /.well-known/security.txt that states at least a Contact and an Expires date, and optionally the disclosure Policy, Preferred-Languages and Encryption key.
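A CSIRT that asks its constituency to publish security.txt will also want to verify that what gets published is usable. The following Python checker is an added example, not CSIRT.SK's or Achilles' code: it parses a security.txt body and flags the problems RFC 9116 makes mandatory or recommends (missing Contact or Expires, repeated single-valued fields, non-URI contacts, an expired or far-future Expires, non-HTTPS policy links). The two sample files and the domain example.gov.sk are constructed for the example.

```python
"""Parse and sanity-check a security.txt file (RFC 9116).

Added example for verifying a published vulnerability-reporting channel.
The sample files below are constructed; example.gov.sk is a placeholder.
"""
from __future__ import annotations

from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

REQUIRED = {"Contact", "Expires"}
SINGLE_VALUED = {"Expires", "Preferred-Languages"}
KNOWN = REQUIRED | SINGLE_VALUED | {
    "Encryption", "Acknowledgments", "Canonical", "Policy", "Hiring", "CSAF",
}
CONTACT_SCHEMES = ("mailto:", "tel:", "https://")


def parse_security_txt(text: str) -> Dict[str, List[str]]:
    """Return field name -> list of values (comments and blank lines skipped).

    RFC 9116 field names are case-insensitive, so they are normalised to the
    capitalisation used in KNOWN; lines without a colon are kept as malformed.
    """
    canon = {k.lower(): k for k in KNOWN}
    fields: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            fields.setdefault("__malformed__", []).append(line)
            continue
        name, value = line.split(":", 1)
        name = canon.get(name.strip().lower(), name.strip())
        fields.setdefault(name, []).append(value.strip())
    return fields


def check_security_txt(text: str, now: Optional[datetime] = None) -> List[str]:
    """Return a list of problems; an empty list means the file passes."""
    now = now or datetime.now(timezone.utc)
    fields = parse_security_txt(text)
    problems: List[str] = []
    for line in fields.pop("__malformed__", []):
        problems.append(f"malformed line: {line!r}")
    for name in sorted(REQUIRED - fields.keys()):
        problems.append(f"missing required field {name}")
    for name in sorted(SINGLE_VALUED):
        if len(fields.get(name, [])) > 1:
            problems.append(f"{name} must appear at most once")
    for name in fields:
        if name not in KNOWN:
            problems.append(f"unknown field {name}")
    for value in fields.get("Contact", []):
        if not value.lower().startswith(CONTACT_SCHEMES):
            problems.append(f"Contact is not a mailto:/tel:/https: URI: {value}")
    for value in fields.get("Expires", [])[:1]:
        try:
            expires = datetime.fromisoformat(value.replace("Z", "+00:00"))
        except ValueError:
            problems.append(f"Expires is not an RFC 3339 timestamp: {value}")
            continue
        if expires.tzinfo is None:
            problems.append("Expires lacks a time zone")
        elif expires <= now:
            problems.append(f"file expired on {value}")
        elif expires - now > timedelta(days=366):
            problems.append("Expires is more than a year away (RFC 9116 recommends under one year)")
    # Policy and Canonical are web URIs and must be served over HTTPS.
    for value in fields.get("Canonical", []) + fields.get("Policy", []):
        if not value.lower().startswith("https://"):
            problems.append(f"non-HTTPS URI: {value}")
    return problems


# Constructed sample: a conforming file.
GOOD_FILE = """# security.txt of a fictitious public body
Contact: mailto:security@example.gov.sk
Contact: https://example.gov.sk/vulnerability-report
Expires: 2026-06-30T23:59:00.000Z
Preferred-Languages: sk, en
Policy: https://example.gov.sk/vdp
Canonical: https://example.gov.sk/.well-known/security.txt
"""

# Constructed sample: bare e-mail address, two Expires lines (the first already
# past), and a field RFC 9116 does not define.
BAD_FILE = """Contact: security@example.gov.sk
Expires: 2024-01-01T00:00:00Z
Expires: 2025-01-01T00:00:00Z
Preferred-Languages: sk
Telephone: see website
"""

if __name__ == "__main__":
    for label, body in (("good", GOOD_FILE), ("bad", BAD_FILE)):
        print(label, check_security_txt(body) or "OK")
```

The checker deliberately stops at syntax and dates; whether the mailto: address actually reaches a triage queue is something the CSIRT still has to test by sending a report.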
The vulnerability assessment process is intertwined with cyber threat intelligence, because it relies on up-to-date insight into emerging threats and adversary tactics. Threat intelligence analysts populate MISP (the Malware Information Sharing Platform) with data on threat actors, their tactics, techniques, and procedures (TTPs), and the known vulnerabilities exploited in active campaigns. The vulnerability assessment team uses this intelligence to prioritize assessments, focusing on specific threat actor campaigns and the vulnerabilities they exploit, so that the findings with a known, active exploitation path are handled before those ranked high by severity score alone.
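The fusion described in the opening paragraph and here can be shown as a small prioritisation step. The following Python is an added example, not Achilles' code and not MISP's own API: it indexes the `vulnerability` attributes of MISP events (in the JSON shape a MISP event export has) by CVE, records which threat actors, threat level and recency each CVE is tied to, and re-ranks scan findings so that a medium-CVSS flaw used in a current high-threat campaign outranks a critical-CVSS flaw with no known campaign. The events, findings, hostnames, actor names and CVE numbers (CVE-2099-...) are constructed placeholders.

```python
"""Prioritise scan findings with MISP threat intelligence.

Added example of CTI-driven vulnerability assessment. The MISP events and
scan findings are constructed sample data; actor names and CVE numbers
(CVE-2099-xxxx) are fictitious placeholders.
"""
from __future__ import annotations

from datetime import date, timedelta
from typing import Dict, List, Optional

# Constructed events in the JSON shape of a MISP event export, trimmed to the
# keys used here. threat_level_id: 1 = High, 2 = Medium, 3 = Low, 4 = Undefined.
MISP_EVENTS = [
    {"Event": {
        "info": "Campaign against edge devices (constructed)",
        "date": "2025-10-15",
        "threat_level_id": "1",
        "Tag": [{"name": 'misp-galaxy:threat-actor="Actor Alpha (fictitious)"'}],
        "Attribute": [
            {"type": "vulnerability", "value": "CVE-2099-0001"},
            {"type": "ip-dst", "value": "192.0.2.10"},
        ],
    }},
    {"Event": {
        "info": "Old commodity malware wave (constructed)",
        "date": "2024-01-10",
        "threat_level_id": "3",
        "Tag": [{"name": 'misp-galaxy:threat-actor="Actor Beta (fictitious)"'}],
        "Attribute": [{"type": "vulnerability", "value": "CVE-2099-0002"}],
    }},
]

# Constructed findings as a non-invasive scanner might report them.
SCAN_FINDINGS = [
    {"host": "portal.example.gov.sk", "cve": "CVE-2099-0001", "cvss": 7.2},
    {"host": "mail.example.gov.sk", "cve": "CVE-2099-0002", "cvss": 9.8},
    {"host": "portal.example.gov.sk", "cve": "CVE-2099-0003", "cvss": 8.1},
]

ACTOR_TAG = "misp-galaxy:threat-actor="


def index_exploited_cves(events: List[dict], today: Optional[date] = None,
                         active_days: int = 90) -> Dict[str, dict]:
    """Map CVE id -> {actors, high_threat, active} from MISP vulnerability attributes.

    A CVE counts as 'active' if any event carrying it is dated within
    active_days of today, and 'high_threat' if any such event has threat level High.
    """
    today = today or date.today()
    idx: Dict[str, dict] = {}
    for wrapper in events:
        ev = wrapper["Event"]
        actors = {
            t["name"].split("=", 1)[1].strip('"')
            for t in ev.get("Tag", []) if t["name"].startswith(ACTOR_TAG)
        }
        active = today - date.fromisoformat(ev["date"]) <= timedelta(days=active_days)
        high = ev.get("threat_level_id") == "1"
        for attr in ev.get("Attribute", []):
            if attr["type"] != "vulnerability":
                continue
            entry = idx.setdefault(attr["value"].upper(),
                                   {"actors": set(), "high_threat": False, "active": False})
            entry["actors"] |= actors
            entry["high_threat"] |= high
            entry["active"] |= active
    return idx


def prioritise(findings: List[dict], intel: Dict[str, dict]) -> List[dict]:
    """Rank findings: CVSS, +3 if exploited in any campaign, +2 if that campaign
    is active, +1 if it is rated High. Returns findings sorted by descending score."""
    ranked = []
    for f in findings:
        hit = intel.get(f["cve"].upper())
        score, reasons = f["cvss"], []
        if hit:
            score += 3
            reasons.append("exploited in a known campaign")
            if hit["active"]:
                score += 2
                reasons.append("campaign active within window")
            if hit["high_threat"]:
                score += 1
                reasons.append("high threat level")
        ranked.append({**f, "score": round(score, 1),
                       "actors": sorted(hit["actors"]) if hit else [], "reasons": reasons})
    ranked.sort(key=lambda r: (-r["score"], r["host"], r["cve"]))
    return ranked


if __name__ == "__main__":
    for row in prioritise(SCAN_FINDINGS, index_exploited_cves(MISP_EVENTS)):
        print(f'{row["score"]:5}  {row["host"]:24} {row["cve"]}  {row["actors"]}  {row["reasons"]}')
```

The weights are illustrative; what matters is that the ranking is driven by fields the CTI team already maintains in MISP (event date, threat level, actor galaxy tags), so the assessment team never has to re-derive the campaign context by hand.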
The presentation examines how these approaches serve the broader goals of proactive cybersecurity and security research while addressing the challenges of harmonization and of trust in public-private partnerships. It concludes with recommendations for CSIRTs on balancing proactive assessments with legal and ethical considerations: developing clear testing policies, ensuring transparency with affected entities, and fostering collaboration through secure information-sharing frameworks.
Michal is a lawyer at the Slovak Government CSIRT unit (CSIRT.SK), where he provides legal advice on cybersecurity and regulation. He is a PhD student and lecturer at the Institute of Information Technology and Intellectual Property Law at the Faculty of Law of Comenius University in Bratislava.
Michal is the author of several scientific articles on information technology law and cybersecurity, and co-author of the university textbook "Law and Artificial Intelligence". In his practice and academic research he focuses on cybersecurity, AI and criminal law. He is a member of the ISACA Slovakia Chapter and a certified Cyber Security Manager.
Alexander is Head of the Analytical Department at the Government Unit CSIRT.SK at the Ministry of Investment, Regional Development and Informatization of the Slovak Republic. He focuses on network security and security monitoring and has worked at CSIRT.SK since 2021. He teaches the basics of network technologies at the Faculty of Informatics and Information Technologies of the Slovak University of Technology (STU) in Bratislava.