Topics at hackathon.lu
Topics and Projects at hackathon.lu 2025
A series of topics are available for Hackathon 2025, along with potential task ideas. This list will be regularly updated based on feedback and the projects joining the event.
Cyber Threat Intelligence
Explore innovative ways to collect, analyze, and share threat intelligence to enhance cyber defenses and facilitate proactive responses to evolving threats.
Task - Improve the visualisation of MISP taxonomies and galaxies and make it accessible to a larger community.
| Task CTI-VIS-INFO |
|---|
| Improve the visualisation of MISP taxonomies and galaxies and make it accessible to a larger community. |
| Task Lead: MISP Project - taxonomies and galaxy maintainers |
| References: https://www.misp-galaxy.org/, https://github.com/MISP/misp-galaxy/, https://github.com/MISP/misp-taxonomies |
Task - Add MISP workflow action to send messages to nextcloud chat
| Task MISP-WORKFLOW-NEXTCLOUD-CHAT |
|---|
| Task Lead: Jeroen Pinoy - MISP contributor |
| References: Nextcloud chat API doc |
Task - Add functionality to MISP modules and/or MISP, to keep an audit record of the usage of modules (timestamps + user)
| Task MISP-MODULES-AUDIT |
|---|
| Task Lead: |
| References: MISP modules repo |
Task - Review and update the MISP OpenAPI documentation (especially the allowed arguments), using the real MISP documentation
| Task MISP-OPENAPI-DOC |
|---|
| Task Lead: Jeroen Pinoy - MISP contributor |
Task - Build a set of examples of common cyber threat intelligence sharing scenarios (e.g. malware sample executed by cron job), with resulting MISP encoded version of the scenario data, along with explanations.
| Task MISP-CTI-ENCODING-SCENARIO-SAMPLES |
|---|
| Build a set of examples of common cyber threat intelligence sharing scenarios (e.g. malware sample executed by cron job), with the resulting MISP-encoded version of the scenario data, along with explanations. |
| Task Lead: Jeroen Pinoy - MISP contributor |
| References: https://www.misp-project.org/misp-training/b.1-best-practices-in-threat-intelligence.pdf, https://www.circl.lu/doc/misp/best-practices/ |
Task - Create MISP incident response playbooks / guidelines
| Task MISP-IR-PLAYBOOKS |
|---|
| The goal is to create documentation for what to look at when trying to answer "Is the user activity of user X on MISP suspicious?". The documentation should explain how to interpret logs, audit information, etc. This falls under the larger umbrella of how to detect and analyze potential abuse on a MISP instance. |
| Task Lead: |
Task - Review and update the MISP generated Suricata rules
| Task MISP-SURICATA-RULES |
|---|
| Review and update the way MISP generates Suricata rules, possibly using the datasets feature of stable Suricata versions. |
| Task Lead: Eric Leblond - Suricata contributor |
Task - Connect Suricata 8 dataset in JSON format feature with MISP
| Task MISP-SURICATA-DATAJSON |
|---|
| Review and update the way MISP generates Suricata rules, possibly using the datasets feature of stable Suricata versions. |
| Reference: Dataset with JSON format support PR |
| Task Lead: Eric Leblond - Suricata contributor |
Task - Distribute Certificate transparency logs with Cocktailparty
| Task COCKTAILPARTY-CERTSTREAM |
|---|
| Integrate calidog's certstream watcher/parser in cocktailparty as a new connection/source. Allow for collection from additional log_lists. |
| Reference: https://github.com/CaliDog/certstream-server |
| Task Lead: Jean-Louis Huynen - Cocktailparty contributor |
Task - Create admin-defined filters in Cocktailparty
| Task COCKTAILPARTY-ADMINFILTERS |
|---|
| Create admin-defined filters to apply on sources before dispatching to channels. |
| Reference: https://github.com/flowintel/cocktailparty |
| Task Lead: Jean-Louis Huynen - Cocktailparty contributor |
Task - Create user-defined filters in Cocktailparty
| Task COCKTAILPARTY-USERFILTERS |
|---|
| Create user-defined filters to apply on channels, before pushing into the websocket. |
| Reference: https://github.com/flowintel/cocktailparty |
| Task Lead: Jean-Louis Huynen - Cocktailparty contributor |
Task - Improve realtime-py for cocktailparty stream consumption
| Task COCKTAILPARTY-PYTHON-LIB |
|---|
| Upstream realtime-py has significantly diverged from flowintel's current fork. The task consists of reviewing the current code, removing the supabase-related parts, playing with the library or writing tests, and most importantly finding a new name =) |
| References: https://github.com/flowintel/realtime-py, PR dating from before the upstream refactor |
| Task Lead: Jean-Louis Huynen - Cocktailparty contributor |
Task - Integrate MISP modules into AIL
| Task AIL-MISP-Module |
|---|
| Task Lead: |
| References: AIL, MISP Modules |
Task - Improve AIL Language detection
| Task AIL-Languages |
|---|
| AIL uses CLD3 and a new version of Lexilang to detect the languages of chats. Goals: (1) improve Lexilang's language dictionary; (2) propose an alternative to CLD3 for language detection that supports a broader range of languages with improved memory efficiency and performance; (3) propose an alternative to ISO 639-3 for representing unsupported regional languages. |
| Task Lead: Aurelien Thirion - AIL Project |
| References: AIL, Lexilang, AIL Languages detection |
Digital Forensics and Incident Response
Delve into tools and methodologies for investigating cyber incidents, uncovering evidence, and responding effectively to mitigate impact.
EDR and Host-Based Detection
Enhance endpoint detection and response (EDR) capabilities with cutting-edge techniques for detecting and mitigating threats at the host level.
Vulnerability Management
Develop and refine strategies and tools for identifying, assessing, and prioritizing vulnerabilities to reduce organizational risk.
Task - Extracting CVE/Vulnerability reference from large datasets such as commoncrawl
| Task VUL-EXTRACT |
|---|
| Extract CVE/vulnerability references from large datasets such as Common Crawl, and add the references into the vulnerability-lookup project. |
| Task Lead: vulnerability-lookup |
| References: https://www.vulnerability-lookup.org/, Common Crawl dataset |
Task - Guessing CPE name based on vulnerability description.
| Task VUL-CPE-GUESS |
|---|
| Facilitate the guessing of a CPE name via natural language processing, based on the vulnerability description. |
| Task Lead: vulnerability-lookup |
| References: https://www.vulnerability-lookup.org/, cpe-guesser |
Task - Guessing CPE name with LLM
| Task VUL-CPE-LLM |
|---|
| Facilitate the guessing of a CPE name with an LLM. |
| Task Lead: Vulnerability-Lookup |
| References: https://www.vulnerability-lookup.org, VulnTrain |
Task - Predict exploitability with LLM
| Task VUL-EXP-LLM |
|---|
| Estimate the exploitability of a new vulnerability with an LLM. |
| Task Lead: Vulnerability-Lookup |
| References: https://www.vulnerability-lookup.org, VulnTrain |
Task - Enhanced Vulnerability-Lookup with Code Context
| Task VUL-Sourcecode-LLM |
|---|
| When searching for vulnerabilities, provide relevant code snippets from the impacted projects. Extend the Vulnerability-Lookup database/dataset by linking CVEs with the corresponding source code segments from the affected products/repositories. Fine-tune CodeBERT or CodeT5. |
| Task Lead: Vulnerability-Lookup |
| References: https://www.vulnerability-lookup.org, CodeBERT, CodeT5 |
Cybersecurity - Open Data and Open Datasets
Use and create open data and datasets to support cybersecurity research, training, and collaborative innovation.
API and Tooling Interoperability
Focus on creating and improving APIs and tools that enable seamless integration and interoperability between different cybersecurity platforms.
Task - Create MISPerer
| Task: MISPerer |
|---|
| MISPerer leverages Anthropic's Model Context Protocol (MCP) to bridge Large Language Models (LLMs) with MISP (Malware Information Sharing Platform & Threat Sharing). This simplifies interaction, allowing users and other systems to query MISP's threat intelligence data through intuitive natural language prompts. |
Mercator
Work on auto-discovery and update of existing objects using the REST API.
Tasks
- Auto-discovery with nmap: Scan the network to identify active devices and retrieve basic information (IP, open ports, OS fingerprinting).
- Update server configuration with SNMP: Collect hardware and software information from discovered devices and update Mercator accordingly.
- Integration with existing inventory data: Cross-reference discovered devices with existing inventory records to update or flag discrepancies.
- Automated tagging and categorization: Assign tags based on device type, OS, and role in the network.
- Web UI enhancements: Display real-time discovered devices and provide an interface for manual validation and corrections.
- Alerting for new/unexpected devices: Notify administrators when unknown or unauthorized devices appear on the network.
Cybersecurity Education
Create and share educational resources (e.g. CTF challenges), training modules, documentation and workshops to advance knowledge and skills in cybersecurity.
Policy and Cybersecurity
Improve open source toolings to support policies, regulations, and frameworks to address the challenges and opportunities at the intersection of governance and cybersecurity.
Lookyloo
Website capture interface
Tasks
- Implement dropdown to select which proxy to use for the capture (by country)
Virgil
Ansible deployment of Lacus, Lookyloo, URL Monitoring and Pandora.
Tasks
- Review the preliminary playbooks
- Test the ansible playbooks on live systems
- Document the installation process
- Pre-configure the modules from a central file
- Validate the updating the services works as expected
YALTF (Yet Another License Tool and Framework)
Tasks
Expanded OS & platform support (Windows, macOS)
- Extend Linux support: Extend support to further Linux distributions, particularly Debian and the derivatives that are most used. Explore compressing license data for efficient scanning (additional feature).
- Windows (SSH-Based): Enable scanning of software on Windows systems accessible via SSH.
- Windows (native): Implement native scanning on Windows using the WinRM protocol.
- macOS support: Extend scanning to macOS, including Homebrew-managed packages.
- Docker compatibility: Support scanning of Docker images to detect license and security issues.
Enhanced UI (viewer) (advanced filters, better visualization)
- Redesign the UI with modern web technologies for a better user experience.
- Introduce advanced filtering, classification, and compliance-checking features.
- Display scan summaries and elegantly visualize composite license structures.
Expand package scanning capabilities (Flatpak, Snap, npm ...)
- Scan software installed via distribution-independent package managers (e.g., Flatpak, Snap).
- Support CLI-based application package managers (e.g., Go modules, npm) for deeper license analysis.
Error handling & logging
- Improve logging with detailed and actionable diagnostic messages.
- Display errors and warnings directly in the scan report for better visibility.
Interoperability with other tools (ORT, CSV, XML, SPDX...)
- Enable integration with existing license scanners. Provide outputs compatible with industry-standard tools like ORT for seamless report generation.
- Support additional output formats, including CSV, XML, SPDX, and more, alongside the existing JSON.
Advanced configuration/parameters (Custom output names, locations...)
- Expand configuration settings to allow custom output directories, report names, and other preferences.
Improved accuracy and security (Validation, Vulnerability Detection...)
- License data validation: Cross-check scan results against online sources to ensure completeness and detect outdated or missing license information.
- Vulnerability detection: Identify known vulnerabilities (CVEs) in scanned software by referencing security databases. Potentially leveraging lookup service from CIRCL.
- Weak or insecure configuration detection: Analyze server, database, and software configurations for security misconfigurations that could lead to potential exploits.
Testing & QA (Automated test suites)
- Develop automated test suites for YALTF to ensure accuracy, reliability, and robustness.
IDPS-ESCAPE
Tasks partially based on the roadmap of IDPS-ESCAPE focusing on the ADBox subsystem
Tasks
- Suggest (or add) new reusable anomaly detection use case scenarios, i.e., other than the ones geared towards resource usage monitoring
- Brainstorm on tailoring the underlying ADBox algorithms to specific SOC operations, e.g., to improve the detection of specific types of anomalies, such as those related to user behavior, network traffic, or system performance
- Enhance the existing Wazuh ADBox integration: improve the visualization and reporting capabilities of ADBox to provide more meaningful insights into detected anomalies
- Suggest approaches for automating the creation of incident response cases based on ADBox detections, e.g., via the OpenCTI Wazuh connector or the MISP API
- Improve the scalability and performance of ADBox to handle larger volumes of ingested data
- Simplify the ADBox engine as well as the training and prediction pipelines
- Train new models for anomaly detection using large amounts of data to assess the performance and accuracy of the underlying anomaly detection algorithm(s)
- Suggest or add new automated response mechanisms aimed at preventive measures directly integrated into Wazuh, towards the SOAR goal of IDPS-ESCAPE
- Suggest simulation specifications for pairs of attack scenarios and automated response mechanisms, e.g., to assess the impact of response mechanism suites
- Algorithmic agility (choosing between multiple algorithms for the same functionality): Integrate different AD algorithms into the ADBox engine to benchmark their performance and accuracy in the context of IDS
- Add efficient algorithmic multiplexing (choosing between multiple implementations of the same algorithm)
SATRAP
Tasks partially based on the roadmap of SATRAP-DL
Tasks
- Identify sets of preconditions commonly used to establish correlations (if-then scenarios) to convert to inference rules in SATRAP
- Implement new inference rules for SATRAP in TypeQL
- Automate data ingestion from MISP into the SKB of SATRAP: Design and implement a stream-oriented module for retrieving IOCs and other data from a MISP instance and running the SATRAP ETL process on this data, while keeping time and space complexity under control
- Identify candidate high-level functions to be added to the SATRAP CTIAnalysisToolbox
- Integrate functions of SATRAP with existing CTI playbooks, similar to the use of PyMISP and pycti, e.g., the threat actor profiling playbook by MISP
- Suggest performance-related improvements for the SATRAP ETL (Extract-Transform-Load) subsystem, at an algorithmic level
- Explainable inference: Study the integration of visual explanations in Jupyter Notebooks
- Add support for ingesting STIX 2.1 custom and metadata objects
- Reverse ETL: Transform TypeQL results into STIX2.1 objects