Program Overview

2026 Peak Incident Response Technical Colloquium

• It's About Time: A Blueprint for Operating Resilient, Sovereign, and Authenticated NTP at Global Scale

  Raphael Sebacher (Open Systems)

  Time synchronisation using the Network Time Protocol (NTP) is a silent dependency for nearly every security control in a modern stack - from TLS certificate validation and MFA to forensic log correlation. Yet, for many organisations, it remains an unmonitored and unauthenticated "set and forget" utility. In 2019, a single, long standing configuration choice - the prefer statement on our local GPS reference clock - exposed how easily this critical foundation can fail. When that clock lost its GPS fix and dropped to Stratum 12, the prefer directive bypassed standard Marzullo consensus logic, leading to a "silent failure" only discovered when a customer noticed the stratum change because their downstream clocks failed to synchronise.

  This session details the journey of Open Systems as we modernize the time synchronisation of over 10'000 globally managed nodes. We move beyond the "set and forget" of the past towards a model of resilient, sovereign, and authenticated time synchronisation.

  The talk provides a reproducible blueprint for transforming time synchronisation into a hardened, sovereign, and fully observed security asset. Key technical takeaways include

  • Time Reference Clock Selection: Considerations for selecting a diverse set of reference clocks to ensure long-term operational resilience and sovereign control over the time foundation.
  • Scaling Time Distribution Globally: How to navigate the real-world hurdles of scaling time synchronisation across a distributed fleet, from ISP-level filtering to the synchronisation quirks of legacy OT hardware, illustrated with a packet capture.
  • Observability as a Security Guardrail: Transitioning from "customer-notified failures" to real-time telemetry and proactive quality monitoring using a modern observability stack, featuring real-world data.
  • The Path to Authentication: An outlook on the deployment of Network Time Security (NTS) at scale, providing strategic pointers and early lessons for organizations preparing for the transition to authenticated time.

  May 6, 2026 13:00-17:00

•  CH

  Open Source Software as Underfinanced Critical Infrastructure

  Christian FoliniChristian Folini (Netnea, CH)

  Open Source software (OSS) is a crucial component of most software and most services these days. Without open source software the internet would come to a halt and mobile phones would shut down. Open source is critical infrastructure.

  Yet OSS is critical infrastructure built on a shoestring budget.

  This has hurt us before and the future may be even more painful. The open nature of the code makes OSS an easier prey for AI adversaries who can easily search vulnerabilities locally. AI agents are also submitting issues to open projects and more and more also pull requests that eat scarce human review resources.

  Developers struggle to keep up and risk to give write access to malicious players that seemingly support the project with reviews and maintenance.

  AI raises the risk for OSS security by eating developer resources.

  We need to come up with practical solutions to finance at least the top tier of critical OSS libraries and the modest widespread building blocks of the digital ecosystem.

  This talk explores the problem based on the example of OWASP CRS, the dominant web application firewall rule set, and points to possible solutions.

  May 5, 2026 13:00-17:00

• Opening Keynote: Securing a Global Insfrastructre

  Stefan Lüders (CERN)

  Perliminary Abstract: CERN is located in Geneva, CERN's detectors are located in Geneva: But scientific work, based on gigantic amounts of collected data are processed globally in independent locations across jurisdictions. Securing this original cloud is a challange and a sucess story.

  May 6, 2026 13:00-17:00

• OpenSource and Open Data, How Those Will Improve Resilience and Strategic Autonomy?

  Mika Lauhde (Luxembourg House of Cybersecurity)

  Governments, humanitarian organizations, and private companies alike must navigate the growing operational difficulties stemming from advances in digitalisation, automation, AI, data flows, and the rise of quantum computing and networking.

  Yet at the same time, access to meaningful cybersecurity data is becoming increasingly critical for ensuring secure operations. To facilitate access to sanitized, relevant, and structured data, Luxembourg has established the Luxembourg Cybersecurity Factory (LCF), powered by 4 engine: Data Space, AI Hub, Quantum Lab and Cyber Commons Office. By offering an open data space for cybersecurity, this initiative makes information security exchange more accessible and stimulates new business opportunities. Building on this approach, the LCF seeks to enhance both national and pan-European resilience and strategic autonomy.

  May 5, 2026 13:00-17:00

• Securing the DNS Infrastructure at Global Scale

  Bill Woodcock (PCH)

  The Domain Name System is a global critical communications infrastructure which cannot be operated by individual states in isolation, nor in an entirely "sovereign" fashion. This talk explores the policy and technical choices which allow states to ensure maximal security and availability for their national top-level domains, and provides an overview of the technical architecture of the largest and oldest DNS service network, detailing the security and availability challenges, and the engineering and operational choices that address them.

  PCH is the intergovernmental treaty organization which operates the noncommercial DNS service network supporting three-quarters of the world's national top-level domains, many of the root nameservers, and many critical infrastructure domains. It's directly connected to thousands of other networks at more than 440 Internet exchange points in 135 countries, and answers hundreds of millions of queries per second, with better than six-nines of uptime over the past thirty-two years.

  May 6, 2026 13:00-17:00

• The Invisible Infrastructure: DNS Security from Authentication to Availability

  Branko Mijuskovic (Proton)

  DNS is simultaneously the backbone of email authentication and a primary attack surface for adversaries. This presentation explores the dual reality of DNS in operational security: how it enables email trust through SPF, DKIM, and DMARC, and how attackers exploit these same mechanisms for abuse and disruption. We begin with a brief overview of email authentication protocols, then reveal a sophisticated attack vector that exploits the reusability of DKIM signatures - verified through DNS-published public keys - to bypass authentication controls: the DKIM replay attack. We'll examine why this attack is particularly difficult to defend against at scale. From detection to defense, we'll cover industry-standard DKIM replay mitigation and detection practices, open-source anomaly detection approaches, eBPF-based abuse mitigation strategies, and the operational tradeoffs of TTL tuning across DNS layers. Drawing from production experience, we'll share real-world lessons on caching behavior, prefetching implications, and the latency pitfalls of CNAME-delegated DKIM records. Attendees will gain actionable insights for detecting email attacks that leverage DNS, and tuning their DNS infrastructure for resilience without sacrificing availability.

  Key Takeaways:

  • Recognize the dual nature of DNS as both a defense mechanism and an attack surface
  • Implement detection pipelines using open-source tools
  • Apply industry-standard DKIM replay mitigation practices in your environment
  • Implement resilient DNS infrastructure that withstands abuse while serving legitimate traffic.

  May 6, 2026 13:00-17:00

• The Role of Formal Verification in Isolating Critical Services

  David Cock (Neutrality)

  This talk will give an overview of the threat environment that motivated the design of Neutrality's Atoll verified hypervisor, and where we see those conditions applying to organisations in the field. We will discuss the ways in which formally-verified isolation mechanisms represent a qualitative improvement over the status quo when it comes to operating critical infrastructure. We will further cover the challenges in deploying verified software in real-world systems, and where its higher assurance guarantees change the tradeoffs for operators.

  May 6, 2026 13:00-17:00

• Visibility, Blocking, and Impact: Operationalizing DNS Cybersecurity at Scale in the Swiss Context

  John Todd (Quad9)

  DNS telemetry offers a ground-level view of the threat landscape that few other data sources can match — high volume, exceptionally wide user communities, and geographic attribution. This talk presents a practical account of DNS-based cybersecurity as implemented through Quad9's public resolver infrastructure, with a focus on what that data reveals about Swiss and EU user communities. We examine the pipeline from IOC ingestion to blocking action, discuss how campaigns and attacker infrastructure become visible in DNS query patterns, and present example statistical findings drawn from Swiss endpoint data. Particular attention is given to the practical deployment of DNS security tooling within Swiss NGOs — organizations that often operate with constrained resources but face real threat exposure. The session bridges conceptual foundations (how DNS blocking works and where it fits in a defense stack) with empirical findings (what Swiss users are actually encountering), offering both orientation for those new to DNS security and concrete data points for practitioners already operating in this space, from the perspective of Swiss-based Quad9, one of the largest open recursive resolvers in the world.

  May 5, 2026 13:00-17:00

• What the Fuzz? Thorough Testing of Systems and Configurations

  Mathias Payer (EPFL (HexHive))

  The Internet's backbone relies on increasingly complex software stacks: routing software, DNS resolvers, service daemons, orchestration systems, and virtualization layers running in large-scale cloud environments. Ensuring that these components are secured and behave correctly have become a major headache for network operators.

  Fuzz testing is the most effective technique for uncovering software vulnerabilities. Over the past decade, fuzzers have discovered hundreds of thousands of bugs across all layers of critical infrastructure. Yet fuzzing remains mostly used by bug hunters and software engineers, not by the practitioners who deploy and operate these systems.

  This talk introduces fuzzing from a practitioner's perspective. We will explain why fuzzing is so effective, how it applies to network infrastructure, and how it can help uncover not only memory-safety bugs but also subtle configuration and logic errors. The goal is to show how fuzzing can become a practical tool for improving the robustness of the systems that keep the Internet running.

  May 6, 2026 13:00-17:00

• 2026 Peak Incident Response Technical Colloquium
  • Program Committee
  • Call for Speakers
  • Registration
  • Program Overview
  • Venue Details
  • Sponsorship Opportunities