It has been six years since the last time that the TF-CSIRT community was welcomed to Stockholm by the Swedish CERT-Forum ( and we were more than happy to come back! The hosting forum was created 10 years ago, so this meeting has served as a birthday celebration with international guests from over 30 countries.

The three-day event began with a series of training sessions, hosted at the SEB bank. The volunteer trainers covered a wide range of topics, including SIM3 (OCF), Enterprise Forensic and Recovery (Truesec), and MISP (CIRL). SUNET CERT organised a cyber crisis exercise, SWITCH-CERT ran a table top exercise ‘Piece of Cake’, and CERT-SE walked the participants through a couple of challenges from their national CtF event. Many members of the community were also interested to attend the CERTS PR Working Group meeting and discuss the topics relevant to PR, marketing specialists and communicators within CSIRT community.

The additional events before the main meeting were extremely popular and overbooked. The need for training is evident and there is a lot of expertise in the community, so a training day will be organised together with the TF-CSIRT events in the future whenever possible. Keep an eye on the upcoming event registrations and if you would like to provide a training session – get in touch with the TF-CSIRT Steering Committee!

The main meeting at Swedbank started with the closed session for accredited and certified teams, and in the afternoon everyone was welcomed to join. Silvio Oertli (TF-CSIRT Chair) welcomed the participants and introduced the new Steering Committee members Věra Mikušová, Dave Monnier, and Vilius Benetis. One of the local organisers, Karin Lindström (CERT-SE), told the participants more about the Swedish CERT-Forum. If you are thinking about starting a similar collaboration in your country, do not hesitate to contact Karin for a chat! The first team update of the meeting was by Huawei PSIRT, who are an accreditation candidate. The team members introduced the PSIRT, its activities and methods. We then heard from Talgat Nurlybayev (KazAcad CSIRT), who gave us a quick geographic and demographic lesson on Central Asia and then provided an overview of the cyber security issues that each country in the region is facing. Kashif Mohammad  introduced their setup and the tools used at OxCERT as the solution to network monitoring requirements – technical and regulatory.

After a short break, Pit Weber (gematik CERT) told the audience about the CtF that they organised for the National Digital Health Agency in Germany – a great example of collaboration aiming on making the ehealth services safer and how gamification can be used to achieve the desired results. Continuing the theme of collaboration, Martin and Matthias shared their experiences of two NRENs (German DFN and Swiss SWITCH) successfully working together – DFN is consuming the DNS RPZ data from SWITCH, the project scope is expected to be expanded in the future, also with other NRENs.

To end the day, there was a traditional Lightning Talks session with only 3 talks this time because of the lack of time. Karl Selin (CERT-SE) used the first few minutes for a team update, Andrea Fried (CODIRES project) invited the participants to collaborate on a research project of Linköping University (see the slides for more info and contact details), and there was as always not enough time for the fascinating talk of Josef Smidrkal on an Open Threat Intelligence Platform (very informative slides kindly provided).

The evening social event took place at an amazing venue – Vasa Museum, started with a tour and then a three-course dinner right next to the world’s only preserved 17th century ship. Those, who came to Stockholm 6 years ago, remember very well that we were then treated with a spectacular dinner at a Nobel Museum. Huge thanks to the local hosts! The Swedes sure know how to leave their guests speechless.

The second day of the meeting started with another team update, this time by Ossi Kuosmanen and Antti Louko from NCSC-FI. Martin Kunc (CSIRT.CZ) shared some stories related to the Stress testing services that they provide to their constituents and Michal Šafranko (IstroCSIRT) introduced another way of fighting ransomware. Eskil Sørensen (DKCERT) was also talking about a service being developed for their constituency, but in this case it was about a warning service to their customers with precise instructions on what needs to be done by them, not a general email sent to just anyone. Konstantin Zangerle (KIT-CERT) presented their netflow monitoring approach with flow pipeline and ELK and Thorben Jändling gave an in-depth intro into all things Elastic – what they do, who is doing it and how it works.

The next TF-CSIRT meeting will take place on 13-15 May 2024 in Copenhagen, Denmark.

Before that, the community is invited to attend the Open Cyber Security Conference in Tenerife on 26 February – 1 March 2024, organised by OpenCSIRT Foundation (OCF) in collaboration with TF-CISRT and FIRST. Call for papers is open until 15 October 2023.

As one of the speakers Pit Weber said, after embarking on a difficult project, their management started questioning why they are doing it and the response was “you didn’t say it was impossible”. Let’s keep working with this attitude – it might be hard, but it can be done. Until we meet again to share our stories.