Behind the scenes at BruCON, a European hacker conference

Setting up a local conference seems to be a popular way for infosec pros that haven’t got the time or means to travel to bring the people they want to meet and the knowledge they want to attain to their doorstep. An example of such an event is BruCON, a security and hacker conference that takes place annually in Belgium since 2009.

“BruCON was started by a group of security enthusiasts lead by Benny Ketelslegers,” Xavier Mertens, the co-organizer of the conference, tells me. “A few years later Benny left the organization for personal reasons, but the core crew is still present.”

And seven years later, they still keep at it – BruCON 2015 is scheduled to take place at Ghent University from October 5th to the 9th (registration is still open).

From the very beginning, the conference was not set up to earn money (apart from the funds needed to keep the ball rolling), but to enable the exchange of knowledge and the creation of bonds between individuals in the security world. That hasn’t changed with time.

“The primary goal was to remain accessible to most people. To achieve this, we must keep tickets cheap,” says Mertens, adding that it was easy a few years ago to get a visit to such a conference financed by your employer, but that today more and more people pay for the trip and the entrance fee out of their own pocket, and take off-days to attend such events.

Not wishing to make the ticket prohibitively expensive for enthusiasts, the BruCON team naturally had to turn to sponsors.

“The first edition was really a big challenge: how to convince sponsors to put some money on the table without any ROI warranty? But we managed somehow, and thanks to them, the tickets and some goodies like T-shirts we sell every year, we are able to get enough money to keep the event going,” he shared.

The interesting thing about BruCON is that the organizers avoid giving free slots to sponsors so that they can present/market their own products.

Sponsors are sorted into gold/silver/bronze categories. They get some visibility during the event: from a booth for the gold ones to a presence in the brochure. They get codes for free and/or cheaper tickets that they are free to redistribute to their customers, organized challenges, etc.

“We are not a marketing event and sponsors will never sell services or goods at BruCON, but they make new contacts and they collect interesting resumes,” says Mertens.

Another source of revenue is based on the trainings organized before the conference.

The con’s first edition elicited a huge amount of positive feedback. The format – a full week that starts with (mainly offensive security) trainings provided by recognized trainers, followed by two days of talks (single track, so that attendees don’t miss any – if they don’t want to!), and hands-on workshops where where attendees can really practice security – was a good choice.

“Attendees really appreciate being active and not only passively listening to the speaker,” Mertens points out. “The day before the conference, we also organize specific events like a CTF tournaments. And, when it comes to the talks, we try to keep a good balance between technical talks and generic ones, but they are always about infosec.”


Another thing that attendees can look forward to is the absence of big, impersonal crowds. The organizers put a limit of 500 attendees to keep the conference at a “human size”.

“The biggest challenge for us remains to make people happy: they must take part into a nice event with a relaxed atmosphere, but they must also broaden their knowledge and have opportunities to network,” Mertens notes. “There is nothing more frustrating than seeing people going outside during breaks. Our big plus is the atmosphere and the big main area where people can relax, have drinks, food and chat with old, and easily make new friends and contacts.”

Despite the relatively small size, organizing such an event requires much time and effort. BruCON’s key team members – who are not professional organizers, but simply security enthusiasts – have split specific domains (network, catering, sponsors, etc.) between them, and are counting on volunteers to help them (they get a free pass to the event for their work).

“We open a ‘Call For Volunteers’ via social media and a dedicated mailing list. People are free to register for different slots/tasks and we pick up them when needed,” Mertens explains. “Volunteers can be local or can come from abroad but we don’t pay any of their expenses. Instead, for their work of a few hours per day, they get to attend the conference without having to pay the entrance fee. The offer obviously seems fair to most of them, as they return to volunteer again and again.”

Another very positive aspect of being involved in the organization and execution of such an event is that it increases the person’s visibility, which can benefit his or her career. Being involved can open doors that one didn’t know existed.

Mertens’ reason for joining in at the very first stop of the BruCON line was as simple as “I found the idea awesome!” He ended up becoming the con’s “network guy”.

“During the year, I’m taking care of online resources (the websites, mailing lists, wikis, etc.), internal as well as external. And during the BruCON week, we deploy the network from zero and maintain it,” he explains his tasks. “The infrastructure did not change much with the years, but we needed more bandwidth and more controls as the years passed.”


“For me, this is really good experience on how to operate a wild network. Operating a network during a security conference is quite challenging but also fun: I compare it to walking through a jungle full of predators,” he noted.

As an example of keeping “predators” at bay, he offered a situation he was faced with last year, when they deployed a so-called “Wall Of Sheep”. The Wall showed the contents of the intercepted unencrypted Internet traffic generated by users at the conference, and some visitors took it upon themselves to fill it with adult-themed pictures.

The move generated a small war of wits and skill between Mertens and the “attackers” – a war that he seems to have enjoyed. “Taking part in the organization must remain fun,” he pointed out, “and it does not affect my everyday life, except of course a few weeks before the event when the pressure is growing.”

Incidents like disconnecting a wrong cable and cutting Internet access for all attendees for a few minutes, or believing that they are collecting network data for statistic purposes but finding out that the process crashed and that no data was gathered for hours – yes, it happened – sounds less fun, but were definitely experiences from which Mertens learned something.