You know that feeling after a good conference week.
You talk to smart people doing impressive work. You find one or two talks that really hit home. You fly back motivated, notebooks full, head buzzing. For the next two or three months, your energy is back. And sometimes, weeks later, one of those ideas actually turns into a real project.
That's exactly what happened to me on my flight home from BSidesLV, Black Hat, and DEF CON week.
An idea turned into reality.
Together with Vanessa, I gave our first joint talk. Not a deep technical session. Not a tool demo. A story. One about security culture, AppSec programs, Security Champions, and team topologies. And about the mistakes most of us make while trying to scale security in growing organisations.
The Talk: Alex, the Lone Security Person
This talk was born during DEF CON. Vanessa and I were talking about challenges we were both facing at work.
Her perspective came from building and scaling a Product Security program. Mine from years of working with Security Champions and platform teams, and from seeing what actually breaks once organisations grow past a certain point. Six years of struggles, failures, workarounds, and small wins, wrapped into a single narrative.
That's how Alex was born.
Alex is a full-stack developer. One day, Alex volunteers to fix a broken CSP header. Alex knows what OWASP means, so suddenly Alex becomes "the security person". Alex builds scanners, dashboards, and a one-person security platform. Technically impressive. Practically unused.
As the company grows, Alex tries different AppSec team models:
- Centralised AppSec
- Embedded security engineers
- Security as a platform
- Security Champions programs
Alex experiences the pros and cons of each model first-hand. What scales. What doesn't. Where friction appears. Where trust is built. And where good intentions quietly fail.
What surprised us most was the response.
The story resonated. A lot.
Almost everyone in the room could identify with Alex, or with parts of Alex's journey. If you listen closely, you start hearing the same patterns again and again. Different companies, different industries, same structural problems.
For me personally, this was very different from my usual technical talks. But it was incredibly rewarding to share a message, and yes, also a bit of a personal pain story, in a way that connected emotionally instead of just intellectually.
This really feels like Part I of Alex's story.
Watch the recording
The CCC media team uploaded the recording on the same day. You can watch it here:
The Training: AppSec That Actually Works at Scale
The German OWASP Day itself was, once again, excellent.
2024 was my first time attending, and I already knew I'd be back. In 2025, I returned multiple times: with a workshop I first ran at DEF CON in Las Vegas, and with the Alex talk.
Compared to huge conferences, this event is exactly my thing. Around 200 participants. Personal. High-quality conversations. No rushing from room to room. Easily one of my favourite conference formats, and I will very likely be back again in 2026, then in Karlsruhe.
The pre-day training was fully booked.
Time flew by. As always, we had to move faster through some topics than I originally planned, but for a good reason. The discussions were excellent. People asked the right questions. Not "how does this tool work", but "how do we apply this in our organisation at scale".
That's the core of this workshop.
Yes, there are hands-on exercises. But the real value comes from discussing how these ideas translate into real companies, with real constraints, legacy systems, and organisational politics. That's where participants take the most value home.
Looking ahead, 2026 is shaping up to be interesting:
- A refined 8-hour version of the training
- A new 2-day training focused on proactive security engineering and AppSec architecture
I'm curious to see where this goes next.
One thing is clear though: conferences are still one of the best catalysts for turning vague ideas into something real. And sometimes, all it takes is a story that feels uncomfortably familiar.
If you're Alex, or if you've worked with Alex, you know exactly what I mean.
