Theory, Practice, and AI: Our highlights from HackingLab Day 2026

Fabienne Bühler
Fabienne Bühler

CPO

Location: START Global Campus, St. Gallen In collaboration with: Programming Group from University of St. Gallen (HSG) & Gobugfree AG

Security isn’t just about writing resilient code, it’s about understanding the evolving landscape of law, artificial intelligence, and incident response. Last week, ZITADEL had the pleasure of sponsoring HackingLab Day at the START Summit Campus in St. Gallen. The event brought together a sharp mix of students, researchers, and industry pros to bridge the gap between academic theory and "in-the-trenches" cybersecurity. Here’s a look at what we took away from the day.

⚖️ The legal & ethical side of hacking

We kicked things off by diving into the legal side of ethical hacking. For companies and researchers alike, the "Rules of Engagement" are the most important part of any security audit. We discussed how platforms like Gobugfree create a safe harbor for researchers, ensuring that finding a vulnerability leads to a patch and a bounty, rather than a legal summons.

🤖 The new frontier: Hacking AI

With AI being integrated into everything from customer support to automated DevOps, the attack surface is shifting. The sessions on Hacking AI were a wake-up call for many. We explored how LLMs introduce unique vulnerabilities: Prompt Injection: Tricking models into bypassing safety filters. Data Poisoning: How manipulated training data can create long-term backdoors. Agentic Risks: The danger of giving AI "tools" and API access without robust Identity and Access Management (IAM).

🚩 CTF: Putting skills to the test

No HackingLab Day is complete without a Capture The Flag (CTF). The energy at the START Summit Campus was high as participants tackled challenges ranging from web exploitation to cryptographic puzzles. Participants couldn't just rely on their keyboards. To secure certain flags, they had to pick up the phone, adopt a persona, and call a live target to extract information. It’s always inspiring to see the creative, "outside-the-box" thinking that the next generation of security talent brings to the table.

🛡️ How ZITADEL handles the unexpected

During our session, we shared a peek behind the curtain at how we handle security incidents at ZITADEL. When you're providing identity infrastructure for thousands of organizations, your incident response (IR) is crucial. We operate on the principle that "Silence ≠ Security": no published vulnerabilities doesn't mean there aren't any, but rather that a lack of honest and frequent advisories undermines trust and can indicate a lack of detection capability. We aim to bring as much as possible to the surface, understanding that frequent advisories are a sign of a mature security posture and a security-first culture. This proactive approach extends beyond our code; we also manage the Supply Chain (e.g., Go, Open Source libraries).

A huge thank you to the University of St. Gallen and Gobugfree AG for organizing such a high-impact day.

Liked it? Share it!