Hack The Government 2025, as a student

26 November 2025 · events ctf

A couple of months after BruCON, I got to take part in Hack The Government 2025 (HTG2025), the Belgian ethical hacking program run by the Centre for Cybersecurity Belgium (CCB). Two weeks of legally poking at Belgian government and police websites, followed by a shared final day in Brussels. Saying I got to do this as a student still feels a little unreal.

How I even ended up there (spoiler: BruCON again)

I didn't mention this in my BruCON post, but one of the most important things that happened to me there didn't happen in a talk. It happened in the room with all the stands. We were walking around, got talking to a teacher from Howest, and somewhere in the conversation he told us that Howest was still looking for a few students to take part in HTG2025. He asked if we were interested, and pointed us straight at the CCB stand, right there at the event, since they were the ones organising it. A short conversation, an email later, and suddenly I was on the participant list.

If I hadn't shown up at BruCON, I would have missed that entirely. Cons matter. Random conversations at a stand matter. Teachers who nudge you in the right direction really matter.

What HTG2025 actually is

Short version: the CCB invites ethical hackers, professionals and students, to legally test a scoped set of Belgian public-sector websites and systems over a two-week window, under the Coordinated Vulnerability Disclosure framework. Anything you find gets reported responsibly through the CCB. On the final day, everyone gets together in person to share findings, swap techniques, and celebrate the results.

A few numbers from the CCB's own wrap-up:

71 participants total, 39 professionals and 32 students.
266 vulnerability reports submitted, with 74 unique ones validated by the time of the closing event.
Systems in scope included FPS BOSA, ONVA/RJVA, AFMPS/FAGG, the CCB itself, Federal and Local Police, and Belgian Defence.
News coverage in VRT NWS and an FAQ PDF were published around the event.

That's a serious scope. Reading the list of organisations I had clearance to poke at still feels surreal.

My experience, honestly

I'll be upfront: I didn't find much. For a first-time participant, still in school, walking into a scope that big and that well-tested, that was always a realistic outcome. And you know what, that's fine. The point of showing up wasn't to top a leaderboard. The point was to experience what this kind of work actually looks like, and to learn from people who are much further down the road than I am.

What I did get out of it:

A real-world target, not a lab. There's a different kind of focus that kicks in when you know the thing in front of you is a production system that actual people use. Lab VMs are forgiving. This wasn't.
A much better feel for what "recon" really means when the surface is that large, and how quickly you can burn hours going down the wrong rabbit hole if you don't structure your approach.
Respect for the people who do this full-time. Watching professionals work next to you is humbling in the best way.
Confirmation that I'm on the right track. Whatever doubts I had about "is this really the field for me?", HTG2025 answered them.

The final day

Speaker on stage at the HTG2025 final event — Closing event in Brussels.

The closing event in Brussels was easily my favourite part. Two weeks of everyone working individually, and then suddenly we were all in the same room, sharing what we'd found, what we'd tried, and what we'd given up on. Sitting around a table with other hackers, students and pros, swapping ideas about other ways into systems we'd all been staring at, is the kind of conversation you just can't have solo on your laptop at home. New approaches, new tools I hadn't heard of, war stories from people who had clearly done this many times before.

Being in a room full of people who think about this stuff the same way I do, but know so much more, is exactly the kind of environment I want to spend more time in.

Takeaways

Apply even if you feel underqualified. "Student who probably won't find anything big" is still a seat at the table.
The final-day community part is the payoff. Don't skip it, don't leave early.
Trace the chain backwards. HTG2025 happened because of BruCON, which happened because I showed up somewhere I wasn't sure I belonged. That's been the pattern all year. Keep showing up.

Huge thanks to the CCB team for running HTG2025, for opening it up to students, and for making a first-timer feel welcome. Already hoping to be back next year, ideally with something on the board this time.