Best of JCUN 6th edition

What is JCUN?

JCUN stands for Jornada de Ciberseguridad de la Universidad Nacional de Colombia [National University of Colombia Cybersecurity Conference]. It's the country's most important university-level infosec conference, and one of the few in Latin America with these characteristics: it's completely free, student-organized, and open to anyone—whether or not they're affiliated with the university.

Since 2018, JCUN has been held at the National University of Colombia's Bogotá campus under a motto that has remained unchanged across six editions: "Building a digitally secure community."

Origins

Behind JCUN are three interconnected groups from the university's Faculty of Engineering:

• UQBAR is the infosec research seedbed. Founded in 2017, they describe themselves as a "hacker cradle" and are the driving force behind the event.

• TLÖN is the research group focused on dynamic telecommunications networks and distributed programming languages. They provide the academic backing.

• UnsecureLab rounds things out with applied IT security research.

Two of these three research groups share more than just a faculty—their names come from the same short story. Tlön, Uqbar, Orbis Tertius by Jorge Luis Borges (1940) tells the story of discovering a fictional region called Uqbar in a mysterious encyclopedia. It's a tale about how ideas can reshape reality. And for a group of hackers trying to change Colombia's security culture, the name couldn't be more fitting.

UQBAR: Follow the white rabbit

If JCUN is the event, UQBAR is the heartbeat that keeps it alive.

The seedbed was born in 2017 as a Student Work Group within the Department of Systems and Industrial Engineering. Their mission is clear: to contribute to research, training, and the promotion of infosec culture in Colombia. Their vision for 2030 is to become the country's leading infosec research seedbed.

Their mascot is a white rabbit, and their signature hashtag is #SigueElConejoBlanco. The reference is twofold: Alice in Wonderland and The Matrix. Following the rabbit means venturing into the unknown and discovering new things. It's the group's philosophy.

As Juan Wilches, a former seedbed coordinator, put it: "Uqbar was the place where I discovered my passion and met friends I could share it with."

That passion is what has brought the rabbit to where it is today: UQBAR has over 750 members on Meetup with a 4.8-star rating, they're official Hack The Box ambassadors, and every year they organize a free conference that draws hundreds of attendees.

6th edition: JCUN 2025

The sixth edition of JCUN took place from November 6–8, 2025. Three days of action: workshops on Thursday and Friday, talks on Saturday.

The format stayed true to tradition: a single track of talks (no FOMO—everyone sees everything), completely free admission, and a livestream for those who couldn't attend in person.

This formula delivered the highest numbers in the conference's history: 265 attendees at the talks, 151 workshop participants, 37 CTF players, and 652 live viewers during the event.

Side Quests

At JCUN, beyond the talks, there were plenty of activities around the main stage to round out the experience.

Workshops

The workshops were free but had limited capacity and required prior registration. This year there were five, all recorded and streamed live, covering both Red Team and Blue Team topics. Best of all, the content is now available on UQBAR's YouTube channel for anyone who couldn't get a spot.

One of the most popular workshops—and my personal favorite—was led by Gerardo Eliasib, CEO of Spartan Cybersecurity: "Taller Ofensivo y Defensivo en Entornos Cloud (AWS y Azure)" ["Offensive and Defensive Workshop in Cloud Environments (AWS and Azure)"]. It was three hours of intense content, ranging from modern Device Code Phishing attacks to compromise Office 365, to SSRF exploitation, and capping off with stealing an AI model from AWS Bedrock. Gerardo also shared his famous Cloud "Hacking Bibles" for further learning and put together an exclusive guide for the workshop with step-by-step instructions, commands, and key concepts.

CTF

Over two days of competition, 37 players tackled 42 challenges prepared by UQBAR across 14 categories.

JCUN's CTF is in-person and has a twist: some flags are hidden within the talks themselves, or you have to hunt them down around the venue. If you're not paying close attention, you'll miss flags scattered throughout the event.

At the end of the final day, the top three teams were awarded prizes including Spartan Cyber Security courses and Hack The Box VIP licenses.

Wardriving

Wardriving—the practice of detecting and mapping WiFi networks while moving around the city—returned to JCUN after its debut in 2024. For first-timers, there was a prep workshop led by Luisa Ossa, the activity coordinator. Then came the competition: a bus cruising through Bogotá with participants armed with antennas, phones, laptops, and mapping devices. While some only managed to detect around 10,000 networks, the winner picked up over 40,000 unique networks and took home a $100 cash prize.

Academic Posters

In line with its university roots and academic rigor, JCUN has a Call for Posters with a formal review process conducted by a committee of PhD and master's-level professors from the university, along with allied researchers. Submissions require a 4-page paper in Springer format (LNAI/LNCS) that includes an A0 visual design, creating a formal space to discuss methods, technical results, and findings with the community. It's the bridge between practice and academic research—a space for students and faculty to present ongoing work or research results.

The Talks

After the workshops and activities on Thursday and Friday, Saturday featured 10 speakers in a single track. Eighty percent of us were Colombian speakers, with international participation from Argentina and France.

But before the individual talks, the day kicked off with something different.

Panel: AI in cybersecurity

The day opened with a panel bringing together academia, industry, and government. Moderated by Professor Jorge Eduardo Ortiz Triviño (director of TLÖN and UQBAR), the panelists included Michael Rivera from Fluid Attacks, Diego Ademir from Platzi, Francisco Gómez from the National University, Camilo Lozada from the Council of State, and Kenn Bro, a security researcher and the only panelist wearing a mask.

The topics were direct: developers becoming dependent on AI, the accelerating loss of privacy when using LLMs, the advantage attackers have with deepfakes and voice cloning. And the inevitable question: is this all a bubble? Most agreed it is, and some even expressed hope it would burst soon to clean up the market.

My favorite talk: The hidden face of facial recognition — Kenn Bro

My favorite talk of the day was given by the same enigmatic researcher who had participated in the AI panel. Kenn Bro, swapping his mask for a full white rabbit costume, spoke about mass surveillance and how governments can connect our static data (ID photos) with our dynamic data (opinions, emotions, religion).

He showed examples from China and Argentina, and mentioned that Colombia is already implementing facial biometrics in stadiums and public transportation like TransMilenio.

Beyond the profound message he wanted to convey, the most memorable—and controversial—part was the demo. Kenn Bro attempted to recognize faces live using DeepFace and Python, and the code worked correctly, though not in every case. Then, suddenly, an attendee named Freddy Zavala interrupted the presentation, criticizing Kenn Bro's implementation. He went up on stage, took control of the computer, and modified the code to use nine simultaneous models instead of one. Against all odds, it worked and successfully recognized his own face.

In the end, it was revealed that the whole thing had been orchestrated, but the stunt brilliantly captured the audience's attention and drove home the talk's message perfectly. The point was: "the impossible just takes a little longer."

See you in 2026

On Thursday, I arrived following the sound of drums from a cultural showcase. On Saturday, a white rabbit took the stage and talked to me about the threats of facial recognition. JCUN was definitely full of surprises, and I'm glad I got to experience it.

See you at the 7th Edition of JCUN in 2026!