NorthSec | Interview with Gabriel Tremblay

InfoSec Conference Spotlight Series

We shine a spotlight on selected Cyber Security Conferences, event categories and
niches, talk to founders, and generally learn more about security events.

First Published: , by Henry Dalziel
(updated typically every three - six months)

NorthSec is without a doubt one of (if not “the”) best cybersecurity conferences in Canada. It takes place in Montreal, and I’m a big fan of the event and am delighted to have been able to interview founder Gabriel Tremblay.

If you’re an InfoSec Professional living and working in Canada then yes, you should become familiar with this Canadian security event which encompasses a lot of content. Every NorthSec event has a breakdown of various activities which include: training, a massive CTF competition (which lasts 47 hours!) and of course the talks. The entire event lasts a week so it’s one of the longest events that we list in our directory.

Event Details

NorthSec Conference
May 10th, 2020
Cryptography, Offensive Security (Malware), and Training

Review of the event within our directory:

NorthSec is attended by more than 1000 professionals from around the world, and you’ll surely leave the conference satisfied with the amount of information you learned. It offers different activities, including a CTF and training sessions, as well as talks from high-quality speakers in their respective fields.

The Interview

I interviewed Gabriel Tremblay, founder of NorthSec, and asked him a bunch of questions. Here they are!

What prompted you to start NorthSec?

We used to run a CTF competition team called the CISSP Groupies in Montreal. One of our biggest challenges was to recruit talent, and even if we did so province-wide, we still struggled to find properly trained people with CTF experience. By looking at the local ecosystem of contests and conferences, we realized that there was no event hard enough or well structured enough to help people become talent in that space. A year or two before NorthSec existed, there was a properly good CTF in a smaller Quebec town called Hackus. Their event was eventually cancelled, but part of their team was already participating with our small competition team in other CTFs. With the help of part of the Hackus staff, we then decided to create our own CTF that would be built from scratch to be the hardest CTF possible, while still staying enjoyable for newcomers with sufficient experience.

We really wanted to have an event “by the community, for the community”, so we decided to make it a non-profit.

With technical elitism, mental trauma and bleeding noses in mind, our CTF was born.

During the years that followed, it became clear that we would need more money to scale the event. With our strict guidelines on sponsorship, banning any company with known dubious morals, intelligence agencies, people who exploit the image of women, and weapons dealers, we had to find ways to stay alive. Logically, the next step was to start a conference with a slightly higher price point to fund the CTF. This approach worked really well and spawned what is now a 2-day, 350+ attendee conference, mainly targeted at industry specialists.

And eventually, the different perks we offered at both the conference and the CTF, such as an open microbrew bar all event long and our electronic badge, started to drill holes in the budget. To solve this issue, we decided two years ago to spawn two days of professional trainings before the conference. This approach also proved itself worth the investment, as we now attract trainers from all around the world. And this is where we are today.

Your CTF competition looks amazing. How would you like to see the CTF improve/evolve in 2018? (By the way, we love the dual functionality of a practical CTF combined with talks.)

Our CTF is really one of a kind.

With over 400 participants spread across 50 teams trying to break around 200 challenges for more than 48 hours, it is the largest on-site CTF worldwide. It covers most of the fields of infosec, whether it be Web, exploitation, malware, reversing, crypto, forensics, hardware (with electronic badges for every participant), lockpicking, social engineering and more. This requires a crazy infrastructure where we simulate an Internet for every single team hosted in about 12 000 Linux containers, using 10 000 BGP routers, and almost 4M IPv6 table routing entries. This wouldn’t be possible without the invaluable time investment by an incredible team of more than 40 volunteers that help make this event come to life. Every year, we also make sure to create a special ambiance in line with the scenario, which makes an on-site CTF much more appreciable, like cooking sourdough bread for everyone or having custom-crafted passports & voting booth that participants must find vulnerabilities in.

At the growth rate we have, with attendees coming from around the globe, 2018 is probably going to be our biggest year ever. Our technical infrastructure is very good and still has room for more capacity, thanks to our great sponsors that provide us with the high-end equipment this kind of event requires, but we are eventually going to reach our immense room’s physical limit and will be looking for a bigger venue that allows us to scale this to even bigger proportions in the coming years.

The one thing we need now is more volunteers to help us during the event and throughout the year. We also need dedicated challenge designers that are able to work with the team during the year and deliver high quality & interesting security challenges for the attendees to solve.

How much does NorthSec cost for students and non-students? The reason we ask is because I am sure a lot of young people would love to get involved with the CTF aspect of NorthSec.

The CTF costs USD 100 and the Conference+Workshops USD 220 for professionals. Students get 50% OFF for the entire event (USD 50/110) and we also have multiple Early Bird pricing rebates. This very affordable pricing reflects our objective to train better infosec professionals and make the event accessible to everyone whatever their budget. Most student associations are able to front the costs and send a full team to the competition.

What criteria do you look for when selecting speakers? Do you allow any vendor-related presentations or is NorthSec strictly to demonstrate research based security concepts?

NorthSec is an applied security event, therefore speakers are selected based on the quality of the subject presented and its practical use in the infosec world, generally spread across three different fields: Application & Infrastructure Security, Cryptography and Society & Ethics. We do not allow vendor-related/sponsored presentations and are very concerned with keeping a highly technical content for the presented talks and workshops during the conference. Attendee feedback is very important and we want to make sure they get the most out of the time and money they spend to attend the event. We thrive in selecting the most talented experts for the event in order to bring attendees slightly out of their technical comfort zone and acquire new knowledge, whether it is for the conference, workshops, or the exclusive professional training sessions we propose during NorthSec.

How would you like to see NorthSec evolve over time: more towards the speaking side or the CTF/ ‘practical tech’ side?

The two biggest challenges of NorthSec remain the same since day 0: Stay cutting-edge in terms of security/technology and avoid going bankrupt. For that, I think one of the best solutions is to scale the whole operation as much as we can. To stay on top of our game, we need to keep attracting new talented challenge designers and people who can give their time to our event. Scaling and reaching more people helps in recruiting those much needed volunteers. I don’t see the CTF existing in its format, and size, without the framework that we built around it with the rest of the event. It goes the same with the conference and the trainings. I see NorthSec becoming much bigger, in all its aspects, and certainly not easier.

Lastly, what’s the best way for people to follow you and NorthSec? Do you have a Twitter handle or Facebook page you’d like to share here?

The best way to connect and stay in touch is through our Twitter account @northsec_io but we also have a Facebook page and our Website is at where we publish news about the event.

In Summary

We wish the team at NorthSec the best of luck for 2021 and beyond. As stated, the event is absolutely worth attending if you’re in the North American region.