
SecLabs Mobile Edition: 40 Professionals Learn Mobile Ethical Hacking in Madrid

Secra and Secur0 bring together 40 professionals in Madrid for a mobile ethical hacking day with real hands-on cases on startup applications.

Javier Paradelo | April 25, 2026 | 8 min read

When we started kicking around the idea of SecLabs Mobile Edition, we had one thing very clear in our heads: we wanted to put on the kind of event we would have wanted to attend back when we were starting out in this field. No paywall, no artificial filters, no empty slide decks. A day where anyone with the will to learn could sit down, open their laptop and actually hack things alongside people who do this for a living.

On April 25, 2026, 40 people came together at the Digitaliza Madrid Innovation Centre to do exactly that. And what happened that morning and that afternoon confirmed something we already suspected: Madrid's cybersecurity community has far more depth than it gets credit for from the outside.

Group photo of attendees at SecLabs Mobile Edition in Digitaliza Madrid

Why this training

Serious offensive security training in 2026 is still, for the most part, expensive, English-only and aimed at people who are already inside the industry. That leaves out a lot of people with real potential: students in their last years of university, IT professionals who are curious, people looking to switch tracks, individuals who got certified on their own and have nowhere safe to apply what they learned.

SecLabs was born from that idea: free, in-person, technical spaces where people who are still learning can work shoulder-to-shoulder with people who are already in. We dedicated this April edition to mobile security (Android and iOS) with Secur0 as co-organisers.

Having the Community of Madrid host the event at the Digitaliza Madrid Innovation Centre was key. It's a venue designed for exactly this: getting innovation out of regular offices and bringing it in front of a real audience. We brought the technical content and the trainers; they provided a space with an auditorium, breakout rooms and desks with enough power outlets for 40 laptops running for six hours straight.

The opening: Alejandro Las Heras

Having a free ethical hacking event opened by the CEO of the Cybersecurity Agency of the Community of Madrid is not something that happens every day. And honestly, until the day before, we weren't entirely sure how it was going to play out.

It went well. Alejandro Las Heras Vázquez dedicated the opening minutes of the event to talking about what he sees from his position: a region that has moved from treating cybersecurity as a cost line to treating it as a strategic capability, and a local business ecosystem that's growing faster than most people perceive. It wasn't a courtesy speech. There were data points, there was positioning, and there was a clear invitation for the technical community to push from below what institutions are trying to push from above.

Alejandro Las Heras Vázquez, CEO of the Cybersecurity Agency of the Community of Madrid, opening SecLabs Mobile Edition

For those of us organising, it was an uncomfortably useful reminder that these events aren't just "community activities". They're part of something bigger: the technical muscle that a region needs if it wants any kind of digital sovereignty.

The morning: ethical hacking of mobile applications

After the coffee break, the technical part kicked off. Three solid hours of Android and iOS application pentesting, with methodology, tooling and real demonstrations. No generic slides: the content was the same (adapted to the event format) that we use on client projects when we audit mobile apps for companies.

We covered the blocks that actually matter in this kind of audit:

  • Lab setup on a rooted AVD with Magisk, and installing the Burp certificate at the system level. If you're interested in the full step-by-step, we published it in a separate post: how to root an Android AVD for pentesting with Burp Suite.
  • Static analysis: APK extraction, decompilation with jadx, hardcoded secrets hunting, manifest analysis and reviewing exported components.
  • Dynamic analysis: HTTPS interception, SSL pinning bypass with Frida and Objection, runtime instrumentation, detection and evasion of anti-root and anti-debugging controls.
  • iOS approach: practical differences from Android, Frida on jailbroken devices, tooling like Cycript and Objection in Apple's ecosystem.

Javier Paradelo delivering the technical mobile ethical hacking training during SecLabs Mobile Edition

What I enjoyed the most, and I'm saying this from the seat of the person standing at the front, were the questions. They were good questions. Not the "what's that for?" kind, but the "okay, but if the app verifies binary integrity before running, how do you tackle it?" kind. When you start fielding those questions in a room of 40 people that's supposedly there to learn, you know the average skill level in this field is going up.

The afternoon: Hacking Startups

The session that really set us apart, the one a lot of attendees signed up for, was "Hacking Startups" in the afternoon. The idea is simple to describe and extremely tricky to execute: have people work on real startup applications, with prior authorisation from the companies, in a controlled environment, hunting for real vulnerabilities in code that is actually in production.

This isn't something that happens in standard training. Most mobile pentesting courses give you a toy vulnerable app (DVNA, InsecureBank, MobSecurity Lab) that was built precisely so you can find what the course author hid in there. It's useful for learning the mechanics, but it doesn't resemble in any meaningful way what happens when you open an app that someone wrote to make money, not to be audited.

Attendees working on real startup applications during the Hacking Startups session at SecLabs Mobile Edition

Putting this together was the trickiest part of the whole event. We had to close agreements with startups willing to put their apps through a group audit session, define scope very carefully (what could be touched and what couldn't), prepare isolated test environments and lock everything down legally before anyone fired off a single request.

It was worth it. Attendees walked away with, without exaggeration, the closest thing to a real working day of a mobile pentester that you can fit into four hours. Some of the things that came up in the room:

  • API endpoints exposed without proper authentication that returned other users' data by tweaking an id in the URL.
  • Session tokens stored in shared preferences without additional encryption.
  • Root and debug checks that could be neutralised with a three-line Frida hook.
  • Communication with third-party services where the client secret was travelling inside the binary.

All of this, to be clear, with explicit authorisation and within a controlled environment. The important part of an event like this isn't just finding flaws: it's understanding how to report them, how to prioritise them and how to translate them into a report that the company can act on the following Monday.

The takeaway

40 people. Mid-to-senior technical level. Zero incidents. The ratio of attendees with concrete questions vs. attendees who were just "watching from the side" was unusually high. There were exchanges between attendees during the breaks that in several cases turned into collaborations, job offers or simply useful career connections.

For us as organisers, the main takeaway is one: there is real demand for this format. There are people who want to learn seriously and who can't find anywhere reasonable to do it, let alone for free. The combination of "trainers who do this every day" + "real cases with authorisation" + "a decent physical venue" + "community present in the room" works.

If you missed it

There will be more SecLabs editions. We don't have a fixed calendar (we'd rather each edition be justified by its content than fill an artificial schedule) but we're already working on the next one. Future editions will probably touch on cloud, modern web and red team, in some order.

If you want to know when we open registrations for the next SecLabs:

  • LinkedIn for Secra Solutions: that's where the official announcement goes first.
  • Secra's website and our blog: we keep a banner up during the weeks leading to each edition.
  • Contact us if you represent a company willing to offer their app for a future "Hacking" session, or if you want Secra's team to deliver private training for your organisation.

Thanks to everyone who came by Digitaliza Madrid on the 25th, to the Cybersecurity Agency of the Community of Madrid for the opening, to Secur0 for co-organising, and to the startups that stepped up so we could pull off an afternoon like "Hacking Startups". See you at the next one.

About the author

Javier Paradelo

Ethical hackers with OSCP, OSEP, OSWE, CRTO, CRTL and CARTE certifications, 7+ years of experience in offensive cybersecurity, and authors of CVE-2025-40652 and CVE-2023-3512.
