Building something real¶
A build-a-thon is a focused, collaborative event where a team spends concentrated time building something real and usable: a detection rule, a response playbook, a sandboxed exercise, a monitoring view, the shared reference that has been needed for months and never quite reached the top of anyone’s list. The output is a thing that works, not a slide about a thing that might.
What separates it from a hackathon is orientation. A hackathon rewards novelty and tends to leave behind prototypes that do not survive contact with production. A build-a-thon is pointed the other way, at what the team will still be using in the real environment after the room empties. The candidates that suit it are genuinely needed, clearly scoped, and buildable in the time by the people present: detection content for a technique a real adversary uses and current monitoring misses; a playbook for a likely scenario, or one the existing procedure handled badly last time; a lab scenario built on real conditions; a small piece of automation the team will actually maintain rather than abandon the month its author is away.
Two things carry it, and both come before the building. The list is drawn from what the team has wanted to build and never had time for, chosen by the people in the room rather than nominated from above, so it reflects what is felt as useful rather than what is assumed to be. And the environment is ready before the start, access granted, documentation to hand, nothing needed left waiting on a permission, since a build-a-thon that spends its first hours getting set up has lost its momentum before the work begins.
The other half is the handover. Anything built needs an owner, a home in the documentation or the repository, and a line on what would signal it needs updating. Groups of two to four, mixed in skill, tend to produce something more grounded than any of them would alone, and a short, functional show-and-tell at the end shares it around. What lives only on the laptop of whoever built it was activity, not capability.
Last updated: 3 July 2026