Benguerir – Morocco’s first live hacking event kicked off yesterday at the Mohammed VI Polytechnic University (UM6P) 1337 campus in Benguerir, bringing together cybersecurity enthusiasts, ethical hackers, and students from across the country.
NULLHAT Morocco 2025, organized by ELITES Security Club (EliteSec) in collaboration with HackerOne, continues today with competitions and expert sessions.
The two-day national cybersecurity event features live hacking demonstrations, a Capture The Flag (CTF) competition, and expert talks. Forty teams comprising 120 students from Moroccan universities are participating in the CTF, tackling challenges across eight domains, including web security, cryptography, forensics, reverse engineering, and AI hacking.

Cybersecurity is becoming a key pillar in Morocco’s digital transformation. The event plays an essential role in developing local cybersecurity talent, raising awareness, and building collaboration between universities, institutions, and professionals.
By giving students access to real-world hacking experiences and expert mentorship, NULLHAT helps prepare the next generation of ethical hackers who will strengthen Morocco’s cybersecurity ecosystem and contribute to a safer digital future.
The event is co-organized with 1337 Coding School and UM6P–SOLE (Student Organization for Leadership Engagement), with HackerOne as the official sponsor and partner.
Event created to showcase Moroccan talent
Hamza Barrak, a student at 1337 and organizing member of NULLHAT Morocco, spoke about the event’s origins. “Our club has been quite active in organizing similar events, but we wanted to do something that would have a better impact by contacting bigger organizations,” Barrak said.

He described HackerOne as “an amazing opportunity for us.” The team built on their experience with other cybersecurity platforms like Hack the Box, one of the leading platforms in the field, before approaching HackerOne for support. According to Barrak, the company was “quite supportive” and provided access to their network and resources.
The organizers are responding to recent cybersecurity challenges in Morocco. “Morocco has been dealing with some challenges with cybersecurity, specifically lately,” Barrak noted. Their goal centers on spreading “more awareness of cybersecurity in the country” while positioning the university and the club as “a national cybersecurity hub.”
Their vision extends beyond the current event. Barrak described plans to “continue what we’re doing” with ongoing efforts to help students “develop their skills” and “network with cybersecurity professionals.”
He stressed the importance of “prioritizing Moroccan talents” because “this event is about Moroccan talent.” The long-term goal involves establishing the club, school, and university as a center for hosting similar events and spreading cybersecurity awareness.
Barrak identified several obstacles facing cybersecurity talent in Morocco. “I think it’s a mix of all things,” he said. He pointed to the scarcity of training programs, noting that “you don’t really have good training programs in Morocco” and the few that exist “are not available to everyone.”
Job opportunities present another challenge, as they “are not plentiful or not as many as the ones you could find abroad.” Legal concerns also affect practitioners, as security testing can sometimes lead to “legal issues if you’re just practicing.” According to Barrak, the main barriers remain “job opportunities and also training programs.”
The event represents a significant step toward addressing these challenges by creating opportunities for students to learn directly from industry professionals and gain hands-on experience. By bringing together universities, industry experts, and students, NULLHAT Morocco aims to build a foundation for a stronger cybersecurity ecosystem in the country.
NULLHAT’s timing is particularly important given the increasing digital transformation across Morocco’s public and private sectors. As more services move online, the need for cybersecurity expertise has never been more critical, making events like this essential for developing homegrown talent capable of protecting Morocco’s digital infrastructure.
The event’s name reflects its philosophical approach to cybersecurity. “NULLHAT is more than just a cybersecurity event; it’s a mindset,” the organizers said in a press statement. “In the world of hacking, people are often labeled as white hats, black hats, or gray hats. But at NULLHAT, we believe hacking is not about the color of your hat, it’s about intent, creativity, and exploration.”
Renowned ethical hacker shares experience
Yassine Aboukir, an application security consultant and ethical hacker at HackerOne, is one of the event’s star speakers. “I’m Moroccan. I’ve been involved in cybersecurity for over a decade now,” Aboukir said. His work involves finding “security vulnerabilities in high-profile companies, say, Apple, Google, Facebook, and then in a legal way.” Companies pay him for identifying these vulnerabilities.

As a web application penetration tester and a seasoned bug bounty hunter, he has been active since 2014 and ranked among the Top 20 hackers worldwide on HackerOne.
He has won prestigious competitions, including H1-303 Most Valuable Hacker, and secured 1st place. Between 2017 and 2019, he also served as a HackerOne Triage team member, helping to secure global platforms. Yassine embraces a digital nomad lifestyle, having spent over five years traveling across more than 40 countries.
Aboukir described the difference between ethical and malicious hacking. “Ethical hacking is when you do it within a legal framework. So basically, you have the permission for the company to actually perform the hacking,” he said.
Unlike “black hat activities” with “malicious intent” aimed at “stealing data” or “breaching the company,” ethical hacking involves “good intentions.” The process involves finding vulnerabilities and then going to “responsibly disclose it to the company” to “give them time to actually get it fixed.” Companies often “reward you” for this service.
He discussed how regulatory differences affect the cybersecurity landscape. “Companies, from my experience, they’re not really giving much importance to the cybersecurity aspect” in Morocco, Aboukir said.
User data is “more neglected as opposed to abroad,” where regulations compel companies to prioritize data security. “In Europe, we talk about the GDPR. So any user’s personal identifiable information leakage would actually get the company fined,” he noted, adding that “we need more regulations here in Morocco.”
Local incentives remain limited for cybersecurity professionals in Morocco. Aboukir pointed out that “a lot of the companies don’t have any bug-bounty program” in Morocco. “I cannot really name any Moroccan company that has a bug-bounty program,” he said.
The contrast with international practices is stark, as “in the US, a lot of the Fortune 500 companies have a bug-bounty program.” This creates a situation where professionals are “more motivated to actually work with those companies than work here locally.”
Aboukir shared his personal journey into ethical hacking. “I started from a young age,” he said, crediting cousins who “were also into IT” as “a good influence.” His passion for code and “tinkering with software” led him to search for vulnerabilities “without having any incentive” initially.
Everything changed when he “read about this company called HackerOne” that provided a legal framework to work with companies and “get paid for it.” Since then, he has used his “skill set to find security vulnerabilities in these companies and get paid for it.”
He sees events like NULLHAT as vital for talent development. “I’ve spoken at many conferences abroad. This is my second conference here in Morocco,” Aboukir said. He believes “we need more conferences like this” because “there is a lot of talent here in Morocco” with “very good skill sets that could do very well in cybersecurity.”
The main issue is that “they don’t have the guidance.” These conferences provide “the guidance for these talents” and “give them inspiration.” Aboukir was modest about his role, noting “I’m not saying that I have anything special” and acknowledging that “there are probably more talented people in this conference than me, but they just lack the guidance.”
For Morocco’s cybersecurity future, Aboukir envisions more local events. “We do need in Morocco more conferences, more practical workshops,” he said, encouraging “other engineering schools to follow the example of the university here.”
He compared NULLHAT to international standards, mentioning “DEFCON… BSides, Black Hat, all those international, very renowned conferences.” His question – “Why can’t we have the same here in Morocco?” – points to his belief that “we have the infrastructure. We have the talent. We have everything that we need.” The missing element is initiative from “more engineering schools, maybe companies to organize conferences like this.”
Promoting bug bounty hunting as a career
Soufiane El Habti, a cybersecurity engineer and bug bounty hunter, participated in the live hacking component of NULLHAT. “I am a bug bounty hunter and a cybersecurity engineer,” El Habti said.

He finds “vulnerabilities for famous companies worldwide on the HackerOne platform.” At NULLHAT, organized by “the club EliteSec,” El Habti joined other hackers “from around the world to hunt for vulnerabilities on HackerOne,” which presented “two companies to hack ethically and find vulnerabilities on.”
The event created significant educational value. El Habti described how they “had the opportunity to connect with various students” to showcase “bug bounty hunting.” Participants exchanged “information, expertise,” and presented to students from multiple institutions about “what bug hunting is and what we do and how we find vulnerabilities.”
El Habti stressed the career potential in this field. A critical question for students was “Are we getting paid by this?” which he called “the critical thing here.” Students learned that “bug hunting can be a career, can be something that you can dream of becoming, and something you can be proud of and a passion.”
The event continues through today with ongoing efforts to “find more vulnerabilities” and “give a bright image of the Moroccan community and Moroccan talent in cybersecurity.” El Habti expressed hope for “larger events and more events hosted here in Morocco” in the future.
The local cybersecurity landscape faces several challenges. “If we’re talking about bug hunting when it comes to Moroccan companies, we’re still at the phase where Moroccan companies don’t have the confidence” to publicly request ethical hacking services, El Habti noted.
The event aims to “present us as a community to Moroccan companies, to show that we exist,” and to demonstrate how they “can help companies secure their assets.” El Habti also mentioned a long-term goal to “create our own public bug bounty platform.”
Some progress is visible in the local scene. El Habti mentioned “two ambitious friends” who have launched “a bug bounty platform that is Moroccan.” The hope is that “Moroccan companies generally gain the confidence” to engage publicly and “facilitate the process of reporting bugs to them.”
Motivation for bug hunters extends beyond financial rewards. El Habti explained that they sometimes “find bugs not for monetary reasons” but “to help the companies.” Different hunters have different “goals” and “vision of how we report,” with some reporting bugs simply “to help Moroccan companies.” His community includes a lot of colleagues who work with major international companies like Amazon and Microsoft.
El Habti expressed optimism about Morocco’s cybersecurity future. “Let’s hope that one day we will find a bigger community than now,” he said, looking forward to having “a lot of local Moroccan bug bounty hunters that can participate in a local event about bug bounty hunting.”
A first for Morocco
The CTF competition at NULLHAT Morocco tests participants’ skills across eight challenging domains, including cryptography, PWN (exploitation of memory corruption vulnerabilities), reverse engineering, miscellaneous puzzles, web security, forensics, AI/ML security, and OSINT (Open Source Intelligence).
These competitions require participants to break ciphers, exploit system-level security flaws, disassemble binaries, solve creative puzzles, test web applications, analyze digital evidence, attack machine learning models, and gather intelligence from open sources.
In collaboration with HackerOne, the world’s leading ethical hacking platform, Moroccan security researchers are performing live vulnerability discoveries during the event – showing how real hackers identify and report security flaws responsibly.

This marks the first live hacking event ever held in Morocco, giving students a unique opportunity to watch professional bug hunters in action and learn directly from HackerOne ambassadors who are recognized globally for their expertise.
The live hacking experience is part of a comprehensive 7-day program: 5 days online followed by 2 days onsite at UM6P. Participants have the exceptional opportunity to meet with HackerOne ambassadors who review their reports and provide expert guidance.

Join on WhatsApp
Join on Telegram







