(By: Carlos González and María José López, RedCLARA) At some point in 2025, CERN’s systems detected a threat. What followed was not the execution of a predefined process: via ELLALink — the submarine cable connecting Europe with Latin America, deployed as part of the BELLA programme — that information travelled from Switzerland to one of RedCLARA’s servers in Latin America. From there, it was distributed to RNP, REUNA, RENATA, RedCONARE, RAU, CUDI and CEDIA – the NRENs of Brazil, Chile, Colombia, Costa Rica, Uruguay, Mexico and Ecuador (respectively) – which either used it or redistributed it to their institutions. Thus, a threat detected in Europe became, in real time, a warning to universities and research centres across Latin America.

This was made possible by the Regional Cybersecurity Group of the Research and Education Networks of Latin America and the Caribbean, eduLACSeg, which is a robust inter-NREN coordination mechanism for cybersecurity, coordinated by RedCLARA. This group is committed not only to the security of its networks and the academic and research organisations that form part of them, but also to its peer networks, to RedCLARA itself and, above all, to the region; this commitment is evident on a daily basis through the permanent working structure from which the main regional cybersecurity initiatives for the academic sector have emerged and are coordinated.

Its origins date back to 2019, when CUDI (Mexico) and CEDIA (Ecuador) began working together on security issues. In the following years, RNP (Brazil) and REUNA (Chile) joined the effort. On 2 September 2021, at the close of the TICAL Conference — the region’s main annual gathering for academic networks — the executive directors of the four networks, together with RedCLARA, signed the Memorandum of Understanding that formalised the group and established its Co-ordination Committee. “RedCLARA and TICAL represent this space for collaboration, where we can learn and grow alongside other networks. The agreement to create the regional telemedicine network at TICAL2020 was a prime example, and now we have the agreement for the Cybersecurity group. We are delighted to be part of this initiative,” said Juan Pablo Carvallo, Executive Director of CEDIA, on 2 September 2021.

Today, in 2026, as we prepare to celebrate the fifth anniversary of eduLACSeg’s creation, the NIRs from Brazil, Chile, Ecuador, Mexico, Uruguay and RedCLARA are actively participating in the group’s regional coordination and organisation. Furthermore, the academic networks of Colombia and Costa Rica take part in specific initiatives or on a regular basis.

“In the nearly five years since eduLACSeg was established, the progress has been remarkable. Collaboration is no longer limited to the region’s NREN networks; with RedCLARA’s support, agreements have been reached with organisations such as LAC4, Red Ciberlac, GÉANT, CERN and AMREN, amongst others, to develop projects, participate in initiatives and exchange cybersecurity threat intelligence. Progress is also evident amongst the region’s NRENs; collaboration flows naturally, with the sharing of knowledge, tools, best practices, training and support for any cybersecurity incident,” says Fernando Aranda, who, from CUDI, has been one of the group’s key driving forces.

It is worth noting that the group has also benefited from the participation of ARIU (Association of University Interconnection Networks) from Argentina, as a guest in initiatives where its expertise has been particularly relevant.

“As is well known, the golden rule in cybersecurity is collaboration, and eduLACSec has undoubtedly enabled us to do just that. Within this framework, we have been able to address issues such as the exchange of technical and regulatory knowledge and experiences, as well as the formation of networks of trust between individuals—which is of the utmost importance in the field of cybersecurity, given the nature of the information handled and exchanged— it is essential to know the counterparts with whom you collaborate, so that, should an incident occur, we can provide rapid mutual support across academic networks”, says Alejandro Lara of REUNA, highlighting the value of collaboration within this group.

At eduLACSeg, leadership is shared and rotates according to the nature of each initiative. RedCLARA and CUDI coordinate the group as a whole, RNP co-leads the maturity assessment process, and CEDIA guides the asset exposure assessments. This distribution is more than just a governance model; it is what makes it possible to move forward collaboratively, which is the group’s defining value.

Sharing knowledge

Since 2020, the group has led the Strategic Cybersecurity Meetings at the TICAL Conference. Panels, technical sessions, workshops, CSIRT meetings: year after year, this forum has been the place where networks compare what they are observing, what they are doing and what they need.

Outside of TICAL, in October 2022 the group organised a series of four webinars featuring speakers from REUNA, CEDIA and CUDI, which reached the academic community across the region.

“The knowledge-generation efforts within eduLACSeg are fundamental because they help to build a regional vision of the challenges facing cybersecurity. Beyond sharing technical information, these forums promote the exchange of experiences, collaboration between professionals and the development of new capabilities that benefit the academic and research community,” emphasises Javier Valena from RAU.

This collaboration on raising awareness also extends to Europe. Since 2022, RedCLARA has been participating in GÉANT’s Cybersecurity Month, the European academic network’s annual cybersecurity awareness campaign. In 2022, eduLACSeg contributed the expert insight of Emilio Nakamura, CISO of RNP, who delivered the presentation “Strengthening security and privacy culture in Latin American NRENs” to the global community.

For Erika Viviana Casas, Director of Technology and Infrastructure at RENATA, “participating in eduLACSeg means being part of a trusted community where we share experiences, best practices, lessons learnt and technical capabilities that strengthen the security of our member institutions. Thanks to this cooperation, the region’s academic networks have been able to access high-impact initiatives, establish strategic partnerships with international organisations and respond in a more coordinated manner to the growing challenges of cybersecurity. A tangible example of this value is the collaboration established with CERN for the exchange of threat intelligence. Thanks to the coordinated efforts of eduLACSeg and RedCLARA, RENATA is able to receive early warnings about threats and attacks identified at an international level and share this information promptly with its member institutions, enabling them to strengthen their prevention and response mechanisms. This demonstrates how regional and international cooperation translates into concrete benefits for our academic communities.”

And, speaking of cooperation, in 2025, as part of the continental AMREN initiative—a working group of networks in the Americas: RedCLARA (Latin America and the Caribbean), Internet2 (United States) and CANARIE (Canada)—and as part of Cybersecurity Month, on 7 October eduLACSeg shared its expertise with the Americas through the expert contribution of Jorge Merchán, from CEDIA, at the opening of the Ciberbridges webinar series. The session, which focused on the impact of deepfakes, social engineering and CSIRT response strategies, attracted more than 180 participants. The Ciberbridges series comprised four cybersecurity webinars running through to December; the session led by the CEDIA expert proved to be the most successful in terms of audience numbers. Jorge Merchán himself views this experience very positively: “Threats do not require visas nor do they recognise borders; faced with this, the question is not whether we collaborate, but how quickly and with how much confidence we are able to do so. Therein, for me, lies the true significance of Ciberbridges. The name says it all: it was not just a series of talks; it was a bridge connecting the knowledge from the north of the continent—Internet2, CANARIE—with the experience and challenges of the south, and it did so in Spanish, Portuguese, English and French, respecting the diversity of our region rather than erasing it. That is no minor detail: it democratises access to cutting-edge knowledge for institutions which, on their own, could never sit down to discuss Zero Trust or identity management with a CISO from a US university. For a network like CEDIA, which provides VOC, SOC, CSIRT and GRC services to a broad ecosystem of higher education institutions, initiatives like this multiply our capacity.”

Surveying, measuring and improving

In 2023, the group coordinated the first regional cybersecurity survey aimed at higher education institutions, with support from Ciberlac (an IDB initiative). A total of 189 institutions from Chile, Uruguay, Brazil, Ecuador, Colombia, Costa Rica, Mexico and Guatemala took part, representing an estimated student population of two million people.

The results were revealing: 67 per cent of participating institutions did not have a security plan, and fewer than 20 per cent offered any academic programme in cybersecurity. The most critical skills gaps were concentrated in forensic analysis, secure development and vulnerability management, and 28 institutions that did not offer cybersecurity programmes expressed an interest in doing so — a clear sign of latent demand that the ecosystem could address.

Ivan Benevides, from RNP, explains the importance of carrying out these assessments through the survey: “Assessment is a crucial step that enables us to understand the current situation of each network and its scores, identifying the steps needed to achieve the desired strategic developments, transforming cybersecurity from a reactive cost centre into a proactive strategic pillar, and aligning technological protection with continuity objectives.”

Using the survey’s findings as a starting point, the group adopted GÉANT’s Security Baseline framework to measure the cybersecurity maturity of national networks. The model assesses four organisational dimensions: policies, people, threats and operations, and enables results to be compared between networks in the region and with European networks that also implement it.

Ana Alves, an expert from the pan-European network, states that “for GÉANT, initiatives such as this are of fundamental strategic value. Collaboration with RedCLARA not only strengthens ties between regions but also significantly expands our ability to understand diverse cybersecurity challenges from multiple perspectives. This type of intercontinental cooperation enables the two-way sharing of knowledge, enriches approaches and accelerates the adoption of best practices that benefit all the communities involved”.

The first phase, carried out in 2024 in collaboration with GÉANT’s GN5-1 project (funded by the European Union), involved RNP, CEDIA and REUNA. In the second phase, currently underway in 2026, these three networks are supporting the others in their own assessment process. The aim is for all networks to assess their maturity annually, compare themselves with one another and with Europe, and draw up joint improvement plans. The first consolidated results were presented at TICAL 2025, which showed a clear improvement in the maturity of the networks from the first phase and 100 per cent adoption of the framework by the region’s networks.

A key conversation that spanned the Atlantic

Whilst the group was developing its first regional initiatives, a conversation at TICAL2021 opened up a new possibility. CERN was invited to take part in a conference session, where it presented its work on threat intelligence sharing. The meeting led to a regional collaboration agreement and the launch of an initiative that several networks began to implement in parallel. ARIU, the Argentine university network, made the fastest progress, and this practical leadership made it the benchmark that guided the other networks through the installation and roll-out process.

Today, the system operates as follows: CERN detects actual attacks or potential risks and sends this information, via ELLALink, to RedCLARA’s central server. RedCLARA receives it and distributes it to the participating national networks, which in turn redistribute it to their institutions in accordance with their own policies. The protocol that makes all this possible is MISP — open-source threat intelligence sharing software — and the collaboration forms part of the CERN SAFER project.

In addition, the group has access to pDNSSOC, also developed by CERN, which enables threats to be blocked automatically via DNS. The system is available to networks wishing to implement it.

From sharing knowledge to building capacity, not just transferring it

A constant feature of the group’s work is its commitment to building capacity within the networks and their institutions. This is clearly reflected in the collaboration with LAC4, the Cyber Competence Centre for Latin America and the Caribbean, funded by the European Union.

Through this partnership, the group has organised high-impact training programmes. In March 2024, RedCLARA and LAC4, with the support of eduLACseg, ran the course ‘Training on the creation and operation of CSIRTs in the academic sector’, which brought together 85 participants from nearly 60 organisations across 18 countries. The programme was led by an expert in Security Governance and included case studies presented by the NREN cybersecurity leads themselves, who are members of the Group: Jorge Merchán (CEDIA), Fernando Aranda (CUDI), and Ivan Tasso and André Landim (RNP). The aim was to empower the academic sector in both technical and legal and regulatory aspects related to the work of CSIRTs. The course had an immediate impact: the Universidad Autónoma del Carmen (UNACAR) in Mexico used what it had learnt to present a proposal to its senior management to set up its own CSIRT. The group has also organised a session for 56 participants on artificial intelligence and cybersecurity (2024) and a seminar on cybersecurity indices for NREN and institutions (January 2025).

At TICAL 2025, the group also ran a face-to-face and virtual workshop on how to plan and carry out cyber incident simulation exercises (tabletop exercises). The workshop was facilitated by a NATO specialist in collaboration with LAC4, and brought together 31 professionals from eight countries.

The approach was the same: rather than conducting a single exercise, the aim was to train the networks so that they could design and facilitate their own.

Danny Silva, an expert from RedCONARE, speaks very highly of the activity organised by eduLACSeg as part of TICAL in Costa Rica in 2025: “The workshop added immense value to the infrastructure of public universities, and the reception from RedCONARE was excellent, with a truly remarkable participation rate. What made the difference was the practical approach: the workshop didn’t just stick to theory, but provided us with technical tools, methodologies and directly applicable material. The fact that we got to work on real-life scenarios (hands-on) was crucial for highlighting the current threat landscape. It made the urgency of standardising processes and the critical importance of operating within a joint framework to strengthen our security posture very clear to us.”

What the system means

Let’s go back to the beginning. When CERN detects a threat and that information reaches Latin American universities in real time, what is happening is not just a data transfer: it is the realisation of something that did not exist five years ago. What the group has built is a collective capability that amplifies what each network does on its own: threat intelligence arrives in real time via a trusted network that took years to build. This is possible because the networks decided to work together, and because there is a structure — eduLACseg — that turns those intentions into something concrete and sustainable.

That is what the group has built: not a centralised service, but a platform where the capacity of each network is multiplied by that of the others.

The group’s cumulative work has generated concrete capabilities that are available to the networks and their institutions:

• Organisational maturity assessment using the GÉANT framework, with 100% of the networks using it to improve their cybersecurity posture.
• An operational threat intelligence-sharing system with Europe, backed by regional expertise in its implementation and use.
• The design and facilitation of cyber-incident simulation exercises, with several networks already trained to lead them.
• A network of partnerships with GÉANT, CERN and LAC4, with a track record of effective collaboration.

The Regional Cybersecurity Group is, above all, a collective endeavour of Latin America’s academic networks. What exists today — the intelligence system connected to Europe, maturity assessments comparable with networks worldwide, incident response capabilities established across dozens of institutions, and spaces for dialogue and co-creation — was not designed by anyone from above: it arose from the decision by the NREN to work together and from the conviction that academic cybersecurity in the region is a shared responsibility.

For academic institutions in the region, belonging to an NREN that is a member of the group means access to this ecosystem: tools, training, threat intelligence and a community of practice that grows with every initiative. For external organisations and partners, RedCLARA and the group are the natural point of contact for any project seeking to engage with the Latin American academic sector on cybersecurity matters.

The value of eduLACSeg in the voice of its members

Jorge Merchán, CEDIA: “The group transformed security teams that were working in isolation – each tackling the same problems on their own – into a genuine regional community that knows, communicates with and looks out for one another. Before eduLACSeg, cooperation on cybersecurity amongst the region’s academic networks consisted of goodwill and loose contacts. Today it is structured; we have a framework to develop our CSIRTs, to drive the creation of SOCs, to train our people through programmes such as the Security Baseline Bootcamp, and to bring the voice of the regional academic community to high-level forums, such as the EU-LAC Digital Alliance dialogues. We have moved from reacting individually to building resilience collectively. And the most valuable aspect of all this is trust. That capital of trust, built up meeting by meeting, exercise by exercise, over almost five years, cannot be bought or improvised. It is, for me, the most important asset the group has created, and the one that makes everything else work.”

Fernando Aranda, CUDI: “eduLACSeg is a group that prioritises collaborative work and supports the integration and growth of more cybersecurity teams within the Latin American National Research and Education Networks (NREN) and their members. Through all its activities, eduLACSeg drives the development of the cybersecurity ecosystem in the region’s education and research sectors.”

Ivan Benevides, RNP: “From my perspective, the most valuable thing the group has achieved through this work is transforming a discipline that is often abstract and reactive (cybersecurity) into a tangible, measurable and proactive strategy through requirements gathering.”

Alejandro Lara, REUNA: “One of this group’s achievements has been the establishment and evaluation of a cybersecurity maturity baseline (Security Baseline), in collaboration with GEANT and RedCLARA. This assessment has enabled us to understand our current level of maturity and identify opportunities for improvement to raise this standard.”

Erika Viviana Casas, RENATA: “I believe that the most valuable achievement of eduLACSeg has been to build a trusted regional community capable of transforming collective knowledge into concrete capabilities for academic networks and their institutions. Beyond specific tools and projects, the greatest achievement has been to demonstrate that regional cooperation generates tangible and sustainable results. eduLACSeg has created an ecosystem where the capabilities of each network are multiplied through joint efforts, strengthening the digital resilience of the academic sector in Latin America.”

Javier Valena, RAU: “In my view, the group’s greatest achievement has been to build a regional community based on trust and collaboration in cybersecurity. I also think it is important that eduLACSeg helps to establish the idea that cybersecurity in Latin American academia is a regional challenge and not merely an institutional one; the group helps knowledge and capabilities to circulate between countries rather than remaining concentrated amongst a few actors.”

Danny Silva, RedCONARE: “In my view, the greatest contribution has been to consolidate communication channels and achieve genuine joint operational coordination between universities. At a technical and management level, it is easy for each institution to operate in isolation, but the group has made it possible to break down those silos. We have managed to exchange intelligence, align strategies and realise that tackling infrastructure challenges and vulnerabilities in a coordinated manner is far more effective than trying to resolve them independently.”