40,000 CVEs a Year, 72 Hours to Respond: MOABI at Cyber On Board 2026

The third edition of Cyber On Board opens today on the Giens Peninsula: three days of scientific conferences, panel discussions, and exchanges centered on embedded cybersecurity, the resilience of critical systems, and technological sovereignty.

The opening day sets the tone. Following the official welcome by Patrick Radja, VP Cybersecurity Director at Naval Group, the program moves into a keynote on AI and cybersecurity in embedded environments, followed by two substantial panels: one on technological sovereignty in the face of the rise of embedded AI, featuring representatives from NVIDIA, Valeo, and the French Gendarmerie; the other on regulation and cooperation at the heart of critical systems (rail, naval, aerospace), with SNCF, Alstom, and the French Navy’s General Staff.

When Security Tools Become the Attack Vector

The timing of this edition is especially telling. This past March, the cybersecurity community experienced a shock that captures, on its own, the very issues being addressed at Cyber On Board. On March 19, 2026, Trivy, one of the most widely used open-source vulnerability scanners in the world, developed by Aqua Security, was compromised in a sophisticated software supply chain attack. In other words, a tool designed to protect the software supply chain became the vehicle for its compromise.

The mechanism is striking. Attackers force-pushed malicious code to 75 of the 76 version tags of Trivy’s official GitHub Action, turning the security scanner into a credential-stealing tool. In practice, the malicious code ran silently before the legitimate scanner, so workflows appeared to complete normally. Yet this tool runs at the heart of thousands of CI/CD pipelines, on every pull request, every merge, every deployment, with access to pipeline secrets by design. The outcome: cloud credentials, SSH keys, and Kubernetes tokens exfiltrated within hours.

This episode reflects a deeper trend that the industry leaders gathered at Giens know well: attackers are moving upstream, increasingly targeting trusted tools, dependencies, and infrastructure rather than end applications. In this environment, relying solely on vendor metadata or version matching is no longer enough. It has become essential to analyze what actually runs in production.

Tomorrow: Jonathan Brossard’s Presentation

This is precisely the challenge that Jonathan Brossard, Founder and CTO of MOABI, will address in his talk on Wednesday, May 27, at 11:30 a.m., in the Software & Drone scientific conference session. His topic: practical vulnerability management under regulatory constraints for modern PSIRTs.

This has become a structural challenge for product security teams. With more than 40,000 CVEs published in a single year (over a hundred new vulnerabilities every business day) and regulations such as the Cyber Resilience Act, NIS2, and DORA imposing remediation deadlines of 24 to 72 hours, traditional methods are reaching their limits. This is all the more true in embedded and industrial environments, where source code is sometimes no longer available, where firmware has been modified, and where life cycles span several decades.

The Rest of the Week: Sessions Worth Watching

Wednesday, dedicated to scientific conferences, brings together several major defense players. ArianeGroup will present its work on software obfuscation in industrial contexts and its integration into the development life cycle. Thales will speak on black-box analysis of security components, a subject closely related to MOABI’s own. Airbus Defence & Space will share lessons learned from the SOC dedicated to Airbus Helicopters products, while Naval Group will address the security evaluation of real-time embedded systems.

Thursday continues this momentum with a strong focus on compliance and defense. Black Duck Software will open the day with the concrete impacts of the Cyber Resilience Act on R&D organizations, echoing directly the regulatory constraints raised by Jonathan. At 10:00 a.m., the MBDA x Alcyconie case study, presented by Stéphanie Ledoux, will focus on preparing embedded systems engineering teams for cyber crisis management, beyond the CERT perimeter alone. The French Navy will outline its approach to cyber training in the face of an exponentially growing threat, and KNDS will offer lessons learned from adopting post-quantum cryptography in vehicle computers and weapon systems.

It is a program that confirms a fundamental shift: embedded cybersecurity is no longer a purely technical matter. It has become a regulatory, industrial, and strategic constraint for the entire sector.

A full article covering Jonathan’s presentation and the discussions from these three days will follow later this week.
