Archive: News

Launch of itrust’s AI platform – hestIA


hestIA - Sovereign enterprise AI assistant for public administration and communes



We are excited to announce the launch of hestIA, an enterprise AI assistant designed for organisations that require sovereign, auditable, and access-controlled AI capabilities without relying on external providers.

The name hestIA is drawn from Hestia, the Greek goddess of the hearth. Revered for the goodness of her modest nature and her role as the guardian of the sacred flame, Hestia symbolises a place of safety, stewardship, and trust. In the same spirit, our platform is designed to keep your organisational activities securely within our infrastructure—effectively keeping your work “in our home,” where your data is protected, managed, and always under your control.

hestIA provides a familiar conversational interface — comparable to ChatGPT or Microsoft Copilot — available today as a service hosted on Luxembourg-based infrastructure operated by itrust consulting. Unlike general-purpose AI services, hestIA does not transmit data to external AI providers: all model inference is performed on itrust consulting's own systems.

Beyond general-purpose AI capabilities, hestIA allows organisations to build and maintain structured document collections that the system queries using retrieval-augmented generation (RAG). Responses are grounded in the organisation's own documents and include inline citations, giving users a clear and verifiable link between answers and their sources.


Key highlights

Data Sovereignty and GDPR Compatibility


hestIA is hosted on Luxembourg-based infrastructure within the European Union. All processing — model inference, document indexing, and query handling — is performed on itrust consulting's own systems. No data is transmitted to external AI providers, so hestIA is designed to support GDPR compliance for organisations processing data within the EU. Organisations using the service beyond the evaluation phase are governed by a Data Processing Agreement (DPA) with itrust consulting, establishing a clear and auditable data processing relationship.

Enterprise Knowledge Base with Inline Citations

Organisations can create and manage document collections covering any domain of activity. When users pose questions, hestIA retrieves relevant passages from those collections and returns answers with direct citations to the source documents. Supported file formats include PDF, DOCX, XLSX/XLSM, PPTX, TXT, and CSV.

Information Governance and Knowledge Sharing

Access to documents is enforced automatically at query time based on classification levels aligned with the organisation's own information governance policies — such as public, internal, confidential, or restricted. Knowledge bases can be shared with partner organisations or other tenants, enabling controlled cross-organisational knowledge exchange while the owning organisation retains full authority over its documents.
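As an added illustration of the two mechanisms described above, query-time enforcement of classification levels and answers with inline citations, here is a toy retrieval step written for this page (not hestIA's own code). The level ordering, the keyword scoring that stands in for embedding similarity, and the sample corpus are all constructed assumptions.

```python
# Added illustration (not hestIA's code): classification-aware retrieval
# with inline citations. Corpus, level ordering and scoring are constructed.
from dataclasses import dataclass

# Assumed ordering of the classification labels named on the page.
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}


@dataclass(frozen=True)
class Chunk:
    doc: str    # source document name, used for the citation
    page: int   # page number, used for the citation
    level: str  # classification label inherited from the document
    text: str


def can_read(clearance: str, level: str) -> bool:
    """A user may read a chunk only if their clearance covers its level."""
    return LEVELS[clearance] >= LEVELS[level]


def _overlap(query: str, text: str) -> int:
    """Keyword overlap as a stand-in for embedding similarity."""
    return len(set(query.lower().split()) & set(text.lower().split()))


def retrieve(query: str, chunks: list, clearance: str, k: int = 3) -> list:
    """Filter by access level BEFORE ranking, so chunks the user may not read
    never reach the model or influence the answer, rather than merely being
    hidden from the citation list afterwards."""
    allowed = [c for c in chunks if can_read(clearance, c.level)]
    ranked = sorted(allowed, key=lambda c: _overlap(query, c.text), reverse=True)
    return [c for c in ranked[:k] if _overlap(query, c.text) > 0]


def answer(query: str, chunks: list, clearance: str):
    """Return (answer text with [n] markers, list of citation strings)."""
    hits = retrieve(query, chunks, clearance)
    if not hits:
        return "No answer found in the documents you are permitted to read.", []
    body = " ".join(f"{c.text} [{i}]" for i, c in enumerate(hits, 1))
    cites = [f"[{i}] {c.doc} p.{c.page}" for i, c in enumerate(hits, 1)]
    return body, cites


# Constructed sample corpus for a commune.
CORPUS = [
    Chunk("Opening hours.pdf", 1, "public",
          "The town hall is open Monday to Friday from 8h to 17h."),
    Chunk("Backup policy.docx", 2, "internal",
          "Backups of the town hall file server run nightly at 2h."),
    Chunk("Incident report.docx", 4, "restricted",
          "The town hall file server was compromised via a phishing email."),
]
```

With clearance "internal" the restricted incident report is excluded before ranking, so it can neither be cited nor leak into the generated text; a "restricted" user sees all three sources.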

Multilingual Support

The service operates in French, German, and English. Users can interact with hestIA in their preferred language, and document collections can be organised by language to ensure queries are matched against the appropriate content. A full audit trail records all activity, supporting accountability and oversight requirements.

Availability

hestIA is live today. Organisations can register for immediate access to the platform for testing and evaluation purposes. Formal use is governed by a Data Processing Agreement (DPA) available upon request. For enquiries, contact info@itrust.lu.

The source code of hestIA will be made publicly available in the near future, allowing any organisation to self-host the platform independently.

Roadmap

The following capabilities are planned for future releases:

  • Asset inventory management: ISO 55000:2024 and ISO/IEC 27001 aligned taxonomy and ontology enabling asset classification, coherence verification, inventory validation, and lifecycle tracking

  • Document generation pipeline: efficient production of administrative documents from approved templates and the organisation's knowledge base

  • Audit assistance agent: AI-assisted auditing against configurable standards and frameworks, covering gap identification, non-compliance detection, and mitigation suggestions


hestIA product page

Beta releases of SATRAP-DL and IDPS-ESCAPE

We are happy to announce two new open-source releases that together complete a fully automated, intelligence-driven security operations pipeline, closing the loop on hybrid rule-based and AI-driven threat detection and response.

IDPS-ESCAPE (v0.7 + v0.8) brings the most significant functional leap since RADAR was introduced:

  • RADAR risk engine — a principled weighted fusion model combining anomaly detection signals, signature-based risk, and live CTI scores into a three-tier automated response: notification, remediation with case creation, and full host isolation

  • DECIPHER integration — a fully operational client that queries CTI from MISP, fuses scores into RADAR's risk model, and opens structured Flowintel incident cases automatically — no manual SOC intervention needed

  • SONAR — a multivariate anomaly detection engine for Wazuh, powered by the deep learning algorithm MTAD-GAT, with a YAML-based scenario system for repeatable, code-free detection workflows, and debug mode for offline train-detect cycles without a live Wazuh instance

SATRAP-DL (v0.4) delivers the other side of that integration:

  • DECIPHER — an open-source REST microservice for automated, IOC-based severity-confidence scoring of security alerts backed by MISP threat intelligence and prioritized Flowintel case creation

  • PyFlowintel — a clean Python library wrapping the Flowintel API, enabling programmatic case management

  • One-command deployment of the full stack: DECIPHER + MISP + Flowintel

Together, these two releases close the MAPE-K loop end-to-end: RADAR detects a threat → DECIPHER enriches it with live CTI → a risk score drives the right automated response → a prioritized Flowintel incident case lands in the analyst's queue. Entirely open-source.
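As an added illustration of the weighted fusion and three-tier response described for RADAR above, and of the CTI enrichment step that DECIPHER contributes to the loop, here is a small risk engine written for this page (not RADAR's or DECIPHER's code). The weights, tier thresholds and the in-memory lookup standing in for a MISP query are assumptions.

```python
# Added illustration (not RADAR's code): weighted fusion of anomaly,
# signature and CTI signals into a tiered response. All numbers are assumed.
from dataclasses import dataclass

# Assumed weights for the three signal sources (they sum to 1).
WEIGHTS = {"anomaly": 0.4, "signature": 0.3, "cti": 0.3}

# Assumed thresholds, checked from the most severe tier downwards.
TIERS = [(0.8, "isolate_host"), (0.5, "remediate_and_open_case"), (0.2, "notify")]

# Constructed CTI lookup standing in for a MISP query: IOC -> score in [0, 1].
CTI_DB = {"203.0.113.7": 0.9, "198.51.100.23": 0.3}


@dataclass
class Alert:
    host: str
    anomaly: float    # anomaly detector score, 0..1
    signature: float  # severity of the matching signature rule, 0..1
    iocs: list        # indicators extracted from the alert


def cti_score(iocs, db=CTI_DB):
    """Highest CTI score over the alert's indicators; unknown IOCs add nothing."""
    return max((db.get(i, 0.0) for i in iocs), default=0.0)


def fuse(alert, weights=WEIGHTS, db=CTI_DB):
    """Weighted sum of the three signals, rejecting out-of-range inputs."""
    signals = {"anomaly": alert.anomaly, "signature": alert.signature,
               "cti": cti_score(alert.iocs, db)}
    for name, value in signals.items():
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"{name} signal out of range: {value}")
    return round(sum(weights[k] * signals[k] for k in weights), 3)


def decide(alert, tiers=TIERS):
    """Map the fused risk score to the response tier it falls into."""
    risk = fuse(alert)
    for threshold, action in tiers:
        if risk >= threshold:
            return risk, action
    return risk, "no_action"
```

A known-malicious IOC from the lookup can push an otherwise moderate alert into the isolation tier, while an alert with no CTI hit and weak signals stays below the notification threshold.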




IDPS-ESCAPE product page

SATRAP-DL product page

IDPS-ESCAPE on GitHub

SATRAP-DL on GitHub

IDPS-ESCAPE blog post

SATRAP-DL blog post

C5-DEC CAD version 1.2

We are excited to announce C5-DEC CAD v1.2 - our open-source, AI-enabled toolkit for computer-aided secure system design, development, and evaluation.

C5-DEC CAD unifies Common Criteria (CC) tooling, SSDLC traceability, compliance workflows, cyber-physical system security assessment, cryptography, and resource management in one repository-centric platform.

C5-DEC CAD helps teams run a complete secure-by-design workflow in one place:

  • Common Criteria engineering support with structured knowledge and specification workflows

  • End-to-end requirements, design artifacts, tests, and traceability built on our SpecEngine subsystem

  • Practical SSDLC tooling for compliance, threat modelling, risk analysis, documentation, and evidence generation via our DocEngine

What’s new in v1.2:

  • CRA compliance module: Annex I checklist, Annex VII technical documentation generation, Annex V EU Declaration of Conformity, with support for Default, Class I, Class II, and Critical classes

  • SBOM lifecycle management: Syft-based generation (CycloneDX/SPDX), validation, diffing, traceability, and CRA cross-verification

  • Native cryptography module: PQC, SHA-256 integrity checks, GnuPG signing/encryption, Shamir’s Secret Sharing, and digital signatures

  • Expanded CPSSA: threat model generation (OWASP pytm/Threagile-compatible), FAIR-based quantitative risk analysis, STRIDE-based reporting

  • SpecEngine and DocEngine enhancements: richer traceability visualization, interactive specification browser, traceability statistics, Mermaid rendering pipeline, design artifact hygiene utilities, and CRA-ready report/presentation templates

Also in v1.2: completed CC:2022 knowledge base content, stronger Docker hardening, and a significantly expanded test suite.





Product presentation

C5-DEC CAD v1.2 is free and open source

Live technical specifications and traceability coverage

Blog post

NIS 2 Directive for better cybersecurity transposed in Luxembourg

The NIS 2 law and a resilience law were finally voted today, unanimously, by the parliament of Luxembourg. From the 10th May on, all private entities considered important or essential (it is up to them to find out, see link below) and all public entities (all of them, including municipalities, inter-municipal associations, ministries…) MUST have a top-management-approved risk assessment and risk treatment plan, and several policies enforcing cybersecurity, such as asset management, Human Resource security, access control, … A huge task, for which itrust consulting is prepared to help. Here is our approach: first a high-level risk treatment plan to become compliant within a week, then a fine-tuned and improved version for reporting to the regulator, both achieved with our free tools OpenTRICK and OpenARIANA.

NIS2
Resilience of critical infrastructure
Description of OpenTRICK
Download of OpenTRICK
Link to mandatory ILR questionnaire

Public authorities that are open to cybersecurity measures but closed to fraudsters — that is what citizens expect!

Interview with LG magazine, translation by itrust consulting.


Are local authorities prepared to tackle the challenges of cybersecurity and the NIS2 Directive? How should they handle it? An interview with Lynn Pinto, DPO; Camar Houssein, SECaaS Manager; and Carlo Harpes, Managing Director of itrust consulting s.à r.l. and Chair of the (Luxembourg) Security Standards Committee.


How have public authorities been preparing for this new challenge?
Carlo: The text of the NIS2 Directive has been published since 2022; Luxembourg has opted for a transposition that is as simple and minimalist as possible; all entities involved in public procurement are covered; they will be required to manage cybersecurity risks, report their dependencies and security status as well as the outcome of their risk assessment to ILR. In addition, they must report incidents and, if necessary, will receive instructions from ILR on how to manage risks.
Minister Léon Gloden encouraged them to take this challenge seriously and not to wait for the law to come into force before preparing. The day after the vote, each entity must have an approved risk analysis demonstrating that it has found the right balance between investing in security measures and accepting residual risks; they must regularly submit improvement plans to ILR too.

What remains to be done by the organizations?
Camar: We agree with ILR that the NIS2 Directive requires nothing more than a designated security officer. However, it imposes a human resources security policy, a (formalized) access and asset management – that is to say, an inventory, with classification and assignment of responsibilities for these assets – and, most challenging of all, a risk assessment and management process that takes into account current norms, which are virtually unknown in the sector. We can easily train someone to assess risks, but such assessment remains uncertain, even for an expert. My manager always says that conducting a risk analysis is an art rather than a science, as this process must produce well-reasoned and ‘reproducible’ results.

Do organizations that are already GDPR-compliant have a head start?
Lynn: Clearly yes, and yet we still come across organizations that are badly prepared: with no record of processing activities, or incomplete ones; with no privacy notice easily available to data subjects; despite the law having been in force for seven years and the CNPD having hired over 60 officials to monitor and provide guidance. Recently, we have again come across municipal secretaries who are also DPOs, and are, therefore, in a conflict of interest, highlighting the decision-makers’ disregard for compliance, laws and regulations.

Who is responsible for this?
Carlo: The College of the Mayor and Aldermen – although we often feel sympathy for them, given how overwhelmed they are by such demands. Note that more than 100 local politicians have resigned since the start of their terms, three years ago. They cannot master every technical field, and the existing staff are reluctant to embrace change, sometimes refusing to accept responsibilities, despite enjoying exceptional job security. Added to this is overly rudimentary support from institutional bodies, with municipalities' autonomy serving as a partially valid excuse. And for NIS2, a poorly drafted list of requirements from the regulator.

Could you explain this particular feature of Luxembourg?
Camar: NIS2 requires us to follow current security standards in order to identify the appropriate safeguards. We are very familiar with these measures, and they are often already implemented by our clients: these include ISO/IEC 27002 for general security measures, 27001 for management and governance, 27701 for data protection, and 22301 for business continuity, now referred to as resilience. This knowledge is not included in the risk analysis tool promoted by ILR, and each entity will have to study and add it manually. Whilst one could allow free choice of tools, as the CSSF does, ILR imposes a very specific format, defined by a Luxembourgish tool and guidance that shows signs of immaturity. Electricity operators in Germany have committed to independent certifications based on ISO 27001, 27002 and 27019, carried out by state-accredited bodies. This creates an ecosystem with well-established control mechanisms (via OLAS), at similar prices, but with guarantees and a level of security far superior to our self-assessments.
Another problem is that this self-assessment does not use the ISO 27002 standard, but a little-used European guide, and has not been integrated into the risk analysis tool.

How can we strengthen our collaboration?
Carlo: One model of collaboration is our joint project for Diekirch and Ettelbruck, which involves sharing the costs of our CISO support and which is already in place for the utilities sector. Some other municipalities wish to share a CISO role, just as some already share the municipal police service.
We have also proposed to ILNAS that a standardization committee be set up for the municipalities, so that the sector can develop common ground for their activities, not just in cybersecurity.
Finally, ILR announced that it would consult with cybersecurity service providers, who act as catalysts for implementation and designers of more effective solutions than those currently in place; however, this collaboration has never started.

What remains to be done for NIS2, given that the GDPR has already been implemented?
Lynn: All that is ‘needed’ is to extend the incident management procedure and to plan or create a security management system. In other words, an organization should ideally appoint an internal or external CISO to monitor security across IT and business units, to train senior management, to implement a few additional security policies based on norms and tailor them to the needs of a small organization. And, finally, to document and manage risks.

What is the cost of complying with NIS2?
Camar: It is easy to become ‘compliant’, provided that: 1. staff are willing to take on new responsibilities; 2. are available for an average of one day to undergo training, read the documentation, and help to identify and rectify issues. And, 3. provided there is a budget of €15,000 to €30,000 for external support to create initial documentation, coach staff, and guide managers in managing risks.
But compliant does not mean secure, and accepting responsibility does not mean having the time and skills to make the right decisions. Achieving a good level of security can take years, but NIS2 does not impose a deadline. In other words, NIS2 compliance does not guarantee security, but it enables managers to make the right decisions for better cybersecurity.

What experiences have you had?
Carlo: Having submitted 15 analyses to the ILR, we are familiar with their methods and requirements. Having implemented data protection measures in 15 municipalities with limited budgets, we understand the context and have successfully brought them into compliance.
We have developed a free tool, OpenTRICK, to simplify risk management. It imports assets from our inventory; documents risk parameters and compliance level both for the risk treatment plan and for self-assessment, as well as exports the information in the format and with the level of details required by ILR. It facilitates tracking within a ticketing system, such as Redmine, either in-house or hosted by us: redmine.opentrick.eu.
Adhering to security rules does, however, require extra effort and attention; but given current vulnerabilities and practices, the improvements required are well worth the cost.

And is artificial intelligence (AI) useful in this context?
Lynn: As part of the CyFORT initiative, we will soon be offering a free AI tool to assist local authorities in inventorying their IT assets and improving their documentation, aiming to foster interoperability between municipalities rather than with multinationals.
itrust consulting has benefited from AI in several ways: to improve our documentation, in our RADAR tool to detect the first signs of a cyberattack… But the biggest concern remains the advantages fraudsters gain from it: scams are becoming increasingly sophisticated and tailored to exploit victims’ vulnerabilities.

What are the biggest challenges in cybersecurity?
Carlo: Compliance is not security. It is easy to achieve compliance; it is difficult and costly to secure an infrastructure. We advocate quick wins: staff training, independent checks on system configurations, the use of open-source software, and thus investment in local skills rather than in IT licenses for poorly utilized IT products.
The hardest part is changing habits, accepting that we must justify our choices, and replacing trust with verifications, especially in IT management where mistakes are simply human, and often facilitated by lack of time. That is why the sector must collaborate and seek synergies.


Read the full interview in French (p. 36-38) published in LG | March 2026 | n° 36
