At The Red Guild, we share periodic public updates on what we've done, what we're up to, and what's to come. This helps us stay accountable and committed to our work while we open ourselves to the community.

In case you missed the last one, you can find all our updates here:

In today's menu, we've got:

Our first trial of internships at The Red Guild
News from the development front: updates on devcontainers, a new tool to facilitate their use, and progress on The Phishing Dojo.
Latest articles and research on environment isolation and VSCode extensions
Recent collaborations, featuring a new video in our YouTube channel for the spanish-speaking community.
Preparation work for upcoming events, such as Devconnect and ETHCon.
More updates on funding, design, logistics, etc.

Internships

We're executing the first internship of The Red Guild. We’ve been wanting to do this for a while, but the time wasn’t quite right for us. Being such a small team, with the amount of uncertainty that we handle, and the amount of things that we did, we felt whoever was going to join us in our quests deserved a better prepared party.

But with dantesito everything was different. We already knew him, and he knew us —well, at least he knew matta from up close— so he knew what he was getting into (we hope 😅). He has worked alongside us, participating as a volunteer in some of the events we did with GEERS, showing a lot of interest from the beginning, and being one of the top contributors to these local events.

He started helping at Nodo Serrano too, an Ethereum Hub that just opened, where he lives, in which we also participate as advisors. Another random fact: he was selected for a SEED Latam scholarship to attend the past Devcon in Bangkok, and we had the chance to hang out together.

Originally, we wanted to participate in the EF's summer internships, but we eventually withdrew. Fortunately for us, the same week we heard Dante had some spare time between his studies, and was thinking about putting some work. That’s when it was a no-brainer for us.

Everything resulted just right! He's been making key contributions to The Red Guild and many of the initiatives we're sharing in this update.

Development

We've been working hard to continue and expand our research on best security practices for web3 developers. Last months found us updating and improving our devcontainer suite.

The Red Guild's devcontainer

We've continued to develop and improve our devcontainer repository. It offers a variety of devcontainer configurations, each tailored for a specific security or development workflow. These configurations range from a basic, lightweight setup for quick development to isolated environments for security-sensitive tasks. Here's what you'll find:

Air-gapped: This configuration is designed for network isolation. It uses a temporary file system (tmpfs) to help prevent data from being saved and includes essential tools like Git and GitHub CLI. It is suited for tasks that need to be performed without an internet connection.
Paranoid: An experimental configuration that prioritizes extensive security hardening. It features a read-only file system and an ephemeral workspace, which helps ensure that changes are not saved and the environment is reset for each session.
Hardened: A balanced option that provides a security-focused environment while maintaining network connectivity. It includes key security tools and extensions, making it suitable for security analysis while allowing access to external resources.
ETH Security Toolbox: This configuration is specifically tailored for smart contract auditing, incorporating a selection of tools recommended by Trail of Bits. It is a focused toolkit for security researchers.
Auditor: A specialized environment for smart contract audits and security analysis. It supports Docker-in-Docker, which can be useful for running containers within the devcontainer for complex testing and research. It includes some auditing tools.
Minimal: This is a streamlined environment for basic development. It includes only the core tools (Foundry, Hardhat) needed to get a Solidity project started, without missing the fundamentals of security considerations.

We're also including additional configurations that provide some broader functionality or specific platform support, such as a version of the ETH Security Toolbox that is optimized for use with GitHub Codespaces, offering the same set of tools in a cloud-based environment.

⚠️

By using DevContainers (containers too), you will potentially create a safer "isolated" environment, but you are not by any means unexposed to threats. It would never occur to us to run something like malware inside of them. And by using VSCode, your threat surface increases a lot. Be aware of this.

Devcontainer Wizard

Because configuring devcontainers can sometimes be quite tedious and error-prone, we created a cool CLI-based wizard to help you out.

Through a series of steps, the wizard guides you to create your own devcontainer with your custom flavor! And if you don’t want to, you can simply launch any of our pre-built devcontainers from our official repo.

We've published the wizard as a public NPM package - already seeing some traction!

Articles and more research

On the release of the devcontainer wizard, we've published an article with more details about it for those interested in the topic:

We also continue researching threats related to VSCode extensions, as well as the usefulness of VPNs, when to use them, how, and under which threat models. A follow-up article is in the making, showcasing how easy it is to escape the container 😱

The Phishing Dojo

After its soft-release in ETHCC, The Phishing Dojo continues to be one of the core projects at The Red Guild. We keep investing time, effort, and resources to push it forward.

Although we've faced significant setbacks over the past few months. The part-time lead developer developing the project left due to personal issues, right in the middle of a large refactor to stabilize and professionalize the platform. In parallel, we had attempted to onboard and work with a specialized Project Manager, but the relationship wasn't as fruitful as we'd have expected, and he also retired. Our personal relationships with them are in good spirits. Still, we had invested a lot into building these relationships, and now we are left in a rather uncomfortable place, which we're learning to deal with.

Nowadays, our main focus is on cleaning up the code, un-vibing whatever was AI-coded for the first MVP. That should allow us to stabilize the platform and bring it to a reasonable set of limited but working functionalities that we're happy with. We're aware of our limitations as a product development team, so we're learning a ton from all the challenges we're facing. We've organized our work into roadmaps and are handling most tasks for the project management in GitHub issues and projects.

In the meantime, we've got new part-time developers jumping into the project to contribute to specific refactors and features.

As we undergo these changes (both in code and team), we aim to create two new sets of free and public trainings for the whole community to learn about email security, as well as best (and worst) practices when signing with hardware and software wallets.

Collaborations

aprendecripto.org

In close collaboration with SOLOW and their aprendecripto.org learning platform, we've published a talk on web3 threats. The goal is to continue raising awareness in the Spanish-speaking community, sharing our insights with those who may not be too technical and are eager to enter the ecosystem.

DeFi Security Summit

Another edition of the DeFi Security Summit is coming for Devconnect, and we couldn't be more excited. This year, we're participating in the steering committee, especially reviewing talk submissions, providing our feedback and comments to the organizers.

We've already done one round of reviews - lots of great content from amazing security researchers (and lots of AI-generated submissions too 😓). We're looking forward to continuing to contribute, and expect this year's event to be even better than the previous one 🔥

Funding

As you may know already, our guild is a security team dedicated exclusively to working for the public benefit of the ecosystem. So far, this has been possible thanks to the sustained financial support of the Ethereum Foundation. Their ESP grants have been fundamental for The Red Guild to exist and flourish.

While throughout these years we've explored alternative sources of funding, we've fallen short at securing equally sustainable and reliable sources of income to support our team and operations while exclusively doing public-good work.

With recent changes in the Ethereum Foundation, it seems like future ESP grants have all been put on hold. We're afraid that's dropped an unpleasant veil of uncertainty in The Red Guild's future. Our commitment and dedication to our work haven't changed at all, though – we're still working under a grant from the EF. But once it finishes, at the end of the year, our team will gather and decide if and how we continue to work in 2026.

In the meantime, we're exploring some other potential sources of grants, such as the RetroPGF Dev Tool from the Optimism community.

Design

We continue working with a great designer who's helping on many fronts: revamping the identity of the guild, preparing brand kits, designing new swag, drafting UIs for the Dojo, creating assets for our landing pages, etc.

Just as an example, we've started to design new elements and assets for a new edition of our swag. To close 2025 on a high note, we're preparing some special stickers, pins, and other cool stuff to give away in our talks and workshops. Here are some of the ideas we're entertaining:

Early ideas for pins of The Red Guild and The Phishing Dojo.

Some early drafts and ideas for stickers. Any favorites?

Events

Security awareness campaign @ DevConnect

The date's getting closer and closer. Devconnect in Buenos Aires is just around the corner, and so is our security awareness campaign! I wish we could reveal all the things we're preparing - but of course, we cannot. Otherwise, we'd be spoiling the surprise 😄

If you know nothing about it, here's a refresher:

There are lots of things happening internally at The Red Guild to get this campaign going. Meetings, brainstorming sessions, roadmaps, tasks, volunteers, and a large etc. Of course, there's also been some last-minute surprises that have made us pivot our original ideas and activities. But in any case, we're already adapting and coming up with cool activities to raise awareness in the community about realistic threats in live events.

EthCon

On November 18th, there’s an event called ETHCon Day Argentina—an Argentine Ethereum-based community-driven conference. It’s Argentina’s local conference inside Devconnect.

Ethcon Argentina 2025 – Evento Oficial Devconnect

ETHCon is an experience specially designed for students, developers, entrepreneurs, companies, and institutions who want to explore, use, and build on Ethereum. It will be the main conference for Spanish speakers during Devconnect.

We are still deciding how we’re going to participate, but as Spanish-speaking members of the community, we will be supporting the initiative regardless.

Remember: this conference requires a special ticket, so if you want to attend, go to https://tickets.ethcon.ar to get yours. Hope to see you there 🙌

Mozilla Festival 2025

As November approaches, with Devconnect in it, so does Mozilla's Festival!

This year, one of us drew the short end of the stick, so we are sending that person in representation of the guild! Participating here was suggested by the EF through some members of the Next Billion program and other peers we are in contact with, to allow builders and educators from our ecosystem to represent Ethereum at places where we are underrepresented!

Have you already spotted who we sent? 😆

We need to start leaving our bubble from time to time, otherwise it will always end up being Web3 folks shilling stuff to Web3 folks.

Our work outside our ecosystem is as equally important to the one inside of it!

Thank you for being one of the few that came to my calling! https://t.co/cJQXsA3XV0
— matta ⚡🪷 (@mattaereal) September 18, 2025

By using the code MAA-WRANGLER, you will automatically get a discount on your festival ticket! https://mozillafestival.org/attendRecent collaborations, featuring a new video on our YouTube channel for the Spanish-speaking community.

We are expecting 270+ sessions, installations, and cultural experiences across three days in Barcelona, including:

109 talks 🎤
58 Forums 💬
38 labs 🔬
37 installations 🎭
12 debates and plenaries 🗣️
as well as showcases, booths, and other activities!

From bold debates to interactive workshops, youth-led activations to the Brave Futures Film Festival, MozFest 2025 is where technologists, artists, activists, and builders come together—to unlearn defaults and make what’s next.

Check it out at https://schedule.mozillafestival.org/!

What's next

The next weeks will find us:

Developing The Phishing Dojo, stabilizing the platform, cleaning up code, doing QA testing, and crafting the new training we're planning.
Organizing logistics and creating MVPs of all our planned activities for Devconnect. We'll also be sharing these with the organizers to request specific support we might need from them.
Wrapping up research in security and threats of VSCode extensions, sharing content about it.
Preparing travel logistics, content and collaborating with event organizers to contribute to Mozilla Festival, Devconnect, Ekoparty, and other side-events and meetups that might pop-up in the near future.

The state of The Red Guild #18