Thursday, February 26, 2026

Sitecore Hackathon 2026 Prep: 8 Tips From a Hackathon Vet

Sitecore Hackathon season is back!   After snagging a win with my SPE module (SPExAI) last year and basking in all the glory that comes with it, I'm returning under the Sitecorepunk 2077 banner (with a refreshed logo, too!).

thx NanoBanana

I always encourage annual participation in this event, but for those who haven't experienced it, there are some things worth acknowledging...

The Hackathon is often won before the clock starts.

Putting in some prep work to ensure you're able to spend your time wisely and facilitate smooth development is just as important as the time spent during the 24 hour development marathon.

Here's how I'm prepping for the 2026 Sitecore Hackathon, plus some tips/advice I've been giving a few internal folks at my org who decided to form their own team of three this year.

The "How does it start?" part (because everyone asks)

There's no "opening ceremony" where Akshay descends from the ceiling with a pyrotechnic backdrop and announces: "YOUR CHALLENGE IS...CONTENT GOVERNANCE. GO GO GO!"

In reality, it's all rather...unceremonious:

  1. During the week before the event (or the week of), you'll receive an email from the organizers with your team's GitHub repo (and some general participation / Slack / sharing info).
  2. About an hour before kickoff (for me that's around 6 PM CT) you'll receive the email containing the year's categories/ideas. They're intentionally open-ended.

    Here are some categories we've seen come through in the last few years:
    • Best use of Headless using JSS or .NET
    • Best use of SPE to help Content authors and Marketers
    • The best enhancement to SXA
    • The best enhancement to the Sitecore Admin (XP) for Content Editors & Marketers
    • Best enhancement to SXA Headless
    • Best Enhancement to XM Cloud
    • Best use of AI
    • Best Module for XM/XP or XM Cloud
    • Best Migration Module to move from XP (traditional) to XM Cloud/Content Hub One/Headless CMS
    • Show us what you got!
  3. At 8PM STC / 7 PM CST, the clock starts.

That said, there are several ways you can prepare yourself (at least a little bit) ahead of time.

Not by writing a full submission early based on a guess of what the categories might be (absolutely 100% don't be that team), but by doing everything else that prevents you from wasting 4 of your precious 24 hours on unproductive churn.

Some Prep Philosophy

Hackathon time is for ideation, execution, and shipping. It's not the ideal time for troubleshooting why your local Sitecore installation is failing on step 4...

My practical TL;DR prep advice here is basically:

  • Pick your likely build lane (Traditional XM/XP Module vs SitecoreAI Marketplace vs Sitecore PowerShell Extensions)
  • Pre-flight your local or shared environment 
  • Understand the required deliverables (README + video + submission mechanics; see the bottom of https://sitecorehackathon.org/sitecore-hackathon-2026/)
  • Stock the fridge and snack pantry...it's a long 24 hours. 
  • Rest up beforehand...again, it's a long 24 hours.

Let's dive in!


Tip 1: Decide your lane early (classic module vs Marketplace app)

Up until now, choices for Hackathon development were basically limited to a custom C#, SPEAK app, Chrome extension, CLI tool, or SPE module (I'm sure there are other creative options not listed that teams have run with successfully, though).

The biggest differentiator in 2026, especially compared against previous years, is that the Sitecore Marketplace is now publicly available, including established development patterns and starter kits.


I expect a good chunk of teams are going to build Marketplace apps (which are often just decoupled Next.js apps that interact with Sitecore APIs) since:

  • They're easier to demo
  • Easier to package and install
  • Don't necessarily require a full local "traditional Sitecore" installation to participate.

Someone asked me, "Can I contribute without being deep in Sitecore development?"

Totally. Especially if your team goes the Marketplace route, someone without a whole lot of Sitecore expertise can absolutely contribute towards:

  • API integrations
  • UI/UX/FED
  • Build pipeline + packaging
  • Project/time management
  • Quality assurance/testing
  • Documentation
  • Video production

...all of which can be done without needing a full local XP instance.

You do still need someone on the team to understand the extension points and how the app runs in a hosted SitecoreAI context...but you're not forced into the "I must stand up XP locally or I'm useless" camp.

My likely path this year: Marketplace-first (unless the categories strongly scream for an in-platform module).


Tip 2: Machine/Workspace prep

This is where teams self-eliminate during the early stages of the event. If you prep your machine properly, you can avoid unnecessary setbacks.

GitHub readiness checklist

Personally, I've always made sure to accept the invite as soon as it comes through, clone it locally, and confirm I can push a commit before the Hackathon starts. If you need a checklist:

  • Accept the repo invite
  • Clone the repo down locally
  • Confirm you can create a branch
  • Confirm you can push (a tiny "Initial setup and access verified" commit the day before should do) 
  • Confirm you can open a PR (or push directly if your team is living dangerously)
  • Confirm your teammates can do the same

Now you know the pipeline works! No surprises at hour 3 when you're trying to figure out why GitHub thinks you don't exist.

Environment readiness: pick one

You need something you can build against and demo.

Option A: Local Sitecore instance

  • Docker-based XP/XM setup, or an IIS-based instance you trust
  • Verified you can deploy, run, and debug
  • Verified you can install your final deliverable cleanly (this matters more than you think since the judges will need to follow those same steps to test your submission).

Option B: Hosted SitecoreAI org / demo instance

  • Ideal if you're doing Marketplace app work
  • No local XP required
  • You still need stable access, a clean demo space, and time to validate the "deploy, run, test, demo" loop

If your team has access to an existing SitecoreAI org, set up a demo site ASAP and make sure it's accessible to your team.  


Tip 3: Familiarize yourself with concepts before Hackathon weekend

If you haven't built a Sitecore Marketplace app before, ideally you aren't waiting for the categories email to start reading docs.


My recommendation here is to:

That's really all you need. You don't need to become a Marketplace wizard to be successful. There will be plenty to learn along the way 🙂

Bonus tip: Sitecore's Hackerspace workshop prerequisites from last year's Symposium might be useful in setting up your workspace with the right tools. If you can complete those ahead of time, you should be fine.

https://developers.sitecore.com/learn/getting-started/marketplace/hackerspace-workshop


Tip 4: Prep the whole entry, not just the code

Unfortunately, a good submission isn't just the code.

It's a combination of a:

  • Clean, working solution.
  • Clean, well-documented README.md.
  • Easy to follow installation instructions.
  • Strong video demo (5 minutes or less)
  • Public link(s)
  • Screenshots (optional, but usually worth it)


When you get access to your GitHub repo, carefully review the ENTRYFORM.md and SUBMISSION_REQUIREMENTS.md first and foremost.  Do as it says!

A default README.md will be present in the repo.  Make sure to include all of the necessary sections from the ENTRYFORM.md. It's up to you to make the final README.md impactful. 

Feel free to check out how I formatted my README.md last year - emojis and all 🚀:
https://github.com/Sitecore-Hackathon/2025-Sitecorepunk-2077  

Video: prep the pipeline now

Video production always takes longer than you think. Always.

My past tooling approach has been:

  • OBS Studio for recording (screen + mic) - but you can also do something like a Google Meet or Teams recording to obtain demo footage.
  • Clipchamp / CapCut / whatever for stitching (intro/outro, trimming, music)

If you want to prep similarly, work on prepping the following:

  • OBS installed and tested
  • Mic levels tested (seriously)
  • You know how to crop your capture area
  • You have a YouTube account/channel ready to upload to.
  • You've tested uploading an unlisted video

Music note: obviously don't use random copyrighted tracks only to discover the audio on your uploaded video is muted - or your upload is flagged.  I've always used my own music to avoid the "surprise, your demo is silent" experience.  Adding music is completely optional...extra credit if anything - but if you're in need of something quick, check out Suno to generate something simple.


Tip 5: Team strategy

I've done Hackathon in a team of three, but most years I'm solo. Both are totally viable.

If you're a team, you can either be wildly effective together...or you can get in each other's way for 24 hours.

If you're solo, you can move extremely fast...right up until you realize you also need to write the README, record/edit/upload the video, update X again, and remember your own name.

First tip: assign ownership

Whether you have 1 person or 3, every major deliverable needs a single "owner."

For example, if you're a team of three:

  • Builder #1 (project setup, core development): core functionality (the "it works" person)
  • Builder #2 (core development, feature development, polish): UI/UX, integration glue, edge cases
  • Producer (Ship It): README.md, screenshots, documentation, install steps, video, final packaging

If you're solo: you'll still need "roles" (you're just time-slicing them instead)

This is my solo approach: I rotate between Builder Gabe and Producer Gabe. If I stay in Builder mode for 20 straight hours, it can easily fall apart toward the end.

Works for both

  • Keep one visible TODO list. If it isn't written down, it doesn't exist.
  • Decide how you merge before you start (PRs vs direct pushes).
  • Get a demo working early.
  • Schedule breaks.

Tip 6: Ideation

People get hung up here: "But we don't know the categories yet...how can we plan?"

While you can't pre-build the final solution, you can pre-build the engine that will help you build during the event.

What I like to do in advance

  • Keep an idea bank of category-flexible utilities
  • Prep reusable scaffolding (config handling, auth patterns, basic UI shell, logging + error display)
  • Think in "building blocks" (reporting/insights, author productivity tools, governance helpers, integrations that reduce friction)

Then when categories arrive, you're not inventing a concept from scratch.


Tip 7: Physical prep

24 hours is a long time. Having the right balance of food, drink, and comfort is crucial.

For me, that's:

  • Drinks (water, caffeine, tea, soda, etc)
  • Snacks that won't wreck you at 3 AM
  • A solid Spotify playlist ready to go
  • Comfortable chair
  • A plan for breaks

(Also, the last couple of years I had worked 10+ hours before the start of the Hackathon. 0/10 would not recommend.)

If you can take the day off and actually rest beforehand, do it. Your 24 hours will be better, your decision-making won't be trash, and your final hour won't feel like you're editing a video underwater.


Tip 8: Build in public

I like documenting my 24 hours on X as a living TODO list + progress log using the #SitecoreHackathon tag.  

I found that this approach helps keep me accountable and motivated throughout the night.  Is it one extra thing to remember to do every hour/couple of hours while trying to build?  Sure, but it also serves as a good pausing point to reflect and understand what my next steps are, all with the added benefit of sharing your experience with the community in real-time.  

Plus, you'll end up with built-in material for a post-event recap 😏

Could you use LinkedIn? I guess you could...just don't expect anyone to see it on their feed for 3 weeks...


TL;DR Prep Checklist

1 week before

  • Pick your likely lane (module vs Marketplace)
  • Run the starter kit / sample app
  • Confirm your toolchain is good

48 hours before

  • Repo access confirmed
  • README template ready
  • OBS + video workflow tested
  • YouTube channel ready
  • Check that your development environment is still ready
  • Check Slack for a #hackathon channel to join

Day of

  • Rest
  • Eat
  • Do not do "one last thing" at work for 10 hours

1 hour before kickoff

  • Categories email arrives
  • Brainstorm ideas and pick one
  • Commit to a plan
  • Start building

Final thoughts

There are 32 teams participating this year, which is awesome to see!  The Hackathon is a great opportunity to learn, push yourself, and contribute something useful to the community.  It's also a great excuse to spend 24 hours building something cool and sharing it with the world.

If you're participating this year, drop your team name and which lane you're leaning toward.

Don't forget to capture some team selfies!

Good luck, hackers!

Tuesday, November 11, 2025

Sitecore Symposium 2025: In Pictures

Sitecore Symposium is always one of the highlights of my year. My very first two Symposiums were at the Walt Disney World Swan and Dolphin back in 2018 and 2019, so I was genuinely excited to be headed back to Orlando for a third round now 6 years later.

Now, a post like this is pretty atypical since I usually stick to technical recaps, but this experience and all these pictures had to go somewhere.  What better home to share with you all than here? 😉

Day 1: Monday

I was out the door early in Chicago with a carry-on and the Sitecore-tagged suitcase rolling behind me.

Tuesday, July 15, 2025

SPExAI GPT: SPE Script Generation, No Module Required

Earlier this year, I built SPExAI Report Builder during the 2025 Sitecore Hackathon, a natural language interface for generating Sitecore PowerShell Extensions (SPE) reports. The concept was simple: use plain English to get real, working scripts. The result? A winning module that turned heads and saved hours. 🙌

But what if your team loves the idea but doesn’t have the time, access, or appetite to install a custom module? Perhaps you just need a script now and then. Or maybe you're working in an environment with limited Sitecore customization privileges.

It would be great if you didn't need to rely on installing a module into your Sitecore instance to benefit from this technology. 


✨ Introducing SPExAI GPT

Introducing a new flavor of SPExAI; not as a Sitecore module, but as a custom GPT. It works entirely outside of Sitecore. No installs. No packages. No patch configs. Just a prompt box and your imagination.

Your prompt:

"Report of all templates (ID, Name, Path) and their usage count."

And SPExAI (the GPT version) responds with a fully working script.  Same quality, same intelligence, now universally accessible.



Simply copy the output, paste it into the Sitecore PowerShell ISE, and run it:


Results!



One benefit you get with the SPExAI GPT over the SPExAI module is that you can continue your chat, which isn't available in v1 of the SPExAI (it's all one-shot), allowing you to prompt beyond your initial prompt.  This is great for getting help with fixing errors you may encounter when using the initially generated script, or even for enhancing an existing script.

🧠 Under the Hood

The GPT version builds on the same core ideas as the Hackathon module:

  • 🔍 A system prompt trained to interpret natural-language Sitecore requests and produce accurate PowerShell reports.

  • 📚 A curated knowledgebase of common SPE scripting patterns tailored to tasks like item audits, rendering usage, field value searches, and more.

  • ⚙️ Designed to speak "Sitecore" fluently, not just ChatGPT syntax, but the nuances of $SitecoreContext, $item.Paths.FullPath, Get-Item, and all the other familiar constructs.

I've adapted the system prompt to better align with ChatGPT’s structure, ensuring cleaner completions, improved formatting, and fewer hallucinations.


🚀 Try It Yourself

If you're looking to generate SPE scripts without touching your Sitecore instance, this GPT-based version might be the way to go. Whether you're prototyping, documenting, or training a team, it removes friction and delivers fast results.

You can find the SPExAI GPT on the ChatGPT store by selecting GPTs in the left-hand panel of ChatGPT, then searching for `spexai`:



You can also access SPExAI GPT directly using this link:

If you use it, please take a moment to leave a rating. 
If you have suggestions for improving the GPT, I'm open to them! 😀

Friday, May 16, 2025

Sitecore Icon Search: 2025 Updates

Sitecore Icon Search recently turned 7! 🎂

Happy Birthday, little app 💖

I'm thrilled to see that it continues to serve the Sitecore developer community worldwide. In just the past month, it saw 191 active users and 152 new users, with the majority coming in through organic search - proof that it still ranks well and fills a need.

The U.S., India, and the Netherlands lead traffic, and even after all these years, developers are still finding their way to it. 

Here's a look at the latest analytics snapshot:


 

Updates 

In addition to keeping up with annual hosting and domain renewals, I've recently applied some long-overdue visual improvements.  



What’s New?

  • Modernized Styling: Fonts, borders, spacing, and color usage have been cleaned up for a more consistent and modern feel.

  • Improved Layouts: Improved component alignment and padding to help the content breathe, especially at different screen sizes.

  • Refined Search Bar Experience: Improved the search input styling.

  • Cleaned-Up Header: A few stale links were pruned from the top nav. The essentials remain.

  • Dark Mode! It's about time, right?
  • Clipboard Modal Enhancements: Icon copied modal now includes several new random lighthearted titles:

Hopefully, just a better, cleaner experience.

Go to Sitecore Icon Search

Happy Searching! 🔎

Tuesday, April 22, 2025

SPExAI Report Builder: A Winning Sitecore Hackathon Module

The results of the 2025 Sitecore Hackathon are in...

Look what I got! 😭👇

It's a really decent piece of hardware!

I'm super proud of this accomplishment, given that I was pushing into delirium territory near the end of the event, having been up for 32 hours straight and all...running on mostly caffeine and adrenaline to get it done. 

Here's a snapshot of my real-time X updates throughout the event:



Sitecore Hackathon?

It's a virtual community-driven event where teams worldwide (52 teams across 13 countries this year) compete to build the most impactful Sitecore module given a set of categories (e.g., "Best use of AI" or "Best tool for XM Cloud") within a strict 24-hour timeframe.

Typically, the event is held in late February / early March, with teams registering roughly 4-6 weeks in advance. Submissions are then judged by a panel of long-time Sitecore MVPs and community members who review each completed entry, test the functionality, and collectively pick a winner.  

Submission Requirements are clearly laid out in the GitHub repository to which each team is assigned:

Winner Benefits

  • 🗣 Name recognition across Sitecore's official channels; the winning team is announced officially at SUGCON Europe and highlighted in the MVP community.
  • 🛒 $150 Amazon Gift Card (per team member)
  • 🏆 A customized Hackathon trophy

My Past Hackathons

Wasn't my first rodeo! 🤠
Here's a rundown of my past Sitecore Hackathon participations:

The name "Sitecorepunk 2077" is a not-so-subtle reference to
the 2020 video game Cyberpunk 2077 (which, admittedly,
I've barely played, but I liked the play-on-words when I came up with it).

I kinda love that I'm a 2x Sitecore Hackathon winner now 😅


The Idea

This year, instead of multiple categories (and multiple winners), the organizer's idea prompt was simply:

"Free for all — you can create your own idea for the Hackathon solution. Show us what you got!" 

It was a huge opportunity to build without barriers, with one winning team to take it all. I've been waiting for an opportunity to bring this idea I've been mulling over in my head for months to life, and this was it. 

Problem Statement

The biggest hurdle for analyzing content and creating reports in Sitecore PowerShell Extensions (SPE) has always been the technical skill needed (PowerShell scripting/syntax + SPE-specific commandlets).  

You'd need to train up; learn how to query items using Get-Item and Get-ChildItem commands, declare an array object to store results, utilize for loops and if conditions, etc.  

And if PowerShell scripting isn't your thing, well...


In the age of generative AI, though, this technical skills barrier can be dramatically lifted for non-technical Sitecore authors and admins, and/or the turnaround time for developers tasked with writing custom PowerShell reports can be drastically reduced.



Enter: SPExAI Report Builder

What is it?

SPExAI Report Builder is an installable Sitecore PowerShell Extensions module that allows users to describe their Sitecore report in natural language, which in turn generates a complete and reusable SPE script:

  • 🧠💻 Type your prompt
  • 📜💾 Generate a PowerShell script and save it
  • 🛠️🚀 Run it or modify it

"SPExAI" stands for Sitecore PowerShell Extension x Artificial Intelligence, which combines the power of SPE with modern LLM tech. 

Compatibility

SPExAI Report Builder works with Sitecore 10.x or later.  I tested on Sitecore 10.0, 10.3, and 10.4 during the event, but I'm pretty confident that it would also work with other versions, too.

I didn't get a chance to test this on XM Cloud, but given SPE's flexibility, it is likely compatible.


How about a quick demo?

Say you need to audit template usage across the content tree.

When activating SPExAI from the ribbon, a dialog appears where you set a title, select the root context for the report, and provide a description.

"Report of all templates (ID, Name, Path) and their usage count."



SPExAI generates this clean, complete, and reusable script, which is stored in a dedicated part of the content tree:

Running the generated script without any modifications (which, on its own, included an option to select a root context, making it easily reusable against different parts of the tree) provides an accurate result set!



Another demo!

"Report of all renderings (ID, Name, Path) and their usage count under a selected content root."

SPExAI again generates a clean, complete, and reusable script, stored again using the name provided:

Running the generated script confirms that the script has been correctly generated and provides expected results.  



What's truly amazing is that we can generate 75-100 lines of working PowerShell code in seconds.

The code is appropriately structured, cohesive, error-free, and ready to be run immediately—no developer needed!



How SPExAI Works (Under the Hood)

API Settings

Before anything runs, the module looks for a specific Sitecore item:
/sitecore/system/Modules/PowerShell/Script Library/SPExAI Report Generator/API Settings:

There are four required fields:
  • API Key – your OpenAI secret key

  • Model – the ID of the OpenAI model to use (e.g. o3-mini-2025-01-31)

  • Knowledgebase – a markdown-formatted reference block full of Sitecore PowerShell examples, documentation, best practices, etc.  

  • System Prompt – the instruction template that tells the model exactly how to behave, respond, etc. 


The module will abort early if any of these are missing.

Model Selection

During development, I tried a few different OpenAI models. The one that gave me the most consistent, one-shot responses was o3-mini-2025-01-31.

If you want to try a different OpenAI model later, simply update the Model field with the name; no code changes are required. (Expanding beyond OpenAI to Anthropic Claude or Google Gemini is also possible as part of a potential future v2.)

The Knowledgebase

This field contains raw reference material to guide the AI's responses. Think of it as an internal code cookbook, mostly pulled from the official SPE documentation and a compiled generic collection of snippets from my private repository of PowerShell scripts.

It includes sample report formats, SPE-specific syntax, and usage patterns that the model should stick to when replicating and generating new reports.

Looks like this:

The System Prompt

This is the master instruction set. Essentially, "You are a Sitecore PowerShell assistant...you do this, this, and that..." with additional specific constraints and formatting rules.

It includes a {0} token that the Knowledgebase content replaces.

Check it out:


A good chunk of the hackathon effort was spent refining the directives that the model should abide by. With every test run, I found myself adding to the list of rules. 

Getting the model to stick to the directives was...challenging to say the least (one-shot prompting definitely has its limitations depending on the model).  

Finding the right combination of rules for the model to consider was tricky, and I'm sure both the base system prompt and the knowledge base content could use even further refinement beyond what I could get done before the deadline.  Either way, I feel like I struck a solid balance for v1.

The good news is that the module was built to easily modify the system prompt in the configuration item without touching the underlying code, hypothetically allowing you to continuously improve the final output. 

UX Flow

SPExAI provides a new button in the Sitecore Ribbon. When clicked, this button surfaces a dialog window for the user's input.  



Users fill out the Report Name, set the Report Scope (tree selector), and the Describe your Report fields.  

It takes only a few seconds for the script to be generated.  

Users are then presented with the following options:



SPExAI Code Breakdown

Here's how the pieces come together behind the scenes:

1. Load the API Settings

The script sets the four field values into variables.


2. Present a dialog for user input

The user's inputs from the dialog (report name, scope, description) are stored as global variables.


3. Variable validation

Validate that variables, like the script name, are valid and don't already exist in the saved script location.

4. Invoke the custom `Invoke-OpenAIChat` function

Invoke-OpenAIChat sends a custom one-shot prompt (including merging system instructions, knowledgebase, and user input) to OpenAI’s Chat Completion API and returns the generated response.

5. Save the script to the tree

Upon successful script generation, the module saves all generated scripts under a dedicated folder:  /sitecore/system/Modules/PowerShell/Script Library/SPExAI Report Generator/Content Reports/Reports/SPExAI Generated

6. Open, Run, or Close Dialog
After saving the script item, the module presents a modal dialog with its three choices:

1. Open Script Item – jumps to the new item in the Content Editor
2. Run Report – immediately executes the report using Invoke-Script
3. Close – exits with no action
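
Steps 1, 3 and 4 as an added example (not the SPExAI module's own code): it checks the four required fields, validates the report name, substitutes the Knowledgebase for the `{0}` token, and builds the Chat Completions request. The function names, the name allow-list and the sample values are assumptions; inside SPE the settings would be read from the API Settings item rather than a hashtable.

```powershell
# Added example, not the SPExAI module's code. Function names are hypothetical.
$RequiredFields = 'API Key', 'Model', 'Knowledgebase', 'System Prompt'

function Get-MissingSetting {
    param([Parameter(Mandatory)][hashtable]$Settings)
    # Names of required fields that are absent or blank.
    $RequiredFields | Where-Object { [string]::IsNullOrWhiteSpace($Settings[$_]) }
}

function Test-ReportName {
    param([string]$Name, [string[]]$ExistingNames = @())
    # Assumed allow-list: starts and ends with a letter or digit; spaces,
    # hyphens and underscores allowed in between; 100 characters at most.
    if ($Name -notmatch '^[A-Za-z0-9](?:[A-Za-z0-9 _-]{0,98}[A-Za-z0-9])?$') { return $false }
    # Reject a name already used in the saved-script folder (case-insensitive).
    return ($ExistingNames -notcontains $Name)
}

function New-ChatRequest {
    param(
        [Parameter(Mandatory)][hashtable]$Settings,
        [Parameter(Mandatory)][string]$ReportName,
        [Parameter(Mandatory)][string]$Description
    )
    # Abort early when any of the four fields is missing.
    $missing = @(Get-MissingSetting -Settings $Settings)
    if ($missing.Count -gt 0) { throw "API Settings incomplete: $($missing -join ', ')" }

    # Literal Replace instead of the -f operator: prompt text that contains
    # other braces (PowerShell or JSON samples) makes -f throw a FormatException.
    $system = $Settings['System Prompt'].Replace('{0}', $Settings['Knowledgebase'])

    $json = @{
        model    = $Settings['Model']
        messages = @(
            @{ role = 'system'; content = $system },
            @{ role = 'user';   content = "Report name: $ReportName`n$Description" }
        )
    } | ConvertTo-Json -Depth 5

    # Parameters for Invoke-RestMethod, returned as a splattable hashtable.
    # The body is sent as UTF-8 bytes so non-ASCII prompt text survives.
    @{
        Uri         = 'https://api.openai.com/v1/chat/completions'
        Method      = 'Post'
        Headers     = @{ Authorization = "Bearer $($Settings['API Key'])" }
        ContentType = 'application/json; charset=utf-8'
        Body        = [System.Text.Encoding]::UTF8.GetBytes($json)
    }
}

# Constructed sample values; in SPE these come from the API Settings item's fields.
$settings = @{
    'API Key'       = 'sk-PLACEHOLDER'
    'Model'         = 'o3-mini-2025-01-31'
    'Knowledgebase' = '## Example: Get-ChildItem -Path master:\content -Recurse'
    'System Prompt' = ('You are a Sitecore PowerShell assistant.',
                       'Reference material:', '{0}',
                       "Return only a script. Hashtables look like @{ Name = 'x' }.") -join "`n"
}

if (Test-ReportName -Name 'Template Usage' -ExistingNames @('Rendering Usage')) {
    $request = New-ChatRequest -Settings $settings -ReportName 'Template Usage' `
        -Description 'Report of all templates (ID, Name, Path) and their usage count.'

    # Show the JSON body only; the Authorization header stays out of the output.
    [System.Text.Encoding]::UTF8.GetString($request.Body)

    # To send the request and read the generated script text:
    #   $script = (Invoke-RestMethod @request).choices[0].message.content
    # The response is model-generated text; the module saves it as a script item (step 5).
}
```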



Video Demo

As part of the entry, a video demo is required. You can check it out here:



Some Final Thoughts

If you haven’t seen it, fellow long-time MVP Rodrigo Peplau compiled a list of this year's submissions - all worth checking out. 

The quality of entries this year made it hard to predict how things would shake out. Winning was unexpected, but also an absolute honor.

Bummed I couldn't be at SUGCON EU to accept the award in person, but luckily the announcement was recorded. 😀  I will cherish this screenshot for all time:


Each year I've participated (whether on a team or solo), I've come away with valuable hackathon experience and a solid module, or at least the beginnings of one, that I could share and expand on further. I've always enjoyed the satisfaction of shipping something interesting and useful to others under competitive pressure. 

If you’re considering participating next year, I highly encourage it.  About 20% of the teams are solo, but it's not for everyone.  I recommend grouping up with others, especially if it's your first Hackathon. 

It’s a great way to push yourself, learn something new, make connections, and contribute to the spirit of the Sitecore community.

Keep on hackin'! 👨‍💻

Thursday, April 17, 2025

Sitecore Container Prerequisites Script Updates



Heads up!  I’ve made some recent updates to the open source Sitecore Container Prerequisites script to keep things aligned with the latest Sitecore versions and development environments.

What’s new:

  • ✅ Added support for Sitecore 10.3.2 and 10.4.0

  • 🖥️ Improved OS compatibility checks for Windows 10 and 11

  • 📄 Refined the README with clearer instructions for installation, usage, and contributing

  • 🔗 Updated package download links and references to current installation guides

Sitecore Container Prerequisites script remains a helpful utility for preparing your Windows machine to run Sitecore containerized environments smoothly. 

Feedback and contributions are always welcome!

📍 View the GitHub repo

Saturday, March 22, 2025

Using Sitecore Indexes in PowerShell-Driven Multilist Datasources


If you didn't know, you can point a Sitecore field's datasource to a PowerShell script. It's a super clean way to make dynamic picklists, filtering based on the current item, tags, templates, relationships, you name it.

But if you're pulling a large set of items, you really want to use the search index.

That's where things get weird.

The Find-Item command gives you fast results… but they aren't real Sitecore items. They're search result objects; great for speed, not so great for populating a multilist. Sitecore expects actual items, and when it doesn't get them, your field ends up looking empty.

Luckily, you don't have to abandon the approach completely. The fix is actually pretty straightforward.


Some Context

For context, you can set the datasource for a multilist to be driven via a script in SPE like this:

In the script definition itself, you can write PowerShell to obtain some set of items from the tree. The resulting list is what shows as applicable for selection on the field.

In theory, you should be able to also utilize the Find-Item commandlet to obtain a list of items from the index. In my case, this was necessary due to the performance implications of running a Get-ChildItem against a massive subtree.

First attempt looked something like this:

So far, so good. You get back a list of items. Or do you?


The Catch

The objects in the $list variable returned by Find-Item are not Sitecore items. They're dynamic search result objects that look like items, walk like items, but won't work in your multilist unless they quack like items.

If you try to return them as-is from your script, you'll find that, even if items were found in the index, the multilist fails to render the items for selection.

The fix? Pretty simple actually: Transform the search results back into legit Sitecore items.

Put it all together and you're golden

Now your multilist knows what to do. The search is lightning fast thanks to the index, and authors can pick from relevant matches without sifting through the entire tree.
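
The pattern described above, as an added example for an SPE datasource script (not the author's original script). The template name and content path are placeholders, and `sitecore_master_index` is assumed to be the index in use.

```powershell
# Added example; runs inside Sitecore PowerShell Extensions.
# Placeholder values: adjust the template name and subtree to your solution.
$templateName = 'Article'
$rootPath     = '/sitecore/content/Home/Articles'

# Query the index instead of walking the tree with Get-ChildItem.
$criteria = @(
    @{ Filter = 'Equals';     Field = '_templatename'; Value = $templateName },
    @{ Filter = 'StartsWith'; Field = '_fullpath';     Value = $rootPath }
)
$results = Find-Item -Index sitecore_master_index -Criteria $criteria -First 500

# Find-Item returns search result objects, not items. Initialize-Item resolves
# each one to a real Sitecore item, which is what the multilist expects.
$items = $results | Initialize-Item | Where-Object { $_ -ne $null }

# The index can hold one document per language and version of the same item,
# so collapse to one entry per item ID before handing the list to the field.
$items |
    Group-Object { $_.ID.ToString() } |
    ForEach-Object { $_.Group[0] } |
    Sort-Object Name
```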


Why This Matters

This pattern shines when you're working with large content trees or complex tagging structures where traditional item traversal would be painfully slow. By using the index, you're offloading the heavy lifting to Solr, gaining serious performance without sacrificing editor experience.

But more importantly, it calls out a subtle, easy-to-miss SPE gotcha: not all objects returned from PowerShell helpers are Sitecore items. If you're using Find-Item, you'll almost always need a second pass to resolve those results into actual items before they'll work in a field context.

Fail to do that, and you might spend hours wondering why your multilist is coming up empty, despite the index finding exactly what you wanted.

Happy datasourcing! 🚀

Friday, February 28, 2025

Sitecore Security: Are These 2023 CVEs Still a Risk?


Security in Sitecore is always evolving, and if you're not keeping an eye on the latest CVEs, you might find yourself on the wrong end of a security bulletin scramble.

Recently, a set of CVEs related to Sitecore PageDesigner have resurfaced with an increased severity rating from NIST (National Institute of Standards and Technology, the U.S. agency responsible for maintaining the National Vulnerability Database and setting cybersecurity standards), prompting the question:

Are these vulnerabilities already covered in Sitecore's official security bulletin SC2024-001-619349?

The short answer: not entirely. But let's break it down.

The CVEs in Question

Back in March 2023, security researchers uncovered a set of zero-day vulnerabilities in Sitecore PageDesigner that could allow attackers to exploit weaknesses in how Sitecore handles file paths and serialized data.

These vulnerabilities were later classified under three CVE (Common Vulnerabilities and Exposures) IDs:

  • CVE-2023-27066 - Directory Traversal: Allows authenticated attackers to download arbitrary files via UrlHandle.

  • CVE-2023-27067 - Directory Traversal: Allows remote attackers to download arbitrary files via a crafted request to download.aspx.

  • CVE-2023-27068 - Deserialization of Untrusted Data: Enables remote attackers to execute arbitrary code through ValidationResult.aspx.

How These Vulnerabilities Work

The original Sitecore PageDesigner flaws were discovered in how Sitecore handled URL parameters and session values within specific backend pages. Here’s a breakdown of the two primary attack vectors:

First: Directory Traversal (CVE-2023-27066 & CVE-2023-27067)
The download.aspx page in Sitecore allowed attackers to manipulate file paths using ../ sequences, potentially granting access to sensitive files like web.config.

Normally, Sitecore prevents direct user input in these cases.

However, a flaw in Sitecore’s internal UrlHandle mechanism made it possible for an attacker to forge requests that bypassed these protections.

Second: Insecure Deserialization (CVE-2023-27068)

Sitecore PageDesigner’s session handling stored data in an unprotected format, allowing an attacker to inject malicious serialized objects.

This vulnerability could lead to remote code execution (RCE) if exploited correctly, making it the most severe issue among the three.
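For defenders who want to check whether the directory traversal pattern described above shows up in their own traffic, here is an added example (not from Sitecore or the original research) that scans IIS W3C log lines for ../ sequences in requests to download.aspx. The sample log lines, URL prefix and query parameter name are constructed placeholders, not real Sitecore paths or parameters.

```powershell
# Added example: flag traversal sequences in IIS W3C log entries for download.aspx.
function Find-TraversalRequest {
    param([Parameter(Mandatory = $true)][string[]] $LogLine)

    $fields = @()
    foreach ($line in $LogLine) {
        # The "#Fields:" directive names the columns of the lines that follow.
        if ($line -like '#Fields:*') {
            $fields = ($line -replace '^#Fields:\s*', '').Trim() -split '\s+'
            continue
        }
        if ($line -match '^\s*(#|$)' -or $fields.Count -eq 0) { continue }

        $values = $line -split ' '
        if ($values.Count -ne $fields.Count) { continue }   # skip malformed lines

        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }

        if ($row['cs-uri-stem'] -notmatch '(?i)/download\.aspx$') { continue }

        # Decode twice so single- and double-encoded sequences are both seen.
        $decoded = $row['cs-uri-query']
        for ($pass = 0; $pass -lt 2; $pass++) {
            $decoded = [uri]::UnescapeDataString($decoded)
        }

        if ($decoded -match '\.\.[\\/]') {
            [pscustomobject]@{
                Date     = $row['date']
                Time     = $row['time']
                ClientIp = $row['c-ip']
                User     = $row['cs-username']
                Status   = $row['sc-status']
                Query    = $row['cs-uri-query']
            }
        }
    }
}

# Constructed sample input: placeholder URL prefix, parameter name and addresses.
$sample = @(
    '#Fields: date time cs-method cs-uri-stem cs-uri-query cs-username c-ip sc-status'
    '2025-02-01 10:00:01 GET /placeholder/download.aspx p=report.csv sitecore\editor 203.0.113.10 200'
    '2025-02-01 10:00:07 GET /placeholder/download.aspx p=..%2F..%2Fweb.config sitecore\editor 203.0.113.10 200'
    '2025-02-01 10:00:09 GET /placeholder/download.aspx p=%252e%252e%255cweb.config - 198.51.100.7 302'
    '2025-02-01 10:00:12 GET /placeholder/other.aspx p=..%2Fx - 198.51.100.7 404'
)

Find-TraversalRequest -LogLine $sample | Format-Table -AutoSize
```

Against real logs, pass `(Get-Content <logfile>)` as `-LogLine`. A hit is a lead for review rather than proof of compromise, and an empty result does not rule out earlier probing, since logs rotate and request bodies are not recorded.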

Why These CVEs Matter Now

At the time of discovery, the recommended fix was to upgrade to Sitecore 10.3.0 rev. 008463 or later. However, as of January 28, 2025, the severity rankings for these three CVEs have been increased.


Sitecore’s Response

After reaching out to Sitecore Support, I got clarification specifically regarding CVE-2023-27067:

CVE-2023-27067 is related to bug #390129, which was fixed in Sitecore 10.3.

Sitecore classifies this issue as low priority because it requires an authenticated user to exploit, meaning there is no risk of an anonymous attack.

This CVE is NOT included in Security Bulletin SC2024-001-619349 (KB1003408).

So, while CVE-2023-27067 is real, Sitecore does not consider it critical enough to be included in an official security bulletin.



Workarounds & Mitigation

If upgrading to Sitecore 10.3 isn't an immediate option, Sitecore provides a simple workaround:

🔧 Delete the following file:

  • /sitecore/shell/Applications/Layouts/PageDesigner/PageDesigner.xaml.xml

This file is tied to a deprecated layout editor (used for editing ASPX markup), and removing it does not impact any core Sitecore functionality.

For those running older Sitecore versions <10.3, this is a quick and effective way to mitigate risk until an upgrade is possible.
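To apply the workaround consistently across several instances, the following added example (not Sitecore's own tooling) reports whether the file is still present under each webroot and can remove it, with an optional backup copy. The function name, parameters and sample paths are hypothetical; only the relative file path comes from the workaround above.

```powershell
# Added example: audit (and optionally remove) the deprecated PageDesigner layout file.
# The relative path is the one given in the workaround; everything else is illustrative.
function Test-PageDesignerFile {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [string[]] $WebRoot,          # one or more Sitecore webroot folders (CM, CD, ...)
        [switch]   $Remove,           # delete the file when it is found
        [string]   $BackupDirectory   # optional folder OUTSIDE the webroot for a copy
    )

    $relative = 'sitecore\shell\Applications\Layouts\PageDesigner\PageDesigner.xaml.xml'

    foreach ($root in $WebRoot) {
        $target  = Join-Path -Path $root -ChildPath $relative
        $present = Test-Path -LiteralPath $target -PathType Leaf
        $action  = 'None'

        if ($present -and $Remove -and
            $PSCmdlet.ShouldProcess($target, 'Remove deprecated PageDesigner layout file')) {

            if ($BackupDirectory) {
                New-Item -ItemType Directory -Path $BackupDirectory -Force | Out-Null
                $copyName = '{0}_PageDesigner.xaml.xml' -f (Split-Path -Path $root -Leaf)
                Copy-Item -LiteralPath $target -Destination (Join-Path $BackupDirectory $copyName)
            }

            Remove-Item -LiteralPath $target -Force
            # Re-check instead of assuming the delete worked (locked file, ACLs).
            $present = Test-Path -LiteralPath $target -PathType Leaf
            $action  = if ($present) { 'RemoveFailed' } else { 'Removed' }
        }

        [pscustomobject]@{
            WebRoot = $root
            File    = $target
            Present = $present
            Action  = $action
        }
    }
}

# Report only (hypothetical paths):
#   Test-PageDesignerFile -WebRoot 'C:\inetpub\wwwroot\cm', 'C:\inetpub\wwwroot\cd'
# Preview the removal, then run again without -WhatIf:
#   Test-PageDesignerFile -WebRoot 'C:\inetpub\wwwroot\cm' -Remove -BackupDirectory 'D:\backup' -WhatIf
```

Running the report-only form after each deployment catches the case where a release or package install puts the file back.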


Final Thoughts

It’s easy to assume that a security bulletin will cover every vulnerability, but in this case, SC2024-001-619349 (KB1003408) does NOT include CVE-2023-27067. However, the issue was addressed in Sitecore 10.3, and for those who haven’t upgraded yet, removing a single deprecated file provides an immediate workaround.

If you haven't yet, check your environment, apply the necessary mitigation, and as always, stay on top of those Sitecore security bulletin updates!


Happy securing! 🔐


Wednesday, November 20, 2024

Sitecore CDP Certification Practice Exams: A Free Study Companion

Earlier this year, I introduced the Sitecore XM Cloud Developer Certification Practice Exams app, a free resource that seemed to resonate well with the Sitecore developer community. The community's feedback online and offline during the 2024 Sitecore Symposium has been inspiring, and I’m excited to build on that momentum.

Today, I’m proud to unveil the Sitecore CDP Developer Certification Practice Exams app — another cost-free resource to help you confidently prepare for certification and excel as a Sitecore professional.


Expanding Access to Certification Prep

The Sitecore CDP Developer Certification Practice Exams app shares the same goal as its XM Cloud counterpart: providing high-quality, no-cost tools to prepare developers for their certification journeys. By simulating the exam environment and focusing on critical knowledge areas, these tools remove the financial and logistical barriers that often come with traditional study materials.

Features That Mirror the XM Cloud App Success

Authentic Exam Experience: Just like the XM Cloud app, this new tool features randomized 30-question exams and a 60-minute timer to simulate real CDP exam testing conditions.

Competency-Focused Questions: Drawn directly from Sitecore’s documentation, the questions hone your understanding of CDP-specific concepts like architecture, real-time decisioning, data ingestion, and privacy compliance.

Time Management Training: With a timer to mimic the real exam, you’ll develop the pacing skills necessary for success.

Whether you’re familiar with the XM Cloud app or just discovering these resources, you’ll find the CDP version equally intuitive and impactful.

If you're already familiar with the XM Cloud Practice Exams app, you'll find familiarity in the Sitecore CDP Practice Exams app with CDP-specific questions to level up your knowledge in preparation for the exam. 

Built for the Community, Designed for Accessibility

The XM Cloud practice exam app was born from a personal need and a vision to empower developers to pass their exams and earn Sitecore certification badges. With over a decade in the Sitecore ecosystem, I’ve seen how access to high-quality learning tools can unlock opportunities for developers at every level. This app continues that mission, focusing on the expanding world of Sitecore CDP.

Certification should be about your skills and commitment, not your wallet. That’s why this tool, like its predecessor, is 100% free.

Ready to Tackle the Sitecore CDP Exam?

Dive into the Sitecore CDP Developer Certification Practice Exams app and take the next step in your Sitecore journey. With no cost, no risk, and plenty of learning, it’s the perfect added companion for your exam preparation.

👉 Start Practicing Today!

Got feedback? Suggestions? Success stories? 

Drop me a line on LinkedIn or X - or share the app with your network.
I’m always down to hear how these tools are helping developers like you.

Happy learning, and good luck on your certification journey!


Thursday, August 1, 2024

Sitecore MCP 2.0 Roles and Responsibilities Matrix Decoder

TL;DR

I built an app to help me understand the differences in roles and responsibilities between MCP 1.0 and MCP 2.0, and I think it may be helpful for others.  I wanted an easy way to search or browse the different roles and responsibilities and get a clear answer. 

Check it out here:

Sitecore MCP 2.0 Roles and Responsibilities Matrix Decoder App



Navigating the complexities of the Sitecore Managed Cloud PaaS 2.0 roles and responsibilities matrix isn't particularly exciting, especially for those new to the platform or customers moving from MCP 1.0. While I discovered that the roles and responsibilities in MCP 1.0 and MCP 2.0 are fundamentally similar, MCP 2.0 introduces more detailed and specific tasks related to modern cloud infrastructure management and security enhancements.

This week, I built a learning/reference app to help Sitecore customers, developers, architects, operations administrator/support teams, and account/project managers (and myself 😏) easily reference the different roles and responsibilities defined in MCP 2.0. 

The tool sets out to simplify the process of familiarizing oneself with new tasks and responsibilities, making searching and browsing through the matrix far more digestible. Whether transitioning from MCP 1.0 or diving into MCP 2.0 for the first time,

First, let's highlight the key differences between MCP 1.0 and MCP 2.0 roles and responsibilities I noted during my research. 

The RACI Model

The MCP roles and responsibilities matrix is structured using the RACI model, a framework that defines various stakeholders' involvement in completing project tasks or deliverables. Understanding this model is important for effectively navigating the roles and responsibilities within Sitecore Managed Cloud PaaS 2.0.

What is the RACI Model?

RACI stands for Responsible, Accountable, Consulted, and Informed. Each role in the matrix is assigned one or more of these labels to specify their level of involvement in a given activity. 

  • Responsible (R): The person or people who do the work to complete the task. They are responsible for action/implementation. Responsibility can be shared.

  • Accountable (A): The person who is ultimately answerable for the correct and thorough completion of the task. This role is often called "the one who signs off on the work," and only one person can be assigned to this role for each task.

  • Consulted (C): The people who provide information for the project and with whom there is two-way communication. These are typically subject matter experts.

  • Informed (I): The people who are kept up-to-date on progress, often only on completion of the task or deliverable, and with whom there is just one-way communication.

Applying the RACI Model in Sitecore Managed Cloud PaaS

Sitecore applies the RACI model to delineate roles and responsibilities among Sitecore, customers, and partners within the MCP 2.0 environment to ensure all stakeholders understand their part of the bargain.

Here are some examples of how the RACI model is applied:

  • Activation and Termination: For activating the Sitecore Managed Cloud, Sitecore is Accountable (A) and Responsible (R), while the customer/partner is Informed (I).

  • Provisioning of Environments: Sitecore is Responsible (R) and Accountable (A) for creating new environments while the customer/partner is Consulted (C).

  • Application Design and Implementation: The customer/partner is Responsible (R) and Accountable (A) for planning Sitecore software upgrades, while Sitecore is Informed (I).

  • Infrastructure and Server Management: Sitecore handles the initial provisioning checks as Responsible (R) and Accountable (A), with the customer/partner being Informed (I).

Key Differences Between MCP 1.0 and MCP 2.0 Roles and Responsibilities

While both MCP 1.0 and MCP 2.0 maintain a similar structure and overall responsibilities, MCP 2.0 introduces several new and detailed tasks that reflect advancements in cloud infrastructure management and security. Here are the main differences:

Provisioning of Sitecore Environments

MCP 1.0:
  • Create new environment, installation, and initial set up: Sitecore (R, A)
  • Delete existing environment: Sitecore (R, A)
  • Reset existing environment: Sitecore (R, A)
MCP 2.0:
  • Provision Sitecore Managed Cloud production Hub-spoke environment(s): Sitecore (R, A)
  • Provision Sitecore Managed Cloud non-production environment(s): Sitecore (R, A)
  • Provision Sitecore Managed Cloud disaster recovery Hub-spoke environment(s): Sitecore (R, A)
  • Provision Sitecore Managed Cloud “custom customer-owned” Spoke environment: Sitecore (R, A)
  • Delete existing environment: Sitecore (R, A)
  • Reset existing environment: Sitecore (R, A)

Infrastructure and Server Management

MCP 1.0:
  • Perform initial provisioning check: Sitecore (R, A)
  • Scale infrastructure services (Web App, Solr, Azure SQL, Redis cache, and so on): Sitecore (R)
  • Initial Web Application Firewall - deployment and configuration: Sitecore (R)
  • Set up initial security (Azure SQL firewall): Sitecore (R, A)
  • Set up network firewalls and post-deployment security: Customer/Partner (R, A)
  • Set up third-party services (DevOps tools, CDN, databases, and so on): Customer/Partner (R, A)
  • Custom domain setup: Customer/Partner (R, A)
  • Initial setup and configuration of backup services (blobs, database): Sitecore (R, A)
  • Customization of backup schedules and services: Customer/Partner (R)
  • Consolidation of billing: Sitecore (R, A)
  • Infrastructure performance optimization: Customer/Partner (R, A)
MCP 2.0:
  • Initial Azure Front Door with Web Application Firewall - deployment and configuration: Sitecore (R)
  • Network security groups and initial security setup (Azure SQL firewall): Sitecore (R, A)
  • Network firewalls and post-deployment security setup (Azure SQL firewall): Customer/Partner (R, A)
  • Set up third-party services (DevOps tools, CDN, databases, and so on): Customer/Partner (R, A)
  • Custom domain setup: Customer/Partner (R, A)
  • Initial setup and configuration of backup services (blobs, database): Sitecore (R, A)
  • Customization of backup schedules and services: Customer/Partner (R)
  • Consolidation of billing: Sitecore (R, A)
  • Infrastructure performance optimization: Customer/Partner (R, A)

Security: Azure Platform

MCP 1.0:
  • Configure encryption at rest and in motion: Sitecore (R, A)
  • Configure and perform disaster recovery: Sitecore (R, A)
  • Configure host security - hardened OS: Sitecore (R, A)
  • Operating system (PaaS): Sitecore (R, A)
  • Sitecore Cloud operations change management (via ServiceNow): Sitecore (R, A)
  • Azure DDoS standard initial setup: Sitecore (R, A)
  • Azure DDoS standard post-provisioning: Customer/Partner (R)
  • Define basic Web Application Firewall requirements - rule management: Customer/Partner (R, A)
  • Initial deployment security hardening of Sitecore product: Sitecore (R, A)
  • Ongoing security hardening of Sitecore product: Customer/Partner (R, A)
MCP 2.0:
  • Configure encryption at rest and in motion: Sitecore (R, A)
  • Configure infrastructure security logging via Azure Defender for Cloud: Sitecore (R, A)
  • Configure and perform disaster recovery: Sitecore (R, A)
  • Configure CD App service for Azure Zone Redundancy: Sitecore (R, A)
  • Configure host security - hardened OS: Sitecore (R, A)
  • Configure initial network security – Network security groups: Sitecore (R, A)
  • Configure initial network security – VNET and subnets: Sitecore (R, A)
  • Configure initial network security – private link / private endpoint (App service, SQL, Key Vault): Sitecore (R, A)
  • Configure Azure Bastion service: Sitecore (R, A)
  • Implementation of Azure S2S VPN: Sitecore (R, A)
  • Ongoing S2S VPN configuration and client-side management: Customer/Partner (R, A)
  • Operating system (PaaS): Sitecore (R, A)
  • Sitecore Cloud operations change management (via ServiceNow): Sitecore (R, A)
  • Azure DDoS standard initial setup: Sitecore (R, A)
  • Azure DDoS standard post-provisioning: Customer/Partner (R)
  • Define basic Web Application Firewall requirements - rule management: Customer/Partner (R, A)
  • Implement initial Web Application Firewall configuration and rule management (Front Door): Sitecore (R, A)
  • Initial deployment security hardening of Sitecore product: Sitecore (R, A)
  • Ongoing security hardening of Sitecore application: Customer/Partner (R, A)

Why I Built This App

The roles and responsibilities matrix is a critical component of the Sitecore Managed Cloud PaaS 2.0 offering, providing essential information about the tasks and duties of different team members. However, the sheer volume of information can be overwhelming. 

My goal was to create an intuitive and user-friendly tool that would streamline familiarizing oneself with these roles, ultimately enhancing productivity and understanding.

Key Features of the App

The web app is designed to be straightforward and efficient, offering several key features:

  • Search Functionality: Users can quickly search for specific roles or responsibilities using keywords. This feature significantly reduces the time spent sifting through documents.
  • Browse Capability: For those who prefer to explore, the app allows users to browse through the roles and responsibilities in a structured manner, making it easy to find relevant information.

How to Use the App

Using the app is straightforward. Simply visit Sitecore MCP 2 Roles and Responsibilities Matrix Decoder, where you can start searching or browsing through the various roles and responsibilities.

Conclusion

Whether you are a new user trying to understand your role or an experienced professional looking for specific responsibilities, this tool is designed to help you find the information you need quickly and easily.

For a detailed look at the roles and responsibilities, refer to the official Sitecore documentation provided in the app. Feel free to reach out if you have any feedback or suggestions for improvement.