Choose between our Basic and Premium labs. All labs are designed by people with real life cloud incident response experience.
Perfect for beginners or curious explorers
Level up your cloud incident response skills with premium labs
Master complex cloud security scenarios with our advanced labs
In this lab you will investigate a ransomware incident that was discovered because a very important S3 bucket contained only one file... a ransomnote.txt
A developer reported unusual outbound DNS traffic from a private subnet. An EC2 instance makes an HTTP request to a known cryptomining C2 domain. Time to investigate!
Your Security Operations Center has flagged unusual email activity from your AWS account. Amazon SES is showing thousands of outbound emails and employees are reporting receiving "company communications" they didn't expect.
You've probably heard of OAuth applications and service principals. You're not the only one, threat actors love them too. Can you find the malicious app?
Automation accounts are great for automating things. For instance, data exfiltration!
Function apps are a great persistence method in the cloud, but have you ever investigated their code, execution history and how they ended up there?
Scattered Spider has been very active and you've just identified an alert in Sentinel for an Indicator Of Compromise (IOC) related to this group. It's your task to investigate what actions were performed. Can you do it?
Threat actors often exploit mailbox rules to silently manipulate email flow, hiding legitimate messages or forwarding sensitive content externally. You'll act as a security analyst investigating suspicious mailbox rule activity within a Microsoft 365 environment.
This isn’t just mailbox rules, it’s a full-blown BEC. A DLP sweep flags mass deletions and odd forwarding in the Finance department, but users deny it, and intel points to the BEC actor known as Storm-1167. You’ll investigate a multi-stage intrusion with persistence, alert suppression, and Graph API abuse.
Learn essential KQL fundamentals through hands-on challenges using Entra ID logs. Start from the basics, build queries, filter data, parse JSON structures, and aggregate results. Perfect for beginners to get familiar with Azure's query language.
These scenario labs simulate real-world campaigns by known threat actors so you can practice end-to-end investigation and response in a safe environment.
Simulates a social-engineering and developer tooling compromise leading to cloud credential abuse and crypto theft in a hybrid environment.
Simulates DNS tampering and credential interception to pivot into cloud resources and disrupt critical services.
Simulates OAuth consent phishing and mailbox rule abuse to launder access and exfiltrate sensitive data from cloud accounts.