Investigate a ransomware incident where a critical S3 bucket was wiped, leaving only a ransomnote.txt behind.
Unusual outbound DNS from a private subnet. An EC2 instance is reaching a known cryptomining C2. Time to dig in.
Amazon SES is sending thousands of unexpected emails. Your SOC flagged it; now investigate the campaign behind it.
A static site was quietly taken over and a backdoor planted in the environment. Trace every step of the attacker's path.
A developer pushed a routine container update to the AWS EKS cluster. Security monitoring detected unusual network activity: outbound connections to suspicious domains and unexpected resource consumption.
Automation accounts are great for automating things. Like data exfiltration. Can you spot the abuse?
Learn KQL fundamentals through challenges using Entra ID logs — filtering, JSON parsing, and aggregation from scratch.
An exposed port becomes an attacker's entry point. Investigate the lateral movement and persistence that followed.
Function apps used as a persistence mechanism. Investigate code, execution history, and how the attacker got there.
Threat actors love OAuth and service principals as much as developers do. Can you find the malicious application?
The CISO of Northwind Secure is in a panic. They enabled MS Entra ID Protection but the security team is now drowning in alerts. Investigate and help prioritize.
Malicious mailbox rules can silently redirect sensitive email externally. Investigate suspicious rule activity in M365.
A full BEC attributed to Storm-1167. Mass deletions, alert suppression, Graph API abuse. Multi-stage intrusion from start to finish.
Follow the lure: OAuth consents, new forwarding rules, and a suspicious SharePoint upload. Map the full attacker trail.
A Sentinel alert fires on a Scattered Spider IOC. Investigate what actions were taken across the entire attack chain.
After reading a terrifying blog post about OAuth abuse, your client's IT Director decided to audit their environment. Analyze OAuth grants, categorize by permission levels, and distinguish Shadow IT from high-risk exposure.
A routine threat intelligence sweep of Telegram channels has flagged a senior developer's account at SkyForge Robotics. What begins as a single leaked credential unfolds into a sophisticated multi-cloud intrusion by Laundry Bear, a state-nexus actor targeting European defense technology.
A colleague named James shared a suspicious PDF via Google Drive, triggering alarms company-wide. Despite MFA and a secure password, James's account was hijacked, revealing the mechanics of a Browser-in-the-Middle attack that stole active session tokens.
DataGoblin42 has posted on a major hacking forum claiming to possess medical records for "half the world." The source: a misconfigured Google Cloud Storage bucket at VitalHealth Diagnostics. A critical permission flaw allowed the actor to list and exfiltrate tens of thousands of sensitive patient reports.
Hands-on cloud incident response training built by practitioners who've worked real breaches. Pick your tier, pick your platform.