Featured track
Skyfall: deep dive
A fast-growing AI company with an Arceus cloud environment held together by assumptions. Break in, escalate, and decide how the story ends.
Why it hits hard
Cloud misconfigurations are not edge cases. They are the most common cause of large-scale data breaches in modern infrastructure. Capital One lost 100 million records to an IAM misconfiguration. Misconfigured storage buckets have leaked data from governments, hospitals, and Fortune 500 companies. Skyfall makes you walk the exact path an attacker would, from a misconfigured sign-up flow to full infrastructure compromise, one overlooked default at a time. You run real CLI commands against a live Arceus environment, not a quiz or a simulation. Every command maps to an actual Azure or AWS equivalent. After this track, you will never look at a cloud console the same way again.
What you'll breach
Skyfall puts you inside Arceus, a live cloud platform that mirrors the misconfigurations behind real-world breaches like the 2019 Capital One incident, where a single misconfigured IAM role exposed over 100 million customer records in S3.
You start with a regular sign-up. Within minutes, you discover that the provisioning process has placed you inside ILIAS's production Arceus tenant. From the Arceus Lens log viewer, you find that production monitoring is streaming DEBUG-level output that includes SSH credentials in plain text. Those credentials get you into a deployment VM. A single curl to the metadata service at 169.212.169.212 hands you managed identity tokens. Using the Arceus CLI, you discover a secrets vault, assign VaultReader to your identity, and extract the stored secret. It maps to the DevAI Automation Engine, ILIAS's core AI automation product, whose service principal was granted elevated permissions to keep their pipelines running. You log in as that principal and escalate to directory Owner.
Then you choose. Clean Exit: delete the prohibited data ILIAS never should have stored, including voice clones, user tracking recordings, and robocopy models. Or trigger Skyfall: strip roles from development and management groups, scale every web app and container to maximum, and watch the projected monthly cost explode.
Challenges
From sign-up page to infrastructure owner.
Seven challenges inside Arceus, a fictional cloud platform. Every command you run is a real cloud attack technique.
ILIAS left their monitoring tool in DEBUG mode. Arceus Lens, the platform's log viewer, is streaming SSH credentials in plain text between routine log entries. Find them before they rotate. Verbose logging leaks like this are behind some of the largest cloud breaches on record.
SSH into the deployment VM, then curl to extract managed identity tokens from the instance metadata service. This is the same technique used in the Capital One breach of 2019, where a misconfigured WAF allowed SSRF to the EC2 metadata endpoint and exposed over 100 million records.
Use the Arceus CLI to discover a secrets vault, assign VaultReader to your managed identity, extract the stored secret, and map it to the DevAI Automation Engine service principal. Then log in as that principal and escalate to directory Owner. This mirrors real IAM privilege escalation chains documented by Rhino Security Labs and others.
Clean Exit: delete the prohibited data ILIAS should never have stored, from voice clones to user tracking recordings and robocopy models. Or trigger Skyfall: strip roles from every dev and management group, scale all web apps and containers to maximum, and calculate the projected monthly cost catastrophe. Your call.