Monthly CTF — May 2026

Scenario

You're a SOC analyst at Northgate Financial, a mid-size finance company. The endpoint security platform — Elastic Defend — has lit up overnight on one of your finance-department workstations. The on-call analyst dismissed the alerts as routine noise and went back to sleep. It's morning, and the alert pile has grown to multiple rules across persistence, defense evasion, and command-and-control.

The CIO wants a definitive answer before market open: was this a real intrusion, what did the attacker accomplish, and is there anything that needs to be ripped out of the environment right now?

Your tools

How this CTF is structured

28 questions across 6 categories:

Category Q Pts Focus
Initial Detection 4 4 Orient yourself in the Security app
Process Investigation 6 12 Reconstruct the execution chain
Persistence 5 10 What did the attacker leave behind?
Network & C2 5 12 Where did the implant phone home?
Defense Evasion 5 12 How did the attacker hide from us?
Advanced Hunting 3 15 Beyond the alerts — go find what rules missed

Total: 65 points. A competent SOC analyst should score 70-80% in ~4 hours.

Rules of engagement

A few hints

Good hunting.