VYPR
researchPublished Jul 13, 2026· 1 source

Varonis Launches 'Breach at the Beach' CTF to Educate on Entra ID Threats

Varonis Threat Labs has released a free, hands-on Capture the Flag event designed to teach cybersecurity professionals how attackers exploit Microsoft Entra ID and its growing non-human identities.

Varonis Threat Labs has introduced "Breach at the Beach," a free Capture the Flag (CTF) event aimed at educating cybersecurity defenders on the evolving landscape of Microsoft Entra ID attack techniques. Developed by researchers Doron Kapah and Mark Vaitsman, the CTF provides participants with practical, hands-on experience in realistic scenarios, allowing them to understand firsthand how attackers compromise cloud identity systems and exfiltrate sensitive data.

The initiative stems from the researchers' direct experience with threats targeting cloud-native environments. They observed the increasing complexity introduced by AI and the proliferation of non-human identities—such as AI agents and service principals—which have expanded the attack surface within Entra ID. The CTF is designed to demystify these threats, offering a proactive approach to improving defensive capabilities against sophisticated cloud identity attacks.

"Breach at the Beach" uses a narrative where players, embodying Varonis's threat-detecting cat mascot Pixel, trace an attacker's steps through an Entra ID environment. The goal is to uncover the sensitive data targeted by the threat actor and prevent its exfiltration. This engaging storyline immerses participants in the challenges defenders face, making the learning process more impactful and memorable.

Entra ID, as the central control plane for enterprise identity, applications, and permissions, has become a prime target. The rise of non-human identities presents unique challenges, as a compromise in Entra ID can allow threat actors to pivot stealthily and scale their operations for data exfiltration. The CTF specifically addresses how legitimate functionalities within Entra ID can be weaponized by attackers, rather than focusing solely on misconfigurations.

A key design principle of the CTF is to teach defenders how to detect threats without relying on AI assistance. This deliberate choice encourages participants to deeply understand the attack flows and the underlying data, mirroring the reality for many defenders who work with raw logs. By eliminating AI shortcuts, the CTF ensures players absorb the lessons embedded within the experience, fostering critical thinking and analytical skills.

The hands-on nature of the CTF is emphasized as crucial for effective learning. Researchers stress that "You understand nothing if you are not hands-on the keyboard, clicking around, and seeing how it works. Reading is not enough." This approach helps participants not only grasp technical concepts but also feel the real-world impact of a breach, reinforcing the importance of robust identity security.

"Breach at the Beach" is built to be valuable for a wide range of cybersecurity professionals, including red teamers, blue teamers, CISOs, and threat intelligence analysts. The CTF highlights the interconnectedness of offensive and defensive security, underscoring that familiarity with both perspectives is essential for effective security leadership and operations. It also aims to expose participants to the complexities of auditing visibility gaps in AI systems and implementing least privilege principles.

Feedback from early testers at events like Cloud Village at RSAC 2026 indicates that the CTF is both challenging and educational, even for seasoned professionals. Varonis aims to equip the cybersecurity community with the knowledge and practical skills needed to defend against the increasingly sophisticated threats targeting cloud identity infrastructure.

Synthesized by Vypr AI