Skip to main content
CybersecurityHacking

Varonis Launches Breach at the Beach, a Hands-On Entra ID Training Experience

People stand on a beach with a subtle network infrastructure pattern in the background.

“Non-human identities are rapidly outgrowing human identities, expanding the attack surface as a result. Threat actors can gain and scale access while creating major challenges for monitoring and detection,” says Doron Kapah, Security Researcher at Varonis.

Why Entra ID is the control plane defenders need to understand

Varonis Threat Labs framed Breach at the Beach around a single premise: Entra ID is more than an identity provider — it is, in the words of the developers, "the control plane for the entire enterprise." The CTF focuses squarely on how that control plane connects users, applications, permissions, automation and AI-powered workflows, and how compromises can unfold when non-human identities such as AI agents, service principals and automated workflows are involved.

Mark Vaitsman, Security Research Team Leader at Varonis, summarized the risk succinctly: "In today's AI era, a lot of identities are non-human identities. f there is a compromise in Entra, a threat actor can pivot themselves into a non-human identity, and it can quickly turn into a stealthy and scalable data exfiltration attempt."

How the CTF recreates real-world exfiltration scenarios

Breach at the Beach was built from cases the authors say they encountered in customer environments. The experience uses a narrative device — Pixel, Varonis’ threat-detecting cat — to guide players through an investigation of an Entra ID breach. Players trace an attacker’s steps through Pixel to determine what sensitive data is being targeted and how the actor moves through non-human identities and automation.

Varonis emphasizes that the techniques embedded in the challenges are not hypothetical: Doron Kapah and Mark Vaitsman designed each stage to reflect techniques they have seen "on the frontlines" in cloud-native environments, particularly how threat actors weaponize legitimate functionality rather than relying on simple misconfigurations.

Design choices: weaponized features, raw logs, and deliberate limits on AI help

Three explicit design choices shape the learning experience. First, the CTF teaches players to spot "features, not misconfigurations" — the weapons are built-in behaviors being repurposed by attackers. Second, players work with raw Entra logs in an evolving environment so they learn to "eliminate noise" and create clarity from realistic, shifting telemetry. Third, the creators intentionally prevented large language models from solving the challenges for players so that people must learn the underlying mechanics rather than relying on AI to complete tasks for them.

As Mark Vaitsman put it, hands-on practice is essential: "You understand nothing if you are not hands-on the keyboard, clicking around, and seeing how it works. Reading is not enough." The CTF was explicitly tuned so that the embedded lessons survive — and are absorbed — without AI shortcuts.

What this means for red teamers, blue teamers, and CISOs

Red teamers: The CTF aims to sharpen offensive understanding by forcing players to work the blue-team perspective; Vaitsman said a red team cannot be "good or perfect" without familiarity with defenders' telemetry and controls.

Blue teamers: The exercise exposes defenders to audit logs and AI-related telemetry they may not see day to day, including systems like Dataverse and Copilot, helping defenders to identify visibility gaps and build detection strategies around non-human identities.

CISOs: The experience is positioned as an operational learning tool to highlight gaps between rapid AI adoption and security infrastructure that "hasn't kept pace," a disconnect the creators say fundamentally changes defensive approaches and identity hygiene requirements.

How to play, earn CPEs, and meet the authors in person

Breach at the Beach is free and available to play online at https://breachatthebeach.com. Each of the CTF’s four stages awards 1 CPE credit and a themed badge; completing all four stages yields a certificate of completion suitable for sharing. Players who intend to receive CPE credits are asked to use an active email address.

Varonis brought the CTF to the Cloud Village at RSAC 2026, and the creators report player feedback that the challenge is both educational and engaging. Doron and Mark will also be at Black Hat USA 2026 (August 3–6) at the Varonis booth (#2948) and at DEF CON 34 in the Cloud Village (August 6–9) to elaborate on the build and assist players. Online players and Black Hat attendees who complete the CTF by August 6 will be entered into a drawing for a $2,000 USD Marriott gift card. DEF CON attendees will be able to compete in the Cloud Village CTFs and prize pool, with registration opening prior to the event.

For defenders who want to see how identity-based compromises can scale via AI and automation, Breach at the Beach offers a hands-on classroom where audit logs, least-privilege practice, and detective controls are the curriculum. The next step Varonis proposes is simple and practical: sit at the keyboard, play the scenarios, and measure whether your visibility and identity hygiene hold up when non-human actors become the central vector.

Original story: https://www.bleepingcomputer.com/news/security/breach-at-the-beach-play-the-ultimate-entra-id-ctf/