Cybersecurity can feel a lot like the ocean. A sense of calm on the surface, but likely something unknown is lurking underwater.
Varonis Threat Labs researchers Doron Kapah and Mark Vaitsman know this reality firsthand. Most of their days involve researching how threats exfiltrate sensitive data in cloud-native environments.
Knowing that AI has changed both identity management and how threats attack organizations, the duo wanted to create an Entra ID training experience that gives other security practitioners firsthand knowledge of what data exfiltration in Entra ID looks like on the frontlines. Thus, Breach at the Beach was born.
Pixel, Varonis’ threat-detecting cat, is on a beach vacation when she learns of a breach in Entra ID and switches to investigator mode. Players trace the threat actor's steps through Pixel to uncover what sensitive data the attacker is after, hopefully stopping them before it is too late.
Continue reading to learn more about the real cases that inspired Breach at the Beach, how AI has evolved threat detection and amplified the need for hands-on education, and how you can earn CPE credits by completing Breach at the Beach.
Why Entra ID?
Entra ID isn't just an identity provider; it's the control plane for the entire enterprise. It connects users, applications, permissions, automation, and increasingly AI-powered workflows. The rise of non-human identities — AI agents, service principals, automated workflows — has changed what a compromise in Entra ID can look like.
"In today's AI era, a lot of identities are non-human identities. If there is a compromise in Entra, a threat actor can pivot themselves into a non-human identity, and it can quickly turn into a stealthy and scalable data exfiltration attempt."
Mark Vaitsman, Security Research Team Leader at Varonis
The techniques woven throughout Breach at the Beach aren't hypothetical. They reflect cases Doron and Mark have encountered firsthand in real customer environments, making each challenge a lesson grounded in what defenders are up against today.
“Non-human identities are rapidly outgrowing human identities, expanding the attack surface as a result. Threat actors can gain and scale access while creating major challenges for monitoring and detection,” says Doron.
Doron also points out that organizations are caught between the pressure to adopt AI quickly and security infrastructure that hasn’t kept pace with AI, creating complexity that fundamentally changes the defensive approach.
Sharing knowledge through the lens of a CTF
Knowing that today’s defenders need awareness of modern attacks in Entra ID, Doron and Mark wanted to give them a hands-on experience that shows what those attacks look like.
They designed Breach at the Beach to teach players the following:
- How threats abuse features, not misconfigurations: Players aren’t hunting for something that’s broken. They’re learning to recognize when a legitimate functionality is being weaponized.
- How to detect threats without AI: Doron and Mark deliberately designed the CTF to keep an LLM from solving the challenges, something researchers weren’t thinking about a year or two ago. Removing AI assistance helps players absorb the lessons embedded in the experience rather than rushing through them to compete.
- How to eliminate noise: Working through raw Entra logs is a reality for most defenders. By creating a complex environment where the data keeps evolving, players are tested to create their own clarity.
Beyond the specific lessons, Mark also knows firsthand how hands-on learning gives defenders real-world practice.
“You understand nothing if you are not hands-on the keyboard, clicking around, and seeing how it works. Reading is not enough.”
Mark Vaitsman, Security Research Team Lead
Mark also shared how CTF experiences help players feel the impact, not just understand it conceptually.
“You kind of feel that this is actually really your company with a CTF. If you don't understand the attack flow or the techniques inside, you lose more than just the challenge,” says Mark.
Built for all cybersecurity professionals
Baking in new knowledge on Entra ID and AI was a given for Mark and Doron, and so was ensuring that completing the experience was useful across all security roles, including red teamers, blue teamers, CISOs, threat intelligence roles, and more.
“There is no way you can be a good or perfect red teamer if you're not familiar with the blue team side, and you probably will not be able to be a good CISO if you're not familiar with the attacker side,” says Mark.
Doron also highlighted that when it comes to AI and auditing visibility gaps, this isn't something every security practitioner gets exposed to in their daily jobs. Including that in the CTF helps identify any gaps they may be missing.
"Not every security professional is exposed to audit logs from systems like Dataverse, Copilot, or to the underlying mechanics of how these AI systems operate. This CTF gives them a chance to see how challenging it is to build a defensive approach when working with AI agents."
Doron Kapah, Security Researcher at Varonis
"It also helps them understand what good identity hygiene looks like and how to implement least privilege in their own environments," adds Doron.
Early in the development of Breach at the Beach, the team took it to the Cloud Village at RSAC 2026. Player feedback highlighted that it didn't feel like a task but like a creative challenge that kept them entertained and inspired.
“We got feedback that the challenge was tough, but also very educational. Even seasoned CTF staff at the booth told us they learned something new,” says Doron.
Play Breach at the Beach today
Whether you’re on a red team, on a blue team, or need to earn CPE credits, this is your chance to learn by doing.
Breach at the Beach is free and available to play online: https://breachatthebeach.com
Completing each stage of the CTF awards players with 1 CPE credit and a themed badge. Once all four stages are complete, players receive a certificate of completion to share on LinkedIn. If you intend to earn CPE credits, please use an active email address.
Doron and Mark are also heading to Las Vegas for Black Hat USA and DEF CON 34, where they will elaborate on how the CTF was built and help players through the exercise in person. Find the details for those events below.
Play at Black Hat USA 2026:
- August 3-6, 2026
- Located in the Varonis booth (#2948)
- Online players and Black Hat attendees who complete the CTF by August 6 will be entered into a drawing for a $2,000 USD gift card to Marriott Hotels
- More details on Varonis at Black Hat
Play at DEF CON 34 in the Cloud Village
- August 6-9, 2026
- Las Vegas Convention Center
- More details on the Cloud Village
- Attendees will have the chance to compete with others in the Cloud Village’s Capture the Flag challenges, with top players being eligible for an array of prizes
- Registration to play at DEF CON will open prior to the event