Behind the Making of Operation Frostbyte: The First Snowflake GOAT

There’s always something new to learn and explore in data security. 

We’re excited to introduce Operation Frostbyte — the first-ever Snowflake GOAT, a deliberately misconfigured environment designed for cybersecurity testing and training.  

Created by Varonis Threat Labs, this open-source experience was built to help defenders understand how today’s threat actors exploit misconfigurations in Snowflake environments, a growing target for cybercriminals. 

The Operation Frostbyte storyline and 8-bit video game theme adds to the challenge, enlisting players as a white-hat agent hired to trace the attacker’s steps and stop a breach from becoming a full-fledged data avalanche. 

Continue reading to learn more about how the GOAT was built, lessons learned from the experience, why securing data in Snowflake is so important, and how you can play the game yourself.  

Why Snowflake? 

Organizations are leveraging cloud data platforms like Snowflake to gain scale, performance, and flexibility. Because Snowflake is used to create a data foundation, power their AI strategy, and develop applications, Snowflake holds sensitive information, including personally identifiable information (PII), financial records, credentials, and GDPR-regulated data. 

Enterprise security teams assume they don’t need to take any action to secure their important Snowflake data. In reality, Snowflake data is vulnerable if proper security measures aren’t taken. 

“Snowflake often contains the heart of an enterprise’s data. That’s why attackers are targeting it, and why defenders need to understand how to protect it,” said Chen Levy Ben Aroy, a Cloud Security Research Team Leader at Varonis and one of the researchers who built the GOAT.  

Alongside Chen is Lior Adar, Security Researcher at Varonis. Chen and Lior both bring robust backgrounds in various cybersecurity domains, including multiple cloud providers and SaaS platforms.  

Their idea to create a Snowflake GOAT was born out of necessity. After the targeted campaign on Snowflake in late 2024 and other high-profile incidents, it became clear to Chen and Lior that the security community needed a way to safely explore Snowflake’s attack surface. 

And thus, Operation Frostbyte was born. 

Building the GOAT 

The duo began by creating a proof of concept to show how Varonis detects and mitigates attacks in Snowflake. But when Chen and Lior started digging, it quickly evolved into something much bigger. 

They designed the GOAT to simulate realistic attack paths: excessive permissions, insecure staging, privilege escalation, and more, becoming a mirror of how real attacks happen in the wild.  

“We started by asking; What threats do we want to simulate? Who’s going to use this — red teamers, blue teamers, security engineers? Then we built scenarios based on real-world attacker behavior,” said Lior. 

“From a small POC, it became a full publication, an upcoming DEF CON workshop, and a full-blown capture-the-flag (CTF) with a beautifully themed website experience. That was all thanks to Lior’s persistence and our shared love of shenanigans,” said Chen. 

Lessons learned all around 

At its core, Operation Frostbyte is designed to teach.  

With that came lessons for the researchers: “We learned a lot about Snowflake, about Terraform automation, how data is managed... and we realized how much we didn’t know going in,” said Chen. 

The result of their discoveries became a mature, modular environment that security teams can use to train, test, and improve their defenses. Before Operation Forstbyte, there was no other Snowflake lab for cybersecurity professionals to practice on — until now.  

Red teamers get a realistic environment to test their skills and learn Snowflake-specific techniques. Blue teamers get a chance to analyze logs, detect anomalies, and understand how to harden their environments. 

Why gamers make great defenders 

Operation Frostbyte is also more than a lab, it’s a game. And that’s intentional. 

Inspired by Varonis’ Matt Radolec, who gave a 2025 RSAC keynote on how gamers make great cybersecurity professionals, the Snowflake GOAT taps into the competitive, puzzle-solving mindset that encompasses both gaming and security. 

Chen, who is a gamer himself, highlighted how no matter your role in cybersecurity, you’re always playing a game.  

“Every configuration change, every alert rule — it’s all part of the match,” said Chen.  

Lior adds that being a defender feels very much like a cat-and-mouse game.  

“It's important to remember that an attacker has the advantage, because they only need to find one vulnerability to succeed. Defenders have to secure everything, which is much harder,” said Lior.  

Varonis for Snowflake: Built for the Real World 

The main takeaway for leaders? Securing Snowflake requires automated data security.  

To truly protect your sensitive data in Snowflake, you must be able to identify where it lives, right-size who can access it, and detect how it's being accessed and modified, which can’t happen manually.  

With Varonis for Snowflake, you get all the critical data security capabilities in a single platform, addressing the key challenges of sensitive data identification and abnormal access detection.  

Varonis specifically helps organizations: 

Identify sensitive data 

Our advanced AI models and pattern matching automatically discover and classify sensitive data across all Snowflake databases, schemas, tables, and columns. This includes structured data that may not be obviously labeled as sensitive, such as custom fields, derived tables, data that becomes sensitive when combined with other datasets, as well as unstructured data such as free-text fields and file stores. 

Ensure users can only access the data they need 

Varonis automatically parses through Snowflake's complex role hierarchies and determines effective permissions for every user on every data resource. This automated approach enables organizations to achieve and maintain least privilege, even in complex Snowflake environments. 

Ensure access rights aren't misused 

Varonis establishes behavioral baselines for every user and system accessing Snowflake, detecting abnormal patterns that may indicate compromise, insider threats, or AI systems accessing data inappropriately. 

Ready to see Varonis for Snowflake in action? 

The best way to get started is with a free Snowflake Data Risk Assessment. In less than 24 hours, you'll have a comprehensive, risk-based view of your most critical data assets that is yours to keep regardless of your decision to move forward.  

Get your assessment started today. 

Play Operation Frostbyte today. 

Whether you’re on a red team, a blue team, or just Snowflake-curious, this is your chance to learn by doing.  

Operation Frostbyte is free and available to play on Varonis’ website today: https://www.varonis.com/frostbyte

When you complete the challenge online, you’ll receive a certificate of completion to share on LinkedIn.  

Chen and Lior are also heading to Las Vegas for Black Hat USA and DEF CON, where they will elaborate on how the GOAT was built and help players through the exercise in person. Find the details for those events below.  

Play Operation Frostbyte at Black Hat USA 2025:  

• Wednesday, August 6 and Thursday, August 7 

• Located in the Varonis booth (#2751).  

• Attendees who complete the challenge during Black Hat will have a chance to win a Nintendo Switch 2 

• More details on Varonis at Black Hat 

SnowGoat: Exposing Hidden Security Risks and Leaking Data Like a Threat Actor 

• Friday, August 8 at 9:00 a.m. PT  

• Las Vegas Convention Center - L2 – Workshops 

• Attendees will explore common Snowflake misconfigurations and risks through a fun and interactive CTF style attack scenario 

• More details on Snow GOAT at DEF CON