Behind the Making of Operation Frostbyte: The First Snowflake GOAT

Complete Operation Frostbyte, an interactive mission created by Varonis Threat Labs to test the cybersecurity community’s Snowflake data security knowledge.
Last updated August 18, 2025

There’s always something new to learn and explore in data security. 

We’re excited to introduce Operation Frostbyte — the first-ever Snowflake GOAT, a deliberately misconfigured environment designed for cybersecurity testing and training.  

Created by Varonis Threat Labs, this open-source experience was built to help defenders understand how today’s threat actors exploit misconfigurations in Snowflake environments, a growing target for cybercriminals. 

The Operation Frostbyte storyline and 8-bit video game theme add to the challenge, enlisting players as white-hat agents hired to trace the attacker’s steps and stop a breach from becoming a full-fledged data avalanche.

Continue reading to learn more about how the GOAT was built, lessons learned from the experience, why securing data in Snowflake is so important, and how you can play the game yourself.  

Why Snowflake? 

Organizations are leveraging cloud data platforms like Snowflake to gain scale, performance, and flexibility. Because organizations use Snowflake to create a data foundation, power their AI strategy, and develop applications, it holds sensitive information, including personally identifiable information (PII), financial records, credentials, and GDPR-regulated data.

Enterprise security teams assume they don’t need to take any action to secure their important Snowflake data. In reality, Snowflake data is vulnerable if proper security measures aren’t taken. 

“Snowflake often contains the heart of an enterprise’s data. That’s why attackers are targeting it, and why defenders need to understand how to protect it,” said Chen Levy Ben Aroy, a Cloud Security Research Team Leader at Varonis and one of the researchers who built the GOAT.  

Alongside Chen is Lior Adar, Security Researcher at Varonis. Chen and Lior both bring robust backgrounds in various cybersecurity domains, including multiple cloud providers and SaaS platforms.  

Their idea to create a Snowflake GOAT was born out of necessity. After the targeted campaign on Snowflake in late 2024 and other high-profile incidents, it became clear to Chen and Lior that the security community needed a way to safely explore Snowflake’s attack surface. 

Snowflake is unique. It can be completely isolated from other services, which means if an attacker compromises it, they could have access to everything in one place.

Lior Adar, Security Researcher at Varonis

And thus, Operation Frostbyte was born. 

Building the GOAT 

The duo began by creating a proof of concept to show how Varonis detects and mitigates attacks in Snowflake. But when Chen and Lior started digging, it quickly evolved into something much bigger. 

They designed the GOAT to simulate realistic attack paths, including excessive permissions, insecure staging, and privilege escalation, so that it mirrors how real attacks happen in the wild.

“We started by asking: What threats do we want to simulate? Who’s going to use this — red teamers, blue teamers, security engineers? Then we built scenarios based on real-world attacker behavior,” said Lior.

“From a small POC, it became a full publication, an upcoming DEF CON workshop, and a full-blown capture-the-flag (CTF) with a beautifully themed website experience. That was all thanks to Lior’s persistence and our shared love of shenanigans,” said Chen. 

Lessons learned all around 

At its core, Operation Frostbyte is designed to teach.  

With that came lessons for the researchers: “We learned a lot about Snowflake, about Terraform automation, how data is managed... and we realized how much we didn’t know going in,” said Chen. 

The result of their discoveries is a mature, modular environment that security teams can use to train, test, and improve their defenses. Before Operation Frostbyte, there was no Snowflake lab for cybersecurity professionals to practice on.

Red teamers get a realistic environment to test their skills and learn Snowflake-specific techniques. Blue teamers get a chance to analyze logs, detect anomalies, and understand how to harden their environments. 

It’s a playground for both sides. Red teamers can learn new offensive techniques. Blue teamers can train on detection and mitigation. And everyone walks away smarter.

Chen Levy Ben Aroy, Cloud Security Research Team Leader at Varonis

Why gamers make great defenders 

Operation Frostbyte is also more than a lab; it’s a game. And that’s intentional.

Inspired by Varonis’ Matt Radolec, who gave a 2025 RSAC keynote on how gamers make great cybersecurity professionals, the Snowflake GOAT taps into the competitive, puzzle-solving mindset shared by gaming and security.

Chen, who is a gamer himself, highlighted how no matter your role in cybersecurity, you’re always playing a game.  

“Every configuration change, every alert rule — it’s all part of the match,” said Chen.  

Lior adds that being a defender feels very much like a cat-and-mouse game.  

“It's important to remember that an attacker has the advantage, because they only need to find one vulnerability to succeed. Defenders have to secure everything, which is much harder,” said Lior.  

Varonis for Snowflake: Built for the Real World 

The main takeaway for leaders? Securing Snowflake requires automated data security.  

To truly protect your sensitive data in Snowflake, you must be able to identify where it lives, right-size who can access it, and detect how it's being accessed and modified, none of which can be done manually.

With Varonis for Snowflake, you get all the critical data security capabilities in a single platform, addressing the key challenges of sensitive data identification and abnormal access detection.  

Varonis specifically helps organizations: 

Identify sensitive data 

Our advanced AI models and pattern matching automatically discover and classify sensitive data across all Snowflake databases, schemas, tables, and columns. This includes structured data that may not be obviously labeled as sensitive, such as custom fields, derived tables, data that becomes sensitive when combined with other datasets, as well as unstructured data such as free-text fields and file stores. 

Ensure users can only access the data they need 

Varonis automatically parses through Snowflake's complex role hierarchies and determines effective permissions for every user on every data resource. This automated approach enables organizations to achieve and maintain least privilege, even in complex Snowflake environments. 

Ensure access rights aren't misused 

Varonis establishes behavioral baselines for every user and system accessing Snowflake, detecting abnormal patterns that may indicate compromise, insider threats, or AI systems accessing data inappropriately. 

Ready to see Varonis for Snowflake in action? 

The best way to get started is with a free Snowflake Data Risk Assessment. In less than 24 hours, you'll have a comprehensive, risk-based view of your most critical data assets that is yours to keep regardless of your decision to move forward.  

Get your assessment started today. 

Play Operation Frostbyte today. 

Whether you’re on a red team, a blue team, or just Snowflake-curious, this is your chance to learn by doing.  

Operation Frostbyte is free and available to play on Varonis’ website today: https://www.varonis.com/frostbyte

When you complete the challenge online, you’ll receive a certificate of completion to share on LinkedIn.  
