CTF qualification GUARDIANS broke records. Do you know the story of CoolBank?


2. 02. 2026

Just a few weeks ago, CoolBank was quite literally a cool financial institution. A stable infrastructure ensured standard processes and a steady inflow of satisfied customers in everyday operations. Until the moment when nothing was guaranteed anymore… At one point, strange things began happening at CoolBank. Here and there, a user with a suspicious profile logged into the email service, cloud services that were supposed to run at 100% suddenly slowed down, and unusual data transfers started burdening the infrastructure. An attentive “security specialist” could not have missed the subtle signals that someone who shouldn’t be there was likely present in the network.

“Digital heist at CoolBank”

The CTFd qualification GUARDIANS 2026 was a comprehensive simulation revolving around a cyberattack on a fictional financial institution. Participants had to uncover traces of a sophisticated hacking group that progressed through five destructive phases:

1st Phase: Breaking in (Identity theft)

It all started, as is often the case today, with human error. The attackers purchased leaked login credentials belonging to an HR employee named Lea Ciger on the dark web. This allowed them to bypass the first line of defense. They logged directly into her work accounts (Outlook, Teams), masking their location through suspicious IP addresses (e.g., from Bangladesh).

2nd Phase: Backdoor (Server compromise)

The attackers found a weakness in a loan application server running on a vulnerable version of Apache Tomcat. Without hesitation, they exploited a fresh vulnerability (CVE-2025-24813) and uploaded malicious code (a web shell), gaining access to the server. At this stage, the attackers were inside.

3rd Phase: Cloud heist (Data theft and crypto mining)

Why steal money from a vault when you can steal data in the cloud? From the server, the attackers moved into the bank’s AWS cloud. They launched cryptocurrency mining (XMRig) on servers to overload the bank’s cloud services—a proven distraction tactic. While the IT department dealt with resource exhaustion, the attackers quietly exfiltrated sensitive personal data of loan applicants from S3 storage.

4th Phase: Silent movement across the network (Lateral Movement)

The hackers did not stop in the cloud—they needed to go deeper. They created hidden tunnels (using tools like ligolo-ng and by abusing legitimate software such as AnyDesk), allowing them to move undetected between segmented parts of the network (from the DMZ into the internal network). Along the way, they compromised an FTP server and sent internal documents to a server in Brazil.

5th Phase: Destructive finale (Ransomware)

The final stage of the attack was devastating. The hackers reached the “crown jewel” of the network—the Domain Controller (adc2ofc), which manages the entire network. To cover their tracks and extort the bank, they deployed the infamous Akira ransomware. They deleted security backups (Shadow Copies) and encrypted critical systems.
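The two signals the story leans on most, an HR account suddenly signing in from an unexpected country (1st Phase) and Shadow Copies being deleted on the Domain Controller just before encryption (5th Phase), are the kind of thing a blue team would want to catch in logs. The script below is an added example written for this article, not code from the competition or its organizers: it runs two simple checks over constructed sign-in and process-creation events. The log lines, hostnames, user names, the baseline threshold and the detection patterns are all assumptions made for illustration.

```python
"""Two detection checks over constructed log lines mirroring the CoolBank story.

Added example: every event below is constructed for illustration and does not
come from the competition data or any real environment.
"""
import re
from collections import defaultdict

# Constructed Microsoft 365 style sign-in events: (timestamp, user, country, app, result)
SIGNIN_LOG = [
    ("2026-01-10T08:02:11Z", "lea.ciger", "SK", "Outlook", "Success"),
    ("2026-01-10T08:40:53Z", "lea.ciger", "SK", "Teams", "Success"),
    ("2026-01-11T09:15:02Z", "lea.ciger", "SK", "Outlook", "Success"),
    ("2026-01-12T10:00:00Z", "jan.novak", "SK", "Outlook", "Success"),
    ("2026-01-12T23:41:19Z", "lea.ciger", "BD", "Outlook", "Success"),
    ("2026-01-12T23:44:07Z", "lea.ciger", "BD", "Teams", "Success"),
]

# Constructed process-creation events: (timestamp, host, image, command line)
PROCESS_LOG = [
    ("2026-01-20T02:11:40Z", "adc2ofc", "svchost.exe", "svchost.exe -k netsvcs"),
    ("2026-01-20T02:12:05Z", "adc2ofc", "vssadmin.exe", "vssadmin.exe delete shadows /all /quiet"),
    ("2026-01-20T02:12:09Z", "adc2ofc", "powershell.exe",
     "powershell.exe Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }"),
    ("2026-01-20T02:13:00Z", "web01", "java", "java -jar /opt/tomcat/bin/bootstrap.jar"),
]

# Assumed tuning value: how many earlier successful sign-ins a user needs before a
# previously unseen country is treated as anomalous (avoids noise on new accounts).
MIN_BASELINE_LOGINS = 2


def new_country_logins(events, min_baseline=MIN_BASELINE_LOGINS):
    """Return (timestamp, user, country) for the first successful sign-in from a
    country that does not appear in that user's earlier successful sign-ins."""
    seen_countries = defaultdict(set)
    success_count = defaultdict(int)
    flagged = []
    for ts, user, country, _app, result in sorted(events):
        if result != "Success":
            continue
        if success_count[user] >= min_baseline and country not in seen_countries[user]:
            flagged.append((ts, user, country))
        seen_countries[user].add(country)
        success_count[user] += 1
    return flagged


# Command-line shapes commonly associated with Shadow Copy removal; these are
# illustrative patterns, not an exhaustive ruleset.
SHADOW_DELETE_PATTERNS = [
    re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"Win32_ShadowCopy.*\.Delete\(\)", re.I),
]


def shadow_copy_deletion(events):
    """Return (timestamp, host, command line) for process events whose command
    line matches one of the Shadow Copy deletion patterns."""
    hits = []
    for ts, host, _image, cmdline in events:
        if any(p.search(cmdline) for p in SHADOW_DELETE_PATTERNS):
            hits.append((ts, host, cmdline))
    return hits


if __name__ == "__main__":
    for ts, user, country in new_country_logins(SIGNIN_LOG):
        print(f"[sign-in] {ts} {user} first seen from {country}")
    for ts, host, cmdline in shadow_copy_deletion(PROCESS_LOG):
        print(f"[backup tampering] {ts} {host}: {cmdline}")
```

In a real tenant the sign-in records carry an IP address and ASN rather than a bare country code, so the first check would sit behind a geolocation lookup, and the baseline window would be bounded in time rather than being the user's whole history. The second check is deliberately narrow; the point is that it fires on the Domain Controller minutes before encryption starts, which is the last moment a responder can still act.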

Participants in CTFd GUARDIANS 2026 were tasked with uncovering the fictional incident from the very first suspicious login. Banks typically invest above-average amounts in cybersecurity compared to other sectors, driven by both financial incentives and external regulations. One of the providers of training for banks is Binary Confidence. In Slovakia, the banking sector consistently ranks first compared to other industries according to regular reports from the National Security Authority. Even so, this does not guarantee that a similar incident cannot happen in reality.

The entire story is described in detail in a well-crafted Incident Report by the DTCS team: CoolBankIncidentReport_DTCS_team

A record-breaking year 2026

After ten years of the competition, we can proudly say that, according to all statistics, this was the most successful round in its history, with a total of 284 registered users and 144 registered teams.

During the qualification CTF, the platform recorded a total of 26,313 submissions, of which 10,439 were successful and 15,874 unsuccessful. Such a volume of attempts clearly shows that teams did not give up after the first failure and returned to the challenges repeatedly—just as happens during real incidents.

Figure: Ratio of correct and incorrect answers

The scope of environments was unprecedented. Tasks were divided into ten categories, ranging from HR and external perimeter, through AWS cloud, Microsoft 365, Azure, DMZ, and Active Directory, all the way to loan systems and the final incident report. In the Loan category alone, players solved 41 tasks, in HR 38, and in AWS 37.

At the same time, it became clear “where the breaking point is.” The most difficult tasks from the DMZ category were solved by only a few teams. Task DMZ29, in which participants had to determine what command the attackers used in Velociraptor to create a privileged user, barely reached double digits in correct answers. Task HR13 in the opening phase of the story recorded hundreds of unsuccessful attempts, clearly showing how challenging it was for many players to correctly identify the compromise of our fictional “Lea Ciger” in an environment that at first glance appeared “clean.”

Cheating doesn’t pay off in fair play

This year, we introduced a new element to Guardians in the form of cloud technologies. It was a new environment not only for participants but also for us as creators, especially from the perspective of designing and implementing attacks. The main challenge was choosing the right format so that tasks remained realistic, balanced, and technically engaging.

As early as the first week, some players managed to successfully solve all tasks. Throughout the competition, we observed a continuous increase in newly registered participants.

We also recorded several attempts at cheating. In one case, a registered user “submitted” answers in the CTF within intervals of just a few dozen seconds. For future editions, we welcome only players who respect the rules of the game. One of the core values we stand by as organizers is fair play, and any attempt to cheat will result in disqualification.

The finals will take banking sector defense to a new level

The CoolBank story does not end with the CTFd qualification. The Guardians final will take the training of banking sector defense—and any other sector—to a completely new level. Finalists will meet in the realistic BinConf RANGE wargame simulator, developed and provided for a wide range of clients by Binary Confidence Research. The simulator does not offer just isolated task investigation but a full live operational environment. Players will become administrators of a real infrastructure for several hours, with systems running and active users present. They will receive real logs for analysis. Attacks, based on real-world experience, will not occur one by one but in parallel—just as in real conditions.

In this environment, it will no longer be just about the technical knowledge of individuals. What will matter most is teamwork, incident prioritization, communication, and the ability to make decisions under time pressure and with incomplete information. At this stage, Guardians definitively transforms from a CTF into a full-fledged cyber defense simulation.

European Cybersecurity Competence Centre (ECCC) supports this project via grant agreement 101128075
