What did we throw at the finalists for Guardians 2026, and how did they handle it?


25. 02. 2026

Will you protect your bank's $20 billion in assets? Cybercriminals, aka the Red Team, are hot on your heels, and your clients' trust rests solely on how you respond to the attacks that are coming. You don't know when, or how, but they'll arrive any minute now. You have a few tens of minutes to get oriented, then the curtain goes up and the show begins! Guardians Competition 2026 brought many innovations, and we are quite flattered that even seasoned veterans among the finalists were ultimately surprised by what we had prepared for them.

Cybersecurity is a never-ending process of continuous improvement. It is therefore perhaps no surprise that the Guardians final also featured significant use of AWS cloud services and Microsoft 365 with Entra ID, and their integration into a traditional on-premise banking environment. The result was a realistic hybrid model of three banks, where security incidents did not occur in isolation, but across networks, identities, applications, and cloud roles.

The simulated banks operated within a segmented architecture divided into multiple distinct network zones – a DMZ with both publicly and internally accessible services such as the bank's website, an application for processing loans and related operations, and a backend system responsible for financial transactions. The perimeter was secured by an enterprise-grade firewall, with the ability to utilise its functionalities remaining with the players. In its basic mode, it only logged attacks, meaning the decision of what to block, isolate, or patch remained exclusively with the defenders.

At the heart of the defence was a SIEM, which aggregated logs from Windows servers (Sysmon, Winlogbeat), Linux systems (Filebeat, Auditbeat), DNS requests, and cloud events from both AWS and M365/Azure. Crucially, however, not everything was visible automatically. Some scenarios required manual forensic analysis, data correlation, and a technical understanding of the context. Exactly as in a real SOC.

The cloud layer added another dimension of complexity. An attacker could move from the DMZ into AWS, exploit IAM roles, manipulate highly available cloud databases (DBaaS), or exploit a compromised identity in Microsoft 365. The line between infrastructure and application incidents practically disappeared this year. The cloud significantly shuffled the deck and surprised some teams literally.


Banking chatbot in the service of hackers and “leaked credentials”

Perhaps it's not surprising that our Red Team was truly well-prepared, and as is often the case in the real world, our attack scenarios covered the full spectrum of modern threats. From exploiting a vulnerability in an application server (remote code execution via a vulnerable Tomcat) and subsequent privilege escalation, through the theft of AWS keys and the creation of persistence in IAM, to compromised credentials in Microsoft 365 and the exfiltration of documents from SharePoint. While the technical details were important, the core of most attacks was surprisingly "human". Attackers weren't just looking for infrastructure vulnerabilities, but also for mistakes in decision-making, attention, and processes.

An example of a human error with a significant impact on the bank was user Magdalena Nemec. She presumably wasn't careful at some point in the past, and her login details appeared for sale on the dark web. An attacker simply used them, logged into the corporate environment via M365, and began downloading sensitive documents from SharePoint.
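The leaked-credentials scenario above is the kind of incident the SIEM logs alone don't flag: a valid sign-in followed by a normal-looking file operation, repeated many times. The detection below is an added example, not code from the competition or the BinConf RANGE platform; it correlates sign-in and download events per user, arms only on a sign-in from an IP outside that user's baseline, and fires once a download burst follows. The event shape loosely follows the Microsoft 365 unified audit log, but field names, addresses and the baseline are assumptions and the events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (UTC); field names simplified from the M365
# unified audit log (assumption). 198.51.100.x is the bank's office range,
# 203.0.113.7 is an address never seen for this user before.
EVENTS = [
    {"t": "2026-02-25T07:30:00", "user": "m.nemec@bank.example", "op": "UserLoggedIn", "ip": "198.51.100.20", "item": ""},
    {"t": "2026-02-25T07:31:00", "user": "m.nemec@bank.example", "op": "FileDownloaded", "ip": "198.51.100.20", "item": "HR/leave-policy.docx"},
    {"t": "2026-02-25T08:01:00", "user": "m.nemec@bank.example", "op": "UserLoggedIn", "ip": "203.0.113.7", "item": ""},
] + [
    {"t": f"2026-02-25T08:0{i}:10", "user": "m.nemec@bank.example", "op": "FileDownloaded", "ip": "203.0.113.7", "item": f"Loans/contract-{i}.pdf"}
    for i in range(2, 8)          # six downloads in six minutes from the new IP
] + [
    {"t": "2026-02-25T09:00:00", "user": "j.novak@bank.example", "op": "UserLoggedIn", "ip": "198.51.100.21", "item": ""},
] + [
    {"t": f"2026-02-25T09:0{i}:00", "user": "j.novak@bank.example", "op": "FileDownloaded", "ip": "198.51.100.21", "item": f"Reports/r{i}.xlsx"}
    for i in range(1, 8)          # same burst size, but from a baseline IP: benign
]
# Per-user baseline of sign-in IPs from the previous 30 days (constructed).
KNOWN_IPS = {"m.nemec@bank.example": {"198.51.100.20"}, "j.novak@bank.example": {"198.51.100.21"}}


def detect_download_burst_after_new_ip_login(events, known_ips, window=timedelta(minutes=15), threshold=5):
    """Return one alert per (user, ip) when a sign-in from an IP outside the
    user's baseline is followed by >= `threshold` SharePoint downloads from that
    same IP within `window`. A sign-in from a baseline IP never arms the detector,
    so a heavy but ordinary working session does not alert."""
    armed = {}                      # (user, ip) -> time of the suspicious sign-in
    downloads = defaultdict(list)   # (user, ip) -> items downloaded since then
    alerts = []
    for ev in sorted(events, key=lambda e: e["t"]):   # ISO timestamps sort lexically
        key = (ev["user"], ev["ip"])
        when = datetime.fromisoformat(ev["t"])
        if ev["op"] == "UserLoggedIn" and ev["ip"] not in known_ips.get(ev["user"], set()):
            armed[key] = when
            downloads[key] = []
        elif ev["op"] == "FileDownloaded" and key in armed and when - armed[key] <= window:
            downloads[key].append(ev["item"])
            if len(downloads[key]) == threshold:       # fire exactly once, at the threshold
                alerts.append({"user": ev["user"], "ip": ev["ip"],
                               "login_at": armed[key].isoformat(),
                               "files": list(downloads[key])})
    return alerts


if __name__ == "__main__":
    for alert in detect_download_burst_after_new_ip_login(EVENTS, KNOWN_IPS):
        print(f"ALERT {alert['user']} from {alert['ip']} after sign-in at {alert['login_at']}: {len(alert['files'])} files")
```

In a real SOC the baseline would come from the last weeks of sign-in logs and the alert would carry the file list straight into the incident ticket, which is exactly the documentation the judges scored.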

An elegant demonstration of modern threats was the attack on a bank's chatbot. Our hackers "chatted" with it for so long that it accidentally revealed internal data, including a token and a secret key for the administrator account. An ironic, but very real, exploitation of a customer assistant tool to gain access to the bank's cloud. Subsequently, the attackers changed passwords, shut down an internal application, and modified database access. Seemingly harmless functionality = a serious operational problem.

The bank's perimeter also came under fire. The firewall contained known, but unpatched vulnerabilities. The attackers initially quietly downloaded its configuration and then began to restart the device. This left the bank cut off from the internet for a few minutes. This attack was not about data theft, but about availability and reputation.

The attacks also targeted the GitLab developer infrastructure and the container environment. Although not all attempts were successful, the scenario showed that a modern bank must also protect its development tools. And alongside all this, the daily "digital life" continued. Simulated employees clicked on ads, logged in, and forgot passwords. There were brute-force attempts, scans, and minor incidents.


Three banks, one trophy

The teams with the best performance in the CTFd qualification advanced to the final, where we assigned them banks Alpha (Team 1), Bravo (Team 2), and Charlie (Team 3) to protect. To make the final game experience as realistic as possible, we created a scoring system that reflected "public trust" through the amount of managed funds.

Negative events such as successful attacks, service outages, or prolonged system unavailability diminished public trust. As trust declined, clients began to withdraw their funds. Conversely, the successful detection and cessation of attacks increased public trust and, at the same time, capital inflow.

The teams were judged on speed of detection, quality of response, and level of investigation. It wasn't enough to just stop the attack. It was necessary to accurately document who attacked, how, what the impact was, and what measures were needed for the future.


Charlie Bank: courage, technical intuition, but also an unpleasant hard lesson

The cybersecurity team at Charlie Bank surprised with their ability to identify even the preparatory activities of an attacker. For example, this included scripts with excessive permissions or anomalies that were not direct attacks. They were the only ones to update the firewall, thereby preventing the vulnerability from being exploited again.

However, the team paid the price for one strategic decision: a misjudged incident led to a long-term server quarantine, significantly lowering the score for a large part of the game. Furthermore, some alerts, such as the AWS credentials leak, were recorded but not responded to quickly enough.

However, it would be unfair not to mention that it was the youngest team in the final. Their performance confirmed that seniority doesn't play a role when working with a complex hybrid infrastructure, and their level was comparable to professional SOC teams.


Alpha Bank: strong documentation and technical accuracy

The defenders reacted slower to the initial incident, but subsequently picked up the pace significantly. The team demonstrated very good ticket management. Each detected incident had its own record with a description of the steps taken and recommendations.

Alpha excelled at mapping vulnerabilities to specific CVEs and proposing patching measures. Devices were not held in quarantine longer than necessary, which minimised the negative impact on service availability. In some cases, they could have gone into greater depth of analysis, but overall they delivered a highly professional performance.


Bravo Bank: Consistency and team maturity

The victorious team particularly excelled in disciplined communication and the division of roles. Decisions regarding device quarantine were not made impulsively, but after a brief internal discussion and consideration of the impact on service availability. Their reactions were proportionate to the situation. They underestimated nothing, nor did they act excessively restrictively.

A strong point was the handling of cloud incidents. They were able to correctly interpret AWS events, work with IAM roles, and handle database password changes in RDS. Although some mitigations took longer, they were always backed by analysis and proposals for systemic measures. Stable team dynamics were also a significant factor. A drop in scores didn't faze them, and they maintained their pace until the end.


Guardians 2026 – Realistic training at its hardest

Training in the BinConf RANGE wargame simulator environment reflects the latest trends. Brand new infrastructure enriched with cloud services, realistic user behaviour, and more sophisticated attack scenarios have brought an even more faithful simulation of current threats.

Experiencing the reality of a cyber attack is a fundamental experience for people working in cybersecurity. Only the time pressure and the responsibility for keeping the systems running truly test the team as a whole, and reveal what it is made of.

At Guardians, contestants will experience a volume of attacks that many don't see in an entire year. They learn not only to detect and stop them, but also to correctly document them, assess their impact, and take measures that reduce the risk of recurrence. It is precisely these capabilities of security teams that determine whether an organisation can handle a real incident without fatal consequences.

The European Cybersecurity Competence Centre (ECCC) supports this project via grant agreement 101128075
