Skip to main content
So you've been hacked?

Brought to you by 

So you’ve been hacked? –
A Blue Team Battle

Welcome to So You’ve Been Hacked?, a SAINTCON’s blue team contest. In this unique challenge, you will step into the shoes of a corporate security team facing a nightmare scenario: a critical alert indicating a critical developer’s laptop has been compromised during routine development work. With the clock ticking and the pressure on, your mission is to navigate through the incident response process to halt the breach, investigate the attack vector, and ensure the integrity of your build environment before irreversible damage is done, all while trying to help the C-Suite understand what’s happening. 

Everything you need to know…


Participants will be handed an unlocked Windows laptop, simulating a real-world developer’s machine that has been flagged by EDR tools as compromised. This laptop is actively involved in developing code that’s being deployed to a ci-cd pipline environment. It won’t be long before a threat actor actions, so your task is to identify and neutralize the threat, recover the stolen keys, and secure the development environment against a looming ransomware threat orchestrated by the adversary.

What to Bring

  • Your Toolkit: Forensic and incident response tools will be pivotal in your success.
  • A Sharp Mind: The ability to think critically under pressure will be your best tool.

Skills Needed

  • Incident Response: Experience in responding to and managing cybersecurity incidents.
  • Forensic Analysis: Skills in analyzing and understanding the footprint left by attackers.
  • Network Security: Understanding of how to secure network communications and identify malicious traffic.
  • System Administration: Familiarity with Windows environments, CI/CD pipelines, and basic scripting will be advantageous.

Extra Info

Integration with Other Contests: For an added twist, we are coordinating with The Keep and Hacker’s Challenge to provide a dual perspective on the scenario, allowing for a richer learning experience.

Preparation: Brush up on your knowledge of common Windows vulnerabilities, Jenkins, cloud environments, VS Code, and incident response protocols. Familiarity with these areas will serve you well in the contest.

Networking Opportunity: This contest is not only a competition but also a fantastic way to meet and learn from fellow cybersecurity professionals. Don’t miss out on this chance to expand your network!

We can’t wait to see how you tackle “”So You’ve Been Hacked?””. Get ready to test your skills, learn a ton, and maybe, just maybe, save the day. See you at SAINTCON!”


Do I need to be an expert in cybersecurity to participate?

While having a background in cybersecurity will certainly help, the contest is designed to accommodate various skill levels. We encourage participants who are eager to learn and apply their knowledge in a hands-on environment.

Can I participate as a team?

Yes, teamwork is encouraged required! Teams  consist of up to a minimum of three members. Collaboration will be key to navigating the challenges you will face.

What if I identify a vulnerability not related to the scenario?

We focus on the specific scenario provided, but identifying additional vulnerabilities is always appreciated and may earn you extra points for thoroughness.

How will the contest be judged?

Judges will evaluate teams based on their effectiveness in identifying and stopping the breach, the comprehensiveness of their incident response, and the accuracy of their final report detailing the incident and their response actions.


  1. Eligibility: The contest is open to all SAINTCON attendees. Due to a limited number of laptops, teams must consist of a minimum of three members. No individual participants or teams smaller than three will be accommodated.
  2. Registration: Teams must register for the contest by the end of the day on Tuesday. The contest will have a maximum of 20 teams due to the limited number of available laptops.
  3. Contest Schedule:
    Laptop Pickup: Wednesday at 9 AM. All teams start simultaneously.
    Contest Duration: Teams have until Thursday at 5 PM to work on the laptops.
    Report Submission: The final report is due by 7 AM on Friday.
  4. Tools and Conduct: Participants may use any legal, ethical, and non-destructive tools and techniques. Any actions that could damage equipment, the network, or the fair competition between teams are strictly prohibited.
  5. Internet Connection: The provided laptops must maintain an active internet connection overnight to simulate a real-world scenario accurately.
  6. Reporting: Teams are required to submit reports to the executive team every 4 hours from 9 AM to 5 PM. The ability to clearly and concisely communicate findings, actions taken, and recommendations to executive leadership is crucial.
  7. Documentation: The final incident report must document the breach’s identification, analysis, containment, eradication, and recovery processes. This report should be prepared with an executive audience in mind, focusing on business impacts and strategic recommendations.
  8. Ethics and Confidentiality: All participants are expected to adhere to the highest standards of ethical conduct and confidentiality. Sharing detailed findings, vulnerabilities, or exploits with those outside the contest is not permitted.
  9. Laptop Return: All laptops must be returned by the 5 PM deadline on Thursday to ensure fairness and allow for the preparation of the final judging.

Hours of Operation

  • Monday
    Expo Closed Monday
  • Tuesday
    Noon – 5:00p
  • Wednesday
    9:00a – 5:00p
  • Thursday
    9:00a – 5:00p
  • Friday
    9:00a – 11:00a