Contest – The Vault

It doesn’t matter what it is. It matters that it’s valuable. And it’s heavily protected.

The Vault is a physical security challenge where teams race against the clock to defeat a variety of defenses, open the vault, and retrieve [REDACTED], earning points for each obstacle—though can you really win if you never learn what’s inside?

Where Is It

Find us next to the AppSec Community. You can’t miss the carnival themed games.

How to Play

You’ll play the games right at our booth, using a provided laptop.

Each game may look simple on the surface, but hidden within each game is a subtle vulnerability. Exploit it to win big.

What to Bring

Just yourself! The booth setup includes everything you need to play.

For more points you’ll want to submit a fix, and you’ll need a device to code that up.

Important Times

The AppSec Carnival runs from Tuesday afternoon to Friday morning.

The Vault is a physical security contest where teams race against the clock to defeat a series of layered defenses and ultimately breach the vault itself.

Each defeated control earns points. The better your team performs, the higher your score. Teams can complete multiple practice runs during open hours to hone their strategy and get familiar with the environment. However, each team gets only one official qualifying run—make it count. Top-scoring teams will advance to the finals, where the challenge remains the same but the pressure is significantly higher.

This contest is designed to simulate the urgency, coordination, and decision-making required in a real-world heist. The vault won’t give up its secrets easily—can your team outsmart the system and walk away victorious?

How to Play Our Contest

You’ll need a ticket to play. These may be handed out during the con or earned by engaging with various other SAINTCON communities.

Redeem your ticket at the booth to take a crack at a game.

You can return and play again if you earn more tickets—each game is standalone and has its own challenge.

Notes

This contest is designed to be fun, welcoming, and hands-on—no gatekeeping here. Whether you’re a first-time player or a seasoned security pro, there’s a game (and probably a janky plush prize) with your name on it.

Come try your luck. Cheat the system. And leave it better than you found it.

Scoring

Partial wins
small points + small prize

Exploit the game
big points + bigger prize

Submit a working fix
even more points and leaderboard climb

Helpful Skills

-Are familiar with OWASP Top 10-style vulnerabilities
(XSS, IDOR, SQLi, etc.)

-Can read and understand code
(games will be in various different languages)

-Can use an LLM

-Aren’t afraid to try weird things and fail gloriously

Frequently Asked Questions:

Is this for individuals or teams?

A: It’s an individual contest—just you and the game.

Do I need to bring a laptop?

A: Nope! It is best to use your own for submitting code fixes, but devices will be provided in case you need one.

How do I get a ticket?

A: Tickets will be floating around the con—keep an eye out at various community booths or events.

What if I’ve never hacked anything before?

A: That’s okay! You can try using ChatGPT or learning about vulnerabilities at the AppSec community. Some games can be partially beaten with a little luck and intuition. Come give it a shot and have fun.

Can I view the game code?

A: Yes! All game source code is open and available on GitHub.

How are winners decided?

A: The top three individuals with the most combined points from successful exploits and submitted fixes will win final prizes.