WEBVERSE

The Labs

Every lab is a fully realized fictional company. Multiple services, real defenses, real exploit chains. Pick your difficulty.

Showing 1–9 of 21 labs
Parcel
easy

GridMark is an Austin-based property listing startup that launched in 2023. The platform lets home buyers browse, search, and save listings across the city. A recent internal audit flagged part of the platform as "needs review" — but the ticket was never prioritised. Meanwhile, the ops team has been taking shortcuts to make their lives easier. You've been brought in for a black-box assessment. The application looks clean on the surface. Dig deeper.

DocketHive
easy

DocketHive is a Portland-based event ticketing SaaS. You've been handed a scope document and told to take a look at their platform before it goes to a wider audience. Create an account and start exploring.

Intertie
hard

VoltLatch is a Denver-based electric utility grid operations SaaS provider supporting substations across the western US. Their internet-facing stack spans four subdomains: an operations dashboard, a GraphQL data API, a field meter management portal, and a dispatch coordination system. You have been engaged to assess their external attack surface. Start at app.voltlatch.io and chain every weakness you find until you reach the NERC CIP audit result cached in the dispatch backend.

Swatch
easy

RenderParlor is an Austin-based startup building SaaS tools for architectural visualization studios. Their platform lets designers manage projects and deliver rendered images directly to clients. A pentest engagement has revealed concerns about their API — specifically how project data is accessed. Your job is to investigate whether any client project data can be accessed without authorization.

Fixture
medium

ScoutLens is an Amsterdam-based sports analytics SaaS used by professional clubs across Europe. Their platform spans a scouting portal, a developer API, a PDF reporting service, and an internal analytics backend. You have been granted a standard analyst account for a security review. Dig into the platform and see how far a legitimate user can reach — across services, databases, and internal infrastructure.

Role Riptide
easy

RoleRiptide is a role-based workflow tool used by professional services teams to manage engagements, approvals, and client deliverables. An account manager claims they briefly saw a client record they shouldn't have access to, then it disappeared. The team suspects a subtle authorization edge case rather than an obvious breach. Your task is to audit the app from the outside, confirm whether cross-role visibility is possible, and demonstrate the maximum impact if the issue is exploitable.

Zipline
medium

Zipline is a document exchange portal used by a small law firm to deliver case files to clients and external counsel. A client alleges they accessed another party's documents without intending to, which triggered an internal compliance panic. The firm needs a definitive answer on whether the portal can leak data across cases or users. You've been brought in to test the portal's access boundaries, validate the claim, and determine how far an attacker could go if the weakness is real.

Tricky Tunnels
easy

TrickyTunnels provides a tunneling service that developers use to expose local apps for demos and integration testing. A customer discovered configuration artifacts being shared publicly and the company is worried that diagnostic tooling might be exposed. You've been hired to evaluate the platform's web surface and any supporting services that power provisioning and status reporting. The goal is to show what an attacker could enumerate or control, and to produce evidence the engineers can use to harden the system.

Token Tomb
easy

TokenTomb is an operations console used by a payments startup to manage refunds, disputes, and automated settlement jobs. Following a routine credential rotation, the team noticed "impossible" activity in their audit logs — actions that don't match the roles of the users who performed them. They suspect token handling and session logic may be at fault. Your objective is to investigate the console as an external attacker and determine whether privileged actions or protected resources can be reached through auth and session edge cases.