BSides Luxembourg had a two-hour Capture the Flag workshop and I will be honest — I walked in not knowing what to expect and walked out genuinely excited.

The workshop was called Cloud & AI Security Capture the Flag. The setup was simple in theory. An attack had happened. Our job was to figure out how.

The Attack Chain

An attacker gets into an AI application's front end. From there they start manipulating API calls — probing, testing, pushing the boundaries of what the application lets them do. Then they drop into a shell. From that shell they escalate access, move laterally, and eventually run another shell to do the one thing every attacker is actually after — exfiltrate data straight out of an S3 bucket in the cloud.

It sounds like a lot when you read it like that. In practice it looked like a series of questions on a screen, and somewhere inside the WIZ tool were all the answers.

The Tool

The part I did not expect: the tool had everything. Threat intelligence, API call logs, cloud activity, the full picture of what happened and when. The questions were designed to walk you through the kill chain step by step. You had to find the evidence, connect the dots, and reconstruct the attack from the inside out.

I approached it like a treasure hunt. Each answer unlocked the next piece. Each piece made the attack make more sense. By the end of two hours I had gone from zero familiarity with the tool to actually understanding how a real cloud AI attack unfolds — not in theory, in logs.

A quick note on WIZ

WIZ is a cloud and AI security platform that connects code, cloud, and runtime into a single security graph. It gives visibility across your entire cloud stack (misconfigurations, vulnerabilities, identities, API activity, threat detections) in one place, without agents, connecting via API in minutes. It was acquired by Google Cloud in March 2026 for $32 billion. It is worth exploring at wiz.io.

What Made This Format Work

For anyone in cloud security or GRC who has not seen WIZ in action, the CTF format was honestly the best possible introduction. It turns what could be a dry forensic exercise into something you can actually follow, investigate, and learn from in real time. You are not being told what happened. You are finding it yourself.

Two hours. One attack chain. Fully reconstructed. That is a good workshop.