Cloud Security Office Hours Banner

Cloud CTF Challenges

Hands-on capture-the-flag challenges for AWS, Azure, GCP, Kubernetes, and AI security — from quick browser-based puzzles to full vulnerable environments you deploy yourself.

About This Collection

CTF challenges are one of the best ways to build real cloud security intuition. This page collects free and open-source challenges covering the major cloud providers, Kubernetes, identity, AI/LLM safety, CI/CD, and incident response. Difficulty ranges from beginner-friendly browser challenges to multi-stage vulnerable environments you deploy in your own cloud account.

Know of a CTF we're missing? See how to contribute or run python3 tools/submit_ctf.py.

🏆 Wiz Cloud Security Championship

A 12-month series of cloud security challenges from Wiz research, running June 2025 – May 2026. Points vary by difficulty; track your score on the Championship leaderboard.

Jun 2025 Preview

Perimeter Leak

Extract secrets from a hardened AWS data perimeter. 10 points.

CTF AWS IAM
Jul 2025 Preview

Contain Me If You Can

Escape the container and extract the flag from the host filesystem. 20 points.

CTF Containers
Aug 2025 Preview

Breaking The Barriers

Exploit OAuth and Entra ID misconfigurations to reach restricted resources. 10 points.

CTF Azure IAM
Sep 2025 Preview

Needle in a Haystack

Use recon techniques to uncover hidden infrastructure and extract sensitive data. 20 points.

CTF Recon
Oct 2025 Preview

Game of Pods

Escalate privileges in Kubernetes and capture the flag. 30 points.

CTF Kubernetes
Nov 2025 Preview

Malware Busters!

Reverse the malware and extract the flag. 10 points.

CTF Reverse Engineering
Dec 2025 Preview

State of Affairs

Exploit Terraform automation running inside a container to extract the flag. 20 points.

CTF IaC Containers
Jan 2026 Preview

Confession Booth

A "safe space" for hackers. What could go wrong? 30 points.

CTF Cloud Security
Feb 2026 Preview

Trust Issues

Investigate a breach and uncover how company data was exfiltrated. 20 points.

CTF Incident Response
Mar 2026 Preview

Happy Birthday

Celebrate S3's 20th birthday by finding the hidden present. 20 points.

CTF AWS
Apr 2026

Mystery Challenge

Details coming soon. Check the Championship portal for updates.

CTF TBA
May 2026

Mystery Challenge

Details coming soon. Check the Championship portal for updates.

CTF TBA

🧩 Wiz Standalone Challenges

Always-available Wiz CTFs outside the monthly Championship.

Preview

Wiz CTF Portal

Central hub for all Wiz CTF challenges, with leaderboards and progress tracking.

CTF Cloud Security
Preview

EKS Cluster Games

Start inside a vulnerable EKS pod; exploit misconfigurations to capture flags.

CTF AWS Kubernetes
Preview

The Big IAM Challenge

AWS IAM privilege escalation and permission boundaries. Browser-based, no AWS account.

CTF AWS IAM
Preview

K8s LAN Party

Network misconfigurations and vulnerabilities in a Kubernetes cluster, with leaderboard.

CTF Kubernetes
Preview

The Cloud Hunting Games

Incident-response CTF: investigate a suspicious breach at a fictional startup.

CTF Incident Response AWS
Preview

The Prompt Airlines AI Security Challenge

Exploit prompt injection and AI logic flaws to get a free flight from a chatbot.

CTF AI/ML

☁️ AWS CTFs

Preview

flAWS

Original six-level AWS CTF teaching common misconfigurations. Browser-based.

CTF AWS
Preview

flAWS2

Serverless-focused AWS CTF with both Attacker and Defender tracks.

CTF AWS Serverless
Preview

CloudGoat

Deliberately vulnerable AWS deployment for learning cloud penetration testing.

CTF AWS
Preview

IAM Vulnerable

31 AWS IAM privilege-escalation attack paths, deployed via Terraform.

CTF AWS IAM
Preview

CloudFoxable

Vulnerable AWS scenarios designed to be enumerated with the CloudFox tool.

CTF AWS
Preview

ServerlessGoat

OWASP project with a deliberately vulnerable AWS Lambda app.

CTF AWS Serverless
Preview

Damn Vulnerable Cloud Application

Intentionally vulnerable AWS application for learning privilege-escalation techniques.

CTF AWS

🪟 Azure CTFs

Preview

BadZure

Deliberately vulnerable Azure and Entra ID environment for learning identity attacks.

CTF Azure IAM
Preview

EntraGoat

Six vulnerable Entra ID attack-path scenarios with documented solutions.

CTF Azure IAM
Preview

CONVEX

Modular Azure CTFs you deploy into your own tenant with create/teardown scripts.

CTF Azure

🔶 GCP CTFs

Preview

Thunder CTF

GCP CTF challenges covering IAM, Compute Engine, and Cloud Functions.

CTF GCP
Preview

GCP Goat

Intentionally vulnerable GCP environment for learning GCP security.

CTF GCP
Preview

Secure Kubernetes (KubeCon NA 2019)

GCP-based Kubernetes CTF with guided workbook and bonus challenges.

CTF GCP Kubernetes

⎈ Kubernetes CTFs

Preview

OWASP EKS Goat

20+ attack-defense labs on AWS EKS covering RBAC, IAM, and pod breakouts.

CTF AWS Kubernetes
Preview

Kubernetes Goat

Interactive Kubernetes security learning platform for GKE, EKS, AKS, or local K3S.

CTF Kubernetes Multi-Cloud
Preview

Bust a Kube

Offline VMware VMs with vulnerable Kubernetes clusters for local practice.

CTF Kubernetes
Preview

Kube Security Lab

14 vulnerable Kubernetes cluster configs deployable locally via Docker + Kind.

CTF Kubernetes

🌐 Multi-Cloud CTFs

Preview

CNAPPGoat

Multi-cloud vulnerable environment for testing CNAPP capabilities across AWS/Azure/GCP.

CTF Multi-Cloud

🎯 AI, Secrets, and CI/CD CTFs

Preview

AIGoat

Deliberately vulnerable AI infrastructure for learning AI/ML security.

CTF AI/ML AWS
Preview

OWASP Wrong Secrets

40+ challenges on secrets management anti-patterns across AWS, GCP, Azure.

CTF Secrets Management Multi-Cloud
Preview

CICDont

Deliberately vulnerable CI/CD pipeline for learning DevSecOps.

CTF CI/CD

Contribute a CTF

Found a cloud CTF we haven't listed? Open a pull request or use our submission tool:

python3 tools/submit_ctf.py

See the CTF contribution guide for details on the card format, sections, tags, and the submission script.