Gamified threat hunting project - find flaws, earn glory

Project description:

This interactive programme transforms vulnerability reporting into an engaging team sport. Through bug bounty simulations, capture-the-flag challenges, and friendly competition, employees will develop threat-hunting skills while improving organisational security. No prior expertise required - just curiosity and competitive spirit.

This project description is open source. Feel free to use it.


Project structure

Duration: 4-week programme (1-2 hours weekly engagement)

Format: Blended (self-paced challenges + live team events)

Audience: All employees, with separate tracks for technical and non-technical staff


Weekly schedule

Week 1: threat hunting basics

  • Introduction to vulnerability types (web, mobile, physical, social)

  • How bug bounty programmes work (e.g., HackerOne, Bugcrowd)

  • Activity: “spot the flaw” - analyse mock systems for obvious vulnerabilities

Week 2: the hunter toolkit

  • Basic tools for technical staff (Burp Suite, Nmap walkthroughs)

  • Non-technical hunting (social engineering recognition, physical security checks)

  • Challenge: “first blood” - first person to report a planted vulnerability wins

Week 3: live team competition

  • Capture-the-flag challenge with realistic corporate environment simulation

  • Special categories: most creative find, best documentation, quickest response

Week 4: red team vs blue team showcase

  • Optional exercise based on the 2022 Uber breach (misuse of an external contractor's credentials)

  • Awards ceremony with “security champion” certificates


Resources required

  • Vulnerable by design applications (e.g., OWASP Juice Shop)

  • Mock corporate environment (test instance of internal tools with planted flaws)

  • Reporting portal for submissions (can use modified ticketing system)

  • Cheat sheets for common vulnerability types

  • Physical security checklist cards


Key activities

  1. “Vulnerability bingo”

    • Participants receive cards with different flaw types to discover (e.g., XSS, misconfigured permissions, phishing email)

    • First to complete a line wins

  2. Red team vs blue team exercise

    • Based on 2023 LastPass phishing attack

    • Red team attempts to plant fake credentials in mock systems

    • Blue team hunts for and reports these implants

  3. “Report like a pro” challenge

    • Teams compete to write the most effective vulnerability report

    • Judged on clarity, reproducibility and risk assessment


Rewards system

  • Digital badges for different achievement levels

  • “Security champion” certificates for top performers

  • Leaderboard showing most valuable finds

  • Non-monetary rewards (e.g., security-themed merchandise)


Implementation notes

  • For technical staff: Focus on code review and system testing

  • For non-technical staff: Emphasise physical and social engineering finds

  • Ensure all activities occur in test environments only

  • Include “responsible disclosure” training component

This project proves security can be both serious and fun, with every participant becoming an extra layer of defence.

Methodology inspired by Google’s Vulnerability Reward Program and Pwn2Own competitions.


Last update: 2025-06-08 13:05