Varonis Launches Free Entra ID Training Game to Teach Cloud Identity Attacks

Breach at the Beach is a browser-based challenge that walks defenders through the kind of Microsoft Entra ID attacks Varonis researchers say they see in real customer environments.

ThreatVectr Newsdesk· 4 min read
Photoreal editorial shot of a sunlit tropical beach at golden hour with a laptop open on a wooden table in the foreground, screen glowing with abstract blue log
Share

Key points

  • Varonis Threat Labs released a free online training challenge called Breach at the Beach in 2026, focused on attacks against Microsoft Entra ID, the identity system that controls who can log in to a company's cloud apps.
  • Each of the four stages earns players one CPE credit, a professional training credit recognised by security certification bodies, plus a certificate at the end.
  • Researchers Doron Kapah and Mark Vaitsman say every scenario is based on real attacks they have investigated, not made-up examples.
  • The challenge will run in person at Black Hat USA (August 3 to 6, 2026) and DEF CON 34 (August 6 to 9, 2026) in Las Vegas.
  • Players who finish online or on site by August 6 are entered into a draw for a $2,000 Marriott gift card.

Varonis has published a free browser-based training game aimed at teaching defenders how attacks against Microsoft Entra ID actually unfold.

Entra ID is Microsoft's cloud identity service. It decides who gets to sign in to company email, files, and business apps. If an attacker takes it over, they can move almost anywhere.

The game is called Breach at the Beach. Players follow a cartoon cat named Pixel through a fictional intrusion, working from raw log data to figure out what the attacker stole.

What is this training actually trying to teach?

It teaches defenders to spot attacks that abuse features working exactly as designed, rather than obvious misconfigurations.

That matters because most Entra ID break-ins do not involve a broken setting. They involve an attacker using a real, legitimate feature in a way the company never intended. Spotting that is much harder than finding a checkbox someone forgot to tick.

The two researchers behind it, Doron Kapah and Mark Vaitsman of Varonis Threat Labs, say the scenarios come from real cases they worked on for customers.

One focus is what the industry calls non-human identities. In plain English, these are logins that belong to software, not people: automated scripts, connectors between apps, and AI assistants that act on a user's behalf. Companies now have far more of these than they have staff.

"In today's AI era, a lot of identities are non-human identities," Vaitsman said. "If there is a compromise in Entra, a threat actor can pivot themselves into a non-human identity, and it can quickly turn into a stealthy and scalable data exfiltration attempt."

Translation: once an attacker is inside, they can hop from a human account onto one of these machine accounts and quietly pull data out at scale, because nobody is watching a script the way they watch a person.

How the challenge works

Players get access to a simulated environment and have to sift through Entra ID audit logs, the records of who did what and when, to reconstruct an attack. The logs are deliberately noisy, mimicking what a real analyst sees on a Monday morning.

The designers also blocked one modern shortcut. They built the puzzles so that pasting them into a large language model, meaning an AI chatbot like ChatGPT, will not spit out the answer. Kapah and Vaitsman say they want players to actually learn the technique, not speed-run it with AI help.

There are four stages. Each finished stage awards one CPE credit and a themed badge. Finishing all four gets you a certificate you can post on LinkedIn. Anyone chasing CPE credits needs to register with a working email address.

The game is free at breachatthebeach.com. BleepingComputer noted the release as a sponsored launch from Varonis.

Who is it aimed at?

Both offensive testers (red teamers, who simulate attacks) and defenders (blue teamers, who stop them). Kapah says it is also useful for CISOs and threat intelligence staff who rarely touch Entra audit logs day to day but need to understand what their teams are looking at.

Varonis will run the challenge in person at Black Hat USA at booth 2948 from August 3 to 6, and at the Cloud Village at DEF CON 34 from August 6 to 9. Players who complete it online or in person by August 6 go into a draw for a $2,000 Marriott gift card.

© 2026 Threat Vectr