All Games49 games

Read the scenario — only owner should write, group can read. Pick the correct chmod value before the clock runs out.

HTTP response headers appear. One is misconfigured — missing HttpOnly, CSP wildcard, public cache on private data. Click it.

Read the TLS certificate — subject, SAN, issuer, dates. Is it valid, expired, wrong hostname, self-signed, or untrusted CA?

A wall of server logs appears. One line hides an attack — SQL injection, XSS probe, brute force, path traversal, recon. Find it.

MD5, AES-256, RC4, SHA-3, DES — Secure, Deprecated, or Broken? 10 algorithms, no timer. Learn your cryptography.

A breach alert fires. Triage the indicators, identify the attack vector, contain the threat, and write the post-mortem — against the clock.

Match famous vulnerabilities to their year and CVSS score — Heartbleed, Log4Shell, Shellshock, EternalBlue, and more.

Real email or phishing attack? Read the message, click suspicious elements for bonus points, then decide before time runs out.

5 levels of encoded messages — ROT13, Caesar cipher, Atbash, reversed words, Base64. Decode each one with fewer attempts for more points.

Real code snippets with real vulnerabilities. Click the vulnerable line — SQL injection, XSS, hardcoded secrets, path traversal, and more.

5 rounds. Each JWT has a different vulnerability — alg:none, weak secret, expired claim. Identify and exploit them before time runs out.

Decode Base64 clues, crack a hash, decrypt AES ciphertext, forge a JWT, and read the final secret. Escape as fast as you can.

Find vulnerabilities in code snippets before time runs out — XSS, SQL injection, hardcoded secrets, and more.

Allow legitimate traffic, block attacks. Identify port scans, SQL injection payloads, and brute force attempts in real-time.

Break increasingly harder ciphers — ROT13, Caesar, substitution, XOR, and RSA with tiny primes.

Social engineer a helpdesk to extract sensitive info. Learn attack techniques by playing the attacker — then study the defenses.

Reconstruct attack timelines — arrange security events in chronological order across phishing, ransomware, and insider threat scenarios.

Classify file samples as trojan, ransomware, worm, adware, or clean based on behavior and network indicators.

Escalate from low-privilege user to root. Exploit SUID binaries, cron jobs, sudo misconfigs, and kernel vulns.

Read nmap scan results, identify services, and spot vulnerabilities — exposed databases, open SMB, Redis without auth.

Rapid-fire security questions — ports, protocols, CVEs, encryption types, OWASP categories. 15 seconds per question.

Decode Base64, URL-encoded, hex, and double-encoded attack payloads. Identify the attack type hiding inside.

Security tools flash on screen — Metasploit, Wireshark, Burp, Snort. Classify each as offensive or defensive. Fast.

Port number appears — identify the service. SSH, HTTP, MySQL, PostgreSQL, Redis, MongoDB, and more.

Status code flashes — pick the meaning. 200, 301, 403, 404, 418, 429, 500, 503. How many can you get?

Write regex patterns to block SQL injection, XSS, and path traversal — without blocking legitimate input.

XSS, CSRF, SAST, DAST, RBAC, MFA, WAF, IDS, SIEM, SOC — expand them all before time runs out.

AES, RSA, SHA-256, HMAC, ECC, bcrypt — classify each as symmetric, asymmetric, hashing, or MAC.

Crack hashes from MD5 to Argon2. See why MD5 falls instantly while bcrypt takes years. Pick the right password.

Rate vulnerabilities by CVSS severity — Low, Medium, High, or Critical.

Parse server logs, click the attack line, identify the technique.

Classify network packets — normal traffic, recon, exploit, exfiltration, or C2.

Build correct CSP and CORS headers for each scenario before time runs out.

Identify real threats in architecture diagrams — STRIDE methodology.

A hash appears — is it MD5, SHA-1, SHA-256, bcrypt, or Argon2? Identify fast.

Match famous CVEs to affected software — Heartbleed, Log4Shell, EternalBlue.

Vulnerable code appears — pick the correct fix from 3 options.

Classify vulnerabilities into OWASP Top 10 categories as fast as you can.

Decode multi-layered encodings — Base64 inside URL-encode inside hex. Peel the layers.

Attacks come in — pick the right mitigation: rate limit, WAF rule, SYN cookies, fail2ban.

GDPR, SOC2, PCI-DSS, HIPAA — rapid-fire compliance questions.

Ciphertext sample appears — identify: AES-CBC, ChaCha20, RSA, DES, or ROT13.

Advanced phishing emails — spear phishing, whaling, BEC. Spot them all.

Security scenario appears — type or select the right Linux command to handle it.

Find vulnerabilities in API request/response pairs — IDOR, auth bypass, data exposure.

Analyze process lists — find the malware hiding among legitimate processes.

Analyze DNS records — find missing SPF, dangling CNAMEs, and open resolvers.

Code files flash on screen — find leaked API keys, tokens, and secrets fast.

Pick your category and difficulty. Higher stakes = more points — but one wrong answer costs you.