Featured track

Human Factor: deep dive

No exploit needed, just a convincing story. The Human Factor is where you learn to breach a system by breaching its people.

Every lock has a key. Every key has a person. In The Human Factor, you follow the money trail from Bits n Bites into Banco Maximus, a bank that markets itself as a security-paranoid fintech but places its trust in its staff. Your attack surface is not code, it is habit, ambition, and the basic human need to be helpful. You will run open-source reconnaissance, build target dossiers, craft tailored lures, and execute a full social-engineering campaign that blends classic pretexting with modern techniques like supply chain analysis and AI prompt injection.

Why it matters

The 2020 Twitter hack, in which attackers social-engineered employees via phone calls to gain admin access to accounts belonging to Barack Obama, Elon Musk, and Joe Biden, was not a code vulnerability. It was a people vulnerability. No firewall, no WAF, no SIEM stopped it. In 2018, the event-stream npm package was compromised with a targeted backdoor that reached millions of installations before anyone noticed. Today, AI-powered email assistants introduce a new attack surface: prompt injection payloads hidden in ordinary-looking messages that trick the model into leaking data it was designed to protect. Social engineering remains the most common initial access vector in real breaches precisely because it bypasses every technical control. The Human Factor combines OSINT, supply chain analysis, document weaponisation, and AI prompt injection into a single campaign because that is how modern attacks actually work. Understanding how attackers build and exploit trust across all of these surfaces is no longer optional for developers. It is the gap between a team that ships code and a team that ships security.

What you'll practice

The mission is Banco Maximus, a target that believes its technical stack makes it impenetrable. It does not. Your job is to become a recruiter, a colleague, a voice they want to trust.

You start with open-source intelligence: scraping the Banco Maximus website for org structure, extracting employee names from PDF metadata, and profiling three targets across GitHub, Mastodon, DeviantArt, and Medium. Once your dossiers are complete, you craft a three-message outreach campaign that an AI judge evaluates for psychological effectiveness, and then choose which employee to target.

Mike is the technical path. You analyse a malicious npm package hidden in a software bill of materials, build a convincing phishing lure, and harvest CI/CD pipeline tokens. Aisha is the weaponisation path. You build a macro-enabled document that chains URLDownloadToFile into WinExec, craft the pretext that convinces her to enable macros, and then implement hybrid AES-256 and RSA encryption to lock the exfiltrated data. Koen is the long game. You create geo-tracking links masked behind Calendly invites, cross-reference IP geolocation with known office locations, and craft prompt injection hidden in 1px white text that hijacks an AI email assistant into leaking credentials.

Every path ends with a choice that tests how far you are willing to push an operation. Three paths, two endings each, six outcomes in total.

Challenges

Three targets. Three paths. Six endings.

Build a full social engineering campaign from OSINT to execution. Every path uses different real-world techniques, and every path ends with a choice that changes the outcome.

16 challenges3 branching paths6 possible endings

Scrape the Banco Maximus website for org structure, extract employee names from PDF metadata using tools like `exiftool`, and build dossiers by cross-referencing GitHub repos, Mastodon posts, DeviantArt portfolios, and Medium articles. This is how real red teams map a target before a single email is sent.

Analyse a software bill of materials, identify a malicious npm package hidden in the dependency tree, and trace its redirect infrastructure. Then harvest CI/CD job tokens from the compromised developer's pipeline. Inspired by the `event-stream` (2018) and `ua-parser-js` (2021) supply chain attacks that hit millions of downloads.

Build a macro-enabled document that calls `URLDownloadToFile` and `WinExec` on open. Craft the social engineering pretext that convinces your target to enable macros. Then implement hybrid AES-256 and RSA encryption for the exfiltrated data, the same key management scheme used by modern ransomware families like LockBit and Conti.

Create geo-tracking links masked behind Calendly invites using services like Grabify. Cross-reference IP geolocation with known office locations. Then craft a prompt injection payload hidden in 1px white text inside a business email that manipulates an AI email assistant into leaking credentials to an attacker-controlled mailbox. This is the bleeding edge of social engineering.

Attack chain

OSINT recon

Scrape the Banco Maximus website for org structure, extract employee names from PDF metadata the company forgot to scrub, and profile three targets.

Outreach campaign

Craft a three-message outreach strategy for psychological effectiveness. Each message must use personal details from your dossiers to hook the target with a dream job offer they cannot ignore.

Choose your target

Select one of three employees: Mike (technical, supply chain compromise), Aisha (document weaponisation and ransomware-grade encryption), or Koen (long-game social engineering with AI prompt injection). Each path uses fundamentally different attack techniques.

Execute the attack

One of the targets requires the creation of geo-tracking links masked behind invites, cross-reference IP geolocation with office locations, and craft prompt injection hidden in 1px white text that hijacks an AI email assistant.

Final choice

Each path branches into two endings, six in total. Crash a CI/CD pipeline or watch from the shadows. Lock files with encryption or demand a ransom. Leak data publicly or recruit an insider. How far you go is up to you.

OWASP Top 10 (2025) coverage

A03Software Supply Chain Failures

Analyse a software bill of materials to identify a malicious npm package with embedded redirect infrastructure, mirroring attacks like event-stream (2018) and ua-parser-js (2021).
Harvest CI/CD job tokens from a compromised developer's pipeline configuration to gain persistent access to the build system.

A05Injection

Build macro-based payloads that call URLDownloadToFile and WinExec to download and execute remote binaries when a target opens a laced document.
Craft prompt injection payloads hidden in 1px white text that manipulate AI-powered email assistants into forwarding credentials and personal data to an attacker-controlled mailbox.

A06Insecure Design

Extract employee names and roles from PDF metadata that the organisation forgot to scrub before publishing.
Create geo-tracking links masked behind legitimate Calendly invites and cross-reference IP geolocation with known office locations to map a target's physical environment.