Session

Hunting Cryptojackers in the Multicloud: AWS, Azure, and GCP

In this live incident response simulation, the audience will be randomly divided into three teams, each representing a cloud environment: AWS, Azure, or GCP. Each team receives a curated breach scenario reconstructed from anonymized real-world cryptomining activity. Datasets include IAM traces, billing anomalies, container workload artifacts, and intentionally misleading signals to simulate realistic investigation challenges.

The objective: be the first team to correctly identify the cloud resource — an EC2 instance, GKE pod, or AKS container group — responsible for unauthorized cryptocurrency mining.
No vendor tooling, no product demo — just a hands-on exercise focused on attacker behavior in cloud-native environments.

This session is a practical, time-limited investigation focused on identifying differences in visibility, telemetry, and detection across AWS, Azure, and GCP. Each team works with real-world logs, connects observed behaviors, and supports their findings with evidence.

Adelia Ibragimova

Detection & Response | Cloud IR | AWS / GCP / Azure

Fairfax, Virginia, United States
