
Building a Backdoor
Velodraft Systems runs its release pipeline on a self-hosted TeamCity server that was left accessible from the internet on an unpatched build. An attacker exploited an authentication-bypass flaw to create a rogue administrator without credentials, harvested stored VCS secrets and cloud keys, then planted a malicious build step in the production release pipeline. When the next scheduled build fired, both CI build agents pulled and executed an implant that beaconed out to an attacker-controlled domain. Reconstruct the intrusion chain from the TeamCity audit trail and the build-agent XDR data.
Launches in 5 days
Tuesday, July 14, 2026 at 9:00 AM
Pro unlocks this operation at launch.
Training Tools
What you'll investigate
7 objectives unlock when this operation goes live.
Be first when it launches
Create your account and grab Pro before launch. The moment this operation goes live on Jul 14, 2026, you can jump straight in.
Get Started FreeNo credit card required — free forever