
The Short Version
This is my April-May cloud security update.
I am currently global #22 on the Wiz Ultimate Cloud Security Championship leaderboard with 11/12 challenges solved and 220 points. The final challenge is still pending, so the run is not complete yet. But reaching this point has already been one of the best cloud security grinds I have done.
No flags are published anywhere in my blog. The writeups focus on attack paths, root causes, and lessons.
Current Standing
| Signal | Status |
|---|---|
| Player | Vasanthadithya |
| Country | India |
| Global rank checked | #22 |
| Challenges solved | 11/12 |
| Points | 220 |
| Final challenge | Pending |
This matters to me because the championship is not one category. It moves across AWS, Azure, Kubernetes, Terraform, reverse engineering, supply chain, incident response, and web security. It is a proper test of whether I can adapt under pressure.
Challenge Progress
| # | Month | Challenge | Points | Main lesson |
|---|---|---|---|---|
| 1 | June 2025 | Perimeter Leak | 10 | AWS / Data perimeter |
| 2 | July 2025 | Contain Me If You Can | 20 | Containers / Linux / PostgreSQL |
| 3 | August 2025 | Breaking The Barriers | 10 | Azure / OAuth / Entra ID |
| 4 | September 2025 | Needle in a Haystack | 20 | OSINT / Web / Client-side security |
| 5 | October 2025 | Game of Pods | 30 | Kubernetes / Privilege escalation |
| 6 | November 2025 | Malware Busters! | 10 | Reverse engineering / Malware |
| 7 | December 2025 | State of Affairs | 20 | Terraform / IaC security |
| 8 | January 2026 | Confession Booth | 30 | Web / Race condition |
| 9 | February 2026 | Trust Issues | 20 | Incident response / Supply chain |
| 10 | March 2026 | Happy Birthday | 20 | AWS / S3 / SNS |
| 11 | April 2026 | Split Horizon | 30 | Kubernetes / Cloud networking |
The difficulty curve is visible from the shape of the tasks. The early challenges rewarded fast enumeration and cloud fundamentals. Later challenges became more layered: AWS metadata and S3 policy reasoning turned into Kubernetes overlay routing, CI supply-chain investigation, Terraform state poisoning, incident response, and reverse engineering.
What Changed In My Approach
The first few challenges rewarded sharp enumeration. Later challenges demanded more system-level thinking.
For AWS challenges, I had to keep identity and network path separate in my head. A request can have the right credentials but come from the wrong place. A service can be private but still reachable through a trusted component.
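To make the AWS point concrete, here is an added example (not code from any challenge or from AWS) that models a bucket policy with an identity layer and a network layer and evaluates them separately. It is a simplified evaluator, and the role ARNs, the endpoint ID `vpce-0example`, and the policy itself are constructed placeholders.

```python
# Added example: a simplified model of IAM-style policy evaluation, not AWS's engine.
# ARNs, the endpoint ID and the policy itself are constructed placeholders.
READER = "arn:aws:iam::111122223333:role/app-reader"
PROXY = "arn:aws:iam::111122223333:role/internal-proxy"
VPCE = "vpce-0example"

BUCKET_POLICY = {"Statement": [
    # Identity layer: which principals may read objects.
    {"Effect": "Allow", "Principal": [READER, PROXY], "Action": "s3:GetObject"},
    # Network layer: explicit deny unless the request arrives via the expected endpoint.
    {"Effect": "Deny", "Principal": "*", "Action": "s3:GetObject",
     "Condition": {"StringNotEquals": {"aws:SourceVpce": VPCE}}},
]}

def principal_matches(stmt, principal):
    return stmt["Principal"] == "*" or principal in stmt["Principal"]

def condition_matches(stmt, context):
    # A negated operator also matches when the key is absent from the request,
    # so a request that never touched a VPC endpoint still hits the deny.
    for key, value in stmt.get("Condition", {}).get("StringNotEquals", {}).items():
        if context.get(key) == value:
            return False
    return True

def evaluate(policy, principal, action, context):
    allow = deny = False
    for stmt in policy["Statement"]:
        if (stmt["Action"] == action and principal_matches(stmt, principal)
                and condition_matches(stmt, context)):
            if stmt["Effect"] == "Deny":
                deny = True
            else:
                allow = True
    # Explicit deny always wins; no matching allow is an implicit deny.
    decision = "Allow" if allow and not deny else "Deny"
    return {"allow_matched": allow, "explicit_deny": deny, "decision": decision}

# Constructed requests: (label, principal, request context)
REQUESTS = [
    ("valid role, public internet", READER, {}),
    ("valid role, via endpoint", READER, {"aws:SourceVpce": VPCE}),
    ("unknown role, via endpoint", "arn:aws:iam::111122223333:role/other", {"aws:SourceVpce": VPCE}),
    ("proxy role, via endpoint", PROXY, {"aws:SourceVpce": VPCE}),
]

if __name__ == "__main__":
    for label, principal, ctx in REQUESTS:
        print(label, evaluate(BUCKET_POLICY, principal, "s3:GetObject", ctx))
```

The first request has the right identity and is still denied by the network layer. The last one shows why a private bucket is only as closed as the components allowed to reach it, so the proxy's own inputs need the same review as the policy.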
For Kubernetes, the big lesson was that the API is not the whole cluster. Services, DNS, pod CIDRs, node metadata, kubelet paths, and overlay networks all form separate layers. If one layer blocks you, another layer may still leak enough information to continue.
For incident response and reverse engineering, the work became slower and more forensic. Instead of running one exploit, I had to understand timelines, package behavior, encrypted artifacts, config files, and protocol details.
Why I Am Writing These Notes
I want this blog to be a serious dev/security portfolio, not just a list of projects. Recruiters and security engineers should be able to see how I think:
- how I enumerate systems
- how I move from clue to hypothesis
- how I avoid leaking flags or private details
- how I explain root cause instead of only showing commands
- how I connect CTF lessons to real cloud security
The ordered writeups are available here:
Bug Bounty And Security Profile
Alongside CTF work, I am also active on bug bounty platforms:
I keep bounty metrics private here and focus the blog on methodology, proof of work, and lessons that transfer into real security engineering. One public signal I do want to keep visible: I am listed at #59 in Vercel Open Source Hall of Fame / thanks.
Waiting For The Final
At 11/12, the final challenge becomes psychological too. It is easy to rush because the belt is almost complete. But the better move is the same one that worked for the previous stamps: enumerate cleanly, validate assumptions, write notes, and avoid tunnel vision.
One challenge left.
Still learning. Still building. Still hunting.