Surface Security Phishing Bypass Challenge — DEF CON 2026
Build a phishing page that slips past our extension in production. No sandboxes, no simulations — real browser automation, real detection engine, real leaderboard.
How it works
Clone a target
Rip a copy of any Surface login portal or SSO page. Style it, host it, weaponize it — however you get it done.
Submit your URL
Drop your phishing page's URL into the dashboard. One submission, one shot.
We send a live visitor
Our browser automation visits your page with the Surface Security extension installed and active — same as a real employee.
Extension misses it? You're on the board.
If the extension doesn't catch it, the bypass is logged and your handle climbs the leaderboard.
Rules
One URL per submission. Make it count.
Your page must be publicly accessible over HTTPS. No auth walls, no localhost, no expired certs.
No credential harvesting of real users. This is a detection benchmark, not a live phishing op.
No attacking our infrastructure. Target the extension's detection, not our servers.
Submissions targeting private IPs will be rejected outright.
Prizes
Payout details are still being finalized. Every accepted bypass still earns you a permanent spot on the leaderboard — bragging rights ship now, prizes ship soon.