DEF CON 2026 · Live CTF

Surface Security Phishing Bypass Challenge — DEF CON 2026

Build a phishing page that slips past our extension in production. No sandboxes, no simulations — real browser automation, real detection engine, real leaderboard.

How it works

  1. Clone a target

    Rip a copy of any Surface login portal or SSO page. Style it, host it, weaponize it — however you get it done.

  2. Submit your URL

    Drop your phishing page's URL into the dashboard. One submission, one shot.

  3. We send a live visitor

    Our browser automation visits your page with the Surface Security extension installed and active — same as a real employee.

  4. Extension misses it? You're on the board.

    If the extension doesn't catch it, the bypass is logged and your handle climbs the leaderboard.

Rules

One URL per submission. Make it count.

Your page must be publicly accessible over HTTPS. No auth walls, no localhost, no expired certs.

No credential harvesting of real users. This is a detection benchmark, not a live phishing op.

No attacking our infrastructure. Target the extension's detection, not our servers.

Submissions targeting private IPs will be rejected outright.

Prizes

Prizes — TBA

Payout details are still being finalized. Every accepted bypass still earns you a permanent spot on the leaderboard — bragging rights ship now, prizes ship soon.

Ready to try to slip one past us?