The Return of Hot Dogs and Hacking, with a side of Shadow Health

The grills were sizzling, and so were the exploits, at the highly anticipated return of Hot Dogs and Hacking. Presented by OWASP DC and supported by a global network of dedicated Cyber Rangers, the event delivered more than just hands-on training. It sparked spirited competition, fostered meaningful conversations, and united participants around a common goal: tackling real-world security challenges through immersive, engaging experiences

This wasn’t just another virtual training session. It was a chance for cybersecurity professionals, students, and curious newcomers to dive headfirst into a vulnerable environment designed to simulate one of the most targeted and fragile sectors in the digital world: healthcare. And it delivered on all fronts.

The Healthcare Sector Takes Center Stage

This year’s cyber range event focused on the healthcare sector, one of the most frequently targeted industries for ransomware attacks. Not only is medical data valuable, the stakes are high - making the industry particularly vulnerable. When healthcare systems go down, it’s not just business continuity that suffers, it’s patient care, safety, and trust.

Participants stepped into Shadow Health, a simulated healthcare web application designed to imitate the complex and flawed environments of real-world systems, including exposed patient data, insecure business logic, and secrets buried in places like image metadata.

From the very first click, it became clear: this wasn’t just about capturing flags. This was about understanding how everyday vulnerabilities can escalate into full-blown security incidents. The realistic environment was chaotic in all the right ways, providing a high-intensity blend of exploration, technical challenge, and security storytelling.

Real Risks, Real Lessons

At the core of the experience was the Shadow Health platform, a purpose-built, intentionally vulnerable environment designed to reflect common misconfigurations and security gaps in actual healthcare systems. This wasn’t limited to basic security issues. While participants encountered well-known threats like Cross-Site Scripting (XSS) and SQL Injection, the range went much deeper.

Players had the opportunity to exploit misconfigured APIs, unravel flawed authorization logic, and manipulate business logic paths to achieve outcomes like rewriting prescriptions, exposing staff and patient data, and even executing phishing attacks. Every action connected technical skills to real-world consequences.

This immersive environment was powered in part by the “nefarious” Illumistrami hacking collective, and the crwd-ctrl generals, CMD+CTRL’s automated guidance system. They offered guided nudges to participants who needed help, striking a perfect balance between structured instruction and open-ended challenge. Whether you were a seasoned penetration tester or a first-time participant, the Shadow Health range offered you a path forward.

But while the hacking exercises were fun, they also provided practical lessons. Every simulated exploit was grounded in real-world context. During the event, proctors shared case studies of attacks that cost hospitals over $600 million, as well as incidents where healthcare networks were offline for weeks, delaying surgeries, compromising care, and putting lives at risk.

It’s one thing to only see security through the lens of compliance or risk reports, but the Shadow Health cyber range made it personal. By the end of the night, participants walked away not just with a score on the leaderboard, but with a deeper understanding of what’s at stake when systems fail.

Early Access, High Scores, and Community Moments

As a surprise bonus, members of the CMD+CTRL Slack Community received early access to the range before the official start of the event. That head start led to some impressive (and entertaining) results.

• Tempest led the charge, racking up over 5,000 points before the event even began. They went on to solve 27 of the 45 available challenges, finishing with a commanding 7,350 points and securing the top spot on the leaderboard.
• ElleF made waves on the scoreboard but left an even bigger impression with a story shared during the event, a personal, slightly embarrassing moment that reminded everyone: even seasoned professionals can overlook simple flaws. It was a great example of leadership through vulnerability and helped reinforce the night’s lessons.
• THolmes, a first-time participant, surprised everyone with a Top 5 finish, showing that curiosity and a willingness to learn often outweigh experience. It was a standout moment that reminded us why we host these events, to create entry points for future cybersecurity leaders.
• And, of course, the “Handle of the Night” went to hummusMaster4141, whose username caught the attention (and admiration) of the event proctor, known for his love of smashed, seasoned chickpeas. While the hummus may not have been real, the impact was. These fun touches help build community and make each event memorable.

Beyond the points and handles, what stood out most was the level of collaboration. Participants helped each other, shared insights, and reflected on the broader implications of what they were learning. The Slack community stayed active well into the night, with players continuing to test out attacks and explore the platform long after the main session ended.

Not Just a Summer Fling

While Hot Dogs and Hacking was a one-night event, it’s part of something much bigger: the Summer of Cyber Ranges, a season-long series of interactive, hands-on training events hosted by CMD+CTRL.

Each cyber range is designed to tackle a different industry, platform or configuration, providing fresh challenges and relevant scenarios for learners at every level. Whether you’re brushing up on fundamentals or trying to stay sharp in a fast-changing threat environment, there’s something in this series for you.

Upcoming Highlights Include:

• Finance and Fraud Scenarios – Explore the vulnerabilities that power modern financial threats.
• Cloud Misconfigurations – Navigate the dangers of improperly secured cloud infrastructure and identity overreach.

Each event is open to individuals and teams, and designed to scale with your experience level. Even better, they’re designed to be fun. Because let’s face it, cybersecurity is serious work, but learning doesn’t have to be dry.

Acknowledgements and What’s Next

A huge thank you to OWASP DC for graciously hosting and supporting this event. Their commitment to education, community building, and secure development continues to raise the bar for local chapters and professional groups across the country.

If you’re in the DMV area, don’t miss the chance to connect with OWASP members at upcoming meetups, and be sure to mark your calendar for OWASP 2025 Global AppSec USA, taking place this November in Washington, D.C.

And if you’re eager to keep hacking, learning, and leveling up your skills, we’ve got you covered. Register now for the next Summer of Cyber Ranges event for free hands-on training.

Stay in the Loop!

• Follow CMD+CTRL on LinkedIn for updates and insights
• Join our Community Slack to connect with other learners and professionals
• Visit our website to learn more and explore resources
• Register for the Great British Hack Off on August 14th at 1 pm ET to test your skills against your mates across the pond.

Until then: patch your systems, check your EXIF data, and be careful where you click, especially if you're using a healthcare app.

Happy Hacking!