Boss of the SOC V at .conf20

BREAKING NEWS: Register for BOSS OF THE SOC at .conf20 HERE

TL;DR Even a pandemic doesn’t stop Boss of the SOC (BOTS). We will be going globally virtual for .conf20 on Monday, October 19th. New datasets, new questions, and a whole new world. And it's FREE!! FREE FREEE FREE TO PLAY! FREE LIKE BEER (NA or 10%), NOT LIKE PUPPIES! FREE!

For the fifth year, we will be bringing you BOTS at .conf. Sadly, we can’t be in person to shame people for MIFI, but don’t worry – we still plan to make it exciting. You will once again be roleplaying as Alice Bluebird, our plucky defender of Frothly. This year has been just as strange for Alice and Frothly as it has been for you, and our BOTS data reflects that. We have everything from a (BOTS) traditional APT scenario to robotic toads to Zoom data to James Brodsky-esqe steganography (it can’t be a CTF without some steganography).

Now some of you may be wondering “in a virtual world how will this all work?” Well, let me put your minds to ease. Over 24 hours we will be running 3 individual 4-hour blocks of BOTS. Customers from places as diverse as Australia, Austria, and Alberta will be able to compete against each other. We are hoping for THOUSANDS of you (so don’t let us down). Just like .conf20, this is a free event! Just register for .conf and mark that you are interested in Boss of the SOC. We will be opening up unlimited* registration for BOTS itself in mid-September. If you registered for .conf and expressed interest, you’ll get an email. Otherwise look for tweets, telegraphs, and hypnotoads passing the information! No matter what you will need to register for .conf20, but we will make sure that happens (no reg, no play).

No matter where you are in the world, markdown October 19th as the date to play the world’s largest Boss of the SOC!

So What is “BOTS”?

Boss of the SOC (otherwise known as BOTS) is a hands-on, self-paced, blue-team exercise that uses Splunk to defeat threats. It’s a jeopardy-style, capture-the-flag-esque (CTF) activity where participants answer a variety of questions about security incidents that have occurred in a realistic but fictitious enterprise environment. It's designed to emulate how real security incidents look in Splunk and the type of questions analysts have to answer.

We first developed Boss of the SOC because we were tired of showing up at security conferences and finding the CTFs to be entirely red-team oriented. There are other Blue Team CTFs out there—including the grandfather to them all, SANS DFIR NetWars—but few (or none) of them attempt to recreate the life of a security analyst facing down an adversary at all stages of an attack. BOTS, however, is designed not only for the seasoned Splunk security professional but also for customers who want to try a new activity in a stress-free environment. And hey, it’s virtual. No one is there staring at you, give it a shot!

For BOTS, we work very hard to ask questions that not only require contestants to know Splunk but also know how to research open-source intelligence (OSINT) and think outside of the “Splunk” box.


Every year the BOTS team tries to create data that is new, exciting, and educational for participants. This year is no different. We spent 2020 attending hundreds of hours of security conferences and have brought some of the most interesting adversary techniques that have ever been seen to the BOTS 5.0 dataset. From Sysmon to GCP and Azure to Zoom, we’ve got it all. We are even changing how BOTS is played this year and highlighting Splunk Enterprise Security and Splunk Phantom as their own little microCTFs!


As with previous years, we know that it can be scary to see new datasets that you’ve never been exposed to. With that in mind, we will be starting to release blogs, webinars, videos, and more to help you level-up to meet these new challenges. Follow @splunk on Twitter, and subscribe to Splunk Blogs for updates and webinar announcements. For extra points, follow @meansec, @daveherrald, @james_brodsky, and @stonerpsu on Twitter for “special” announcements. To be clear, these blogs will be VERY relevant to BOTS 5.0 at .conf20, so we highly recommend reading them. And of course, don’t forget our handy dandy blog series, "Hunting with Splunk: The Basics,” which was inspired by the questions customers have asked at BOTS events all over the world!

Finally, you can try out or practice these new techniques using our cloud-hosted “Security Datasets Project” that has the BOTSv1 dataset and more. If you’d rather set up a home lab and really dig into BOTS data, try out our BOTSv1, BOTSv2, and BOTSv3 open-source dataset and CTF scoring server app. If those seem scary, check out the work done by CyberDefenders. They have no affiliation with us, but they seem to have stood up an awesome instance of BOTS data for everyone in the world to play and learn from!

Okay. Should I Play BOTS?

Probably! Seriously, if you’re reading this blog and you've gotten this far, you’re almost certainly a great fit for BOTS. To hold your own, we usually tell folks they need to know a little about Splunk and a little about security. However, all you really need is the desire to learn something new, and the desire to have a lot of fun. If you are a newbie, don't worry we are setting up a special table just for you! Finally, BOTS is a team sport, so be sure to bring along your crew to join you in the fun!

Fine, You Convinced Me! How do I Register?

It’s pretty easy. If you’ve already registered for .conf20, then watch your inbox for a note on how to sign up for Boss of the SOC. BOTS is best experienced as a team, but you can fly solo too. The maximum team size is four participants. Once you and your teammates register for BOTS, you’ll be able to easily create or join a team using our new streamlined self-service team formation system. It is critical that each member of your team register for BOTS individually. Your individual registration will not reserve space for your teammates!

Welp, after all that, I hope we’ve managed to convince you. If you have any questions feel free to email bots[@]splunk[.]com. We’re very excited to virtually host you for the 5th annual Boss of the SOC competition at .conf20!

* 10k? If we get more than 10k we will limit it.

Follow all the conversations coming out of #splunkconf20!

Ryan Kovar
Posted by

Ryan Kovar

NY. AZ. Navy. SOCA. KBMG. DARPA. Splunk.

Show All Tags
Show Less Tags