What if you could understand the consequence of a vulnerability in your web application before it is being introduced? As part of our security awareness month, our company website was cloned and several vulnerablities were intentially introduced. We then let a selection of our developers attack our website in order to have them see our website from the attacker’s point of view. This presentation will demonstrate the methodology used, how the methodology was applied as well as advantages in running a capture the flag event in the context on your company’s own website.