LMS API Storm
March 21, 2026. State-wide Canvas tenants see bursts of `/api/v1` traffic copying rubric exports. You correlate developer key logs with a wayward LTI integration.
Briefing
Canvas is a widely deployed LMS; this scenario does not reproduce any single 2026 vendor incident. Instead it encodes a common failure mode: long-lived API keys paired with an LTI tool domain takeover. Student and faculty data moves through those APIs faster than humans can read CSVs.
Your role
SRE for a regional education authority’s learning stack.
Objective
Prove credential misuse on the Canvas edge: identify the token, follow API export traffic, tie it to an LTI domain failure, then verify revocation.
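The correlation the objective describes, as an added example that is not part of the original scenario or of any Canvas tooling: flag a token by its burst of rubric reads, join it to its developer key and LTI tool domain, then check that nothing is accepted after revocation. The log rows, key ids, token hints, tool domains and field layout are constructed for illustration and are not a real Canvas log schema.

```python
from datetime import datetime, timedelta

T0 = datetime(2026, 3, 21, 2, 14, 0)
# Constructed rows: (timestamp, developer_key_id, token_hint, path, http_status).
ACCESS_LOG = (
    # Burst: one token reads rubrics from 8 courses, 3 seconds apart.
    [(T0 + timedelta(seconds=3 * i), "dk-1001", "tok-a1",
      f"/api/v1/courses/{100 + i}/rubrics", 200) for i in range(8)]
    # Normal use: a different key, two requests five minutes apart.
    + [(T0 + timedelta(minutes=5 * i), "dk-2002", "tok-b7",
        "/api/v1/courses/55/rubrics", 200) for i in range(2)]
    # Replay of the flagged token after revocation, rejected with 401.
    + [(T0 + timedelta(minutes=30), "dk-1001", "tok-a1", "/api/v1/courses/101/rubrics", 401)]
)
DEV_KEYS = {  # constructed developer-key inventory
    "dk-1001": {"tool_domain": "rubrics.lti-tool.example", "issued": datetime(2023, 8, 1)},
    "dk-2002": {"tool_domain": "grades.lti-tool.example", "issued": datetime(2026, 1, 10)},
}
REVOKED_AT = T0 + timedelta(minutes=20)  # constructed revocation time

def find_bursts(log, window=timedelta(seconds=60), threshold=5):
    """Map (key, token) to its peak count of successful rubric reads in one window."""
    times = {}
    for ts, key, token, path, status in log:
        if status == 200 and path.startswith("/api/v1/") and path.endswith("/rubrics"):
            times.setdefault((key, token), []).append(ts)
    hits = {}
    for ident, stamps in times.items():
        stamps.sort()
        start = peak = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:  # slide the window's left edge
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            hits[ident] = peak
    return hits

def key_context(key_id, as_of):
    """Join a flagged key to its LTI tool domain and its age in days."""
    rec = DEV_KEYS[key_id]
    return rec["tool_domain"], (as_of - rec["issued"]).days

def accepted_after_revocation(log, token, revoked_at):
    """Rows where the revoked token was still accepted; empty means revocation holds."""
    return [r for r in log if r[2] == token and r[0] >= revoked_at and r[4] != 401]

if __name__ == "__main__":
    for (key, token), peak in find_bursts(ACCESS_LOG).items():
        print(key, token, peak, key_context(key, T0), accepted_after_revocation(ACCESS_LOG, token, REVOKED_AT))
```

An empty result from `accepted_after_revocation` only proves revocation if the token was actually replayed after the cutoff, so confirm at least one rejected request exists in the window.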
Terminal environment
- user: responder
- host: lti-siem-01
- cwd: /home/sre/canvas-trace
- steps: 8
Safety note. This is a safe reconstruction. All systems, files, hosts, credentials, and outputs are simulated. Do not use these techniques on systems you do not own or have explicit permission to test.