CybersecurityeasyPhishing
Employee reported a suspicious 'CEO' email and entered credentials
High asset
Scenario Catalog
Browse every shipped scenario.
54 incident scenarios across Cybersecurity, Network Engineering, and Cyber × Network Fusion tracks. Four difficulty tiers. Deterministic rubric grading. Filter, search, or start at random.
Total54Cybersecurity20Network12Fusion14Cyber · E/M/H/XH5/5/5/5
Showing 54 of 54
CybersecurityeasyQR Code Phishing
Finance employee scanned 'Free Parking Validation' QR poster in lobby — entered M365 credentials on look-alike page
High asset
CybersecurityeasyMFA Fatigue / Push Bombing
Helpdesk tech approved MFA push at 02:14 UTC after a flood of prompts — Singapore sign-in now active
High asset
CybersecurityeasySuspicious USB Device
Receptionist plugged in USB labeled 'Q2 Bonus' — EDR flagged PowerShell launch
Medium asset
CybersecurityeasyDevice Loss
Sales rep reports company laptop left in airport taxi overnight
High asset
CybersecuritymediumBusiness Email Compromise (Vendor Invoice)
AP received 'updated wire details' invoice from longstanding vendor — sender domain is one-letter look-alike, $48,250 payment scheduled tomorrow
High asset
CybersecuritymediumBrute Force
Brute-force on VPN gateway admin account — 1 successful login
Critical asset
CybersecuritymediumInsider Data Leak
Departing engineer downloaded full customer export 36h before resignation effective date
High asset
CybersecuritymediumShadow IT SaaS
Marketing uploaded customer spreadsheet to unsanctioned AI tool — CASB high-risk alert
High asset
CybersecuritymediumMalicious OAuth Consent
Marketing user clicked Allow on 'Mail Reader Pro' OAuth consent — Mail.ReadWrite + Files.Read.All granted; 47 emails read in 30 min
Medium asset
CybersecurityhardSuspicious Outbound
4.8 GB outbound from production web server to low-reputation IP overnight
Critical asset
CybersecurityhardRansomware (Early Stage)
FILE-SRV-04 encrypting shares, ransom note dropped, lateral SMB scans starting
Critical asset
CybersecurityhardWeb Shell + Lateral Movement
Public-facing IIS server hosting unfamiliar .aspx — w3wp spawned cmd.exe + net use to internal file server
Critical asset
CybersecurityhardSupply Chain Package
Typosquat npm package `lodahs` beaconing during CI build — secrets at risk
Critical asset
CybersecurityhardDNS Tunneling Exfiltration
Workstation issuing ~5,000 long-subdomain DNS queries / hour to one 4-day-old TLD — no matching TCP/UDP outbound, design CAD files accessed
Critical asset
Cybersecurityextremely-hardIdentity Federation Token Theft
Cloud sign-ins succeeding with valid SAML tokens but no matching IdP auth or MFA events — suspected token-signing key compromise
Critical asset
Cybersecurityextremely-hardInsider + External Collusion Data Theft
Departing privileged admin staging data to personal cloud with signs of external coordination — legal hold, do-not-tip-off, chain-of-custody under pressure
Critical asset
Cybersecurityextremely-hardLiving-off-the-Land Persistence
Fileless persistence on a jump host — WMI event subscription + scheduled tasks driving signed system binaries, ambiguous admin-vs-attacker, ~30-day dwell
High asset
Cybersecurityextremely-hardMulti-Stage Ransomware (Double Extortion)
Staged exfiltration for days, then a partial encryption trigger and a leak-threat note — backups may be tampered, scope still unknown
Critical asset
Cybersecurityextremely-hardThird-Party Vendor Breach Pivot
Trusted MSP's RMM agent pushing unexpected commands across managed hosts — pivot from a compromised provider, ambiguous legit-maintenance vs malicious, cross-org coordination
Critical asset
Network EngineeringeasySTP Loop
Building 3 access switches at 99% CPU — intermittent connectivity loss
High asset
Network EngineeringeasyDHCP Failure
New conference room: 12 users cannot get an IP address
Medium asset
Network EngineeringeasyVLAN Misconfig
New intern's PC is on the production-server VLAN by mistake
High asset
Network EngineeringmediumNAT/Firewall Path
New CRM API outbound calls time out — return path bypasses stateful firewall
High asset
Network EngineeringmediumOSPF Flap
OSPF adjacency between core routers flapping every ~2 minutes
Critical asset
Network EngineeringmediumTrunk Native Mismatch
Trunk between distribution switches: native VLAN mismatch causing traffic leak
High asset
Network EngineeringhardBGP Leak
Customer prefix 203.0.113.0/22 announced from unintended AS — suspected BGP route leak
Critical asset
Network EngineeringhardRoute Redistribution
Redistribute mistake: 750k external BGP routes flooded into OSPF
Critical asset
Network EngineeringhardAsymmetric Routing
TCP sessions intermittently fail across new dual-ISP design — return path different
Critical asset
Network Engineeringextremely-hardVPN/Firewall Policy Regression
After a firewall/VPN policy push, tunnels drop intermittently and an unexpected outbound flow appears
Critical asset
Network Engineeringextremely-hardMulti-Fault Backbone Brownout
Backbone brownout: three overlapping faults interact and the first-noticed symptom is misleading
Critical asset
Network Engineeringextremely-hardSegmentation Failure (Suspected Intrusion)
Segmentation drift found during a suspected intrusion — VLAN/ACL gap with a monitoring blind spot
Critical asset
Cyber × Network FusioneasyRogue Wireless AP
Evil twin SSID 'ACME-Corp' near the cafe — auto-connect captured employee credentials
High asset
Cyber × Network FusioneasyRogue DHCP MITM
Guest VLAN: rogue DHCP redirecting users to a fake SSO portal
High asset
Cyber × Network FusioneasyVLAN Leak + Cred Exposure
Office VLAN bridged to prod-mgmt — SNMP communities and SMBv1 broadcasts visible
High asset
Cyber × Network FusionmediumNMS SNMP Tamper
NMS server compromised — SNMP write activity tampered config on three core routers
Critical asset
Cyber × Network FusionmediumNAC Bypass + Pivot
Unauthorized host on prod VLAN — 802.1X bypass via printer MAC spoofing
Critical asset
Cyber × Network FusionmediumVPN Brute + OSPF Pivot
VPN admin compromised — attacker added a static route + redistributed it into OSPF
Critical asset
Cyber × Network FusionhardBGP Hijack + DNS Exfil
Customer prefix hijack + abnormal DNS volume from internal resolver to attacker AS
Critical asset
Cyber × Network FusionhardTri-Domain: Identity → Routing → Cloud Pivot
Federated sign-in with no upstream login, a route that should not exist, and a cloud admin role assumed across the gap
High asset
Cyber × Network FusionhardInternal CA MITM + C2
Internal CA key possibly exposed + ARP poisoning + outbound C2 from server VLAN
Critical asset
Cyber × Network FusionhardIoT Botnet DDoS
Internal IoT segment compromised — outbound DDoS to external target, ISP abuse complaints
Critical asset
Cyber × Network Fusionextremely-hardTri-Domain: Control-Plane, Fabric & Cloud Crisis
Entangled cloud control-plane changes, a flapping core fabric, and an ambiguous privileged identity under decaying telemetry
Critical asset
Cyber × Network Fusionextremely-hardBrownout-Masked Intrusion
Intermittent backbone brownout masking an active intrusion under noisy, decaying telemetry
Critical asset
Cyber × Network Fusionextremely-hardNetwork Appliance Firmware Implant + Fabric Pivot
Suspected core-switch firmware implant + lateral movement across a segmented fabric
Critical asset
Cyber × Network Fusionextremely-hardFederation Token Theft + Routing Redirect
Valid federation tokens with no upstream login + a /32 redirect pulling auth traffic off-path
Critical asset
Cloud InfrastructureeasyExposed Cloud Management Port
Admin/SSH/RDP port open to the internet on a production instance
High asset
Cloud InfrastructureeasyPublic Object-Storage Exposure
Public object-storage bucket exposed — customer files world-readable
High asset
Cloud InfrastructuremediumCloud Audit-Logging Gap
Cloud audit logging disabled in a region — detection blind spot
High asset
Cloud InfrastructuremediumOver-Permissive IAM Role
IAM role grants wildcard permissions far beyond its workload
High asset
Cloud InfrastructurehardExposed Cloud Backup Snapshot
Backup snapshot shared publicly — recovery + data-exposure incident
Critical asset
Cloud InfrastructurehardLeaked Cloud Access Key
Static access key leaked and used from an anomalous location
Critical asset
Cloud Infrastructureextremely-hardCloud Control-Plane Identity Pivot
Cloud control-plane intrusion — leaked CI credential pivots across IAM roles while audit logging is partially blind
Critical asset
Cloud Infrastructureextremely-hardCloud Backup-Tamper Recovery Crisis
Destructive cloud incident — objects deleted and snapshot/backup lifecycle tampered, recovery source must be trusted
Critical asset