incident-response-trainer
Mock scenarios · Rule-based grading
Attempt report

Marketing uploaded customer spreadsheet to unsanctioned AI tool — CASB high-risk alert

Cybersecurity · Shadow IT SaaS · Difficulty · Medium

Attempt 1 of 1 · cmozc0nnk000159tjiyt5bv4t

Progress vs previous attempt

This is your first attempt for this scenario. Retry the scenario to generate a side-by-side comparison against your previous response.

Progression · Keep practicing

Stay on Medium · Cybersecurity

5 signals are blocking advancement to Hard. Keep practicing at Medium until those areas stabilize. (Track: Cybersecurity)

Track · Cybersecurity
Medium
Sample · 5 recent attempts · 1 positive · 5 blocking

Signals helping

  • Dangerous action frequency. None in recent attempts

Signals blocking advancement

  • Recent average score. 6 / 100 (need ≥ 80)
  • Recent pass rate. 0 of 5 passed (need ≥ 66%)
  • Rubric category coverage. 7% average (need ≥ 60%)
  • Recent retry improvement trend. Score is regressing (-14.2 pts on later attempts)
  • Consistently weak rubric areas. Attack understanding, Prioritization, Recovery
Submission · what was sent and how you responded
Shadow IT SaaS · Difficulty · medium · High asset
[CASB] High-risk SaaS upload — 4.7 MB to ai-summarizer.io
From
CASB <casb@acme-corp.local>
To
soc@acme-corp.com
Date
2026-04-19 13:32 UTC
CASB flagged an upload from a corporate endpoint to ai-summarizer.io, an unsanctioned AI summarization service.

User: jen.kim@acme-corp.com (Marketing Coordinator)
Endpoint: JKIM-LT22 (corp-managed)
Files: customer-list-q1.xlsx (3.1 MB), campaign-results-q1.xlsx (1.6 MB)
Destination: https://ai-summarizer.io/upload (free tier, no SSO)
Account: signed up using corporate email on the free tier
ToS clause 4.2: "uploaded content may be used to train and improve the Service."
Vendor risk score: HIGH (low brand reputation, 6-month-old domain, no SOC 2, retains content for 90 days).
Other Marketing users have visited this domain (4 endpoints in last 14 days).

Please respond.
— CASB / Cloud Security
Evidence
CASB session log + endpoint browser history
# CASB session (jen.kim@acme-corp.com → ai-summarizer.io)
13:18:04  GET   https://ai-summarizer.io/                     200
13:18:51  POST  https://ai-summarizer.io/api/signup            201   (free tier)
13:19:30  POST  https://ai-summarizer.io/api/upload            200   file=customer-list-q1.xlsx (3.1 MB)
13:20:12  POST  https://ai-summarizer.io/api/upload            200   file=campaign-results-q1.xlsx (1.6 MB)
13:20:48  POST  https://ai-summarizer.io/api/summarize         200

# Spreadsheet content type (DLP classifier)
customer-list-q1.xlsx     → contains: customer email + phone + segment + LTV  (PII, ~14k rows)
campaign-results-q1.xlsx  → contains: campaign metrics, no direct PII

# Other marketing endpoints with traffic to this domain (last 14d)
JKIM-LT22, MROSS-LT09, AVO-LT14, PCHEN-LT07

# Vendor record (CASB risk catalog)
ai-summarizer.io  registered 2025-10-12 (privacy-protected registrar)
                  TLS: Let's Encrypt, no SSO, no SOC 2, no DPA available
                  ToS: trains on uploads unless on the paid Pro tier
Affected asset
Name
Marketing dept users + customer-list-q1.xlsx (PII)
Type
Shadow SaaS upload — customer PII to unvetted AI vendor
Owner
Marketing
Level
High
Your submitted response
7 words
i don't know. you figure it out.
Final score
1 / 100
7 words submitted
Verdict · Fail

The response is missing several critical incident response steps. Review the rubric and try again. Score: 1/100. Strongest area: Clarity & structure (12%). Weakest area: Attack understanding (0%) — expand this next time. The response is quite short; aim for a more structured, step-by-step plan.

Category breakdown

Where points came from

coverage × weight = points
  • Attack understanding · 0/4 · 0.0 / 15
  • Asset impact · 0/4 · 0.0 / 10
  • Prioritization · 0/3 · 0.0 / 10
  • Containment · 0/5 · 0.0 / 20
  • Investigation · 0/5 · 0.0 / 15
  • Recovery · 0/4 · 0.0 / 10
  • Evidence preservation · 0/4 · 0.0 / 10
  • Clarity & structure · 0/2 · 1.2 / 10

Strengths

No category reached 70% coverage.

Missing / weak

  • Attack understanding
  • Asset impact
  • Prioritization
  • Containment
  • Investigation
  • Recovery
  • Evidence preservation
  • Clarity & structure

Dangerous actions detected

None detected in your response.

Learning · Coaching

Learn from this attempt

Post-submission coaching for this scenario. Score and verdict are unchanged — these notes are for your next attempt.

Why points were deducted

  • Containment · 0% coverage

    Combine CASB block + vendor takedown + DLP tightening; blocking the URL alone leaves the already-uploaded data on their servers.

  • Attack understanding · 0% coverage

    Name the failure mode: shadow-IT SaaS upload of PII to a vendor whose ToS permits training on free-tier content — not just `someone used an AI tool`.

  • Investigation · 0% coverage

    Define which files / rows / fields actually left, identify the other 4 visiting endpoints, and read the actual ToS clause — do not guess the legal exposure.

Model answer outline

Situation

Jen Kim (Marketing) signed up for ai-summarizer.io on the free tier with her corp email and uploaded customer-list-q1.xlsx (~14k rows of PII) and campaign-results-q1.xlsx (no direct PII). The vendor's ToS clause 4.2 lets them train on uploads on the free tier, the domain is 6 months old, no SOC 2, no DPA, and four other Marketing endpoints have visited the domain in the last 14 days. This is a privacy / shadow-IT incident with regulator-relevant scope, not a phishing case.

Prioritization
  • Treat as a P1 privacy / data-leak incident because customer PII left the boundary — shadow-IT framing must not water down the priority.
  • Sequence through Privacy / Legal / DPO before any user-facing or vendor-facing message.
  • Loop in Marketing leadership so the response is unified, not user-shaming.
Containment
  • Block ai-summarizer.io at CASB / proxy and add it to the unsanctioned-AI category at the egress tier.
  • Open a vendor takedown / right-to-erasure request against the uploaded files, citing GDPR / CCPA as relevant; close the free-tier account.
  • Tighten DLP so PII-classified spreadsheets (customer email + phone + LTV columns) cannot be uploaded to unsanctioned hosts on managed endpoints.
Investigation
  • Define scope precisely: which files (`customer-list-q1.xlsx` PII, `campaign-results-q1.xlsx` no direct PII), how many rows, which fields.
  • Identify the other 4 endpoints that hit the domain in 14 days and check whether any of them also uploaded — repeat-offender check.
  • Pull CASB session logs, browser history on JKIM-LT22, and DLP classifier output to confirm content type and timing.
  • Read the vendor's ToS / privacy policy / retention statement carefully so the legal exposure assessment is grounded in their actual terms, not a guess.
Recovery
  • Stand up an approved-AI vendor allowlist (with SOC 2, DPA, no-train default) and route Marketing's real summarization need into a sanctioned tool.
  • Run targeted Marketing awareness on shadow-IT / AI-tool risk, focused on `if it can read the file, the vendor can train on it`.
  • Tune CASB risk scoring so 6-month-old privacy-protected domains with no DPA are blocked by category, not relying on per-incident review.
Evidence preservation
  • Preserve CASB session log, the upload metadata, DLP classifier hits, and the browser history for JKIM-LT22 with hashes / timestamps.
  • Save a screenshot / archive of the vendor's ToS clause 4.2 (training on free-tier uploads) at incident time, in case they edit it later.
  • Capture vendor correspondence (deletion request, vendor reply) as part of the case file.
Communication
  • Brief Privacy / Legal / DPO first; let them decide the customer-notification threshold under GDPR / CCPA.
  • Explain the issue to Jen factually — `the vendor's ToS allows training on uploads` — without making the conversation punitive.
  • Communicate the new approved-AI allowlist to Marketing so the legitimate need is met instead of pushing it underground.
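The Investigation and Containment steps above start from the CASB session log and the DLP classifier output in the evidence section. The following is an added example, not part of the trainer's own grading code, showing how a responder could parse those lines to scope the incident: which uploads succeeded, which of them carried PII to an unsanctioned host, how much data left, and which hosts to block. The log lines and DLP classes are constructed from the evidence shown on this page; the `UNSANCTIONED` set and the P1/P3 severity labels are assumptions for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample: the CASB session lines quoted in the evidence section,
# reproduced in the same format the page shows.
CASB_SESSION = """\
13:18:04  GET   https://ai-summarizer.io/                     200
13:18:51  POST  https://ai-summarizer.io/api/signup            201   (free tier)
13:19:30  POST  https://ai-summarizer.io/api/upload            200   file=customer-list-q1.xlsx (3.1 MB)
13:20:12  POST  https://ai-summarizer.io/api/upload            200   file=campaign-results-q1.xlsx (1.6 MB)
13:20:48  POST  https://ai-summarizer.io/api/summarize         200
"""
# Constructed from the DLP classifier output on the page.
DLP_CLASSES = {"customer-list-q1.xlsx": "PII", "campaign-results-q1.xlsx": "none"}
# Assumed: hosts the CASB vendor catalog rates as unsanctioned.
UNSANCTIONED = {"ai-summarizer.io"}

# Matches only upload POSTs that carry a file= field and a size in MB.
UPLOAD_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2})\s+POST\s+https?://(?P<host>[^/\s]+)\S*/upload\s+"
    r"(?P<status>\d{3})\s+file=(?P<file>\S+)\s+\((?P<mb>[\d.]+) MB\)"
)

@dataclass
class Upload:
    ts: str
    host: str
    file: str
    size_mb: float
    dlp_class: str

def parse_uploads(log: str, dlp: dict) -> list:
    """Return successful (2xx) upload events joined with their DLP classification."""
    found = []
    for line in log.splitlines():
        m = UPLOAD_RE.match(line)
        if m and m["status"].startswith("2"):
            found.append(Upload(m["ts"], m["host"], m["file"], float(m["mb"]),
                                dlp.get(m["file"], "unclassified")))
    return found

def scope(uploads: list, unsanctioned: set) -> dict:
    """Incident scope: PII files that reached unsanctioned hosts, data volume, hosts to block."""
    outbound = [u for u in uploads if u.host in unsanctioned]
    exposed = [u for u in outbound if u.dlp_class == "PII"]
    return {
        "exposed_files": [u.file for u in exposed],
        "total_mb": round(sum(u.size_mb for u in outbound), 1),
        "block_hosts": sorted({u.host for u in outbound}),
        "severity": "P1" if exposed else "P3",   # assumed mapping: PII out = P1
    }
```

Running `scope(parse_uploads(CASB_SESSION, DLP_CLASSES), UNSANCTIONED)` yields the 4.7 MB total the alert subject reports, with only customer-list-q1.xlsx flagged as exposed PII; the signup and summarize requests are ignored because they carry no file.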

Dangerous actions to avoid

  • Do not re-upload the spreadsheet to demonstrate the issue.
  • Do not act unilaterally without Privacy / Legal — customer notification is their call.
  • Do not treat this as `just marketing being marketing` — PII left the boundary.
  • Do not skip vendor takedown because `the data is already out` — written deletion confirmation is part of the legal record.

How to improve next time

  • Free-tier AI tools usually pay for themselves with your data — read the actual ToS before reasoning about exposure.
  • Always pair a CASB block with a written vendor takedown; without the deletion confirmation, the legal record is incomplete.
  • When you find one offender, look for the cohort — `4 endpoints in 14 days` is a Marketing-team pattern, not an isolated user.
  • Solve shadow-IT by giving the team a sanctioned alternative; pure prohibition just pushes the next upload underground.
  • Snapshot the ToS at incident time — vendors edit retroactively when bad cases hit.
AI Tutor · Explains your result

AI Tutor

This tutor explains your result. It does not change your score. Pick a question to see how the deterministic grading reached your verdict and where to focus next.

Generated deterministically from your graded result — no AI model was called.

Why did I get this score?

Your verdict was Fail at 1/100. That total is the sum of deterministic rubric points across 8 categories — each scores how much of its expected, ordered steps your answer covered, not an opinion about your writing. Your strongest coverage was Clarity & structure (12%). Points were held back mostly in Containment (0%), Attack understanding (0%), Investigation (0%).

Rubric focus · containment, attack understanding, investigation
Next study step

Re-read the containment expectations for this scenario and list the concrete steps you missed.

This tutor explains your existing result. It does not change your score, verdict, or grade. Generated deterministically from your graded result — no AI model was called.

What should I improve first?

Focus on Containment first — it is your weakest rubric area at 0% coverage and carries weight 20. For this scenario: Combine CASB block + vendor takedown + DLP tightening; blocking the URL alone leaves the already-uploaded data on their servers.

Rubric focus · containment
Next study step

Rewrite your containment section as a short numbered checklist before your next attempt.


How does my answer compare to the model answer outline?

Compared with the model answer outline, the most useful sections to study are the ones matching your weak areas. Re-read the outline's containment, attack understanding, investigation guidance and check which listed points you did not cover. The outline is a high-level checklist of expected points — use it to find gaps, not to copy a finished answer.

Rubric focus · containment, attack understanding, investigation
Next study step

Pick one model-answer section you missed and add its key points to your next response in your own words.


Which rubric area mattered most here?

Containment mattered most here: it carries the highest rubric weight (20), so coverage there moves your score the most. You covered 0% of it this time, worth 0 points.

Rubric focus · containment
Next study step

Prioritise the highest-weight categories first; make sure containment is fully addressed before lower-weight ones.


What should I study next?

Based on this attempt, study containment, attack understanding, investigation next. Coaching tip for this scenario: Free-tier AI tools usually pay for themselves with your data — read the actual ToS before reasoning about exposure.

Rubric focus · containment, attack understanding, investigation
Next study step

Free-tier AI tools usually pay for themselves with your data — read the actual ToS before reasoning about exposure.
