incident-response-trainer
Mock scenarios · Rule-based grading
CatalogOverviewSnapshot
Incident

Marketing uploaded customer spreadsheet to unsanctioned AI tool — CASB high-risk alert

CybersecurityDifficulty · Medium
← New scenario
Retry in progress
You have 1 previous attempt for this scenario. Submitting again will create a new attempt and show a comparison against your most recent response.
Shadow IT SaaSDifficulty · mediumHigh asset
[CASB] High-risk SaaS upload — 4.7 MB to ai-summarizer.io
From
CASB <casb@acme-corp.local>
To
soc@acme-corp.com
Date
2026-04-19 13:32 UTC
CASB flagged an upload from a corporate endpoint to ai-summarizer.io, an unsanctioned AI summarization service. User: jen.kim@acme-corp.com (Marketing Coordinator) Endpoint: JKIM-LT22 (corp-managed) Files: customer-list-q1.xlsx (3.1 MB), campaign-results-q1.xlsx (1.6 MB) Destination: https://ai-summarizer.io/upload (free tier, no SSO) Account: signed up using corporate email on the free tier ToS clause 4.2: "uploaded content may be used to train and improve the Service." Vendor risk score: HIGH (low brand reputation, 6-month-old domain, no SOC 2, retains content for 90 days). Other Marketing users have visited this domain (4 endpoints in last 14 days). Please respond. — CASB / Cloud Security
Evidence
CASB session log + endpoint browser history
# CASB session (jen.kim@acme-corp.com → ai-summarizer.io)
13:18:04  GET   https://ai-summarizer.io/                     200
13:18:51  POST  https://ai-summarizer.io/api/signup            201   (free tier)
13:19:30  POST  https://ai-summarizer.io/api/upload            200   file=customer-list-q1.xlsx (3.1 MB)
13:20:12  POST  https://ai-summarizer.io/api/upload            200   file=campaign-results-q1.xlsx (1.6 MB)
13:20:48  POST  https://ai-summarizer.io/api/summarize         200

# Spreadsheet content type (DLP classifier)
customer-list-q1.xlsx     → contains: customer email + phone + segment + LTV  (PII, ~14k rows)
campaign-results-q1.xlsx  → contains: campaign metrics, no direct PII

# Other marketing endpoints with traffic to this domain (last 14d)
JKIM-LT22, MROSS-LT09, AVO-LT14, PCHEN-LT07

# Vendor record (CASB risk catalog)
ai-summarizer.io  registered 2025-10-12 (privacy-protected registrar)
                  TLS: Let's Encrypt, no SSO, no SOC 2, no DPA available
                  ToS: trains on uploads unless on the paid Pro tier
Affected asset
Name
Marketing dept users + customer-list-q1.xlsx (PII)
Type
Shadow SaaS upload — customer PII to unvetted AI vendor
Owner
Marketing
Level
High
0 words

Grading is rule-based. Response is compared against a pre-written rubric.