Scenario Lab

Real-world metaphors delivered as downtime

Some lessons need more than a slide. This scenario turns incident response into a physical team challenge using a former military-base-style airsoft arena as the map.

The team must contain the breach, protect backups, search the logs, remove persistence, remove malware, block command-and-control, restore from backup and only then reconnect.

Interactive map

Click the labels. Learn the cyber parallel.

The map does not require hover. Labels are buttons, the explainer updates beside the image, and the full sequence is written out below.

[Image: drone-style view of an airsoft arena mapped as a cyber incident response scenario, with labelled systems including malware, logs, backups, router, watchdog and CnC server.]
Static map labels and cyber parallels
  • your response team: Incident response is a team sport: roles, comms, containment, evidence, eradication and recovery.
  • Log Server / Ball Pit containing clues: Logs help identify entry point, affected systems, persistence, malware location and command-and-control.
  • Malware: Removing malware before removing persistence may only create a short silence before reinfection.
  • Backup server: Backups need isolation and controlled restore sequencing during ransomware or destructive incidents.
  • Router: Containment starts by controlling inbound and outbound paths.
  • Watchdog: Persistence can re-enable malware after cleanup if not found and removed.
  • CnC server: Command-and-control must be blocked before reconnection.
  • network cables: Routing, segmentation, trust relationships and lateral movement decide how far the incident can travel.

Required sequence

The order matters

Get the order wrong and the scenario may still appear to work, until the debrief explains why the malware came back, the backup became suspect, or the attacker route stayed open.

  1. Disconnect from the outside world. Containment by cutting external routes before the incident keeps talking to the attacker.
  2. Disconnect the backup server. Protect backups before investigation or restoration so clean recovery does not become reinfection with nicer branding.
  3. Search logs for clues. Find evidence of entry point, persistence, lateral movement and command-and-control before randomly poking the bear.
  4. Eliminate the watchdog. Remove persistence or scheduled reactivation before deleting the obvious malware.
  5. Eliminate the malware. Remove the active malicious component once persistence is controlled.
  6. Add the CnC server to the firewall config. Block command-and-control so reconnecting does not invite the attacker back in with biscuits.
  7. Restore from backups. Recover from a clean, protected restore point after containment and eradication.
  8. Disconnect the backup server again. Re-isolate backups after restore so the recovery source remains protected.
  9. Go back online. Reconnect only after containment, eradication, blocking and recovery are complete.

Facilitator debrief

Hidden-failure mechanics, not player spoilers

The main player copy keeps pressure on the task. The debrief explains the failure states after the team has made decisions.

Watchdog not eliminated before malware

Hidden-failure debrief

After a short timer, malware is re-enabled and the team only learns why during debrief.

Backup server left connected during containment and investigation

Hidden-failure debrief

Backup integrity is marked compromised or suspect.

CnC server not added to firewall config before reconnecting

Hidden-failure debrief

Scenario can reinfect or fail at go-live.

Team reconnects router before restore and block steps

Hidden-failure debrief

Outside-world connection creates recurrence and triggers failed scenario state.

Team skips log search

Hidden-failure debrief

They may attack the wrong target or miss the CnC/watchdog clue.
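A facilitator can replay a team's decisions against the required sequence and the five hidden-failure rules above with a small state machine. The following Python is an added example written for this page, not the exercise's own software or anything from everwished; the action names, the timer model (the watchdog re-enables malware as soon as the malware is removed) and the rule that a connected backup becomes suspect during investigation or eradication are this example's own reading of the sequence and debrief notes.

```python
"""Order checker for the scenario's required sequence (constructed example).
Replays a list of team actions and records which hidden-failure debrief
notes fire. Action identifiers and timing rules are assumptions, not the
exercise's real mechanics."""
from dataclasses import dataclass, field
from typing import List

# Hypothetical action identifiers, one per map label.
DISCONNECT_ROUTER = "disconnect_router"  # cut the outside-world link
ISOLATE_BACKUP = "isolate_backup"        # disconnect the backup server
SEARCH_LOGS = "search_logs"              # dig through the ball pit of clues
KILL_WATCHDOG = "kill_watchdog"          # remove persistence
REMOVE_MALWARE = "remove_malware"        # remove the active component
BLOCK_CNC = "block_cnc"                  # add the CnC server to the firewall config
RESTORE_BACKUP = "restore_backup"        # restore from the protected backup
RECONNECT = "reconnect"                  # go back online

# The page's required order, steps 1 to 9.
REQUIRED_SEQUENCE = [
    DISCONNECT_ROUTER, ISOLATE_BACKUP, SEARCH_LOGS, KILL_WATCHDOG, REMOVE_MALWARE,
    BLOCK_CNC, RESTORE_BACKUP, ISOLATE_BACKUP, RECONNECT,
]


@dataclass
class ScenarioState:
    external_link_up: bool = True
    backup_isolated: bool = False
    backup_suspect: bool = False
    logs_searched: bool = False
    watchdog_alive: bool = True
    malware_active: bool = True
    cnc_blocked: bool = False
    restored: bool = False
    failed: bool = False
    debrief: List[str] = field(default_factory=list)


def apply(state: ScenarioState, action: str) -> ScenarioState:
    """Apply one team action; hidden failures are appended to state.debrief."""
    note = state.debrief.append
    # Investigating or eradicating with the backup still connected taints it.
    if action in (SEARCH_LOGS, KILL_WATCHDOG, REMOVE_MALWARE) and not state.backup_isolated:
        if not state.backup_suspect:
            state.backup_suspect = True
            note("Backup server left connected during containment and investigation: backup integrity marked suspect.")
    if action == DISCONNECT_ROUTER:
        state.external_link_up = False
    elif action == ISOLATE_BACKUP:
        state.backup_isolated = True
    elif action == SEARCH_LOGS:
        state.logs_searched = True
    elif action == KILL_WATCHDOG:
        if state.logs_searched:
            state.watchdog_alive = False
        else:  # without the log clue the team hits the wrong target
            note("Team skipped log search: watchdog clue missed, persistence still in place.")
    elif action == REMOVE_MALWARE:
        state.malware_active = False
        if state.watchdog_alive:  # the short timer fires and re-enables it
            state.malware_active = True
            note("Watchdog not eliminated before malware: malware re-enabled after a short timer.")
    elif action == BLOCK_CNC:
        if state.logs_searched:
            state.cnc_blocked = True
        else:
            note("Team skipped log search: CnC clue missed, firewall rule blocks the wrong address.")
    elif action == RESTORE_BACKUP:
        state.backup_isolated = False  # the backup must be reachable to restore
        if state.malware_active:
            state.backup_suspect = True
            note("Restore ran while malware was still active: the restore point is now suspect.")
        state.restored = True
    elif action == RECONNECT:
        state.external_link_up = True
        if not state.cnc_blocked:
            state.failed = True
            note("CnC server not added to firewall config before reconnecting: scenario reinfects at go-live.")
        if state.malware_active or not state.restored:
            state.failed = True
            note("Team reconnected router before restore and block steps: outside-world connection creates recurrence.")
        if state.backup_suspect:
            state.failed = True
            note("Recovery relied on a suspect backup.")
        if not state.backup_isolated:
            note("Backup server not re-isolated after restore.")
    else:
        raise ValueError(f"unknown action {action!r}")
    return state


def run(actions: List[str]) -> ScenarioState:
    state = ScenarioState()
    for action in actions:
        apply(state, action)
    return state


def succeeded(actions: List[str]) -> bool:
    """True when the sequence reaches go-live with no failure state."""
    final = run(actions)
    return final.external_link_up and not final.failed


if __name__ == "__main__":
    swapped = list(REQUIRED_SEQUENCE)
    swapped[3], swapped[4] = swapped[4], swapped[3]  # malware removed before the watchdog
    for label, seq in (("required order", REQUIRED_SEQUENCE), ("steps 4/5 swapped", swapped)):
        print(f"{label}: {'passed' if succeeded(seq) else 'FAILED'}")
        for line in run(seq).debrief:
            print("  -", line)
```

Running the block shows the required order passing with an empty debrief, while swapping steps 4 and 5 produces the watchdog note and a failed go-live; a team that kills the watchdog and then removes the malware a second time still gets the watchdog note in its debrief but reaches go-live cleanly, which is the distinction the facilitator wants to draw.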

Run the scenario before the real day gets messy.

Use the whitepaper as the concept note, then talk to everwished about shaping the exercise around your incident response reality.