We test Corax against real-world infrastructure failures across every vendor, platform, and scenario. Browse the results below.
The external OAuth2/OIDC identity provider (Okta) is experiencing a major outage. All SSO login attempts fail because the authorization endpoint is unreachable. Users cannot authenticate to any application that relies on Okta for SSO, affecting the entire organization.
A JWT signing key rotation was performed on the authentication service, but the new public key was not distributed to 4 of 7 microservices that validate tokens. These services are rejecting all tokens signed with the new key, while the auth service has stopped issuing tokens with the old key.
An automated vulnerability scan discovers a critical CVE with a CVSS score of 10.0 affecting the production web server software. The vulnerability allows unauthenticated remote code execution and has a known public exploit. The affected software is running on 15 production servers.
A quarterly security audit discovers that 23 production services are still offering deprecated cipher suites including RC4, DES, and 3DES. Several services also support TLS 1.0 and 1.1. This fails PCI DSS Requirement 4.1 and multiple CIS benchmarks.
An external penetration test discovers a critical remote code execution vulnerability in the production API through an unsanitized file upload endpoint. The pentester demonstrates full shell access to the application server and lateral movement to the database server.
A weekly CIS benchmark compliance scan detects that 43 production servers have drifted from their hardened baseline. An unauthorized configuration management change reverted SSH hardening, disabled audit logging, and re-enabled insecure protocols across the production fleet.
A GDPR compliance scan discovers that the automated data retention purge job has been silently skipping records due to a foreign key constraint error. 2.3 million EU user records past their retention period have not been deleted, violating the GDPR Article 5(1)(e) storage limitation principle.
An automated SOC 2 compliance scan discovers 14 terminated employee accounts that are still active across production systems. The offboarding automation failed silently for 3 months, and these accounts retain full production access including database admin and cloud console roles.
The centralized audit logging service for a healthcare application has been silently failing for 72 hours. No access logs for electronic protected health information (ePHI) were captured during this period, creating a HIPAA audit trail gap that must be reported and remediated.
A database scan discovers unencrypted cardholder data (primary account numbers) stored in a staging database that was never intended to be in PCI scope. A developer copied production data to staging for debugging without masking sensitive fields, violating PCI DSS Requirement 3.4.
An attacker deploys cryptocurrency mining malware on 5 production servers after exploiting an unpatched vulnerability in a web management interface. The miners consume 90%+ CPU across all affected servers, causing severe performance degradation for production workloads. The mining pool connections are obfuscated through DNS-over-HTTPS to avoid detection.
A senior database administrator who submitted their resignation 2 weeks ago is systematically exfiltrating customer data. The DBA is running bulk SELECT queries during off-hours, compressing the results, and uploading them to a personal cloud storage account via HTTPS. DLP sensors detect the anomalous data transfer patterns.
A zero-day remote code execution vulnerability in the Apache Struts framework is being actively exploited against the organization's public-facing Java applications. The EDR detects suspicious process execution patterns consistent with the exploit. CISA has not yet issued an advisory but threat intel feeds show active exploitation in the wild.
A popular NPM package used across the organization's Node.js microservices is compromised via a maintainer account takeover. The malicious version exfiltrates environment variables (including database credentials and API keys) to an attacker-controlled endpoint. The compromised package was automatically pulled in during a routine CI/CD build.
An attacker performs a SIM swap attack on the CEO's mobile carrier to intercept SMS-based MFA codes. Using previously phished credentials and the intercepted MFA codes, the attacker gains access to the CEO's email, financial systems, and wire transfer approval authority. The attacker initiates a fraudulent wire transfer for $2.4M.
An attacker with a low-privilege shell exploits a misconfigured sudoers entry that allows NOPASSWD execution of a text editor (vim). The attacker uses vim's shell escape to gain root access on 4 production servers. The misconfiguration was deployed via Ansible to all servers in the 'webservers' group.
A distributed botnet launches a coordinated brute force SSH attack against the organization's public-facing servers, generating over 50,000 login attempts per hour from 2,000+ unique IP addresses. Several service accounts with weak passwords are compromised. The attackers establish reverse shells on 3 servers.
A firewall policy update pushed to 8 client firewalls fails on 3 of them, leaving those clients with an incomplete ruleset that allows unrestricted outbound traffic. The policy push failure went unnoticed because the management platform showed a false success status.
A client's VPN credentials are found on a dark web dump. Unauthorized connections are detected from foreign IPs through the client's site-to-site VPN tunnel. The attacker is pivoting through the VPN to access internal resources. Immediate tunnel teardown and credential rotation are required.
Ransomware (LockBit 3.0 variant) is detected spreading laterally via SMB (port 445) from a compromised workstation. The malware is encrypting shared drives and attempting to reach backup servers. 3 file servers are already affected. EDR alerts are firing, but automated containment is not configured.
Every scenario is tested against Corax's Neural Engine in a production environment with AI-powered root cause analysis.
Tests run continuously as new infrastructure patterns are added.