Infrastructure Scenario Tests

We test Corax against real-world infrastructure failures across every vendor, platform, and scenario. Browse the results below.

Total Tests: 21,502
Pass Rate: 100.0%
Passed: 21,502
Failed: 0

WatchGuard AuthPoint MFA Outage

PASS

The WatchGuard AuthPoint cloud MFA service becomes unreachable, preventing all multi-factor authentication for VPN, web applications, and network access across the organization.

Security | Pattern: SERVER_ERROR | Severity: CRITICAL | Confidence: 85% | Remote Hands | 21 correlated

Sophos Intercept X False Positive Blocking Business App

PASS

Sophos Intercept X behavioral analysis blocks a legitimate custom in-house application as ransomware due to its file encryption behavior (the app encrypts documents for secure transfer), preventing a critical business process.

Security | Pattern: UNKNOWN | Severity: CRITICAL | Confidence: 95% | Remote Hands | 21 correlated

Sophos Central EDR Quarantine Storm

PASS

A Sophos Central Intercept X update causes the EDR engine to quarantine a critical Windows system DLL across all managed endpoints, rendering 300 workstations unable to run key business applications.

Security | Pattern: UNKNOWN | Severity: CRITICAL | Confidence: 95% | Remote Hands | 20 correlated

Sophos XG WAF Rule Blocking Customer Portal

PASS

A Sophos XG 330 web application protection rule blocks legitimate customer portal traffic by flagging JSON API payloads as SQL injection attempts, preventing all customer-facing operations.

Security | Pattern: UNKNOWN | Severity: CRITICAL | Confidence: 95% | Remote Hands | 21 correlated

Cryptojacking on Production Servers — CPU Exhaustion

PASS

An attacker deploys cryptocurrency mining malware on 5 production servers after exploiting an unpatched vulnerability in a web management interface. The miners consume 90%+ CPU across all affected servers, causing severe performance degradation for production workloads. The mining pool connections are obfuscated through DNS-over-HTTPS to avoid detection.

Security | Pattern: HIGH_CPU | Severity: CRITICAL | Confidence: 95% | Auto-Heal | 57 correlated

Insider Threat — Systematic Data Exfiltration by Departing Employee

PASS

A senior database administrator who submitted their resignation 2 weeks ago is systematically exfiltrating customer data. The DBA is running bulk SELECT queries during off-hours, compressing the results, and uploading them to a personal cloud storage account via HTTPS. DLP sensors detect the anomalous data transfer patterns.

Security | Pattern: UNKNOWN | Severity: CRITICAL | Confidence: 95% | Remote Hands | 47 correlated

Zero-Day Exploit Detected — Active Exploitation of Unpatched Vulnerability

PASS

A zero-day remote code execution vulnerability in the Apache Struts framework is being actively exploited against the organization's public-facing Java applications. The EDR detects suspicious process execution patterns consistent with the exploit. CISA has not yet issued an advisory but threat intel feeds show active exploitation in the wild.

Security | Pattern: UNKNOWN | Severity: CRITICAL | Confidence: 95% | Remote Hands | 46 correlated

Supply Chain Compromise — Malicious NPM Package

PASS

A popular NPM package used across the organization's Node.js microservices is compromised via a maintainer account takeover. The malicious version exfiltrates environment variables (including database credentials and API keys) to an attacker-controlled endpoint. The compromised package was automatically pulled in during a routine CI/CD build.

Security | Pattern: UNKNOWN | Severity: CRITICAL | Confidence: 95% | Remote Hands | 42 correlated

MFA Bypass via SIM Swap — Executive Account Takeover

PASS

An attacker performs a SIM swap attack on the CEO's mobile carrier to intercept SMS-based MFA codes. Using previously phished credentials and the intercepted MFA codes, the attacker gains access to the CEO's email, financial systems, and wire transfer approval authority. The attacker initiates a fraudulent wire transfer for $2.4M.

Security | Pattern: UNKNOWN | Severity: CRITICAL | Confidence: 95% | Remote Hands | 42 correlated

Privilege Escalation via Sudo Misconfiguration

PASS

An attacker with a low-privilege shell exploits a misconfigured sudoers entry that allows NOPASSWD execution of a text editor (vim). The attacker uses vim's shell escape to gain root access on 4 production servers. The misconfiguration was deployed via Ansible to all servers in the 'webservers' group.

Security | Pattern: UNKNOWN | Severity: CRITICAL | Confidence: 95% | Remote Hands | 42 correlated

Brute Force SSH Attack — Distributed Botnet

PASS

A distributed botnet launches a coordinated brute force SSH attack against the organization's public-facing servers, generating over 50,000 login attempts per hour from 2,000+ unique IP addresses. Several service accounts with weak passwords are compromised, and the attackers establish reverse shells on 3 servers.

Security | Pattern: UNKNOWN | Severity: CRITICAL | Confidence: 85% | Remote Hands | 51 correlated

Managed Firewall Policy Push Failure — Client Exposed

PASS

A firewall policy update pushed to 8 client firewalls fails on 3 of them, leaving those clients with an incomplete ruleset that allows unrestricted outbound traffic. The policy push failure went unnoticed because the management platform showed a false success status.

Security | Pattern: FIREWALL_RULE_BLOCK | Severity: CRITICAL | Confidence: 85% | Remote Hands | 36 correlated

Client VPN Credential Compromise — Unauthorized Access

PASS

A client's VPN credentials are found in a dark web dump. Unauthorized connections are detected from foreign IPs through the client's site-to-site VPN tunnel, and the attacker is pivoting through the VPN to access internal resources. Immediate tunnel teardown and credential rotation are required.

Security | Pattern: VPN_TUNNEL_DOWN | Severity: CRITICAL | Confidence: 90% | Remote Hands | 42 correlated

Ransomware Lateral Movement via SMB

PASS

Ransomware (LockBit 3.0 variant) is detected spreading laterally via SMB (port 445) from a compromised workstation. The malware is encrypting shared drives and attempting to reach backup servers; 3 file servers are already affected. EDR alerts are firing, but automated containment is not configured.

Security | Pattern: UNKNOWN | Severity: CRITICAL | Confidence: 95% | Remote Hands | 57 correlated

Multi-Tenant DNS Poisoning Attack

PASS

An attacker compromises the internal DNS server and injects fraudulent A records for banking and M365 login pages. Users are redirected to phishing pages that harvest credentials. The poisoned cache affects 3 client tenants on the MSP's shared DNS infrastructure.

Security | Pattern: UNKNOWN | Severity: CRITICAL | Confidence: 95% | Remote Hands | 56 correlated

Ransomware Encryption Detected on File Server

PASS

A ransomware attack is actively encrypting files on the primary file server. Hundreds of files are being renamed with a .encrypted extension, and multiple users report locked files. The attack originated from a phished employee workstation.

Security | Pattern: UNKNOWN | Severity: CRITICAL | Confidence: 95% | Remote Hands | 13 correlated

Every scenario is tested against Corax's Neural Engine in a production environment with AI-powered root cause analysis.

Tests run continuously as new infrastructure patterns are added.