We test Corax against real-world infrastructure failures across every vendor, platform, and scenario. Browse the results below.
The organization's internal CA intermediate certificate expires tomorrow. All internal services using certificates signed by this CA will fail TLS validation.
The SSL certificate for the main customer-facing website has expired. All HTTPS connections show browser warnings and HSTS-enabled clients cannot connect at all.
GitHub Secret Scanning detected production database credentials committed to a public repository. Credentials are for the production PostgreSQL instance.
A system update disabled UFW (Uncomplicated Firewall), exposing all ports to the network. The server now has 15 open ports that should be firewalled.
An unauthorized SSH public key was added to /root/.ssh/authorized_keys. The key does not match any known employee keys. Possibly from a compromised service account.
Multiple IP addresses are brute-forcing RDP on a Windows server exposed to the internet. 10 IPs are rotating through common username/password combinations.
A misconfigured Windows Firewall rule is allowing all inbound traffic on all ports. The rule was created by an installer and overrides the default block.
A single IP address is attempting SSH brute force login with 500+ attempts per minute. fail2ban is not installed. Root login is permitted.
A configuration rollback re-enabled TLS 1.0 and 1.1 on the production load balancer. PCI DSS compliance is violated, and vulnerability scanners are firing alerts.
The TLS secret used by the Kubernetes ingress controller has expired. All ingress routes are returning TLS errors.
The external OAuth2/OIDC identity provider (Okta) is experiencing a major outage. All SSO login attempts fail because the authorization endpoint is unreachable. Users cannot authenticate to any application that relies on Okta for SSO, affecting the entire organization.
A JWT signing key rotation was performed on the authentication service, but the new public key was not distributed to 4 of 7 microservices that validate tokens. These services are rejecting all tokens signed with the new key, while the auth service has stopped issuing tokens with the old key.
An automated vulnerability scan discovers a critical CVE with a CVSS score of 10.0 affecting the production web server software. The vulnerability allows unauthenticated remote code execution and has a known public exploit. The affected software is running on 15 production servers.
A quarterly security audit discovers that 23 production services are still offering deprecated cipher suites including RC4, DES, and 3DES. Several services also support TLS 1.0 and 1.1. This fails PCI DSS Requirement 4.1 and multiple CIS benchmarks.
An external penetration test discovers a critical remote code execution vulnerability in the production API through an unsanitized file upload endpoint. The pentester demonstrates full shell access to the application server and lateral movement to the database server.
A weekly CIS benchmark compliance scan detects that 43 production servers have drifted from their hardened baseline. An unauthorized configuration management change reverted SSH hardening, disabled audit logging, and re-enabled insecure protocols across the production fleet.
A GDPR compliance scan discovers that the automated data retention purge job has been silently skipping records due to a foreign key constraint error. 2.3 million EU user records past their retention period have not been deleted, violating the GDPR Article 5(1)(e) storage limitation principle.
An automated SOC 2 compliance scan discovers 14 terminated employee accounts that are still active across production systems. The offboarding automation failed silently for 3 months, and these accounts retain full production access including database admin and cloud console roles.
The centralized audit logging service for a healthcare application has been silently failing for 72 hours. No access logs for electronic protected health information (ePHI) were captured during this period, creating a HIPAA audit trail gap that must be reported and remediated.
A database scan discovers unencrypted cardholder data (primary account numbers) stored in a staging database that was never intended to be in PCI scope. A developer copied production data to staging for debugging without masking sensitive fields, violating PCI DSS Requirement 3.4.
Every scenario is tested against Corax's Neural Engine in a production environment with AI-powered root cause analysis.
Tests run continuously as new infrastructure patterns are added.