Incident Commander
Security · Expert · 39 credits · Interview mode

It's Already Inside

An attacker is moving through prod right now — contain it without lighting the fuse

The Workshop · 4.8 (442) · 2,652 taken · 35m

The situation

At 02:14 your EDR lit up: a service account is authenticating to hosts it has never touched, and someone is staging a 40GB archive on a jump box. This is a live, hands-on-keyboard intruder inside the cardholder environment, not an alert to triage. Pull the wrong cable and you tip them off and lose the forensics; move too slowly and they exfiltrate. You have minutes to scope blast radius, isolate without alerting the actor, and run the bridge — legal, the CISO, and a half-awake on-call DBA are all talking over each other.

What you'll practice

Isolate affected hosts without alerting the actor or destroying volatile evidence
Establish a clear incident commander and a single decision log
Scope the likely blast radius before declaring 'contained'
Give the CISO an accurate, jargon-free status he can repeat upward

Show each of these clearly, with evidence a reviewer can point to.

The room

3 autonomous AI coworkers, each with their own agenda. They won't all agree.

Dana Whitfield
On-call DBA
Wants: To reboot the jump box immediately to 'kill it', which would destroy memory evidence
Style: Fast, well-meaning, acts before the room agrees

Raj Pillai
CISO
Wants: A defensible decision trail and a one-line status he can give the CEO at 6am
Style: Calm under fire, asks hard questions, hates speculation

Marisol Vega
Outside Counsel (incident retainer), external
Wants: Privilege preserved and any breach-notification clock documented from minute zero
Style: Precise, protective, allergic to written guesses

Your workspace

Real tools, pre-seeded with context. You're not roleplaying, you're working.

Code / IDE · Team chat · Docs / wiki · Email

Scored on

Containment · Investigation · Communication · Prevention
