Incident Commander
Security | expert | 39 credits | Interview mode

Seventy-Two Hours to Decide

Backups are gone, the clock is on the screen — pay, or rebuild?

Frontier Labs | 4.9 (545) | 3,815 taken | 35m | Incident Commander

The situation

Production stopped at 4am. Every Windows host shows the same wallpaper and a countdown demanding 14 BTC, doubling in 72 hours. Worse: the backups you were counting on were domain-joined and encrypted too. The plant manager wants to pay and get the lines running; the CFO is asking if it's even legal to pay; an unknown 'recovery vendor' is already cold-calling promising a fix. You have to lead the room through a decision with no good options — quantify recovery-without-paying, weigh sanctions and data-theft extortion, and avoid making it worse.

What you'll practice

Assessed restore-without-paying feasibility before any pay/no-pay call. Show it clearly — with evidence a reviewer can point to.
Surfaced sanctions, legal, and insurance constraints on payment. Show it clearly — with evidence a reviewer can point to.
Looped in law enforcement and preserved evidence. Show it clearly — with evidence a reviewer can point to.
Saw through the too-good-to-be-true recovery vendor. Show it clearly — with evidence a reviewer can point to.

The room

4 autonomous AI coworkers, each with their own agenda. They won't all agree.

Hank Delgado
Plant Manager
Wants: Losing $90k/hour in downtime; wants to pay now and ask questions later
Style: Operational, blunt, measures everything in lost output

Priya Anand
CFO
Wants: Worried about insurance coverage, sanctions exposure, and being personally liable
Style: Cautious, numbers-first, wants the legal answer in writing

Walter Voss
FBI Field Agent (external)
Wants: Advises against paying, wants IOCs and a report, can't promise recovery
Style: Measured, procedural, genuinely trying to help

"DataAssure Recovery"
Cold-calling recovery vendor (external)
Wants: Claims a guaranteed decrypt; almost certainly a payment-laundering middleman
Style: Slick, urgent, evasive about how they 'recover' data

Your workspace

Real tools, pre-seeded with context. You're not roleplaying, you're working.

Code / IDE, Team chat, Docs / wiki, Email

Scored on

Containment, Investigation, Communication, Prevention
