Attendee view — what you’d normally see
You’re looking at the locked record state — the drill is finished, the facilitator has hit Lock, and Claude has already generated the AI Coaching panel below. In a live drill, attendees see:
- Live data — the drill clock, the current inject, and delivery status update every 3 seconds without refreshing. When the facilitator pauses, your clock freezes too. Open this URL on a TV or hand it to security leadership and they follow the room without screen-sharing.
- Pick your role first, then answer each inject. The facilitator hands you a separate Participant URL; on landing you select your role from your tenant’s org-shape roster (e.g., M365 Admin, VP IT, External IR Retainer). Each inject then has a text box where you submit your own written answer. Submissions stream onto the facilitator’s screen in real time with your selected role attached — when the facilitator Drops the inject, your role-tagged response is locked into the auditor evidence record alongside the team’s consensus answer. Auditors get full attribution: which role said what, at which T+N drill-clock minute.
- AI Coaching only unlocks after the facilitator hits Lock — Claude reviews every team response, every score, and the per-inject pacing, then writes the coaching panel you see further down. It’s pre-populated here so you can see the full post-lock view; in a real drill the panel would be blank with a “Generating AI coaching feedback…” spinner for ~30-60 seconds after Lock.
Legacy-auth bypass leads to mass mailbox exfiltration
Your scan revealed legacy auth still permitted on 14 active users — this scenario exercises what happens when an attacker exploits that gap.
Drill is locked
The facilitator has locked the session. The full evidence record — including all team responses, scoring, and the per-inject pacing audit — is now available at the canonical session URL.
AI Coaching
Strong
The team executed a competent containment-first response under pressure, recognizing the legacy-auth gap as the root cause within the first 10 minutes and pushing a Conditional Access block before the attacker could pivot beyond the initial five mailboxes. Detection time was strong (sub-15-minute paging from the SOC alert) and the §164.402 4-factor analysis was invoked correctly when Legal joined — both rare in first-run drills. Where the team lost points was on eradication completeness (inbox-rule sweep was scoped to the five known-affected mailboxes only, not the full finance org) and on the AP queue audit that surfaced the $84K wire — recovery validation was reactive rather than systematic.
Adequate would have been containment + 4-factor without the eradication and recovery gaps; exemplary would have required systematic eradication sweep + proactive AP queue audit. Strong reflects competent execution with predictable first-run gaps.
Top strengths
- Detection-to-paging within 15 minutes — well inside SOC SLA targets
- Containment decision was technically correct AND fast (CA block for legacy auth, not a panic disable of all finance accounts)
- §164.402 4-factor framework invoked deliberately when PHI question surfaced — not after-the-fact retrofit
Top gaps
- Inbox-rule eradication scoped to known-affected mailboxes only — hidden rules on adjacent finance accounts may still be live
- AP queue audit was triggered by a single noticed invoice, not a systematic sweep — other modified-banking-instructions invoices may still be pending
- Communications cascade was discussed but ownership was ambiguous — no named owner for board notification
Per-inject feedback (5 injects)
Inject 1 (T+10 min)
What went well: IC made the right call (CA block for legacy auth) within the 90-second window the inject required. No paralysis-by-analysis.
What fell short: The decision to observe vs immediately block was not explicitly weighed — IC defaulted to block. In a real attacker scenario where the entry vector is ambiguous, that bias could lock you out of forensic visibility.
Coaching: Next drill, force the IC to verbalize the observe-vs-contain tradeoff out loud, even when the answer is obviously containment. Building that muscle for the ambiguous cases starts with the obvious ones.
Inject 2 (T+25 min)
What went well: Legal invoked the §164.402 4-factor framework by name. Documentation was specific (nature of PHI, who accessed, mitigation, probability) — not just hand-waving 'we should probably analyze breach.'
What fell short: Documentation captured the factors but not the decision timestamps. Auditors look for 'when was each factor analyzed' — that's where breach-notification clocks start.
Coaching: Add a one-line timestamp capture to your IR template: 'Factor N analyzed at HH:MM by [name]'. Free; massive auditor value.
Inject 3 (T+40 min)
What went well: Wire recall procedure was invoked within minutes of discovery — bank window is 24h, you used 15 minutes of it.
What fell short: AP queue audit was reactive: 'this one invoice was bad, let's check this one.' No systematic sweep of all open invoices for banking-instruction changes. A real BEC attacker would have modified multiple invoices.
Coaching: Build a one-page AP audit checklist for incident response: 'list all open invoices, sort by banking-instruction-change date, verify vendor of any change in last N days by phone.' Pre-built, not invented under pressure.
Inject 4 (T+55 min)
What went well: Communications cascade audiences were correctly identified (employees, board, customers, regulators).
What fell short: No named owner per audience. 'Comms will handle' is not a plan — auditors and the board want a name next to each line. The compromised VP was identified as needing personal notification but no one volunteered to make that call.
Coaching: Bake named-owner-per-audience into your IR plan. The drill is the place where you discover whose name should be there before a real incident.
Inject 5 (T+75 min)
What went well: Team self-rated honestly — no defensive over-scoring. The eradication and AP queue gaps were called out by the team before the facilitator surfaced them.
What fell short: Self-rating was qualitative ('that part was rough') rather than calibrated against the rubric thresholds. Threshold definitions exist for a reason.
Coaching: For the closing debrief, hand each participant a copy of the rubric thresholds. Self-score is more useful when calibrated to the same anchor the facilitator uses.
Per-criterion scoring calibration (6 criteria)
Detection time (alert → IC paged)
4 is correct. Sub-15-min paging matches the threshold; would have been 5 with sub-5-min (SOC tooling needs better escalation routing for a clean 5).
Containment decision quality
4 is appropriate. Correct technical block with slight delay on the observe-vs-contain conversation. A 5 requires both correct AND fast AND verbally weighing the alternative.
Eradication completeness
3 is generous; could argue 2. Affected accounts were addressed but no broader sweep. The threshold for 3 is 'affected accounts addressed but no broader sweep' — exactly what happened. Borderline.
§164.402 4-factor analysis
5 is correct. All 4 factors documented with evidence; the only omission is the per-factor timestamps, which is a minor refinement, not a structural gap.
Communication cascade
3 is correct. Audiences identified, owners ambiguous — exact threshold definition. A 4 requires owner names; a 5 requires owners + timing per audience.
Recovery validation
3 is correct. Wire recall attempted, no broader queue audit. Threshold 4 requires affected-invoice reconciliation; 5 requires the full AP queue audit + vendor banking re-validation.
Top-3 IR plan recommendations
Build pre-baked AP queue audit checklist for incident response
The team invented the AP audit procedure under pressure during the drill. In a real incident, the BEC window is hours, not days — having the checklist pre-built is the difference between catching the second $84K wire and missing it.
Owner: Finance + IR retainer (joint owner) · Effort: S · NIST CSF RS.AN-3 · SOC 2 CC7.4
Add named owner per audience to the communications cascade in the IR plan
Cascade was discussed but ambiguity on ownership is the most common reason notification deadlines slip. The drill surfaced this; bake it into the plan before the real one.
Owner: Communications lead · Effort: S · NIST CSF RS.CO · HIPAA §164.404
Systematize the inbox-rule eradication sweep across the full finance org, not just affected mailboxes
Hidden inbox rules pre-position attackers for the next campaign. Scoping the sweep to known-affected accounts is the well-traveled mistake — the drill surfaced it without consequence; codify the correction before the real incident.
Owner: Identity / IT lead · Effort: M · NIST CSF DE.CM-7 · ISO 27001 A.5.24
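One way to run the org-wide sweep this recommendation describes, as an added example that is not part of the drill record or the product behind it. It assumes the ExchangeOnlineManagement module, an account permitted to read inbox rules tenant-wide, and a Department attribute value of 'Finance' as the scope of the finance org; the folder names and payment vocabulary it keys on are heuristics, not a standard.

```powershell
# Added example, not part of the drill record or its product: enumerate every
# finance-org mailbox for inbox rules that forward, redirect, delete or hide
# mail. Widening the sweep past the five known-affected mailboxes is the
# eradication gap the coaching panel called out.
# Assumptions: ExchangeOnlineManagement installed, a role that can read inbox
# rules for all mailboxes, and Department = 'Finance' as the org scope.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

$Scope = Get-User -ResultSize Unlimited -Filter "Department -eq 'Finance'" |
    Where-Object { $_.RecipientType -eq 'UserMailbox' }

$Findings = foreach ($user in $Scope) {
    # -IncludeHidden returns rules flagged hidden, which Outlook's rule dialog does not list
    $rules = Get-InboxRule -Mailbox $user.UserPrincipalName -IncludeHidden -ErrorAction SilentlyContinue
    foreach ($rule in $rules) {
        $reasons = @()
        if ($rule.ForwardTo -or $rule.ForwardAsAttachmentTo -or $rule.RedirectTo) {
            $reasons += 'forwards or redirects mail'
        }
        if ($rule.DeleteMessage) { $reasons += 'deletes matching mail' }
        # Folders attackers commonly use to park mail the owner never opens (heuristic list)
        if ($rule.MoveToFolder -and $rule.MoveToFolder -match 'RSS|Conversation History|Archive|Junk') {
            $reasons += "moves mail to $($rule.MoveToFolder)"
        }
        if ($rule.MarkAsRead) { $reasons += 'marks mail as read' }
        # Subject triggers that suggest the rule is watching for payment traffic (heuristic list)
        if (($rule.SubjectContainsWords -join ' ') -match 'invoice|wire|payment|bank|remit') {
            $reasons += 'keys on payment vocabulary'
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Mailbox  = $user.UserPrincipalName
                Rule     = $rule.Name
                Enabled  = $rule.Enabled
                Reasons  = $reasons -join '; '
                Identity = $rule.RuleIdentity
            }
        }
    }
}

# On-screen triage list plus a CSV for the evidence record
$Findings | Sort-Object Mailbox, Rule | Format-Table -AutoSize
$Findings | Export-Csv -Path .\inbox-rule-sweep.csv -NoTypeInformation
```

Triage the CSV before disabling anything with Disable-InboxRule, since legitimate delegation and assistant forwarding rules will appear in the same list.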
Pacing observation
Pacing was tight — 22s average drift positive (slightly late) is well within the on-time band. The team did not rush past injects but also didn't stall. The +75 min wrap-up inject ran 4 minutes long because the self-rating discussion was substantive; that's good drill discipline, not a problem.
Drill duration: 1:08:42 · Avg drift: 22s
Generated by claude-haiku-4-5-20251001 on May 10, 2026, 15:42:18 UTC. SHA-256: sha256:9b2e4c1a8f7d6e3b4a2c5e7f9a1b3d5e7f9b1c3d5e7f9a1b3d5e7f9a1b3d5e7f
Inject timeline
Read-only view of every inject and whether the facilitator has delivered it yet. Spectators do not see the “Expected action” lines — those stay with the facilitator until the post-drill debrief.
- 1. T+10 min (✓ Past)
Your SOC analyst pages the on-call IC at 06:52 UTC: 'I see IMAP sign-ins for 5 finance users in the last 10 minutes from a single IP block. They all succeeded MFA bypass. What do you want me to do?' The IC has 90 seconds to give a containment instruction.
advanced past at T+10:00
- 2. T+25 min (✓ Past)
Legal joins the bridge. They ask: 'Was any PHI in the affected mailboxes?' Two of the five mailboxes have HR records that include health benefit elections. Facilitator note (added in v1): if the team cannot answer within the inject window, the IR pre-built escalation tree applies — escalate to the named owner one tier above before the response runs over.
advanced past at T+25:00
- 3. T+40 min (✓ Past)
Finance team lead notices an invoice they processed yesterday had banking instructions that don't match the vendor's last-known account. The wire was sent. Amount: $84,000.
advanced past at T+40:00
- 4. T+55 min (✓ Past)
Communications lead asks: 'When do we tell employees? Customers? The board?' The compromised VP is going to need to know they were the entry point.
advanced past at T+55:00
- 5. T+75 min (▶ Active, currently discussing)
Wrap-up: hand each participant the scoring rubric and ask for a 1–5 rating on each criterion based on the team's performance during the tabletop.
Spectator view is read-only. Team responses, scoring, and the facilitator’s “Expected action” reference text are not shown here — they live on the runner page and become part of the locked record. To facilitate the drill, open the runner instead.
