Personal phone with no MAM policy leaks corporate Outlook cache
Your scan flagged 38 personal devices accessing corporate mail without an App Protection Policy — this scenario walks through what happens when one is stolen.
- NIST CSF: Protect (PR.PT)
- Generated at: May 7, 2026, 14:32 UTC
- Source job: demo-tune-0419
- Source checksum: sha256:b39c…2af0
Run drill — live (demo)
Try the live drill runner — timer, inject Drop buttons, response capture, scoring rubric, the lock flow, AI Coaching feedback simulation, and the spectator URL handoff for attendees. No tokens consumed; no audit record produced. The lock will synthesize a real-looking session checksum (browser SHA-256) so you can see the locked-evidence view.
Bundle versions & edit history
Draft · editable
This drill bundle is editable until the first session is created. Each save appends a new version (v1, v2, …) with a SHA-256 captured in the audit chain — auditors can see exactly what changed, when, and by whom. The first Run drill click freezes the bundle: whatever version is active at that moment becomes the locked auditor-evidence source for every session that follows.
Sessions started right now will run against v1. The bundle freezes at v1 the first time someone clicks Run drill — make any edits before then.
Veri-Tune · v1.0.0
Protect (PR.PT)
60 minutes
5 timed
6 criteria
On a Friday evening, a senior engineer's personal Android phone is stolen at a transit station. The phone has Outlook for Android installed, signed in to corporate identity, with 14 days of cached mail including draft RFP responses and a board-deck PDF. The phone is unlocked when stolen (the engineer was actively using it). Your scan showed the device is enrolled in compliance reporting but has NO App Protection Policy applied — meaning the corporate data on the device is not encrypted at rest by the corporate-controlled key, and a remote wipe would only work if the device is online and we can locate it.
Threat actor: Opportunistic theft, low-skill. Phone may be wiped and resold OR data may be exfiltrated if the thief is more sophisticated than typical.
Attack chain
1. Initial access: Phone stolen unlocked at transit station. Outlook is the front-most app.
2. Data discovery: Thief (or buyer) explores the Outlook cache. 14 days of mail are visible without re-authentication because the session is active.
3. Exfiltration: Cached attachments (board deck PDF, RFP drafts) are downloadable via 'Save to Photos' and can then be uploaded to attacker cloud storage.
4. Persistence (optional): If the thief is sophisticated, they install a forwarding rule from the device, gaining persistent visibility into mail until detected.
Affected assets
- Senior engineer's corporate mailbox (90 days mail history accessible via cache + reauth)
- Board deck PDF (revenue projections + planned acquisitions)
- RFP response drafts (competitive intelligence)
- Cached calendar with attendee names + meeting subjects
Linked scan findings
| Control ID | Severity | Finding |
|---|---|---|
| INT-AP-001 | High | App Protection Policy not applied to BYOD Android devices accessing corporate Outlook |
| INT-CA-014 | High | Conditional Access does not require app-protection state for Outlook mobile |
| INT-CMP-007 | Medium | Device compliance reporting enabled but no policy enforcement |
Generated from Veri-Tune scan demo-tune-0419 on 2026-05-07. This is facilitator material — verify scenario specifics against your tenant before use. Veri-Tech does not warrant scenario fitness for any specific audit framework; pair with the source scan job (which IS auditor evidence) and your own IR plan.
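One way to check a tenant for the gap behind INT-CA-014, as an added example rather than Veri-Tune's own scan logic. It assumes policies exported in the Microsoft Graph conditionalAccessPolicy JSON shape, where `compliantApplication` is the "Require app protection policy" grant control; the function names and `SAMPLE_POLICIES` are constructed for illustration, and user or group scoping is not evaluated.

```python
# Added example (not Veri-Tune code). Policies follow the Microsoft Graph
# conditionalAccessPolicy JSON shape; SAMPLE_POLICIES is constructed data.
EXCHANGE_ONLINE = "00000002-0000-0ff1-ce00-000000000000"
MAIL_APPS = {"All", "Office365", EXCHANGE_ONLINE}
REPORT_ONLY = "enabledForReportingButNotEnforced"

def applies_to(policy, platform):
    """True if an enforced policy covers mail access from `platform`."""
    if policy.get("state") != "enabled":
        return False  # disabled and report-only policies enforce nothing
    cond = policy.get("conditions") or {}
    apps = (cond.get("applications") or {}).get("includeApplications") or []
    if not MAIL_APPS & set(apps):
        return False
    plat = cond.get("platforms")
    if not plat:
        return True  # no platform condition: applies to every platform
    included = plat.get("includePlatforms") or []
    excluded = plat.get("excludePlatforms") or []
    return (platform in included or "all" in included) and platform not in excluded

def requires_app_protection(policy):
    """True only if the grant cannot be satisfied without app protection."""
    grant = policy.get("grantControls") or {}
    controls = grant.get("builtInControls") or []
    if "compliantApplication" not in controls:
        return False
    # Under OR any single listed control is enough, so MFA alone would pass.
    return grant.get("operator") == "AND" or controls == ["compliantApplication"]

def unprotected_platforms(policies, platforms=("android", "iOS")):
    """Platforms where no enforced policy makes app protection mandatory."""
    return [p for p in platforms
            if not any(applies_to(pol, p) and requires_app_protection(pol)
                       for pol in policies)]

def _policy(state, platforms, operator, controls):  # builds constructed samples
    return {"state": state,
            "conditions": {"applications": {"includeApplications": ["Office365"]},
                           "platforms": {"includePlatforms": platforms}},
            "grantControls": {"operator": operator, "builtInControls": controls}}

SAMPLE_POLICIES = [
    _policy("enabled", ["android", "iOS"], "OR", ["mfa", "compliantApplication"]),
    _policy("enabled", ["iOS"], "OR", ["compliantApplication"]),
    _policy(REPORT_ONLY, ["android"], "AND", ["mfa", "compliantApplication"]),
]
```

On the constructed sample, `unprotected_platforms(SAMPLE_POLICIES)` reports Android: the first policy lets MFA alone satisfy the grant, and the Android-specific policy is report-only.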
AI generation provenance
- Model: claude-haiku-4-5-20251001
- Template version: v1.0.0
- Generated at: May 7, 2026, 14:32 UTC
- Org-shape snapshot: midmarket · 7 roles frozen at generation time
Auditors verify AI-generation lineage by reading _manifest.json in the source bundle (full token + cache accounting, generation timestamps, SHA-256 cross-references). The auditor ZIP carries it verbatim.
Auditor-grade artifacts
The three audience-tailored downloads below are demo replicas of what a locked session would produce — full Team Debrief PDF, board-packet Executive Brief PDF, and the Auditor ZIP with bundle audit chain + SHA-256 cross-references. The locked session backing these demo artifacts is pre-populated with realistic responses + scores so the PDFs render against meaningful content. Production artifacts ship with a 6-year WORM retention contract on a real Vault tenant; these are clearly watermarked as demo.
Edit history
Draft (editable)
Active version: v1. No sessions have been created yet — the bundle is still editable. The chain freezes at the first session creation.
- v1 · Facilitator save · May 7, 2026, 14:42 UTC
  - By: demo.facilitator@veri-tech.net
  - Bundle hash: sha256:b9d4c8e3f2a1…
  - “Tightened the T+25 min inject + added missing vendor-coordination workload to the IR plan”
  - Fields changed (1): injects[1].content
- v0 · AI baseline · May 7, 2026, 14:32 UTC
  - By: claude-haiku-4-5-20251001
  - Bundle hash: sha256:a8c3b7f2e1d9…
Each version’s SHA-256 is captured in the IrTabletopBundleEdited / IrTabletopBundleFrozen audit events (App Insights, 6yr retention) and exported into the auditor ZIP’s manifest.json.
Demo mode: editable-drafts saves never touch a server, no Anthropic tokens are consumed, downloads carry a “DEMO ARTIFACT” watermark in their manifest disclaimer. In production: each save POSTs to /api/ir-tabletop-bundles/{drillId}/versions, computes a real server-side diff + SHA-256, appends to the WORM-protected audit chain, and emits an IrTabletopBundleEdited App Insights event with 6-year retention.
