Demo Mode

Every screen, flow, export, and remediation path is the real Veri-Guard product. The specific findings, scores, and runbooks shown are curated to illustrate a typical before/after story. Your tenant scan produces your own numbers.

Drill bundle · Veri-Vault · midmarket · 7 roles · 6-year WORM retention

Ransomware encrypts production AND attempts to encrypt backup vault

Your Vault posture shows 30-day WORM and 28 days since last restore test. This scenario exercises the restore decision tree under time pressure with a sophisticated attacker.

NIST CSF: Recover (RC.RP, RC.IM)
Generated at: May 7, 2026, 14:32 UTC
Source job
Source checksum

Run drill — live (demo)

Try the live drill runner — timer, inject Drop buttons, response capture, scoring rubric, the lock flow, AI Coaching feedback simulation, and the spectator URL handoff for attendees. No tokens consumed; no audit record produced. The lock will synthesize a real-looking session checksum (browser SHA-256) so you can see the locked-evidence view.

Bundle versions & edit history

Draft · editable

This drill bundle is editable until the first session is created. Each save appends a new version (v1, v2, …) with a SHA-256 captured in the audit chain — auditors can see exactly what changed, when, and by whom. The first Run drill click freezes the bundle: whatever version is active at that moment becomes the locked auditor-evidence source for every session that follows.

Sessions started right now will run against v1. The bundle freezes at v1 the first time someone clicks Run drill — make any edits before then.

Veri-Vault · v1.0.0

NIST CSF · ISO 27001 A.5.30 · SOC 2 A1.2 · HIPAA §164.308(a)(7)(ii)(B)

NIST CSF: Recover (RC.RP, RC.IM)
Duration: 90 minutes (DR tabletops run long because RPO/RTO + restore-validation are real)
Injects: 6 timed
Rubric: 6 criteria

On a Sunday at 03:42 UTC, a ransomware operator with prior persistence in your environment triggers encryption across 4 file servers, 12 database hosts, and the M365 tenant's SharePoint sites. By 04:15 UTC, your monitoring tools page on-call. By 04:30, you've isolated the affected network segments. At 05:02, the attacker — who clearly knows you have Veri-Vault — attempts to authenticate against the Vault management plane using a stolen privileged identity. Your immutability window saves you: writes to existing backups are denied. But the attacker can attempt to *delete* the Vault if they reach a sufficiently privileged identity. They don't, today. Now you face the actual question: do you pay, or do you restore?

Threat actor: Sophisticated ransomware operator (Conti-affiliate or similar). Goal: ransom payment. Has researched your Vault posture before encrypting.

Attack chain

  1. Pre-encryption recon: Attacker has had persistence for 11 days. Uses time to map Vault's protection model: WORM window, immutability period, who has delete rights.
  2. Encryption: Triggers encryption across production. Demands ransom: $4.2M in 48 hours; $8.4M after.
  3. Vault attack attempt: Attempts to authenticate to Vault management plane to delete or encrypt backups. WORM denies writes; delete-attempt requires privilege the attacker has not yet escalated to.
  4. Decision point: You have backups. They survive the attack. Question becomes: how fast can you actually restore, what data was post-last-backup, and is your restored environment safe to bring back online?

Affected assets

  • 4 file servers (~8TB user data)
  • 12 database hosts (production + 2 staging)
  • M365 SharePoint sites (~2TB document libraries)
  • Email continuity (mail flow at risk if Exchange Online compromised — separate scope)
  • Customer-facing application (24-hour downtime threshold before SLA breach)

Vault posture

  • Last successful restore test: 28 days ago. Restore time and integrity not validated under current configuration.
  • Immutability window: 30 days WORM. Adequate for typical attacker dwell time but no margin if response is delayed.
  • Backup age: Newest: 2 hours; Oldest: 13 days. Recent enough to limit data loss; full coverage.
  • Coverage: Veri-Guard + Veri-Tune configurations only. File servers + DB hosts NOT in Vault; restored from separate backup product (out of Vault scope).

Generated from Veri-Vault posture snapshot on 2026-05-07 (47 backups, 28 days since last restore test). This is facilitator material — verify scenario specifics against your environment before use. Veri-Tech does not warrant scenario fitness for any specific audit framework; pair with the Vault posture report (which IS recoverability evidence) and your own DR/BC plan.

AI generation provenance

Model: claude-haiku-4-5-20251001
Template version: v1.0.0
Generated at: May 7, 2026, 14:32 UTC
Org-shape snapshot: midmarket · 7 roles (frozen at generation time)

Auditors verify AI-generation lineage by reading _manifest.json in the source bundle (full token + cache accounting, generation timestamps, SHA-256 cross-references). The auditor ZIP carries it verbatim.

Auditor-grade artifacts

The three audience-tailored downloads below are demo replicas of what a locked session would produce — full Team Debrief PDF, board-packet Executive Brief PDF, and the Auditor ZIP with bundle audit chain + SHA-256 cross-references. The locked session backing these demo artifacts is pre-populated with realistic responses + scores so the PDFs render against meaningful content. Production artifacts ship with a 6-year WORM retention contract on a real Vault tenant; these are clearly watermarked as demo.

Edit history

Draft (editable)

Active version: v1. No sessions have been created yet — the bundle is still editable. The chain freezes at the first session creation.

  1. v1 · Facilitator save · May 7, 2026, 14:42 UTC
    By: demo.facilitator@veri-tech.net
    Bundle hash: sha256:b9d4c8e3f2a1
    Change note: Tightened the T+25 min inject + added missing vendor-coordination workload to the IR plan
    Fields changed (1): injects[1].content
  2. v0 · AI baseline · May 7, 2026, 14:32 UTC
    By: claude-haiku-4-5-20251001
    Bundle hash: sha256:a8c3b7f2e1d9

Each version’s SHA-256 is captured in the IrTabletopBundleEdited / IrTabletopBundleFrozen audit events (App Insights, 6yr retention) and exported into the auditor ZIP’s manifest.json.

Demo mode: editable-draft saves never touch a server, no Anthropic tokens are consumed, and downloads carry a “DEMO ARTIFACT” watermark in their manifest disclaimer. In production: each save POSTs to /api/ir-tabletop-bundles/{drillId}/versions, computes a real server-side diff + SHA-256, appends to the WORM-protected audit chain, and emits an IrTabletopBundleEdited App Insights event with 6-year retention.