incident-response-trainer
Incident response training · Rule-based scoring
Over-Permissioned AI Connector Exfiltration
Track: Cybersecurity · Difficulty: hard · Critical asset
Scenario

Third-party AI connector with broad OAuth scopes read mailboxes and drive at scale

A hard Cybersecurity scenario on Over-Permissioned AI Connector Exfiltration.

Practice this scenario

Start a graded attempt against this scenario. Your response is scored by the same deterministic rubric used across the catalog. Email and evidence content stay hidden until you start.

Launches this exact scenario. One of 6 templates in this Track + Difficulty pool.

catalog id · ai-connector-overpermissioned-exfil

Training alignment

What this scenario practices, mapped to recognized frameworks.

Educational mapping only. Not a compliance attestation.

What this trains
  • Over-permissioned AI-connector containment
  • OAuth scope review and least-privilege re-onboarding
MITRE ATT&CK · mitre-attack
  • Data from Cloud Storage · Collection · T1530 · TA0009
    Mapped · High confidence

    Trains scoping of a connector reading drives/files at scale.

  • Email Collection · Collection · T1114 · TA0009
    Partial · Medium confidence

    Trains reasoning about tenant-wide mailbox reads by the connector.

MITRE D3FEND · mitre-d3fend
  • User Account Containment · D3-UAC
    Mapped · High confidence

    Trains revoking the over-permissioned app grant and its tokens.

  • User Account Permissions · D3-UAP
    Mapped · High confidence

    Trains least-privilege re-scoping of the OAuth connector.

NIST CSF 2.0 · nist-csf-2
  • Identity Management, Authentication and Access Control · Protect · PR.AA
    Mapped · High confidence

    Trains consent governance and least-privilege app access.

  • Incident Mitigation · Respond · RS.MI
    Mapped · Medium confidence

    Trains revoking grants and tokens to stop ongoing reads.

NIST SP 800-61r3 · nist-sp-800-61r3
  • IR lifecycle phase · Detection & Analysis
    Mapped · High confidence

    Trains bounding what the connector accessed despite partial logs.

  • IR lifecycle phase · Containment, Eradication & Recovery
    Mapped · High confidence

    Trains grant/token revocation and least-privilege re-onboarding.

CISA Cybersecurity Performance Goals · cisa-cpg
  • Vendor/Supplier Cybersecurity Requirements · 2.R
    Mapped · High confidence

    Trains third-party connector governance and a required DPA.

  • Detecting Relevant Threats and TTPs · 3.A
    Mapped · Medium confidence

    Trains detection of anomalous high-volume connector reads.
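The OAuth scope review listed under "What this trains" and the high-volume read detection this mapping describes, as an added Python example that is not part of the catalog or of the scenario's hidden evidence: it flags tenant-wide scopes in a set of app grants, flags app/hour buckets in which one client read many objects belonging to many different owners, and reports the observed exposure for the flagged app as a lower bound. The pipe-delimited audit-log format, the scope names, the app identifiers and the thresholds are assumptions constructed for illustration, not any vendor's schema.

```python
"""Triage helpers for an over-permissioned third-party OAuth connector.

Added example for this scenario, not code from the catalog. The audit-log
format (ts|app_id|actor|operation|target) and the scope names are constructed
assumptions, not any vendor's real schema.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumption: scopes ending in ".All" grant tenant-wide rather than per-user access.
BROAD_SCOPES = {"Mail.Read.All", "Files.Read.All", "Sites.Read.All", "Directory.Read.All"}


@dataclass(frozen=True)
class AuditEvent:
    ts: datetime
    app_id: str      # OAuth client the access token was issued to
    actor: str       # mailbox or drive owner whose data was read
    operation: str   # e.g. MailRead, FileRead
    target: str      # message or file identifier


def parse_line(line: str) -> AuditEvent:
    """Parse one constructed audit line of the form ts|app_id|actor|operation|target."""
    ts, app_id, actor, operation, target = line.strip().split("|")
    return AuditEvent(datetime.fromisoformat(ts), app_id, actor, operation, target)


def flag_broad_scopes(grants: dict[str, set[str]]) -> dict[str, set[str]]:
    """Return app_id -> tenant-wide scopes for every grant that needs least-privilege review."""
    return {app: scopes & BROAD_SCOPES for app, scopes in grants.items() if scopes & BROAD_SCOPES}


def detect_bulk_reads(events: list[AuditEvent], min_reads: int = 50, min_actors: int = 5) -> list[dict]:
    """Flag (app, hour) buckets where one app read many objects across many different owners.

    A user's own client rarely touches other owners' data; a tenant-wide connector
    doing bulk collection does. Both thresholds must be met to reduce noise.
    """
    by_bucket: dict[tuple[str, datetime], list[AuditEvent]] = defaultdict(list)
    for ev in events:
        hour = ev.ts.replace(minute=0, second=0, microsecond=0)
        by_bucket[(ev.app_id, hour)].append(ev)
    findings = []
    for (app_id, hour), evs in sorted(by_bucket.items()):
        actors = {ev.actor for ev in evs}
        if len(evs) >= min_reads and len(actors) >= min_actors:
            findings.append({"app_id": app_id, "hour": hour.isoformat(),
                             "reads": len(evs), "distinct_actors": len(actors)})
    return findings


def bound_exposure(events: list[AuditEvent], app_id: str) -> dict[str, dict[str, int]]:
    """Per operation, count distinct owners and objects the app is logged as reading.

    This is a lower bound only: with partial logging, the upper bound is whatever
    the granted scopes permit (every mailbox or drive for a tenant-wide scope).
    """
    owners: dict[str, set[str]] = defaultdict(set)
    objects: dict[str, set[str]] = defaultdict(set)
    for ev in events:
        if ev.app_id == app_id:
            owners[ev.operation].add(ev.actor)
            objects[ev.operation].add(ev.target)
    return {op: {"owners": len(owners[op]), "objects": len(objects[op])} for op in owners}


def sample_log() -> list[str]:
    """Constructed audit lines: a benign per-user app and a connector reading tenant-wide."""
    base = datetime(2024, 5, 2, 9, 0)
    lines = [f"{(base + timedelta(minutes=i)).isoformat()}|app-calendar-sync|alice@example.test|MailRead|msg-c{i}"
             for i in range(3)]
    for i in range(120):  # 120 reads across 20 owners inside one hour
        op = "MailRead" if i % 2 == 0 else "FileRead"
        lines.append(f"{(base + timedelta(seconds=20 * i)).isoformat()}|app-ai-assistant|"
                     f"user{i % 20}@example.test|{op}|obj-{i}")
    return lines


# Constructed consent grants, as an admin would export them for review.
SAMPLE_GRANTS = {
    "app-ai-assistant": {"Mail.Read.All", "Files.Read.All", "offline_access"},
    "app-calendar-sync": {"Calendars.Read"},
}


def triage() -> tuple[dict, list, dict]:
    """Run all three checks over the constructed sample and return their results."""
    events = [parse_line(line) for line in sample_log()]
    return (flag_broad_scopes(SAMPLE_GRANTS), detect_bulk_reads(events),
            bound_exposure(events, "app-ai-assistant"))


if __name__ == "__main__":
    broad, bulk, exposure = triage()
    print("grants needing least-privilege review:", broad)
    print("bulk-read findings:", bulk)
    print("observed exposure for app-ai-assistant (lower bound):", exposure)
```

The three outputs map onto the scenario's phases: the scope review tells you which grant to revoke and what to re-scope it to, the bulk-read finding is the detection that would have fired, and the exposure count is what you can state with evidence while the scope tells you the worst case you must assume when logs are incomplete.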

CIS Controls v8 · cis-controls
  • Service Provider Management · Control 15
    Mapped · High confidence

    Trains governing the third-party connector as a service provider: inventorying it, reviewing the access it is granted, and requiring a data processing agreement before onboarding.

  • Access Control Management · Control 6
    Mapped · High confidence

    Trains least-privilege and admin-governed app consent.