An abused deploy pipeline pushed an IaC change that collapsed segmentation around the regulated zone and minted a cloud admin role — while a tainted build shipped to the fleet
An extremely hard Cyber × Network Fusion scenario on Tri-Domain: Pipeline → IaC Segmentation Break → Cloud IAM Crisis.
catalog id · fusion-tri-domain-pipeline-iac-segmentation-crisis
What this scenario practices, mapped to recognized frameworks.
Educational mapping only. Not a compliance attestation.
- Contain an abused CI/CD pipeline that collapsed segmentation and minted a cloud admin role
- Evidence-preserving rollback to a known-good IaC state without halting delivery
- Trusted Relationship · Initial Access · T1199 · TA0001 · Mapped · High confidence
Trains response to abuse of a trusted CI/CD deploy pipeline applying an unreviewed infrastructure-as-code change.
- Account Manipulation: Additional Cloud Roles · Persistence · T1098.003 · TA0003 · Mapped · High confidence
Trains detecting and removing the new wildcard-admin IAM role the pipeline run created as cloud persistence.
- Impair Defenses: Disable or Modify Cloud Firewall · Defense Evasion · T1562.007 · TA0005 · Partial · Medium confidence
Trains the defender side: recognizing that the IaC run rewrote a security group / ACL and collapsed mandatory regulated-zone segmentation.
- User Account Containment · D3-UAC · Mapped · High confidence
Trains suspending the pipeline identity and revoking its sessions so it cannot apply further control-plane changes.
- Resource Access Policy Auditing · D3-RAPA · Mapped · High confidence
Trains auditing the IaC-applied IAM role trust and the rewritten network policy to scope the blast radius.
- Service Binary Verification · D3-SBV · Mapped · Medium confidence
Trains verifying the unsigned artifact from the unapproved registry against a signed known-good build before any reuse.
- Adverse Event Analysis · Detect · DE.AE · DE · Mapped · High confidence
Trains separating a genuine deploy from adversary activity across pipeline, cloud IAM, and network telemetry.
- Mitigation · Respond · RS.MI · RS · Mapped · High confidence
Trains re-isolating the regulated zone and freezing the pipeline without halting every team's delivery.
- Incident Recovery Plan Execution · Recover · RC.RP · RC · Mapped · Medium confidence
Trains rolling IaC back to a reviewed known-good state and rebuilding from signed artifacts after evidence capture.
- IR lifecycle phase · Detection & Analysis · Mapped · High confidence
Trains reconstructing the run from cloud audit and version-control history when pipeline logs are only partially retained.
- IR lifecycle phase · Containment, Eradication & Recovery · Mapped · High confidence
Trains evidence-preserving containment instead of blind-reverting all IaC or freezing the whole business.
- IR lifecycle phase · Post-Incident Activity · Mapped · Medium confidence
Trains hardening to least-privilege per-job pipeline identities, IaC peer review, and segmentation-as-code drift detection.
- Detecting Relevant Threats and TTPs · 3.A · Mapped · High confidence
Trains the detection baseline that surfaces IAM role creation and regulated-zone ACL changes from a deploy pipeline.
- Log Collection · 2.T · Mapped · Medium confidence
Trains preserving cloud audit, version-control history, and artifact provenance to reconstruct the partial trail.
- Access Control Management · Control 6 · Mapped · High confidence
Trains scoping the pipeline identity to least privilege and removing the unrequested admin IAM role.
- Network Infrastructure Management · Control 12 · Mapped · High confidence
Trains restoring the collapsed regulated-zone segmentation and managing it as reviewed network policy.
- Application Software Security · Control 16 · Mapped · Medium confidence
Trains securing the CI/CD pipeline and requiring signed, provenance-verified artifacts.