A compromised cloud workload, a rogue route into on-prem, and a security agent going quiet — all at once
An extremely hard Cyber × Network Fusion scenario on Tri-Domain: Workload → Interconnect → Detection Crisis.
Graded attempts are scored by the same deterministic rubric used across the catalog; email and evidence content stay hidden until an attempt starts. This is one of 6 templates in this Track + Difficulty pool.
catalog id · fusion-tri-domain-workload-interconnect-detection-crisis
What this scenario practices, mapped to recognized frameworks.
Educational mapping only. Not a compliance attestation.
- Tri-domain workload-to-on-prem pivot triage under degraded detection
- Evidence-preserving containment without a full interconnect outage
- Unsecured Credentials: Cloud Instance Metadata API · Credential Access · T1552.005 · TA0006 · Mapped · High confidence
Trains response to theft and off-node use of the workload's instance metadata role token.
- Remote Services · Lateral Movement · T1021 · TA0008 · Partial · Medium confidence
Trains scoping the cloud-to-on-prem pivot that a rogue route and a widened security group enabled toward the management jump host.
- Impair Defenses: Disable or Modify Cloud Logs · Defense Evasion · T1562.008 · TA0005 · Partial · Medium confidence
Trains the defender side: reconstructing activity after node detection and cloud log forwarding were degraded.
- Network Traffic Analysis · D3-NTA · Mapped · High confidence
Trains using off-node and cloud-provider telemetry to detect the rogue interconnect route and the cloud-to-on-prem probing.
- User Account Containment · D3-UAC · Mapped · High confidence
Trains revoking the workload instance-role session so the stolen metadata token can no longer call cloud APIs.
- Service Binary Verification · D3-SBV · Mapped · Medium confidence
Trains verifying the pulled container image's signature and digest against a known-good source before any rebuild.
- Adverse Event Analysis · Detect · DE.AE · DE · Mapped · High confidence
Trains separating a genuine workload fault from adversary activity while node detection is degraded.
- Mitigation · Respond · RS.MI · RS · Mapped · High confidence
Trains isolating the node and removing the rogue route without a full interconnect outage.
- Incident Recovery Plan Execution · Recover · RC.RP · RC · Mapped · Medium confidence
Trains recovery that rebuilds the node from a signed known-good image only after evidence capture.
- IR lifecycle phase · Detection & Analysis · Mapped · High confidence
Trains fault-vs-adversary triage across workload, cloud network, and detection on one timeline.
- IR lifecycle phase · Containment, Eradication & Recovery · Mapped · High confidence
Trains evidence-preserving isolation instead of terminating the node or tearing down the interconnect.
- IR lifecycle phase · Post-Incident Activity · Mapped · Medium confidence
Trains hardening instance identities, route change-control, and tamper-evident logging so the crisis cannot recur.
- Detecting Relevant Threats and TTPs · 3.A · Mapped · High confidence
Trains the detection baseline that surfaces off-node use of a workload metadata token.
- Document Network Topology · 2.M · Mapped · Medium confidence
Trains the topology baseline that the cloud-to-on-prem route reasoning depends on.
- Access Control Management · Control 6 · Mapped · High confidence
Trains workload-identity containment and least privilege when an instance metadata token is stolen.
- Network Infrastructure Management · Control 12 · Mapped · High confidence
Trains safe handling of a rogue cloud route and a widened security group without a full interconnect outage.
- Audit Log Management · Control 8 · Mapped · Medium confidence
Trains reasoning about the cloud log-forwarding gap and restoring tamper-evident logging.