incident-response-trainer
Incident response training · Rule-based scoring
Attempt report

Departing engineer downloaded full customer export 36h before resignation effective date

Cybersecurity · Insider Data Leak · Difficulty · Medium

Attempt 1 of 1 · cmpd0zwv600052f0j647leqf7

Progress vs previous attempt

This is your first attempt for this scenario. Retry the scenario to generate a side-by-side comparison against your previous response.

Progression · Keep practicing

Stay on Medium · Cybersecurity

4 signals are blocking advancement to Hard. Keep practicing at Medium until those areas stabilize. (Track: Cybersecurity)

Track · Cybersecurity
Medium
Sample · 3 recent attempts · 1 positive · 4 blocking

Signals helping

  • Dangerous action frequency. None in recent attempts

Signals blocking advancement

  • Recent average score. 0 / 100 (need ≥ 80)
  • Recent pass rate. 0 of 3 passed (need ≥ 66%)
  • Rubric category coverage. 0% average (need ≥ 60%)
  • Consistently weak rubric areas. Attack understanding, Asset impact, Prioritization
Other observations
  • Recent retry improvement trend. Score is flat across recent attempts
Submission · what was sent and how you responded
Insider Data Leak · Difficulty · Medium · Asset level · High
[DLP] 380 MB customer export by m.silva — uploaded to personal cloud
From
DLP Alerts <dlp@acme-corp.local>
To
soc@acme-corp.com
Date
2026-04-19 10:50 UTC
DLP rule DLP-CRM-EXFIL-03 fired. User m.silva@acme-corp.com (Senior Engineer, Platform team) ran a bulk export from the CRM at 09:48 UTC: customer-export.csv, 1.21M rows, 384 MB. Twelve minutes later the same file (matching content hash) was uploaded from a personal-laptop session on the guest Wi-Fi to a Dropbox personal account. Context (from HR): Silva submitted resignation 2 weeks ago. Last day is 2026-04-30 (in 11 days). No prior history of bulk exports on this account in the last 12 months. This may need legal/HR involvement. Please respond carefully. — DLP
Evidence
DLP event + CRM audit + endpoint context
# CRM audit log (m.silva@acme-corp.com)
2026-04-19 09:31:08  LOGIN     ip=10.12.40.221 (corp-laptop, MSILVA-LT04)
2026-04-19 09:48:14  EXPORT    object=Account  filter=AllTime  rows=1,212,884
                     fields: name, email, phone, contract_value, support_tier, notes
2026-04-19 09:48:51  DOWNLOAD  customer-export.csv  size=384MB
2026-04-19 10:01:17  LOGOUT

# Network / DLP correlation
10:00:42  guest-wifi  src=10.250.6.18 (BYOD, MAC f4:5c:..)
          POST  https://www.dropbox.com/upload  body_hash=matches customer-export.csv
          uploaded to: m.silva.personal@gmail.com Dropbox

# Other audit findings (last 14 days, same account)
- 5 queries against AWS prod IAM ListUsers / ListAccessKeys
- README access in repo "infra-secrets-runbook" (private)
- After-hours logins: 3 nights this week (22:30–01:00 UTC)

# HR record (sensitive)
m.silva — resignation accepted 2026-04-05, last day 2026-04-30,
no formal offboarding ticket opened yet.
Affected asset
Name
m.silva@acme-corp.com (Senior Engineer)
Type
Engineering account with CRM read + AWS read role + private repo access
Owner
Platform Engineering
Level
High
Your submitted response
2 words
test 6
Final score
0 / 100
2 words submitted
Verdict · Fail

The response is missing several critical incident response steps. Review the rubric and try again. Score: 0/100. Strongest area: Clarity & structure (3%). Weakest area: Attack understanding (0%) — expand this next time. The response is quite short; aim for a more structured, step-by-step plan.

Category breakdown

Where points came from

coverage × weight = points
  • Attack understanding · 0/4 steps · 0.0 / 15
  • Asset impact · 0/4 steps · 0.0 / 10
  • Prioritization · 0/3 steps · 0.0 / 10
  • Containment · 0/5 steps · 0.0 / 20
  • Investigation · 0/5 steps · 0.0 / 15
  • Recovery · 0/4 steps · 0.0 / 10
  • Evidence preservation · 0/4 steps · 0.0 / 10
  • Clarity & structure · 0/2 steps · 0.3 / 10

Strengths

No category reached 70% coverage.

Missing / weak

  • Attack understanding
  • Asset impact
  • Prioritization
  • Containment
  • Investigation
  • Recovery
  • Evidence preservation
  • Clarity & structure

Dangerous actions detected

None detected in your response.

Learning · Coaching

Learn from this attempt

Post-submission coaching for this scenario. Score and verdict are unchanged — these notes are for your next attempt.

Why points were deducted

  • Containment · 0% coverage

    Combine legal hold + account disable + token / role revoke + CASB block + vendor takedown; any one alone is not containment for this case.

  • Attack understanding · 0% coverage

    Name this as a departing-employee insider exfil (intent + access + opportunity) — not just `a big DLP alert`.

  • Investigation · 0% coverage

    Build the 14-day timeline across CRM / AWS / GitHub / DLP, confirm the file hash match, and audit other exfil channels — do not stop at `the upload happened`.

Model answer outline

From: Incident Response Lead (SOC on-call)
To: IT Leadership · Affected Asset Owner · On-call SOC
Subject: [SEV-2][INC-CYB-MB510] Departing engineer downloaded full customer export 36h before resignation effective date — status update
Incident · INC-CYB-MB510 · SEV-2 / P2
Status · Investigating — containment in progress
Track · Cybersecurity · Insider Data Leak · Medium
Asset · m.silva@acme-corp.com (Senior Engineer) · High criticality
Detected ~ 2026-04-19 10:50 UTC
Situation & summary

Silva (Senior Engineer, leaver in 11 days) ran a 1.21M-row, 384 MB customer export from the CRM at 09:48 UTC from the corp laptop MSILVA-LT04, and at 10:00 UTC a file with the same content hash was uploaded to a personal Dropbox from a BYOD device on guest Wi-Fi. Side signals fit an insider exfil pattern: 5 AWS prod IAM probes (ListUsers / ListAccessKeys), README access in `infra-secrets-runbook`, and three after-hours login nights this week. HR has not opened a formal offboarding ticket yet, so this is also a process gap.

Severity & priority

Rated SEV-2 / P2 at intake. Work it as a P1 confirmed insider exfil of regulated data (PII / customer records) rather than a generic DLP false positive: the DLP event already reports a content-hash match between the CRM download and the personal-cloud upload, and the exported fields include contact details, contract values and free-text notes.

Prioritization & impact
  • Treat as a P1 confirmed insider exfil with regulated data (PII / customer records), not a generic DLP false-positive.
  • Sequence is critical: legal hold and evidence preservation before any user-facing action so the investigation survives review.
  • Loop in Legal, HR, Privacy / DPO, and the IR lead in parallel — do not act unilaterally.
Containment (actions taken / in progress)
  • Issue a legal hold on Silva's mailbox / chat / repos and disable the account only after HR / Legal sign off on timing (so the process is defensible). The hold must be in place before any step the user can notice.
  • Revoke the CRM session, AWS role / access keys, GitHub access, and any cached SSO refresh tokens; remove the user from privileged groups. Deactivate keys and tokens rather than deleting them so the key IDs in CloudTrail and audit logs stay resolvable.
  • Block the Dropbox personal upload path at CASB / egress and request takedown of the uploaded file via the vendor's abuse / privacy channel; record the vendor ticket reference and the content hash in the case.
Investigation (in progress)
  • Build a 14-day timeline from CRM audit log, AWS CloudTrail, GitHub audit log, and DLP / CASB events around 09:48 → 10:00 UTC.
  • Confirm the file hash match between the CRM download and the Dropbox upload so the chain is documented end-to-end.
  • Audit other channels Silva can exfil through (mailbox forwarding, Slack DMs, personal git, USB), establish how the file moved from MSILVA-LT04 (corp LAN, 10.12.40.221) to the BYOD device on guest Wi-Fi (10.250.6.18) given that the CRM log shows a single download, and check whether any colleague accounts show parallel behavior.
  • Map exactly what data class was exported (the field list in the audit log: name / email / phone / contract_value / support_tier / notes) so the legal exposure is concrete.
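A worked correlation of the evidence in this report, added here as an example; it is not part of the trainer's scenario or grading code. It parses constructed CRM audit and DLP lines shaped after the evidence above (the sha256 values and the after-hours login timestamps are placeholders, and the key=value field names ip=, sha256=, src= and dest= are assumed layouts), merges them into one UTC timeline, pairs the CRM download with the external upload by content hash, flags that the upload came from a different address than the CRM session, and counts after-hours logins. It generalises the single case on the page: any download/upload pair with a matching hash inside the window is reported, not just this one.

```python
"""Correlate CRM audit, DLP/CASB and login events into one UTC timeline.

Added example. The log lines below are constructed after the evidence in
this report; sha256 values are placeholders, not real digests, and the
key=value field names (ip=, sha256=, src=, dest=) are assumed layouts.
"""
import re
from datetime import datetime, time, timedelta, timezone

CRM_AUDIT = """\
2026-04-15 22:41:03  LOGIN     ip=10.12.40.221 host=MSILVA-LT04
2026-04-16 23:10:37  LOGIN     ip=10.12.40.221 host=MSILVA-LT04
2026-04-18 00:12:55  LOGIN     ip=10.12.40.221 host=MSILVA-LT04
2026-04-19 09:31:08  LOGIN     ip=10.12.40.221 host=MSILVA-LT04
2026-04-19 09:48:14  EXPORT    object=Account filter=AllTime rows=1212884
2026-04-19 09:48:51  DOWNLOAD  file=customer-export.csv size=384MB sha256=3f1c8a
2026-04-19 10:01:17  LOGOUT
"""

DLP_EVENTS = """\
2026-04-19 10:00:42  UPLOAD    src=10.250.6.18 net=guest-wifi dest=www.dropbox.com sha256=3f1c8a
"""

LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+(\S+)\s*(.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_events(text, source):
    """One dict per line: ts (aware UTC), source, action, plus any key=value fields."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # blank or comment line: skip rather than guess
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        events.append({"ts": ts, "source": source, "action": m.group(2),
                       **dict(KV_RE.findall(m.group(3)))})
    return events


def build_timeline(*event_lists):
    """Merge per-source lists into one list ordered by UTC timestamp."""
    return sorted((e for lst in event_lists for e in lst), key=lambda e: e["ts"])


def _session_ip(timeline, before):
    """IP of the most recent LOGIN at or before `before` (timeline must be sorted)."""
    ip = None
    for e in timeline:
        if e["ts"] > before:
            break
        if e["action"] == "LOGIN" and "ip" in e:
            ip = e["ip"]
    return ip


def find_exfil_pairs(timeline, max_gap=timedelta(hours=1)):
    """Pair each DOWNLOAD with a later UPLOAD carrying the same content hash.

    device_hop is True when the upload source differs from the IP that logged
    in to the CRM session, i.e. the file changed devices in between.
    """
    pairs = []
    downloads = [e for e in timeline if e["action"] == "DOWNLOAD" and "sha256" in e]
    uploads = [e for e in timeline if e["action"] == "UPLOAD" and "sha256" in e]
    for d in downloads:
        for u in uploads:
            gap = u["ts"] - d["ts"]
            if u["sha256"] == d["sha256"] and timedelta(0) <= gap <= max_gap:
                pairs.append({"download": d, "upload": u, "gap": gap,
                              "device_hop": u.get("src") != _session_ip(timeline, d["ts"])})
    return pairs


def after_hours_logins(timeline, start=time(22, 0), end=time(6, 0)):
    """LOGIN events in the overnight UTC window [start, end), which spans midnight."""
    return [e for e in timeline
            if e["action"] == "LOGIN" and (e["ts"].time() >= start or e["ts"].time() < end)]


def summarize(pair):
    """Ticket-safe one-liner: references the file by hash, carries no row content."""
    d, u = pair["download"], pair["upload"]
    hop = " (different device than the CRM session)" if pair["device_hop"] else ""
    return (f"sha256={d['sha256']} downloaded {d['ts']:%Y-%m-%d %H:%M:%S}Z, uploaded to "
            f"{u.get('dest')} from {u.get('src')} {int(pair['gap'].total_seconds())}s later{hop}")


if __name__ == "__main__":
    tl = build_timeline(parse_events(CRM_AUDIT, "crm"), parse_events(DLP_EVENTS, "dlp"))
    for e in tl:
        print(f"{e['ts']:%Y-%m-%d %H:%M:%S}Z  {e['source']:<4} {e['action']}")
    for p in find_exfil_pairs(tl):
        print("EXFIL PAIR:", summarize(p))
    print("after-hours logins:", len(after_hours_logins(tl)))
```

Run as-is to see the merged timeline, the single download/upload pair (711 s apart, flagged as a device hop because 10.250.6.18 is not the CRM session IP 10.12.40.221) and three after-hours logins. To use it on real exports, replace the two constants with the CRM audit, CloudTrail and CASB extracts (converted to the same `timestamp ACTION k=v` shape) and widen `max_gap` if the upload can lag the download by more than an hour.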
Recovery & next steps
  • Open a formal offboarding ticket with HR / IT and use this case to fix the leaver checklist (privileged access removal at notice, not on last day).
  • Tighten DLP so the controls block inline rather than only alert: an AllTime CRM export of 1.2M rows should be blocked or require approval at the CRM, and an upload whose content hash matches a recent corporate export should be blocked at egress / CASB, including on guest Wi-Fi. Here the rule fired at 10:50 UTC, roughly 50 minutes after the upload had completed.
  • Review least-privilege scope on Senior Engineer accounts (CRM read, AWS prod read, private secrets repo) — that combination should not be the default.
Evidence preservation
  • Apply legal hold across mail, chat, repo, and storage before disabling the account so artifacts are not lost.
  • Capture the corp laptop (MSILVA-LT04) under chain of custody for forensic image, hashes, and disk evidence.
  • Export the DLP event, CRM audit log, AWS CloudTrail entries, and the matching content hash; keep all timestamps in UTC.
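The custody and reference-by-hash points above, and the "reference by hash, never by content" rule in the Do NOT list, as an added example that is not the trainer's or any vendor's code. It streams a file into a SHA-256 chain-of-custody record, emits the one line that may go into the case ticket, and guards ticket text against customer identifiers; the sample artifact is a constructed two-line CSV, and the allow-listed corporate domains and the phone pattern are assumptions to adapt to your own environment.

```python
"""Chain-of-custody manifest entries and a PII guard for case-ticket text.

Added example, not the trainer's or any vendor's code. SAMPLE_CONTENT is a
constructed stand-in for customer-export.csv; the allow-listed domains and
the phone pattern are assumptions to adapt to your own environment.
"""
import hashlib
import os
import re
import tempfile
from datetime import datetime, timezone

# Corporate addresses (the subject's own work account, the SOC mailbox) are
# legitimate case references; any other email-shaped token counts as PII.
ALLOWED_DOMAINS = {"acme-corp.com", "acme-corp.local"}
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
# Simple international / NANP shape (e.g. +1 415 555 0134); tune per region.
PHONE_RE = re.compile(r"\+?\d{1,3}[\s.-]?\(?\d{2,4}\)?[\s.-]?\d{3,4}[\s.-]?\d{3,4}")
# 64-hex digests are the approved way to reference leaked content, so they are
# masked before the phone scan (a digest can contain long runs of digits).
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b")

# Constructed sample rows; nothing here is real customer data.
SAMPLE_CONTENT = b"name,email,phone\nJane Doe,jane@example.com,+1 415 555 0134\n"


def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()


def sha256_file(path, chunk=1 << 20):
    """Stream the file so a 384 MB export is hashed without loading it whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def custody_record(path, collected_by, note=""):
    """Manifest entry: identity and handling facts only, never the content."""
    st = os.stat(path)
    return {
        "artifact": os.path.basename(path),
        "sha256": sha256_file(path),
        "size_bytes": st.st_size,
        "collected_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "collected_by": collected_by,
        "note": note,
    }


def find_pii(text, allowed_domains=ALLOWED_DOMAINS):
    """Emails outside the allow-listed domains and phone-shaped numbers in text."""
    emails = [e for e in EMAIL_RE.findall(text)
              if e.rsplit("@", 1)[1].lower() not in allowed_domains]
    phones = PHONE_RE.findall(SHA256_RE.sub("<sha256>", text))
    return {"emails": emails, "phones": phones}


def assert_ticket_safe(text):
    """Raise before text carrying customer identifiers reaches the case ticket."""
    hits = find_pii(text)
    if hits["emails"] or hits["phones"]:
        raise ValueError(f"ticket text contains PII: {len(hits['emails'])} email(s), "
                         f"{len(hits['phones'])} phone(s)")
    return True


def safe_reference(record):
    """The line that goes in the ticket: name, digest and size, nothing from inside."""
    return f"artifact={record['artifact']} sha256={record['sha256']} size={record['size_bytes']}B"


def demo():
    """Write the constructed CSV to a temp dir, hash it and build its custody record."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "customer-export.csv")
        with open(path, "wb") as f:
            f.write(SAMPLE_CONTENT)
        record = custody_record(path, "soc-oncall", "DLP-CRM-EXFIL-03 artifact")
    record["digest_matches_bytes"] = record["sha256"] == sha256_bytes(SAMPLE_CONTENT)
    return record


if __name__ == "__main__":
    rec = demo()
    print(safe_reference(rec))  # safe to paste into the ticket
    try:
        assert_ticket_safe("row 1: Jane Doe, jane@example.com, +1 415 555 0134")
    except ValueError as exc:
        print("blocked:", exc)
```

Wire `assert_ticket_safe` in front of whatever posts comments to the case tool; the allow-list is what lets `m.silva@acme-corp.com` through while `m.silva.personal@gmail.com` from the DLP correlation is caught. The custody record deliberately carries no file content, so it can sit in the ticket next to the DLP event and CRM audit export.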
Stakeholder communication
  • Brief Legal / HR / Privacy first with a tight timeline and exposure assessment; let them lead any contact with Silva.
  • Notify the CRM data owner and customer-facing leadership about scope, but only with a Legal / Privacy review of the wording.
  • Hold any external customer or regulator notification until Legal / Privacy decides notification thresholds are met.
Do NOT
  • Do not confront / tip off Silva before legal hold is in place — they may delete evidence.
  • Do not delete Silva's email, files, or git history; preservation comes first.
  • Do not act unilaterally without Legal / HR; this case is partly a labor / privacy matter, not just security.
  • Do not paste the leaked file or any PII into the case ticket; reference by hash.

How to improve next time

  • Insider cases live or die on chain of custody — apply legal hold and image the laptop before you disable the account.
  • Always engage Legal / HR / Privacy in parallel; insider-exfil is partly a labor / contractual matter, not just an IR matter.
  • Confirm the content-hash match between the CRM download and the personal-cloud upload — that one fact ties the case together.
  • Use the case to fix the leaver checklist (privileged access removed at notice, not on last day) so the next departure does not recreate this exposure.
  • Reference leaked data by hash, never by content; never paste PII into tickets, chat, or email.
AI Tutor · Explains your result

This tutor explains your result. It does not change your score. Pick a question to see how the deterministic grading reached your verdict and where to focus next.

Generated deterministically from your graded result — no AI model was called.

Why did I get this score?

Your verdict was Fail at 0/100. That total is the sum of deterministic rubric points across 8 categories — each scores how much of its expected, ordered steps your answer covered, not an opinion about your writing. Your strongest coverage was Clarity & structure (3%). Points were held back mostly in Containment (0%), Attack understanding (0%), Investigation (0%).

Rubric focus · containment, attack understanding, investigation
Next study step

Re-read the containment expectations for this scenario and list the concrete steps you missed.

What should I improve first?

Focus on Containment first — it is your weakest rubric area at 0% coverage and carries weight 20. For this scenario: Combine legal hold + account disable + token / role revoke + CASB block + vendor takedown; any one alone is not containment for this case.

Rubric focus · containment
Next study step

Rewrite your containment section as a short numbered checklist before your next attempt.

How does my answer compare to the model answer outline?

Compared with the model answer outline, the most useful sections to study are the ones matching your weak areas. Re-read the outline's containment, attack understanding, investigation guidance and check which listed points you did not cover. The outline is a high-level checklist of expected points — use it to find gaps, not to copy a finished answer.

Rubric focus · containment, attack understanding, investigation
Next study step

Pick one model-answer section you missed and add its key points to your next response in your own words.

Which rubric area mattered most here?

Containment mattered most here: it carries the highest rubric weight (20), so coverage there moves your score the most. You covered 0% of it this time, worth 0 points.

Rubric focus · containment
Next study step

Prioritise the highest-weight categories first; make sure containment is fully addressed before lower-weight ones.

What should I study next?

Based on this attempt, study containment, attack understanding, investigation next. Coaching tip for this scenario: Insider cases live or die on chain of custody — apply legal hold and image the laptop before you disable the account.

Rubric focus · containment, attack understanding, investigation
Next study step

Insider cases live or die on chain of custody — apply legal hold and image the laptop before you disable the account.
