incident-response-trainer
Incident response training · Rule-based scoring
Attempt report

Sales rep reports company laptop left in airport taxi overnight

Cybersecurity · Device Loss · Difficulty · Easy

Attempt 1 of 1 · cmq9que2u00000j1ge8s0esj7

Progress vs previous attempt

This is your first attempt for this scenario. Retry the scenario to generate a side-by-side comparison against your previous response.

Progression · Keep practicing

Stay on Easy · Cybersecurity

4 signals are blocking advancement to Medium. Keep practicing at Easy until those areas stabilize. (Track: Cybersecurity)

Track · Cybersecurity
Easy
Sample · 5 recent attempts · 2 positive · 4 blocking

Signals helping

  • Dangerous action frequency. None in recent attempts
  • Recent retry improvement trend. Score is improving (+11 pts on later attempts)

Signals blocking advancement

  • Recent average score. 20 / 100 (need ≥ 75)
  • Recent pass rate. 0 of 5 passed (need ≥ 66%)
  • Rubric category coverage. 23% average (need ≥ 55%)
  • Consistently weak rubric areas. Investigation, Attack understanding, Containment
Submission · what was sent and how you responded
Device Loss · Difficulty · easy · High asset
Lost laptop in JFK taxi last night — need to report
From
David Park <david.park@acme-corp.com>
To
soc@acme-corp.com
Date
2026-04-19 13:55 UTC
Hi SOC, I'm at the New York hotel and just realised I left my work laptop in the taxi from JFK last night. The driver is not answering callbacks. The bag also had a sticky note inside the flap with my pre-VPN PIN (I know, I'm sorry). The laptop is the silver Dell I was issued last year — hostname is DPARK-LT01. I think it was logged in and I just closed the lid (sleep). I had Outlook, Salesforce, and our internal wiki open recently. Please advise on what I should do. I've already filed a report with the taxi company. — David, Enterprise Sales
Evidence
Endpoint inventory + MDM record (DPARK-LT01)
# Asset record (Intune / corp inventory)
Hostname:       DPARK-LT01
Model:          Dell Latitude 7440 (corp-issued 2024-09)
User:           david.park@acme-corp.com (Sales)
OS:             Windows 11 Pro 24H2
BitLocker:      ENABLED at provisioning (key escrowed in Intune)
Compliance:     non-compliant (MDM heartbeat 6 days ago)
Autopilot tag:  SALES-LAPTOP

# Last sign-in / session activity
2026-04-18 22:14 UTC  Outlook desktop sync           (last)
2026-04-18 22:09 UTC  Salesforce SSO refresh          (last)
2026-04-18 21:58 UTC  Wiki SSO sign-in                (last)
2026-04-19 --:-- UTC  No activity since 22:14 UTC

# Access scope on this account
- Salesforce: read/write on ~140 enterprise accounts
- M365 mailbox + OneDrive (cached locally)
- Corporate VPN cert (machine + user) installed
- No admin / privileged role
Affected asset
Name
DPARK-LT01 / david.park@acme-corp.com
Type
Corporate Windows laptop (Sales user) + cached M365 / Salesforce session
Owner
Enterprise Sales · David Park
Level
High
Your submitted response
48 words
Containment: isolate the affected host and disable the compromised account. Investigation: preserve logs and authentication records, collect indicators of compromise. Recovery: reset credentials and restore from validated clean backups. Prioritization: contain first, then scope the investigation, then recover. Evidence: snapshot the host and retain logs for forensic review.
Final score
11 / 100
48 words submitted
Verdict · Fail

The response is missing several critical incident response steps. Review the rubric and try again. Score: 11/100. Strongest area: Clarity & structure (80%). Weakest area: Attack understanding (0%) — expand this next time. The response is quite short; aim for a more structured, step-by-step plan.

Category breakdown

Where points came from

coverage × weight = points
  • Attack understanding · 0/3 · 0.0 / 15
  • Asset impact · 0/4 · 0.0 / 10
  • Prioritization · 0/2 · 0.0 / 10
  • Containment · 0/5 · 0.0 / 20
  • Investigation · 0/4 · 0.0 / 15
  • Recovery · 0/3 · 0.0 / 10
  • Evidence preservation · 1/3 · 3.3 / 10
  • Clarity & structure · 2/2 · 8.0 / 10

Strengths

  • Clarity & structure

Missing / weak

  • Attack understanding
  • Asset impact
  • Prioritization
  • Containment
  • Investigation
  • Recovery
  • Evidence preservation

Dangerous actions detected

None detected in your response.

Learning · Coaching

Learn from this attempt

Post-submission coaching for this scenario. Score and verdict are unchanged — these notes are for your next attempt.

Why points were deducted

  • Containment · 0% coverage

    Combine Intune remote wipe with account disable, session revoke, and VPN-cert revoke; one of the four alone leaves an open path.

  • Attack understanding · 0% coverage

    Name the threat as opportunistic physical access plus cached credentials / VPN cert / SSO sessions, not just `lost laptop`.

  • Investigation · 0% coverage

    Use Intune (BitLocker, last check-in), sign-in logs, and Salesforce / OneDrive activity to characterize what was open and what may have been cached.

Model answer outline

From: Incident Response Lead (SOC on-call)
To: IT Leadership · Affected Asset Owner · On-call SOC
Subject: [SEV-3][INC-CYB-EE5BE] Sales rep reports company laptop left in airport taxi overnight — status update
Incident · INC-CYB-EE5BE · SEV-3 / P3
Status · Investigating — containment in progress
Cybersecurity · Device Loss · Easy
DPARK-LT01 / david.park@acme-corp.com · High criticality
Detected ~ 2026-04-19 13:55 UTC
Situation & summary

David's corp Dell Latitude (DPARK-LT01) was left in a JFK taxi while logged in (lid closed, sleeping). BitLocker is on and key-escrowed in Intune, but MDM is non-compliant (last heartbeat 6 days ago) and the bag had a sticky note with the pre-VPN PIN. The account has read/write on ~140 enterprise Salesforce accounts and cached M365 / OneDrive — assume the device is in someone else's hands until proven otherwise.

Severity & priority

Rated SEV-3 / P3. Treat as a P1 lost-device incident: high-value Sales account, customer data scope, plausible physical access by an opportunistic finder.

Prioritization & impact
  • Treat as a P1 lost-device incident: high-value Sales account, customer data scope, plausible physical access by an opportunistic finder.
  • Do not wait for the taxi company to call back; act on the assumption that the device is gone.
  • Loop in IT, Sales management, and (depending on scope) Privacy / Legal in case PII was cached.
Containment (actions taken / in progress)
  • Send an Intune remote wipe to DPARK-LT01 (selective wipe at minimum, full wipe if compliance allows).
  • Disable / lock the M365 account, force sign-out everywhere, and rotate David's password before any reissue.
  • Revoke the machine + user VPN cert and disable any cached SSO refresh tokens (Salesforce, wiki, Outlook).
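The containment actions above as one runbook script, added here as an example and not part of the trainer's own material. It uses the Microsoft Graph PowerShell SDK; the device name, UPN and loss time come from the scenario, while the CA name, certificate serials and the Graph scopes (which depend on your tenant's consent setup) are assumptions.

```powershell
# Added example: contain a lost, still-enrolled Windows laptop in one pass.
# Assumes the Microsoft.Graph SDK is installed and the operator holds the Intune and
# Entra roles needed for wipe, account disable and session revocation.
$DeviceName = 'DPARK-LT01'                 # from the scenario
$Upn        = 'david.park@acme-corp.com'   # from the scenario
$LossTime   = [datetime]::Parse('2026-04-18T22:14:00Z').ToUniversalTime()  # last activity

# Scopes are an assumption; confirm against your tenant's admin-consented permissions.
Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.PrivilegedOperations.All',
                        'DeviceManagementManagedDevices.Read.All',
                        'User.ReadWrite.All'

# 0. Locate the Intune record. Refuse to guess if the name is missing or ambiguous:
#    wiping the wrong enrollment is worse than a few minutes of delay.
$device = @(Get-MgDeviceManagementManagedDevice -Filter "deviceName eq '$DeviceName'")
if ($device.Count -ne 1) {
    throw "Expected exactly one Intune record for $DeviceName, found $($device.Count)"
}
$device = $device[0]

# Evidence first: record the last check-in before acting on it. Any sync after the
# loss window means the device is alive in someone's hands, which is a finding by itself.
$lastSync = $device.LastSyncDateTime
"Last Intune sync: $lastSync UTC (loss window starts $LossTime UTC)"
if ($lastSync -and $lastSync.ToUniversalTime() -gt $LossTime) {
    Write-Warning "Device checked in AFTER the loss time; escalate and preserve that check-in."
}

# 1. Remote wipe. Intune queues the command and executes it at the next device check-in,
#    so it does not depend on the user's password or session state being intact.
Invoke-MgWipeDeviceManagementManagedDevice -ManagedDeviceId $device.Id

# 2. Disable the account and revoke every refresh token, which is what kills the cached
#    Outlook / Salesforce / wiki SSO sessions that outlive a password reset.
Update-MgUser -UserId $Upn -AccountEnabled:$false
Revoke-MgUserSignInSession -UserId $Upn | Out-Null

# 3. VPN certificates live in the issuing CA, not in Graph. Placeholder for an AD CS CA:
#    serials come from the CA's issued-certificate list, and reason 1 = KeyCompromise.
#    certutil -config "<CA-HOST>\<CA-NAME>" -revoke <MACHINE-CERT-SERIAL> 1
#    certutil -config "<CA-HOST>\<CA-NAME>" -revoke <USER-CERT-SERIAL> 1

# Record the wipe request time for the ticket timeline (loss, report, wipe-issue).
"Wipe issued for $DeviceName at $([datetime]::UtcNow.ToString('u')); account $Upn disabled and sessions revoked."
```

Password rotation is deliberately left to the reissue step: while the account is disabled there is nothing to rotate against, and the new password should never travel by email (see the Do NOT list).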
Investigation (in progress)
  • Confirm BitLocker status and key escrow in Intune; verify the device is not in a stale, decrypted state.
  • Pull last 7 days of sign-in / Salesforce / OneDrive activity to build a `last known good` and a `what was open` list.
  • Check whether the device has phoned home since 22:14 UTC the previous night — any check-in after the loss is a strong signal.
  • Review David's role scope so the impact statement names the actual data classes (~140 enterprise accounts, contract values, contacts).
Recovery & next steps
  • Reissue a managed laptop only after the lost device is confirmed wiped or marked permanently lost in Intune.
  • Refresh the user's training on lost-device reporting and the PIN-on-sticky-note hygiene failure.
  • Tighten the MDM compliance policy so a 6-day heartbeat gap automatically alerts before the next loss.
Evidence preservation
  • Preserve the Intune asset record, sign-in log, Salesforce export audit, and the wipe-confirmation receipt in the ticket.
  • Capture the police / taxi report reference numbers as part of the chain of custody.
  • Document the timeline (last sign-in, lid-close time, report time, wipe-issue time) so legal / insurance can rely on it later.
Stakeholder communication
  • Brief David factually about what was reset and why, and tell him not to attempt to sign in to his own account from a personal device until cleared.
  • Notify Sales leadership and Account Management so they can pre-empt any customer-facing impact on the ~140 accounts.
  • Hold any customer notification until investigation confirms what data class (PII, contract, contact) was at risk.
Do NOT
  • Do not just reissue a new laptop without first wiping / disabling the lost one.
  • Do not wait until business hours / Monday — every passing hour widens the exposure window.
  • Do not email the new VPN PIN, password, or recovery codes to David.
  • Do not assume BitLocker alone is enough; cached SSO sessions and the sticky-note PIN bypass disk crypto.

How to improve next time

  • On a lost device, racing against opportunistic access matters more than knowing exactly what was open — wipe first, classify after.
  • BitLocker is necessary but not sufficient: if the user wrote the PIN on a sticky note, the disk encryption is bypassed by design.
  • Always pair an Intune wipe with account / session / VPN-cert revoke; cached SSO tokens often outlive the password reset.
  • Use the lost-device incident to find the systemic gap (stale MDM heartbeat, exception that was never reviewed), not just clean up this one laptop.
  • Capture the police / taxi report references in the ticket — they are the only third-party evidence you will get later.
AI Tutor · Explains your result

This tutor explains your result. It does not change your score. Pick a question to see how the deterministic grading reached your verdict and where to focus next.

Generated deterministically from your graded result — no AI model was called.

Why did I get this score?

Your verdict was Fail at 11/100. That total is the sum of deterministic rubric points across 8 categories — each scores how much of its expected, ordered steps your answer covered, not an opinion about your writing. Your strongest coverage was Clarity & structure (80%). Points were held back mostly in Containment (0%), Attack understanding (0%), Investigation (0%).

Rubric focus · containment · attackUnderstanding · investigation
Next study step

Re-read the containment expectations for this scenario and list the concrete steps you missed.

What should I improve first?

Focus on Containment first — it is your weakest rubric area at 0% coverage and carries weight 20. For this scenario: Combine Intune remote wipe with account disable, session revoke, and VPN-cert revoke; one of the four alone leaves an open path.

Rubric focus · containment
Next study step

Rewrite your containment section as a short numbered checklist before your next attempt.

How does my answer compare to the model answer outline?

Compared with the model answer outline, the most useful sections to study are the ones matching your weak areas. Re-read the outline's containment, attack understanding, investigation guidance and check which listed points you did not cover. The outline is a high-level checklist of expected points — use it to find gaps, not to copy a finished answer.

Rubric focus · containment · attackUnderstanding · investigation
Next study step

Pick one model-answer section you missed and add its key points to your next response in your own words.

Which rubric area mattered most here?

Containment mattered most here: it carries the highest rubric weight (20), so coverage there moves your score the most. You covered 0% of it this time, worth 0 points.

Rubric focus · containment
Next study step

Prioritise the highest-weight categories first; make sure containment is fully addressed before lower-weight ones.

What should I study next?

Based on this attempt, study containment, attack understanding, investigation next. Coaching tip for this scenario: On a lost device, racing against opportunistic access matters more than knowing exactly what was open — wipe first, classify after.

Rubric focus · containment · attackUnderstanding · investigation
Next study step

On a lost device, racing against opportunistic access matters more than knowing exactly what was open — wipe first, classify after.
