Try a tabletop exercise
before you commit.
After Action is a cyber crisis readiness platform built by security operators. These interactive scenarios are the same engine our facilitated engagements run on — free to try, no signup, no AI key required.
Pick a scenario. Make decisions under pressure. See where your response would have broken down. Then decide whether you want us to facilitate the next one live.
Ransomware: Operation Dark Vault
A ransomware group has gained access through compromised VPN credentials. File encryption is spreading across the corporate network while attackers claim to have exfiltrated sensitive data. You must contain the threat, notify stakeholders, and decide on recovery strategy.
- 01Suspicious VPN Login from Foreign IP
- 02Mass File Encryption Detected
- 03Ransom Note and Media Inquiry
Cloud Compromise: Azure AD Takeover
An attacker has obtained OAuth tokens through a sophisticated phishing campaign targeting your M365 administrators. They have escalated privileges in Azure AD, created backdoor accounts, and are accessing sensitive SharePoint sites and email inboxes. Your cloud security posture is being tested.
- 01Suspicious Azure AD Activity
- 02Data Exfiltration from SharePoint
- 03Board Notification and Regulatory Obligations
Business Email Compromise: Wire Fraud
The CFO's email account has been compromised through a credential harvesting campaign. The attacker is using the legitimate account to send fraudulent wire transfer requests to finance staff, mimicking the CFO's communication style. $2.1 million is at risk.
- 01Suspicious Wire Transfer Request
- 02Account Compromise Confirmed
- 03Recovery and Employee Communications
Insider Threat: Data Exfiltration
A senior engineer who recently gave their two-week notice has been detected downloading large volumes of proprietary data. USB device activity, cloud storage uploads, and after-hours access patterns suggest systematic data theft. You must balance investigation with employee rights.
- 01DLP Alert: Mass Download Activity
- 02Personal Cloud Storage Uploads
- 03Confrontation and Legal Action
Supply Chain: Vendor Software Compromise
A critical monitoring tool used across your infrastructure has pushed a compromised update. The backdoor provides attackers with persistent remote access. Multiple organizations are affected. You must determine your exposure and contain the threat while the vendor investigates.
- 01Vendor Security Advisory
- 02Backdoor Activity Confirmed
- 03Multi-Organization Coordination
OT/ICS: Water Treatment SCADA Attack
Attackers have gained access to your water treatment facility's SCADA systems through an exposed remote access portal. Chemical dosing parameters have been modified and operators are seeing erratic sensor readings. Public safety is at stake.
- 01Erratic SCADA Readings
- 02IT/OT Crossover Confirmed
- 03EPA Notification and Public Safety
Social Engineering: Deepfake CEO Fraud
Attackers are using AI-generated deepfake audio of your CEO to authorize fraudulent actions. Help desk staff and executives have received convincing phone calls. The line between real and fake communications is blurring.
- 01Deepfake Voice Call to Help Desk
- 02Cascading Deepfake Attacks
- 03Employee Confidence Crisis
Data Breach: Customer PII Exposure
A SQL injection vulnerability in your customer-facing portal has been exploited, exposing personal data of 250,000 customers. You must contain the breach, assess the damage, notify affected individuals, and manage regulatory obligations across multiple jurisdictions.
- 01Breach Discovery via Dark Web
- 02Scope Assessment: PCI and PII Impact
- 03Customer Notification and Public Response
Want a custom scenario for your team?
We build bespoke exercises tailored to your industry, tech stack, and threat model — with full facilitation and reporting.