Scenario Library

Try a tabletop exercise
before you commit.

After Action is a cyber crisis readiness platform built by security operators. These interactive scenarios are the same engine our facilitated engagements run on — free to try, no signup, no AI key required.

Pick a scenario. Make decisions under pressure. See where your response would have broken down. Then decide whether you want us to facilitate the next one live.

Scenarios Available8
critical

Ransomware: Operation Dark Vault

A ransomware group has gained access through compromised VPN credentials. File encryption is spreading across the corporate network while attackers claim to have exfiltrated sensitive data. You must contain the threat, notify stakeholders, and decide on recovery strategy.

10-15 minutesCompromised VPN credentials
What you'll face
  • 01Suspicious VPN Login from Foreign IP
  • 02Mass File Encryption Detected
  • 03Ransom Note and Media Inquiry
critical

Cloud Compromise: Azure AD Takeover

An attacker has obtained OAuth tokens through a sophisticated phishing campaign targeting your M365 administrators. They have escalated privileges in Azure AD, created backdoor accounts, and are accessing sensitive SharePoint sites and email inboxes. Your cloud security posture is being tested.

10-15 minutesOAuth token theft via phishing
What you'll face
  • 01Suspicious Azure AD Activity
  • 02Data Exfiltration from SharePoint
  • 03Board Notification and Regulatory Obligations
high

Business Email Compromise: Wire Fraud

The CFO's email account has been compromised through a credential harvesting campaign. The attacker is using the legitimate account to send fraudulent wire transfer requests to finance staff, mimicking the CFO's communication style. $2.1 million is at risk.

10-15 minutesExecutive email account takeover
What you'll face
  • 01Suspicious Wire Transfer Request
  • 02Account Compromise Confirmed
  • 03Recovery and Employee Communications
high

Insider Threat: Data Exfiltration

A senior engineer who recently gave their two-week notice has been detected downloading large volumes of proprietary data. USB device activity, cloud storage uploads, and after-hours access patterns suggest systematic data theft. You must balance investigation with employee rights.

10-15 minutesAuthorized access abuse
What you'll face
  • 01DLP Alert: Mass Download Activity
  • 02Personal Cloud Storage Uploads
  • 03Confrontation and Legal Action
critical

Supply Chain: Vendor Software Compromise

A critical monitoring tool used across your infrastructure has pushed a compromised update. The backdoor provides attackers with persistent remote access. Multiple organizations are affected. You must determine your exposure and contain the threat while the vendor investigates.

10-15 minutesTrojanized software update
What you'll face
  • 01Vendor Security Advisory
  • 02Backdoor Activity Confirmed
  • 03Multi-Organization Coordination
critical

OT/ICS: Water Treatment SCADA Attack

Attackers have gained access to your water treatment facility's SCADA systems through an exposed remote access portal. Chemical dosing parameters have been modified and operators are seeing erratic sensor readings. Public safety is at stake.

10-15 minutesExposed remote access portal
What you'll face
  • 01Erratic SCADA Readings
  • 02IT/OT Crossover Confirmed
  • 03EPA Notification and Public Safety
high

Social Engineering: Deepfake CEO Fraud

Attackers are using AI-generated deepfake audio of your CEO to authorize fraudulent actions. Help desk staff and executives have received convincing phone calls. The line between real and fake communications is blurring.

10-15 minutesAI-generated voice deepfake
What you'll face
  • 01Deepfake Voice Call to Help Desk
  • 02Cascading Deepfake Attacks
  • 03Employee Confidence Crisis
high

Data Breach: Customer PII Exposure

A SQL injection vulnerability in your customer-facing portal has been exploited, exposing personal data of 250,000 customers. You must contain the breach, assess the damage, notify affected individuals, and manage regulatory obligations across multiple jurisdictions.

10-15 minutesSQL injection in customer portal
What you'll face
  • 01Breach Discovery via Dark Web
  • 02Scope Assessment: PCI and PII Impact
  • 03Customer Notification and Public Response
8
Scenarios live
6
Threat categories
24
Decision points
800-61
NIST coaching framework

Want a custom scenario for your team?

We build bespoke exercises tailored to your industry, tech stack, and threat model — with full facilitation and reporting.