Case Simulator
Friday night, 23:00 · LockBit is inside. What would you do?
Scenarios derived from real DSET cases. Every decision leaves an impact on time · cost · reputation.
LockBit Friday Night · production line halted at an automotive supplier
Friday 22:14 · a LockBit 3.0 variant encrypted 800 endpoints + 12 PLCs. Production stopped, ransom 1.8M USD. As the incident response lead, you will make 11 critical decisions in sequence.
Inside for 14 months: Municipal APT · data leaking silently
The municipality's SIEM alerts had been dismissed as 'internal IT' for weeks. On the first day the C2 traffic patterns match APT28. As the threat hunting lead, you will make 11 critical decisions in sequence.
Hospital HIS · ransomware arrived at surgery time
Saturday 06:42 · ER tablets on a lock screen · HIS down · 4 operating rooms suspending elective cases. 2 million patient records encrypted, ransom 2.4M USD. As the incident response lead, you will make 11 critical decisions in sequence.
CASE #DR-2891 · RAID-5 array with 3 failed disks · 7 TB financial archive
Monday morning · a bank back-office archive server will not boot. 4× 4 TB Enterprise SAS · RAID-5. First 1 disk died, then a rebuild started, then 2 more disks died. No hot spare. 7 TB of sector-compliance records · a BDDK audit in 5 days. A 48-hour SLA. You will make 11 critical decisions in sequence.
CASE #FRN-4421 · corporate espionage evidence on an iOS 17 device
An urgent notice from the Public Prosecutor's Office. A senior executive's iPhone 15 Pro Max · iOS 17.2.1. A corporate espionage suspicion · WhatsApp, Signal, Photos metadata are sought. The court wants a report in 72 hours. If the chain of custody breaks, the case collapses. You will make 11 critical decisions in sequence.
CASE #PT-1182 · penetration test of an e-commerce platform before Black Friday
One of Türkiye's top 5 e-commerce platforms · 14 days to Black Friday. A full-scope web + mobile + API pentest. PCI-DSS scope · 3M active customers · 8 million card records. OWASP ASVS L2 is mandatory. You will make 11 critical decisions in sequence.
CASE #SGT-7723 · extracting evidence from a locked iPhone for a life insurance claim
After the death of a 17-year-old in a motorcycle accident, a 2.4M TL life insurance process opened. The adjuster requested the iPhone 14 Pro contents to distinguish 'accident, suicide or intentional death'. The device sat 11 hours on a muddy road at the scene, the screen is cracked, Face ID is unusable, the PIN is unknown because the owner died, and Activation Lock is active. The family applied to the DSET mobile forensics team. You will make 11 critical decisions in sequence.
WhatsApp Business account takeover · fake IBAN sent to 47 customers, 312K TL fraud
Monday 08:14 · a textile exporter with 47 employees. The WhatsApp Business account was hijacked via an OTP transfer attack. The attacker is messaging 280 customers 'the IBAN has changed.' 12 fraudulent transfers are complete. You will make 11 critical decisions in sequence.
ESXi vCenter Akira ransomware · 47 VMs encrypted · logistics operations halted
04:17 · a regional logistics company's VMware vCenter was hit by an Akira variant. 47 VMs (ERP, warehouse management, driver tablets, file server) are encrypted. The NAS replica was already encrypted 4 hours earlier. Demand is 320K USD in Bitcoin. Operational loss is 18,000 EUR per hour. You will make 11 critical decisions in sequence.
CFO whaling · fake email from the CEO · pressure for an urgent 380K TL transfer
Friday 16:42 · the CFO received a look-alike domain email 'from the CEO': 'Urgent supplier payment, 380K TL to this IBAN, reporting on Monday.' The bank approval window is 30 min. The CEO is on a business trip in Germany with the phone off. You will make 11 critical decisions in sequence.
O365 takeover · supplier invoices stolen for 11 months via an auto-forward rule
An accounting assistant's O365 mailbox was compromised 11 months ago. The attacker used an 'Inbox rule' to forward all supplier invoices to themselves · changed IBANs and sent fake invoices. Monthly loss 240K TL. A supplier is calling asking 'where is our money.' You will make 11 critical decisions in sequence.
Active Directory DC compromise · Kerberoast + Pass-the-Ticket · 200 endpoints at risk
At a manufacturing firm with 200 endpoints, a SOC analyst noticed anomalous Kerberos TGS requests. 280 TGS-REQ for SPNs in 12 minutes. The attacker is trying to crack the Domain Admin hash. BloodHound indicator: there was also an attempt from the same PC 3 weeks ago. You will make 11 critical decisions in sequence.
Magecart skimmer planted in an e-commerce Magento checkout · 14 days ago
A Magento store with 8M TL monthly revenue. A customer complained 'my card details have been leaked.' A 12-line JavaScript skimmer was added to checkout.js, card data flows to a C2 in Latvia. 14 days × 60 orders per day = 840 cards leaked. You will make 11 critical decisions in sequence.
Hospital MR/CT devices in a cryptomining botnet · ICU monitor latency
At a 300-bed public hospital, IT noticed packet latency from the medical device network to the ICU monitors. 47 devices (MR, CT, biochemistry analyzers) are cryptomining with a Mirai variant + Monero miner. ICU monitor packet loss = a risk to vital monitoring. You will make 11 critical decisions in sequence.
SQL Server LockBit + RAID-5 degraded · ERP DB · if one more disk fails the data is gone
A manufacturing firm's SQL Server 2019 was encrypted by LockBit, and at the same time the RAID-5 array has 1 failed disk (DEGRADED). If a second disk fails the data is completely lost. ERP + accounting + sales hold 8 days of data. The last clean backup is 6 days old. You will make 11 critical decisions in sequence.
Fake top-cover skimmer on a mall POS terminal · 47,000 cards read over 8 weeks
Mall management discovered 8 weeks ago that a POS terminal's top cover had been swapped with a fake device. In that period 47,000 cards were read and sent to the attacker via a Bluetooth chip. 1,200 frauds, averaging 1,800 TL. A bank alert arrived. You will make 11 critical decisions in sequence.
Corporate WordPress backdoor + 120 Japanese SEO spam URLs · Google rank dropped 78%
A B2B software firm's corporate WordPress site was compromised 6 months ago. Google Search Console issued a 'JP spam content' warning. 14 backdoor PHP files were added to wp-includes/, and 12,000 hidden posts were added to the DB. The site's Google rank dropped 78%. You will make 11 critical decisions in sequence.
Cement plant OT pentest · Siemens S7-1500 PLC + WinCC HMI · production must not be halted
A cement plant requested an authorized OT pentest from DSET. Target: Siemens S7-1500 PLC, WinCC HMI, ICS DMZ. Contract rule: halting production is forbidden. 14 business days. One wrong move = 240K TL/hour loss. You will make 11 critical decisions in sequence.
Mobile banking iOS+Android pentest · root/jailbreak bypass · MASVS L2
A top-5 bank requested an authorized mobile pentest from DSET. Target: jailbreak/root detection bypass, MitM, cert pinning bypass, and screen recording protection in the iOS+Android mobile banking app. OWASP MASVS L2 compliance target. 21 business days. You will make 11 critical decisions in sequence.
Turkey-based crypto exchange with 8M users · REST/WebSocket API + withdrawal flow pentest
A Turkish crypto exchange with 8M users requested a Red Team engagement from DSET. Target: REST/WebSocket API, withdrawal flow logic, cold wallet HSM signing flow. Black-box. Loss of funds is strictly FORBIDDEN. Test wallet limit 0.05 BTC. There is a risk of an anomaly-detection ban. You will make 11 critical decisions in sequence.
GSM operator Pulse Connect VPN intrusion · lateral movement · core OSS target
A GSM operator requested an authorized red team engagement. Target: external intrusion, VPN exploit, AD lateral movement, core OSS system. 30 business days. Impacting the production OSS system is strictly forbidden. Pulse Connect Secure CVE-2019-11510 + a leaked certificate is on Pastebin. You will make 11 critical decisions in sequence.
A+ office complex pentest · 480 cameras + BMS + elevator + 1,200 IoT devices
A newly built A+ office complex requested an acceptance test from DSET. CCTV (ONVIF, 480 Hikvision cameras), BMS (BACnet, HVAC + elevators + access control), 1,200 IoT devices. Impacting elevators, HVAC, or access control is FORBIDDEN (human safety). You will make 11 critical decisions in sequence.
Law firm DNS tunneling exfil · 8 GB of client files leaked over 3 months
An anomalous DNS query pattern was detected on the firewall of a high-end law firm. One endpoint makes 12,000 TXT record queries per day · subdomain pattern: 60-char random (base64-like). 8 GB of client files leaked over 3 months. The KVKK 72-hour clock has started. You will make 11 critical decisions in sequence.
PowerShell Empire fileless C2 · undetected for 90 days · 47 endpoints
At a software firm with 200 endpoints, a SOC analyst has been seeing anomalous PowerShell activity for weeks. AV/EDR keep reporting clean. Memory forensics revealed an Empire C2 beacon. 47 endpoints infected · 2 hops away from a DA compromise. You will make 11 critical decisions in sequence.
Cobalt Strike Malleable C2 · undetected for 4 months · investment holding
An investment holding's SOC analyst noticed an anomalous jitter pattern in HTTPS traffic. A Cobalt Strike Malleable C2 profile (Amazon mimicking) was used. Inside for 4 months · 23 endpoints infected. APT41 TTP match. You will make 11 critical decisions in sequence.
DJI Mavic 3 coast guard drone forensics · criminal evidence + flight route
A forensic unit handed DSET the memory of a DJI Mavic 3 seized by the coast guard. Analysis of the drone's flight history + video recordings + telemetry is needed in court. The chain of custody is critical, and the ISO 27037 procedure is mandatory. The defendant claims 'the drone is not mine'. You will make 11 critical decisions in sequence.
iPhone 15 Pro Pegasus-like spyware · journalist's device · NSO Group suspicion
An investigative journalist's iPhone 15 Pro shows 'excessive battery drain + phone overheating + background data traffic'. A court-approved forensic request. Suspicion of a Pegasus-like zero-click exploit (PassKit / BlastDoor bypass). A link to NSO Group? The Citizen Lab methodology is required. You will make 11 critical decisions in sequence.