Choose Your Training Role And User Name

🎛 Presenter

Controls the room, advances the timeline, frames the lesson.

🟥 Attacker

Explains what action created the risk, without real exploit detail.

🟨 Victim/System

Explains what the user or system experiences: prompts, errors, logs.

🟩 Defender

Identifies evidence, alerts, containment, and controls that break the chain.

🟪 Observer

Watches the full cause/effect/defend flow and answers prompts.

Cyber Center of Excellence May Session
Cause Effect Defend
Live Training Scenario | Single Shared Room | Presenter-Led Flow
Meeting tempo:
0–15 min: mini attack
15–30 min: mini defense
30–60 min: main attack

Next month: June opens with the defense briefing for May's main scenario.
Single live room: Presenter controls the timeline; assigned roles make their own decisions.
Room: MAY2026 — automatic.
First 30 minutes

May Kickoff: Phishing Mini-Scenario

Use this to explain the meeting mechanics before the main scenario.

15 attack + 15 defense
Start | Attack | Victim Effect | Defender | Wrap

OFFENSIVE VIEW

attacker narrative

VICTIM / SYSTEM VIEW

user and cloud activity

DEFENDER VIEW

alerts and response
Final 30 minutes

Main Attack: File Viewer → Forced Authentication

This is the scenario that June will defend. Keep the attack explanation story-based: what happened, what changed, what evidence exists.

June defense handoff
Brief | Recon | Input Abuse | Callback | Exposure | Evidence | Handoff

OFFENSIVE VIEW

attacker sequence

VICTIM / SYSTEM VIEW

app, server, and network effects

DEFENDER VIEW

what the defender can see
Presenter framing:

“This is not a walkthrough. We are not teaching exploit syntax. We use a realistic pattern to ask: what did the system do, what would telemetry show, and what controls would have broken the chain?”
Audience prompt:

“At which moment did this become a security event: the weird file input, the outbound authentication attempt, the captured challenge, or the later login attempt?”
Assign for next meeting

June Defense Briefing Prep

June defends the May main scenario in the first 30 minutes, then introduces the next attack.

Output of May meeting
Prevent

How do we prevent file inclusion and unsafe remote path handling? What should input validation and allowlisting look like?
Detect

What logs reveal strange file parameters, outbound SMB/NTLM, suspicious server callbacks, or unusual service account use?
Respond

What do we do once credential exposure is suspected? Block egress, rotate account secrets, review host activity, validate scope.
Harden

What long-term controls matter: egress filtering, least-privilege service accounts, NTLM reduction, app testing, alert rules?
June opening line: “Last month, the attacker abused a file viewer and caused the server to authenticate outward. Today we defend that chain.”