Ghost Rat Scenario: Titan Defense Systems Surveillance

Titan Defense Systems: Military contractor developing classified weapons systems, 1,200 employees
APT • GhostRAT
STAKES
National security + Classified weapon designs + Defense contract integrity + Military operational security
HOOK
Titan Defense Systems is finalizing classified designs for next-generation military equipment when engineers notice their CAD workstations occasionally responding to commands they didn't issue - files opening automatically, designs being modified mysteriously, and classified documents being accessed during secure meetings. Sophisticated remote access tools have been providing foreign adversaries complete control over defense contractor systems.
PRESSURE
Classified weapons delivery deadline Thursday - any design theft compromises national security and threatens military operational advantage
FRONT • 150 minutes • Expert
NPCs
  • General Patricia Wells (Program Director): Overseeing classified weapons development, unaware that foreign adversaries have been monitoring confidential defense meetings and stealing classified designs through compromised engineering workstations
  • Dr. Michael Chang (Lead Systems Engineer): Discovering that classified weapon designs and military specifications may have been accessed through sophisticated remote surveillance malware
  • Colonel Sandra Martinez (Defense Security Service): Coordinating counterintelligence investigation of potential foreign espionage targeting classified military technology development
  • Agent Robert Kim (FBI Counterintelligence): Leading investigation of suspected nation-state targeting of defense industrial base and classified weapons technology
SECRETS
  • Defense engineers clicked on sophisticated spear-phishing emails containing convincing military technical documents during classified project development
  • Foreign adversaries have had complete remote control over engineering workstations for months, monitoring classified meetings and stealing weapons designs
  • Stolen military technology and defense specifications may have been transferred to foreign military development programs

Planning Resources

Tip: Comprehensive Facilitation Guide Available

For detailed session preparation support, including game configuration templates, investigation timelines, response options matrix, and round-by-round facilitation guidance, see:

Ghost RAT Defense Contractor Planning Document

Planning documents provide 30-minute structured preparation for first-time IMs, or quick-reference support for experienced facilitators.

Note: Interactive Scenario Slides

Ready-to-present RevealJS slides with player-safe mode, session tracking, and IM facilitation notes:

Ghost RAT Defense Contractor Scenario Slides

Press ‘P’ to toggle player-safe mode • Built-in session state tracking • Dark/light theme support


Scenario Details for IMs

Titan Defense Systems: Classified Weapons Crisis During Delivery Deadline

Organization Profile

  • Type: Prime defense contractor developing classified weapons systems, missile defense technologies, electronic warfare platforms, and military communication networks for Department of Defense and allied military forces
  • Size: 1,200 employees, including:
    • 580 aerospace and weapons engineers holding TOP SECRET/SCI clearances designing classified military systems
    • 240 systems integration specialists conducting prototype testing at secure government ranges
    • 150 program management personnel coordinating multi-billion dollar defense contracts
    • 120 cybersecurity and counterintelligence specialists managing classified network protection
    • 75 quality assurance engineers conducting Department of Defense certification testing
    • 25 facility security officers enforcing physical security protocols
    • 10 executive leadership with compartmented access to special access programs
  • Annual Operations:
    • Managing $2.8 billion in active defense contracts across 18 military programs including next-generation missile defense interceptors, hypersonic weapons development, directed energy weapon prototypes, and secure military communications platforms
    • Maintaining TOP SECRET facility clearance enabling access to classified weapons specifications requiring stringent counterintelligence cooperation and foreign ownership control
    • Developing classified weapons technologies representing $800 million cumulative research investment providing U.S. military technological superiority over foreign adversaries
    • Operating air-gapped engineering networks physically isolated from external connectivity to protect classified design specifications
    • Coordinating classified prototype testing with U.S. Strategic Command and allied military forces
    • Supporting national security mission where weapons technology disclosure to foreign adversaries creates existential military disadvantage
  • Current Delivery Crisis: Classified missile defense system delivery Thursday to U.S. Strategic Command—$450 million contract milestone represents critical national security capability, but Ghost-RAT discovery threatens both delivery timeline and classified technology protection requiring DCSA counterintelligence notification

Key Assets & Impact

Asset Category 1: Classified Weapons Delivery & Contract Performance - Thursday delivery deadline determines $450M contract payment milestone, delays affect military operational readiness and allied defense cooperation, contract performance record influences future competitive bids worth $5B

Asset Category 2: Classified Technology Protection & Military Advantage - Weapons designs classified TOP SECRET/SCI create U.S. military superiority, foreign adversary access to interceptor specifications eliminates defensive capability, technology disclosure affects national security strategic positioning

Asset Category 3: Counterintelligence Obligations & Facility Clearance - NISPOM regulations require immediate DCSA notification of classified compromise, delayed reporting creates willful violation triggering criminal prosecution, transparent disclosure guarantees facility clearance suspension halting all classified programs

Immediate Business Pressure

Monday Morning, 7:15 AM - 72 Hours Before Classified Delivery:

Chief Security Officer Colonel (Ret.) David Martinez discovered Ghost-RAT malware providing complete remote surveillance of Titan’s classified engineering networks. The APT, a sophisticated espionage tool specifically targeting defense contractors, had systematically monitored classified weapons development for the past eight months, exfiltrating missile defense specifications, interceptor algorithms, electronic warfare countermeasures, and classified meeting discussions about military operational requirements.

The classified missile defense system delivery was scheduled for Thursday morning at U.S. Strategic Command. The interceptor technology represented a critical national security capability protecting against ballistic missile threats. Any delivery delay would affect military readiness and allied defense commitments that depend on U.S. technological superiority.

But Defense Counterintelligence and Security Agency regulations required immediate incident notification within 24 hours of discovering a classified compromise. That notification would trigger a federal investigation, potentially suspending the facility clearance until the damage assessment was completed and remediation validated, which would guarantee a missed delivery deadline and a $2.8 billion program suspension affecting all classified contracts.

Critical Timeline & Operational Deadlines

  • Eight months ago: Ghost-RAT infiltration via spear-phishing emails targeting defense engineers
  • Monday, 7:15 AM (Session Start): APT discovery 72 hours before classified delivery deadline
  • Tuesday (24 hours): NISPOM incident reporting deadline to DCSA
  • Thursday, 8:00 AM: Classified missile defense delivery to U.S. Strategic Command
  • Post-discovery: Damage assessment, technology transfer analysis, foreign adversary capability implications

Cultural & Organizational Factors

Factor 1: Defense engineers routinely opened military technical documents from industry sources, normalizing sophisticated spear-phishing despite security training

Factor 2: Classified program delivery pressure prioritized engineering productivity over strict email security enforcement

Factor 3: Air-gapped network confidence reduced monitoring for APT persistence exploiting insider access

Factor 4: Contract performance emphasis created organizational fear of DCSA reporting triggering program-ending clearance suspension

Operational Context

Defense contractors operate under National Industrial Security Program regulations that enforce classified information protection through facility clearances, counterintelligence cooperation, and immediate security incident reporting. These requirements create absolute obligations beyond contract performance or business continuity: national security protection takes priority over delivery schedules or competitive positioning, and NISPOM violations can potentially trigger criminal prosecution and permanent facility clearance revocation, eliminating defense contracting capability.

Key Stakeholders

  • Stakeholder 1: Colonel (Ret.) David Martinez - Chief Security Officer
  • Stakeholder 2: Dr. Sarah Chen - Chief Engineer
  • Stakeholder 3: Robert Williams - CEO
  • Stakeholder 4: DCSA Counterintelligence Investigator

Why This Matters

You’re not just removing APT malware from defense contractors—you’re determining whether classified weapons delivery obligations override counterintelligence transparency when incident reporting threatens both military readiness timeline and $2.8B program continuation.

You’re not just protecting classified technology—you’re defining whether defense industrial base security means accepting technology disclosure to foreign adversaries, or implementing transparent damage assessment despite contract suspension and military operational impacts.

IM Facilitation Notes

1. Emphasize dual stakes—military operational readiness AND classified technology protection both at risk

2. Make delivery deadline tangible—72-hour window with Strategic Command depending on missile defense capability

3. Use eight-month APT persistence to explore long-term espionage damage assessment complexity

4. Present Ghost-RAT as deliberate foreign adversary weapons technology targeting

5. Address defense contractor responsibility balancing contract performance against national security transparency

6. Celebrate DCSA incident reporting prioritizing technology protection despite delivery and business impacts

Opening Presentation

“It’s Monday morning at Titan Defense Systems, and the company is completing final classified designs for next-generation military equipment that will be delivered to the Pentagon on Thursday. But during secure engineering meetings, staff notice disturbing anomalies: CAD workstations performing actions without user input, classified design files opening automatically, and computer screens flickering during confidential discussions. Security investigation reveals sophisticated remote access tools providing foreign adversaries complete surveillance capabilities over classified defense development.”

Initial Symptoms to Present:

Warning: Initial User Reports
  • “Engineering workstations showing signs of remote control during classified design work”
  • “Classified weapon designs being accessed automatically during secure engineering meetings”
  • “Screen capture and keystroke logging detected on systems containing military specifications”
  • “Network traffic indicating exfiltration of classified defense technology to foreign command infrastructure”

Key Discovery Paths:

Detective Investigation Leads:

  • Digital forensics reveal sophisticated nation-state remote access trojan with comprehensive surveillance capabilities
  • Classified network analysis shows targeted spear-phishing campaign using convincing military technical documents
  • Counterintelligence timeline indicates months of undetected foreign surveillance of classified weapons development

Protector System Analysis:

  • Engineering workstation monitoring reveals real-time screen surveillance and data theft of classified designs
  • Defense security assessment shows unauthorized foreign access to classified weapons specifications and military technology
  • Classified network security analysis indicates coordinated multi-target campaign affecting other defense contractors

Tracker Network Investigation:

  • Command and control traffic analysis reveals sophisticated foreign intelligence infrastructure targeting defense industrial base
  • Military technology intelligence patterns suggest nation-state coordination of classified weapons technology theft
  • Defense contractor communication analysis indicates systematic foreign targeting of classified military development programs

Communicator Stakeholder Interviews:

  • Defense engineer interviews reveal suspicious computer behavior during classified weapons development meetings
  • Military program coordination regarding potential compromise of classified weapons technology and operational security
  • Counterintelligence coordination with FBI and Defense Security Service regarding foreign espionage investigation

Mid-Scenario Pressure Points:

  • Hour 1: Pentagon security officials discover potential compromise of classified weapons delivery affecting national defense readiness
  • Hour 2: FBI counterintelligence investigation reveals evidence of foreign military intelligence targeting
  • Hour 3: Classified weapons designs found on foreign intelligence networks affecting military operational advantage
  • Hour 4: Defense Security Service assessment indicates potential compromise of multiple classified military programs

Evolution Triggers:

  • If investigation reveals foreign technology transfer, national security enforcement action affects defense industry
  • If remote surveillance continues, adversaries maintain persistent access for long-term classified intelligence collection
  • If classified design theft is confirmed, military operational security and national defense capabilities are compromised

Resolution Pathways:

Technical Success Indicators:

  • Complete foreign surveillance removal from classified engineering systems with preservation of counterintelligence evidence
  • Classified weapons technology security verified preventing further unauthorized foreign access
  • Nation-state infrastructure analysis provides intelligence on coordinated defense industrial targeting

Business Success Indicators:

  • Classified weapons delivery protected through secure forensic handling and counterintelligence coordination
  • Defense contract relationships maintained through professional incident response and security demonstration
  • National security compliance demonstrated preventing defense security penalties and clearance revocation

Learning Success Indicators:

  • Team understands sophisticated foreign intelligence capabilities and long-term defense industrial espionage
  • Participants recognize defense contractor targeting and national security implications of classified technology theft
  • Group demonstrates coordination between cybersecurity response and counterintelligence investigation requirements

Common IM Facilitation Challenges:

If Foreign Surveillance Sophistication Is Underestimated:

“Your malware removal is progressing, but Dr. Chang discovered that foreign adversaries have been watching classified engineering meetings in real-time for months. How does comprehensive foreign surveillance change your counterintelligence approach?”

If National Security Implications Are Ignored:

“While you’re cleaning infected systems, Agent Kim needs to know: have classified weapons designs been transferred to foreign military programs? How do you coordinate cybersecurity response with counterintelligence investigation?”

If Classified Information Impact Is Overlooked:

“General Wells just learned that next-generation weapons technology may be in foreign hands. How do you assess the national security impact of stolen classified military technology?”

Success Metrics for Session:


Template Compatibility

Quick Demo (35-40 min)

  • Rounds: 1
  • Actions per Player: 1
  • Investigation: Guided
  • Response: Pre-defined
  • Focus: Use the “Hook” and “Initial Symptoms” to quickly establish defense contractor espionage crisis. Present the “Guided Investigation Clues” at 5-minute intervals. Offer the “Pre-Defined Response Options” for the team to choose from. Quick debrief should focus on recognizing foreign intelligence targeting and national security implications.

Lunch & Learn (75-90 min)

  • Rounds: 2
  • Actions per Player: 2
  • Investigation: Guided
  • Response: Pre-defined
  • Focus: This template allows for deeper exploration of defense contractor espionage challenges. Use the full set of NPCs to create realistic classified delivery and counterintelligence pressures. The two rounds allow discovery of weapons design theft and military technology compromise, raising stakes. Debrief can explore balance between cybersecurity response and counterintelligence coordination.

Full Game (120-140 min)

  • Rounds: 3
  • Actions per Player: 2
  • Investigation: Open
  • Response: Creative
  • Focus: Players have freedom to investigate using the “Key Discovery Paths” as IM guidance. They must develop response strategies balancing classified weapons protection, counterintelligence coordination, military delivery deadlines, and national security obligations. The three rounds allow for full narrative arc including foreign surveillance discovery, classified technology impact assessment, and defense security coordination.

Advanced Challenge (150-170 min)

  • Rounds: 3
  • Actions per Player: 2
  • Investigation: Open
  • Response: Creative
  • Complexity: Add red herrings (e.g., legitimate defense engineering causing false positives). Make containment ambiguous, requiring players to justify counterintelligence decisions with incomplete classified information. Remove access to reference materials to test knowledge recall of APT behavior and defense security principles. Include deep coordination with FBI counterintelligence and Defense Security Service.

Quick Demo Materials (35-40 min)

Guided Investigation Clues

Clue 1 (Minute 5): “Digital forensics reveal sophisticated nation-state remote access trojan providing comprehensive surveillance capabilities over Titan Defense Systems’ classified engineering workstations. Security analysis shows foreign adversaries maintaining complete remote control including real-time screen monitoring, keystroke logging, and file exfiltration of classified weapons designs. Engineering staff report CAD workstations performing unauthorized actions during secure classified development meetings.”

Clue 2 (Minute 10): “Counterintelligence timeline indicates foreign surveillance maintained for months through spear-phishing campaign using convincing military technical documents targeting defense engineers. Command and control traffic analysis reveals sophisticated foreign intelligence infrastructure coordinating multi-target defense industrial espionage. Classified network assessment shows unauthorized access to next-generation weapons specifications and military technology affecting national defense readiness.”

Clue 3 (Minute 15): “FBI counterintelligence investigation discovers classified weapons designs on foreign intelligence networks confirming technology transfer to adversary military programs. Pentagon security officials report potential compromise of classified delivery affecting national defense capabilities. Defense Security Service assessment indicates coordinated targeting of multiple defense contractors suggesting systematic foreign intelligence campaign against classified military development programs.”


Pre-Defined Response Options

Option A: Emergency Classified Protection & Counterintelligence Coordination

  • Action: Immediately isolate compromised classified engineering systems, coordinate comprehensive counterintelligence investigation with FBI and Defense Security Service, conduct classified damage assessment for weapons technology exposure, implement emergency security protocols for classified delivery protection.
  • Pros: Completely eliminates foreign surveillance preventing further classified technology theft; demonstrates responsible national security incident management; maintains defense contract relationships through transparent counterintelligence coordination.
  • Cons: Classified system isolation disrupts weapons delivery schedule affecting military readiness; counterintelligence investigation requires extensive defense security coordination; damage assessment may reveal significant classified technology compromise.
  • Type Effectiveness: Super effective against APT malmon type; complete foreign intelligence removal prevents continued classified surveillance and military technology theft.

Option B: Forensic Preservation & Targeted Remediation

  • Action: Preserve counterintelligence evidence while remediating confirmed compromised systems, conduct targeted classified damage assessment, coordinate selective federal notification, implement enhanced monitoring while maintaining classified delivery operations.
  • Pros: Balances classified delivery requirements with counterintelligence investigation; protects critical defense contractor operations; enables focused national security response.
  • Cons: Risks continued foreign surveillance in undetected locations; selective remediation may miss coordinated targeting; forensic requirements may delay classified technology protection.
  • Type Effectiveness: Moderately effective against APT threats; reduces but doesn’t eliminate foreign intelligence presence; delays complete classified security restoration.

Option C: Business Continuity & Phased Security Response

  • Action: Implement emergency secure development environment for classified delivery, phase foreign surveillance removal by weapons system priority, establish enhanced classified monitoring, coordinate gradual counterintelligence notification.
  • Pros: Maintains critical classified weapons delivery schedule protecting military readiness; enables continued defense contracting operations; supports controlled federal coordination.
  • Cons: Phased approach extends foreign surveillance timeline; emergency operations may not prevent continued classified technology theft; gradual notification delays may violate defense security requirements.
  • Type Effectiveness: Partially effective against APT malmon type; prioritizes military delivery over complete foreign intelligence elimination; doesn’t guarantee classified technology protection.

Lunch & Learn Materials (75-90 min, 2 rounds)

Round 1: Classified Weapons System Compromise Discovery (40-45 min)

Investigation Clues (Time-Stamped)

T+0 (Round Start):

  • Detective (Digital Forensics): “Engineering workstation forensics reveal sophisticated nation-state remote access trojan with comprehensive surveillance capabilities including real-time screen capture, keystroke logging, and file exfiltration. Evidence shows foreign adversaries have maintained complete remote control over classified CAD workstations for approximately two months, specifically during next-generation weapons system development.”
  • Protector (Classified Systems Security): “Security assessment of classified engineering network reveals unauthorized remote access during secure design meetings. Foreign surveillance tools were monitoring classified weapons specifications, military technology blueprints, and cryptographic protocol development in real-time. Some classified data shows evidence of exfiltration to foreign intelligence infrastructure.”
  • Tracker (Counterintelligence Analysis): “Command and control infrastructure analysis reveals sophisticated foreign military intelligence capabilities consistent with nation-state APT operations. The targeting pattern specifically focused on classified weapons delivery timeline, suggesting operational intelligence objectives. Network behavior indicates coordinated multi-target campaign affecting broader defense industrial base.”
  • Communicator (Federal Coordination): “General Wells reports Pentagon demanding immediate briefing on classified delivery security. FBI Agent Kim coordinating counterintelligence investigation. Defense Security Service questioning whether compromise affects Thursday’s classified weapons delivery to military. Colonel Martinez warns any classified data theft could compromise national defense readiness.”

T+15 (Mid-Round Pressure):

  • NPC Event - Dr. Chang: “Michael’s forensic analysis confirms foreign adversaries accessed complete CAD files for next-generation weapons system during Monday’s secure design review meeting. They watched our classified engineering presentation in real-time, including military specifications that are decades ahead of known foreign capabilities.”
  • Pressure Event: Pentagon security officials call demanding immediate status update. Classified weapons delivery is scheduled for Thursday - only 72 hours away. Any compromise of weapons specifications could affect military operational advantage and national defense readiness.

T+25 (Round Transition Setup):

  • Detective Discovery: “Timeline analysis shows sophisticated spear-phishing campaign using convincing military technical documents targeted defense engineers three months ago. Foreign adversaries have had persistent access to classified engineering workstations throughout entire weapons development cycle.”
  • Critical Decision Point: Team must decide whether to immediately halt classified delivery to Pentagon, risking military readiness impact, or attempt rapid remediation while maintaining delivery schedule.

Response Options for Round 1

Option A: Immediate Classified Isolation & Counterintelligence Coordination

  • Action: Immediately isolate all compromised classified engineering systems, halt Thursday weapons delivery pending complete threat removal, coordinate comprehensive counterintelligence investigation with FBI and Defense Security Service, conduct classified damage assessment for foreign technology transfer.
  • Pros: Prevents further classified technology theft; demonstrates responsible national security incident management; ensures complete foreign surveillance elimination before military delivery.
  • Cons: Halting delivery disrupts Pentagon timeline affecting military operational readiness; extensive counterintelligence investigation delays defense contracting operations; damage assessment may reveal significant classified weapons technology compromise.
  • Type Effectiveness: Super effective against APT - complete foreign intelligence removal with federal oversight.
  • Consequences: Leads to Round 2 with Pentagon demanding alternative delivery timeline, FBI conducting extensive counterintelligence probe, full scope of classified technology theft being assessed.

Option B: Rapid Forensic Assessment Before Delivery Decision

  • Action: Conduct emergency forensic assessment to determine extent of classified data exfiltration, coordinate with FBI counterintelligence while maintaining delivery timeline, implement enhanced monitoring of classified engineering systems, prepare contingency plans for delivery halt or continuation.
  • Pros: Allows evidence-based decision about delivery timing; maintains military readiness option through rapid assessment; enables informed counterintelligence coordination.
  • Cons: Assessment period extends foreign surveillance timeline; risks incomplete threat removal if delivery proceeds; Pentagon may demand immediate decision without waiting for forensics completion.
  • Type Effectiveness: Moderately effective against APT - balances investigation with military readiness requirements.
  • Consequences: Leads to Round 2 with partial forensic evidence revealing deeper compromise than expected, increasing pressure for delivery halt versus military operational needs.

Option C: Emergency Secure Delivery & Phased Remediation

  • Action: Implement emergency secure environment for final weapons delivery preparation, isolate confirmed compromised systems while maintaining delivery timeline, coordinate selective counterintelligence notification, phase complete threat removal after Thursday delivery.
  • Pros: Maintains critical military readiness through Thursday delivery; protects defense contract relationship with Pentagon; enables controlled counterintelligence coordination timing.
  • Cons: Phased approach risks continued foreign surveillance during delivery preparation; emergency operations may not prevent additional classified theft; delivery of potentially compromised weapons designs could affect national defense.
  • Type Effectiveness: Partially effective against APT - prioritizes military delivery over complete foreign intelligence elimination.
  • Consequences: Leads to Round 2 with delivery proceeding but FBI questioning adequacy of remediation, risk of foreign adversaries obtaining final weapons specifications.

Facilitation Questions for Round 1

  • “How do nation-state APT capabilities targeting classified military technology differ from typical corporate espionage?”
  • “What are the national defense implications when foreign adversaries gain real-time surveillance of classified weapons development?”
  • “How should defense contractors balance military readiness requirements with complete threat remediation?”
  • “What makes classified engineering workstation compromise particularly dangerous for national security?”

Round 1 Transition Narrative

Based on team’s chosen response option:

If Option A chosen: “Your immediate delivery halt triggers Pentagon crisis response. Military operational planners scramble to adjust readiness timeline. FBI counterintelligence launches intensive investigation of foreign military intelligence targeting. Forensics reveals foreign adversaries watched every classified design meeting for two months - the technology compromise may be more extensive than initially assessed.”

If Option B chosen: “Your rapid forensic assessment reveals devastating scope: Foreign adversaries accessed complete classified weapons specifications, including cryptographic protocols and targeting systems decades ahead of known foreign capabilities. FBI demands immediate delivery halt for counterintelligence investigation. Pentagon insists delivery must proceed for critical military operations. You’re caught between conflicting federal requirements.”

If Option C chosen: “Your emergency secure environment prevents some additional data theft, but forensics discovers foreign adversaries are still monitoring final delivery preparation. FBI counterintelligence questions whether weapons delivered to Pentagon may contain compromised specifications. Defense Security Service warns that proceeding with delivery under active foreign surveillance could constitute security clearance violations.”

Round 2: Classified Technology Transfer & Military Impact Assessment (35-45 min)

Investigation Clues (Time-Stamped)

T+0 (Round Start - Building on Round 1 outcome):

  • Detective (Counterintelligence Forensics): “Complete forensic analysis confirms foreign military intelligence accessed classified weapons designs for next-generation targeting systems, advanced cryptographic protocols, and stealth technology specifications. Evidence indicates systematic technology transfer to foreign military development programs. Some engineering meetings were monitored in real-time by foreign intelligence analysts.”
  • Protector (Classified Damage Assessment): “Defense Security Service assessment reveals potential compromise of multiple classified military programs beyond current weapons delivery. Foreign adversaries had access to research data affecting future defense projects worth billions. Classified network security shows coordinated targeting of other defense contractors working on related military technology.”
  • Tracker (Attribution & Campaign Analysis): “Intelligence community confirms nation-state APT attribution with specific foreign military intelligence unit responsible for campaign. Analysis reveals Titan Defense is one of at least eight defense contractors targeted in coordinated operation to steal American military technology. Campaign operational security and capabilities indicate decades of foreign intelligence investment.”
  • Communicator (Pentagon & Clearance Coordination): “Pentagon security officials briefed on complete classified technology compromise affecting military operational advantage. Defense Security Service reviewing Titan Defense clearance eligibility for all classified contracts. FBI counterintelligence coordinating with intelligence community on national defense implications. Military program directors questioning whether compromised weapons systems should be deployed.”

T+15 (Mid-Round Pressure):

  • NPC Event - General Wells: “Patricia reports Pentagon is considering canceling entire weapons program due to foreign technology compromise. If foreign adversaries already have our specifications, deploying these systems could provide them tactical advantage. This could end Titan Defense’s primary defense contract and cost hundreds of millions in revenue.”
  • Pressure Event: Intelligence community confirms classified weapons specifications found on foreign military development networks. Foreign adversaries are incorporating stolen American technology into their own weapons programs, potentially neutralizing US military technological advantage.

T+25 (Round Transition Setup):

  • Critical Defense Decision: Military leadership must decide whether to proceed with compromised weapons system deployment, redesign systems with different specifications, or cancel program entirely. Team’s remediation quality and damage assessment will inform this decision affecting national defense strategy.
  • Clearance Survival Challenge: Defense Security Service formal clearance review could result in suspension of all classified contract access. Titan Defense must demonstrate complete foreign intelligence removal and enhanced security to maintain defense business.

Response Options for Round 2

Option A: Complete Counterintelligence Cooperation & Security Enhancement

  • Action: Provide complete classified damage assessment to Pentagon and intelligence community, coordinate comprehensive counterintelligence investigation with FBI, implement enhanced security architecture for all classified programs, accept potential program cancellation while demonstrating complete security improvement for future contracts.
  • Pros: Maintains defense contractor clearances through transparent cooperation; supports national defense decision-making with complete intelligence; positions company for future classified contracts through demonstrated security enhancement.
  • Cons: Complete cooperation may confirm program cancellation costing hundreds of millions; extensive security overhaul requires massive investment; transparent damage assessment may end multiple classified contracts.
  • Type Effectiveness: Super effective against APT - complete foreign intelligence collaboration supports national defense.
  • Business Impact: High short-term cost but preserves long-term defense contracting capability and clearances.

Option B: Targeted Damage Mitigation & Program Modification

  • Action: Work with Pentagon to identify which specific weapons specifications were compromised, propose program modifications using alternative technology not accessed by foreign adversaries, coordinate focused counterintelligence response, implement enhanced security for remaining classified projects while attempting to save current contract.
  • Pros: Program modification may save current contract and revenue; targeted approach focuses resources on salvageable classified work; maintains some defense contracting operations during remediation.
  • Cons: Partial approach may not satisfy Defense Security Service clearance review; program modifications may not be technically feasible; Pentagon may demand complete redesign anyway.
  • Type Effectiveness: Moderately effective against APT - addresses confirmed compromises but may not demonstrate complete security improvement.
  • Business Impact: Moderate cost with possibility of saving primary defense contract.

Option C: Minimum Viable Cooperation & Business Preservation

  • Action: Provide required counterintelligence evidence while minimizing classified damage disclosure, argue for program continuation with enhanced security monitoring, coordinate minimum clearance review cooperation, focus on maintaining defense contract revenue over complete security overhaul.
  • Pros: Protects current defense contract and revenue; minimizes immediate business disruption; maintains classified contracting operations.
  • Cons: Minimal cooperation likely results in clearance suspension; Pentagon unlikely to proceed with compromised weapons program; FBI may compel more extensive cooperation; risks long-term defense business viability.
  • Type Effectiveness: Partially effective against APT - prioritizes business over complete counterintelligence support.
  • Business Impact: Low immediate cost but extremely high risk of clearance loss and program cancellation.

Facilitation Questions for Round 2

  • “How does classified technology theft affect military operational advantage and national defense strategy?”
  • “What are the ethical obligations of defense contractors when foreign adversaries obtain American weapons specifications?”
  • “How should clearance review decisions balance security failures with contractor cooperation and remediation?”
  • “What makes coordinated multi-contractor targeting campaigns particularly dangerous for the defense industrial base?”

Victory Conditions for Lunch & Learn

Technical Victory:

  • Complete removal of foreign surveillance from all classified engineering systems with forensic evidence preservation
  • Enhanced security architecture preventing future nation-state targeting of classified military programs
  • Counterintelligence contribution supporting broader defense industrial base protection

Business Victory:

  • Defense contractor clearances maintained through demonstrated complete security improvement and federal cooperation
  • Military relationship preserved through transparent damage assessment and program remediation support
  • Defense contracting business continuity through enhanced security positioning despite technology compromise

Learning Victory:

  • Team understands nation-state APT capabilities targeting classified military technology development
  • Participants recognize defense contractor obligations to national security over business revenue
  • Group demonstrates coordination between cybersecurity response, counterintelligence investigation, and military readiness requirements

Debrief Topics

  1. Nation-State APT Sophistication: How do foreign military intelligence capabilities differ from criminal threat actors?
  2. Classified Technology Protection: What security controls are required for defending classified weapons development?
  3. Military Operational Impact: How does technology compromise affect national defense strategy and capability deployment?
  4. Counterintelligence Coordination: What’s the relationship between cybersecurity incident response and intelligence community operations?
  5. Defense Security Clearances: How do clearance review processes evaluate contractor security after a major breach?
  6. Business vs. National Security: When do defense contractors’ revenue interests conflict with national security obligations?

Full Game Materials (120-140 min, 3 rounds)

Round 1: Real-Time Foreign Surveillance Discovery (35-40 min)

Open Investigation (Player-Driven)

Available Evidence (Players must ask to investigate):

  • Engineering workstation logs: Show unusual remote access patterns during classified design meetings
  • CAD file access logs: Reveal unauthorized viewing of classified weapons specifications
  • Network traffic: Indicates persistent connections to foreign infrastructure during business hours
  • Email forensics: Sophisticated spear-phishing with military technical document attachments
  • Classified meeting recordings: Video shows screen flickering and cursor movements engineers didn’t make
  • Pentagon security logs: Questions about unusual data transfers from Titan Defense systems

Role-Specific Investigation Paths:

  • Detective: Can pursue malware analysis, spear-phishing campaign investigation, foreign intelligence attribution, or classified data exfiltration timeline
  • Protector: Can investigate engineering workstation security, classified network assessment, weapons system impact analysis, or multi-program compromise scope
  • Tracker: Can analyze command and control infrastructure, nation-state capabilities assessment, defense industrial base targeting patterns, or intelligence community coordination
  • Communicator: Can interview defense engineers about suspicious behavior, coordinate with Pentagon security, assess FBI notification requirements, or evaluate Defense Security Service implications

NPC Interactions (Players must initiate)

General Patricia Wells (Program Director):

  • Available for classified delivery timeline, Pentagon coordination, military operational impact assessment
  • If asked about delivery deadline: “We committed to Thursday delivery six months ago. Pentagon operational planning depends on this timeline. But if foreign adversaries have our specifications, deploying compromised systems could give them tactical advantage. This is a national defense decision, not just a business decision.”
  • If asked about program cancellation: “This is our largest contract - $400 million over five years. Cancellation would require massive layoffs and potentially end Titan Defense as a going concern. But national security comes first, always.”

Dr. Michael Chang (Lead Systems Engineer):

  • Available for technical analysis, classified systems assessment, weapons specifications impact evaluation
  • If asked about surveillance capabilities: “Based on the malware analysis, foreign adversaries could see everything on our screens in real-time. They watched us designing targeting systems, reviewing cryptographic protocols, discussing countermeasures. It’s like they were sitting in our classified engineering meetings.”
  • If asked about technology impact: “Some of these weapons specifications are decades ahead of known foreign capabilities. If they incorporate our designs into their systems, we may have just eliminated American military technological advantage in multiple domains.”

Colonel Sandra Martinez (Defense Security Service):

  • Available for clearance implications, classified handling requirements, defense industrial base security
  • If asked about clearance review: “When foreign military intelligence successfully targets a defense contractor’s classified programs, we must evaluate whether that contractor can be trusted with future classified work. Your cooperation and remediation will determine Titan Defense’s clearance eligibility going forward.”
  • If asked about industry impact: “Intelligence indicates this is a coordinated campaign against multiple defense contractors. Your response could set precedent for how the defense industrial base handles nation-state targeting. Every defense contractor is watching what happens here.”

Agent Robert Kim (FBI Counterintelligence):

  • Available for counterintelligence investigation, nation-state attribution, evidence requirements
  • If asked about investigation scope: “This is economic espionage affecting national defense. We need complete forensic cooperation, access to all engineering systems, and detailed classified damage assessment. The intelligence community needs to understand exactly what foreign adversaries obtained to assess military operational impact.”
  • If asked about attribution: “We have high confidence this is nation-state APT targeting American military technology development. This isn’t corporate espionage - it’s a foreign intelligence operation against US national security interests. That changes everything about our investigation and your obligations.”

Pressure Events (Timed Throughout Round)

T+10: Engineering workstation begins displaying screen capture in real-time to foreign server. Foreign adversaries are actively watching classified weapons development RIGHT NOW.

T+20: Pentagon security liaison calls asking about unusual network traffic from Titan Defense to foreign infrastructure. They’re detecting the compromise independently and demanding immediate explanation.

T+30: Intelligence community analyst contacts FBI Agent Kim with classified information: Foreign military has already incorporated some stolen specifications into their weapons development program. Technology transfer is confirmed.

Round 1 Response Development

Players must develop response addressing:

  • Immediate containment: How to stop active foreign surveillance without alerting nation-state attackers
  • Delivery decision: Whether to proceed with Thursday Pentagon delivery or halt for complete remediation
  • Counterintelligence coordination: When and how to notify FBI, Defense Security Service, and intelligence community
  • Damage assessment: How to determine which classified specifications were accessed and exfiltrated
  • Military impact: How to assess whether compromised weapons systems should be deployed

No pre-defined options - players must justify their approach

Round 1 Transition (Based on Player Decisions)

IM evaluates player response and introduces consequences:

  • If delivery halted immediately: Pentagon operational planners scramble to adjust military readiness timeline; FBI appreciates cooperation
  • If delivery continues: Intelligence community questions decision to deploy potentially compromised weapons; Defense Security Service concerns about clearance eligibility
  • If containment aggressive: Foreign adversaries detect investigation and may accelerate data theft or establish backup persistence
  • If damage assessment incomplete: Round 2 reveals technology compromise worse than initially understood

Round 2: Classified Program Cancellation & Clearance Review (40-45 min)

Evolving Situation (Based on Round 1)

New Evidence Available:

  • Complete spear-phishing campaign timeline showing three-month foreign intelligence operation
  • Classified damage assessment revealing multiple weapons programs compromised beyond current delivery
  • Intelligence community analysis confirming foreign military incorporation of stolen technology
  • Defense Security Service formal clearance review notice for all Titan Defense classified contracts
  • Pentagon program review considering cancellation of compromised weapons system

Escalating Pressure:

  • Military Crisis: Pentagon considers canceling entire weapons program due to foreign technology compromise
  • Counterintelligence Intensity: FBI demands complete classified engineering system access for evidence collection
  • Clearance Jeopardy: Defense Security Service reviewing whether Titan Defense can maintain classified contract eligibility
  • National Defense Impact: Intelligence community assessing how stolen technology affects military operational advantage

Open Investigation Continues

Additional Investigation Paths:

  • Multi-Program Assessment: Determine which other classified projects beyond current delivery were compromised
  • Foreign Technology Transfer: Analyze how foreign adversaries are using stolen weapons specifications
  • Defense Industrial Base: Investigate whether other defense contractors were targeted in coordinated campaign
  • Security Enhancement: Design improved classified systems protection preventing future nation-state targeting

NPC Developments

General Wells - Program Cancellation Crisis:

  • “Pentagon program director just informed me they’re leaning toward canceling the entire weapons system. Their logic: if foreign adversaries have our specifications, deploying these weapons gives them tactical advantage rather than preserving American military superiority. That decision costs us $400 million and potentially forces company shutdown. But I understand their reasoning from a national security perspective.”

Dr. Chang - Technology Assessment Devastation:

  • “The classified damage assessment is worse than we thought. Foreign adversaries accessed not just current weapons delivery, but also next-generation research affecting future defense programs. Some of this technology won’t be deployed for five years, but now foreign military has specifications today. We may have given them a half-decade head start on advanced military capabilities.”

Colonel Martinez - Clearance Review Decision Point:

  • “Defense Security Service clearance review focuses on three questions: How did nation-state adversaries penetrate your classified systems? What security improvements prevent future compromise? Why should we trust Titan Defense with classified work after this failure? Your answers determine whether you continue as a defense contractor or not.”

Agent Kim - Intelligence Community Coordination:

  • “Intelligence community is conducting a strategic assessment of how stolen technology affects military planning. They need a complete understanding of what foreign adversaries obtained, how they’re using it, and what operational adjustments the military needs to make. Your cooperation directly impacts national defense strategy, not just your business.”

Pressure Events Round 2

T+10: Pentagon program director calls General Wells: “We’re 90% decided on program cancellation. Unless you can demonstrate the compromised technology doesn’t give foreign adversaries tactical advantage, we can’t proceed with deployment. National defense strategy comes before contractor revenue.”

T+25: Defense Security Service accelerates clearance review timeline. Final decision on Titan Defense’s classified contract eligibility needed within 48 hours instead of planned 30-day review.

T+35: Intelligence community shares classified assessment with FBI: Foreign military has incorporated stolen targeting system specifications into their weapons development, potentially neutralizing American technological advantage in multiple combat domains.

Round 2 Response Development

Players must address:

  • Program Salvage Strategy: Can the weapons system be modified with alternative specifications not accessed by foreign adversaries?
  • Clearance Demonstration: What evidence proves Titan Defense can protect future classified programs?
  • Counterintelligence Cooperation: How extensive should classified damage disclosure be to support national defense assessment?
  • Business Survival: How to maintain defense contracting capability despite major program loss?
  • Security Enhancement: What architectural changes prevent future nation-state targeting?

Round 2 Transition

IM evaluates program remediation strategy and introduces Round 3 setup:

  • Pentagon decision on weapons program based on damage assessment and modification proposals
  • Defense Security Service clearance review outcome based on cooperation and security improvements
  • Intelligence community strategic assessment of military operational impact
  • Long-term defense contracting viability based on response quality

Round 3: National Defense Strategy & Contractor Recovery (40-55 min)

Final Crisis Resolution

Situation Status:

  • Pentagon weapons program decision imminent - deploy, modify, or cancel
  • Defense Security Service clearance review concluding - maintain, suspend, or revoke
  • Intelligence community assessment complete - military operational strategy adjustments
  • Defense contractor viability - business recovery path or potential shutdown

New Developments:

  • Pentagon Decision: Final weapons program review meeting scheduled - Titan Defense must present remediation and modification proposals
  • Clearance Outcome: Defense Security Service clearance review hearing - must demonstrate complete security enhancement
  • Intelligence Impact: Military operational planning adjusting to foreign technology compromise - need contractor input
  • Industry Leadership: Other defense contractors looking to Titan response as precedent for nation-state targeting

Final Investigation & Response

Critical Questions Players Must Answer:

  1. Program Modification Feasibility: Can the weapons system be redesigned with alternative technology not compromised by foreign adversaries?
  2. Security Enhancement Proof: What concrete improvements demonstrate ability to protect future classified programs?
  3. National Defense Support: How can the contractor support military operational adjustment to technology compromise?
  4. Business Recovery Path: What’s a viable defense contracting future after a major program loss?
  5. Industry Precedent: How should the defense industrial base respond to nation-state APT campaigns?

NPC Final Positions

General Wells - Pentagon Presentation:

  • “I’m presenting to Pentagon program review committee tomorrow. They need to hear: complete damage assessment, proposed weapons modifications using uncompromised technology, enhanced security architecture, and why they should trust Titan Defense with future classified programs. Our defense business depends on this presentation being absolutely convincing from both technical and national security perspectives.”

Dr. Chang - Engineering Remediation:

  • “I’ve identified alternative targeting system designs using different technology the foreign adversaries didn’t access. It would require a six-month development delay and $50 million additional investment. Pentagon has to decide if the modified system provides sufficient military advantage to justify deployment, or if the entire program should be cancelled to avoid giving foreign adversaries any tactical intelligence.”

Colonel Martinez - Clearance Decision:

  • “Defense Security Service clearance review committee meets tomorrow. Decision factors: complete foreign intelligence removal, architectural security enhancements, demonstrated commitment to classified protection, and contractor cooperation throughout investigation. Clearance suspension ends defense business. Approval with conditions allows continued work with enhanced oversight.”

Agent Kim - Strategic Intelligence:

  • “Intelligence community needs Titan Defense engineering expertise to assess military operational impact. Your engineers understand these weapons systems better than anyone - we need your help evaluating how foreign military might use stolen specifications and what countermeasures American forces should deploy. This is an opportunity to contribute to national defense despite the breach.”

Final Pressure Events

T+15: Pentagon program review requests final presentation materials including: complete classified damage assessment, proposed system modifications, cost and timeline analysis, security enhancement documentation, and recommendation on deployment feasibility.

T+30: Defense Security Service offers conditional clearance retention: Maintain classified contracts with enhanced oversight and quarterly security audits, or face suspension. Must decide immediately.

T+40: Intelligence community proposes unique opportunity: Titan Defense engineers join classified assessment team advising military operational planning on foreign technology compromise countermeasures. This could be a path to defense contracting recovery or an admission of security failure.

Victory Conditions for Full Game

Technical Victory:

  • Complete documented removal of foreign surveillance with forensic evidence supporting counterintelligence investigation
  • Enhanced classified systems security architecture preventing future nation-state APT targeting
  • Engineering contribution to military operational assessment supporting national defense strategy adjustment

Business Victory:

  • Defense Security Service clearances maintained (potentially with conditions) allowing continued classified contracting
  • Pentagon relationship preserved through transparent cooperation and program remediation proposals
  • Defense business recovery path established despite major program challenges

Learning Victory:

  • Team demonstrates sophisticated understanding of nation-state APT capabilities and foreign intelligence operations
  • Participants recognize defense contractor obligations to national security transcending business interests
  • Group navigates complex coordination between Pentagon, FBI counterintelligence, Defense Security Service, and intelligence community
  • Understanding of classified technology protection and military operational impact assessment

Debrief Topics

  1. Nation-State APT Targeting: How do foreign military intelligence operations against defense contractors threaten national security?
  2. Classified Systems Protection: What security architecture is required for defending weapons system development against sophisticated adversaries?
  3. Military Operational Impact: How does technology compromise affect deployment decisions and defense strategy?
  4. Counterintelligence Cooperation: What’s the balance between protecting business interests and supporting national defense investigations?
  5. Defense Security Clearances: How do clearance reviews evaluate contractors after major security incidents?
  6. Business vs. National Security: When should defense contractors prioritize national defense over financial survival?
  7. Industry Precedent: What lessons should the defense industrial base learn from nation-state targeting?
  8. Strategic Intelligence: How can compromised contractors contribute to national defense recovery despite security failures?

Advanced Challenge Materials (150-170 min, 3+ rounds)

Advanced Challenge Modifications

Complexity Additions:

  1. Conflicting National Security Priorities:
    • Pentagon needs Thursday delivery for critical military operations
    • FBI counterintelligence wants investigation before any delivery
    • Defense Security Service demands immediate clearance review
    • Intelligence community needs time for strategic damage assessment
    • Players must navigate contradictory federal requirements
  2. Classification Level Complexity:
    • Different weapons specifications at CONFIDENTIAL, SECRET, and TOP SECRET levels
    • Foreign access to each classification level has different operational impact
    • Damage assessment must differentiate compromise by classification
    • Clearance review evaluates handling of each classification separately
  3. Technical Modification Uncertainty:
    • Engineering team can’t guarantee alternative designs achieve same military capability
    • Modified weapons may require extensive testing before Pentagon acceptance
    • Foreign adversaries may have accessed technology thought to be secure
    • Players must make program decisions with incomplete engineering certainty
  4. Attribution Evolution:
    • Initial evidence suggests criminal espionage
    • Later indicators point to nation-state APT
    • Final analysis reveals specific foreign military intelligence unit
    • Coordination requirements change as attribution understanding develops
  5. Red Herrings:
    • Legitimate remote engineering support that appears suspicious
    • Pentagon security testing that mimics foreign surveillance
    • Engineering workstation behavior from approved vendor software
    • Network traffic from classified research collaboration misidentified as exfiltration

Remove Access to Reference Materials:

  • No MITRE ATT&CK framework lookup during gameplay
  • No defense security regulations quick-reference
  • No classification handling guides
  • Players must recall knowledge of:
    • Nation-state APT techniques and capabilities
    • Defense Security Service clearance review processes
    • Classified information handling requirements
    • Counterintelligence coordination procedures

Justification Requirements:

Players must provide detailed written justification for:

  • Delivery timing decisions (with military operational impact analysis)
  • Classification damage assessment (demonstrating understanding of classification levels)
  • Clearance review evidence (proving capability to protect future classified programs)
  • Program modification proposals (with technical feasibility and national security trade-off analysis)

Advanced Challenge Round Structure

Round 1: Ambiguous Discovery During Critical Delivery Window (45-50 min)

  • Evidence mixing legitimate engineering activity with foreign surveillance
  • Unclear whether compromise affects only current delivery or multiple programs
  • Pentagon demanding delivery decision with incomplete forensic information
  • Attribution uncertain between criminal and nation-state actors
  • Players must decide on delivery, notification, and containment with high ambiguity

Round 2: Multi-Program Compromise with Resource Constraints (50-55 min)

  • Forensics reveals compromise extends to multiple classified programs
  • Limited investigation team can’t simultaneously assess all affected projects
  • Pentagon program review demanding decisions on multiple weapons systems
  • Conflicting federal guidance on counterintelligence cooperation vs. clearance protection
  • Must prioritize engineering resources across competing classified investigations

Round 3: Clearance Hearing with Strategic Intelligence Opportunity (55-65 min)

  • Defense Security Service clearance review hearing requires justifying all previous decisions
  • Intelligence community proposes contractor support for national defense assessment
  • Some engineering staff unwilling to participate in classified damage disclosure
  • Final Pentagon program decisions based on contractor remediation quality
  • Must balance business recovery with national security contribution

Advanced Pressure Events

T+20 (Round 1): Engineering team reports legitimate vendor remote support session that forensics flagged as suspicious. How do players differentiate authorized from malicious remote access?

T+35 (Round 1): Pentagon security liaison reveals they conducted penetration testing last month that may explain some forensic indicators. Must re-evaluate attribution with new information.

T+15 (Round 2): Engineering analysis reveals alternative weapons designs require technology that foreign adversaries may have also accessed. Technical modification path uncertain.

T+40 (Round 2): Defense Security Service asks why counterintelligence cooperation was delayed (if applicable) or why excessive disclosure damaged clearance defense (if applicable). Must justify decisions with incomplete information from Round 1.

T+25 (Round 3): Intelligence community reveals foreign military already deployed countermeasures to American weapons system, proving they have complete specifications. All program modification efforts may be futile.

T+50 (Round 3): Pentagon offers unexpected choice: Cancel current compromised program but award new $600 million contract for different classified system, contingent on clearance retention and demonstrated security improvements. Business recovery opportunity or setup for future failure?

Advanced Victory Conditions

Technical Victory (High Bar):

  • Complete foreign surveillance removal verified through independent intelligence community assessment
  • Enhanced classified systems architecture approved by Defense Security Service as meeting highest standards
  • Engineering contribution to national defense strategy supporting military operational adjustments
  • Documented lessons learned shared with defense industrial base through classified channels

Business Victory (High Bar):

  • Defense Security Service clearances maintained without suspension period
  • Pentagon relationship preserved with new contract opportunities despite program challenges
  • Defense contracting revenue maintained above 70% of pre-incident levels within 12 months
  • Industry leadership position established through sophisticated response to nation-state targeting

Learning Victory (High Bar):

  • Justified all delivery and notification decisions with specific military operational impact analysis (recalled from memory)
  • Demonstrated understanding of classification level handling and damage assessment requirements
  • Explained nation-state APT detection challenges and counterintelligence coordination approaches
  • Articulated defense contractor obligations transcending business interests in national security contexts
  • Navigated conflicting federal requirements across Pentagon, FBI, Defense Security Service, and intelligence community

Advanced Facilitation Challenges

When Players Struggle with Classification Complexity:

Don’t simplify for them. Instead: “Different classification levels have different national security implications. How does foreign access to TOP SECRET weapons specifications affect military operational planning differently than CONFIDENTIAL compromise? You need to demonstrate this understanding for clearance review.”

When Players Request Unavailable Information:

Enforce constraints: “You don’t have classification handling guides available. Based on your understanding of defense security requirements, what damage assessment process would Defense Security Service expect for classified program compromise?”

When Players Avoid Pentagon Decision Trade-Offs:

Force decision: “The Pentagon program director needs an answer now: proceed with Thursday delivery of potentially compromised weapons, delay six months for system redesign, or cancel the $400 million program entirely. Each choice has national security and business implications. You must decide - what’s your recommendation and why?”

When Players Rely on Pre-Defined Responses:

Remove safety net: “There are no template approaches for nation-state targeting of classified weapons development. You need an original strategy addressing: immediate foreign surveillance elimination, delivery decision rationale, counterintelligence cooperation scope, clearance demonstration evidence, and program remediation proposals. What’s your approach?”

Advanced Debrief Topics

  1. Decision-Making Under National Security Pressure: How did military operational requirements affect incident response decisions?
  2. Classification Level Handling: What damage assessment process differentiates compromise impact by classification?
  3. Nation-State APT Detection: Without reference materials, what foreign intelligence techniques did you identify and how would you detect them?
  4. Federal Coordination Conflicts: What strategies navigate contradictory requirements across Pentagon, FBI, Defense Security Service, and intelligence community?
  5. Attribution Evolution Impact: How did the changing understanding of the adversary (criminal vs. nation-state) affect response strategy?
  6. Clearance Review Demonstration: What evidence convinces Defense Security Service of capability to protect future classified programs?
  7. Program Modification Feasibility: How do engineering constraints affect weapons system remediation and national defense strategy?
  8. Business vs. National Defense: When should defense contractors prioritize military operational advantage over financial survival?
  9. Counterintelligence Cooperation: What’s the appropriate balance between supporting the national security investigation and protecting business interests?
  10. Industry Leadership: What lessons should defense industrial base learn from this nation-state targeting scenario?