Large Group Facilitator Guide: Noodle RAT – Biotech Research Surveillance

Quick Reference

  • Format: Multi-Team Coordination
  • Session length: 150 min + 25 min debrief (Fog Lifts arc requires analytical depth)
  • Teams: Alpha (Forensics) / Bravo (Network/Infrastructure) / Charlie (Business Impact)
  • Variants: US only – GenVista Therapeutics
  • Expertise level: Advanced (APT investigation and biotech regulatory context)
  • Central dilemma: Submit Phase III trial data on Thursday as scheduled, or delay for integrity verification – the binary is set by the CSO: one altered data point invalidates the submission, and Alpha must confirm “read-only or modified” before the decision can be made
  • For format selection, IC briefing, and general facilitation mechanics, see the Large Group Facilitation Guide.

21 Artifacts at a Glance

Red herring: svc.backup account appears in BRAVO Initial Indicator 2 as the source of bulk file reads overnight. Teams may assume these are legitimate backup jobs. The tell: svc.backup originates from 10.10.50.47 (research VLAN) – not from 10.10.60.12 (the actual backup server admin VLAN). Do not flag this in advance.

Tier | Team | Card | Key Content
R1 | Alpha | Initial Indicator 1: Memory Injection Alert – No Disk Artifact | Reflective DLL injection; 2 hosts (RES-WS-047, RES-WS-051); no file on disk; keylogger + clipboard capture + file staging capability; 198.51.100.87:443 C2
R1 | Alpha | Initial Indicator 2: LSASS Credential Read from Research Workstation | lsass.exe credential dump; researcher.m and lab.admin credentials at risk; lateral movement to LIMS-SRV-01 possible
R1 | Bravo | Initial Indicator 1: Encrypted Beaconing – Six-Week Pattern | 6 weeks of HTTPS beaconing; no disk artifact; unrestricted outbound policy; beacon pattern: 30-min check-in + burst on collection days
R1 | Bravo | Initial Indicator 2: Bulk File Access from Trial Repository | 5 sessions; 7,694 files accessed; researcher.j and svc.backup credentials; all from 10.10.50.47 (red herring tell: svc.backup expected from 10.10.60.12)
R1 | Charlie | Initial Indicator 1: Research Scope at Risk – CSO Assessment | CSO binary: one altered data point invalidates Phase III submission; Thursday deadline; 44-day dwell, scope uncertain
R1 | Charlie | Initial Indicator 2: Investor and Regulatory Confidence Exposure | Pre-IPO timeline; Partner A co-development agreement; IRB notification if patient data involved; Series A data at risk
R2-3 | Alpha | Deep Analysis 1: Volatile Memory Capture – Implant Anatomy | Full implant profiling; file staging capability confirmed; analyst.p and researcher.j compromised; RES-WS-047 and RES-WS-051
R2-3 | Alpha | Deep Analysis 2: Initial Access Reconstruction | Spear-phishing January 24; credential portal with GenVista branding; implant delivered 119 seconds after credential submission; attacker knows GenVista branding
R2-3 | Alpha | Deep Analysis 3: Dwell Time and Collection Scope | 44-day dwell; 5 structured collection sessions; Monday burst on detection day (attacker may have known discovery was imminent); LIMS-SRV-01 accessed February 11
R2-3 | Bravo | Deep Analysis 1: C2 Infrastructure Analysis | 2 staged domains never used (other targets); DigitalOcean Singapore; JPCERT/CC links to prior campaign with 4 confirmed prior victims
R2-3 | Bravo | Deep Analysis 2: Network Segmentation Gap Analysis | Unrestricted outbound HTTPS; SMB and Kerberos from research VLAN to admin VLAN; LIMS-SRV-01 accessible from research via HTTP/HTTPS
R2-3 | Bravo | Deep Analysis 3: Three Compromised Hosts – Isolation Status | RES-WS-047, RES-WS-051, RES-WS-064 isolated; domain admin credentials appear clean; LIMS-SRV-01: 2,847 records under review
R2-3 | Charlie | Deep Analysis 1: Data Integrity Certification Requirements | Hash baselines exist for 847 submission files; “likely read-only” based on no write events; LIMS results have no hash baseline; 21 CFR Part 11 allows post-submission challenge
R2-3 | Charlie | Deep Analysis 2: Partner and Investor Notification Obligations | 48-hour clock may be running; holding statement drafted; IRB notification pending forensic determination; Partner A Section 12 clause risk
R2-3 | Charlie | Deep Analysis 3: Submission Decision Framework | Option A (submit Thursday with disclosure); Option B (voluntary delay + FDA notification); Option C (delay without disclosure – last resort); decision deadline Wednesday 15:00 UTC
R4-5 | Alpha | Development 1: Forensic Confirmation – Files Read, Not Modified | Read-only confirmed; hash verification covers 847 files; Option A viable; IC to brief CEO immediately
R4-5 | Alpha | Development 2: Persistence Removal and Clean Baseline Verification | svc.backup disabled; domain treated as “potentially enumerated”; gold image dated February 1 post-dates the January 24 compromise, so it must be verified before reuse; 3 researchers need new machines
R4-5 | Bravo | Development 1: Outbound HTTPS Inspection – Emergency Policy Change | Proxy allowlist implemented; after-hours file access alerting; MFA-gated jump server for lateral movement; TLS inspection Phase 2
R4-5 | Bravo | Development 2: Similar Biotech Targeting Pattern – Peer Intelligence | 4 prior victims (JPCERT/CC); 2 staged domains suggest other orgs currently targeted; FBI recommends formal report; data may surface in competitor research in 12-18 months
R4-5 | Charlie | Development 1: Voluntary FDA Disclosure Drafted | “No evidence of modification”; hash verification covers 847 files; 2 prior FDA submissions with analogous disclosures accepted; FBI reporting referenced
R4-5 | Charlie | Development 2: Partner Notification Sent – Response Received | Partner A Section 12.4 MAE clause triggered; Partner B data confirmed out of scope; Board session Wednesday 17:00 UTC; CEO managed both notifications personally

Opening Delivery

This is Group B “Fog Lifts” – the attack started 44 days ago and was designed to be invisible. Teams open their cards in a state of uncertainty: something was found, but its scope and impact are completely unclear.

“It is Monday 09:00 UTC. GenVista Therapeutics’ EDR just flagged an anomalous memory injection on two research workstations. There is no file on disk. There is an active C2 connection. Your Phase III FDA submission is Thursday. You are the incident response team. Turn over your cards.”

Critical note: Teams will want to know whether the trial data has been modified. That is the correct question. Do not answer it for them – ever. That answer can only come from Alpha’s forensic work, and it doesn’t arrive until Round 4 (Development 1). If a team asks “has the data been changed?” – the answer is: “That is exactly what Alpha needs to determine. What does Alpha need to find out?”

Pre-release framing: The Thursday deadline is real. The CSO’s binary (one altered data point invalidates submission) is real. Teams need to feel the weight of both before opening cards.

Round-by-Round Facilitation Notes

Round 1 – Initial Indicators

Released: All 6 R1 cards at session open

Alpha discovers: Memory-only implant with file staging capability; 2 hosts confirmed; LSASS credential dump means lateral movement is possible

Bravo discovers: 6 weeks of beaconing that was invisible; 5 bulk file access sessions – svc.backup as one source (red herring setup: source IP is research VLAN, not backup server)

Charlie discovers: CSO binary – one altered data point invalidates submission; 44-day scope unknown; pre-IPO investor exposure adds urgency

IC synthesis: Alpha knows the implant has file staging capability (files could have been exfiltrated). Bravo knows which files were accessed. Charlie knows which files are submission-critical. The IC must connect all three to frame the core question for the session.

IM navigation prompt: “Ask Alpha: what does ‘file staging capability’ mean – can the implant read and transmit files? Ask Bravo: which specific files were accessed? Ask Charlie: which of those files are in the Phase III submission package?”

Red herring note: svc.backup in Bravo’s Initial Indicator 2 appears as a legitimate explanation (backup job running overnight). Teams will often accept this without checking the source IP. Don’t flag the discrepancy. When Bravo’s team briefs the IC on the bulk file access, the IC may ask “could that be the backup system?” – if teams say yes without checking IPs, prompt: “What is the expected source IP for svc.backup?”
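The source-IP check the facilitator withholds is easy to automate once the expected origin of each service account is written down. The following is an added example, not part of the exercise cards or of any real GenVista tooling: it parses constructed file-server access records, compares every governed service account's source address against an allowed-network policy (assumed here to confine svc.backup to the 10.10.60.0/24 admin VLAN), and separately counts after-hours bulk reads, the alerting control Bravo's Development 1 card later introduces. Business hours, the 500-read threshold, the dates and the log format are assumptions.

```python
"""Added example (not from the exercise cards): check service-account logon
sources against an expected-host policy, and flag after-hours bulk reads.
VLAN ranges, business hours, threshold, dates and log format are assumptions."""
import ipaddress
from collections import Counter
from datetime import datetime, time, timedelta

# Assumed policy: svc.backup is only expected from the backup server's admin VLAN
# (the scenario's tell: the reads came from 10.10.50.47 on the research VLAN).
EXPECTED_SOURCES = {"svc.backup": [ipaddress.ip_network("10.10.60.0/24")]}
BUSINESS_HOURS = (time(7, 0), time(19, 0))   # assumed, UTC
BULK_THRESHOLD = 500                          # assumed: reads per account/source


def constructed_log():
    """Constructed file-server access log (timestamp|account|src_ip|action|path).
    Not real data: one overnight bulk session by svc.backup from a research
    workstation, one legitimate backup read, and ordinary daytime activity."""
    lines = []
    t = datetime(2026, 3, 9, 0, 30, 0)        # Monday 00:30 UTC, assumed date
    for i in range(612):                       # 612 reads, one every 3 seconds
        t += timedelta(seconds=3)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ}|svc.backup|10.10.50.47|READ|trial/efficacy/e{i:04d}.csv")
    lines.append("2026-03-09T01:12:44Z|researcher.j|10.10.50.47|READ|trial/safety/s117.pdf")
    lines.append("2026-03-09T02:00:00Z|svc.backup|10.10.60.12|READ|trial/efficacy/e0000.csv")
    lines.append("2026-03-09T10:15:09Z|researcher.m|10.10.50.22|READ|trial/protocol/p01.docx")
    return "\n".join(lines)


def parse_log(text):
    records = []
    for line in text.strip().splitlines():
        ts, account, src, action, path = line.split("|", 4)
        records.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                        "account": account, "src": ipaddress.ip_address(src),
                        "action": action, "path": path})
    return records


def unexpected_source_logons(records, policy=EXPECTED_SOURCES):
    """Governed service accounts seen from a source outside every allowed network.
    One finding per (account, source); accounts not in the policy are ignored."""
    findings, seen = [], set()
    for r in records:
        allowed = policy.get(r["account"])
        if allowed is None or any(r["src"] in net for net in allowed):
            continue
        key = (r["account"], str(r["src"]))
        if key not in seen:
            seen.add(key)
            findings.append({"account": key[0], "source": key[1],
                             "expected": [str(n) for n in allowed],
                             "first_seen": r["ts"].isoformat()})
    return findings


def is_after_hours(ts, hours=BUSINESS_HOURS):
    start, end = hours
    return not (start <= ts.time() < end)


def after_hours_bulk_reads(records, threshold=BULK_THRESHOLD):
    """READ events outside business hours, counted per (account, source); only
    pairs at or above the threshold are returned. A production rule would use a
    sliding time window rather than the whole log."""
    counts = Counter((r["account"], str(r["src"])) for r in records
                     if r["action"] == "READ" and is_after_hours(r["ts"]))
    return {k: v for k, v in counts.items() if v >= threshold}


if __name__ == "__main__":
    recs = parse_log(constructed_log())
    for f in unexpected_source_logons(recs):
        print("UNEXPECTED SOURCE:", f)
    for (acct, src), n in after_hours_bulk_reads(recs).items():
        print(f"AFTER-HOURS BULK READ: {acct} from {src}: {n} files")
```

Run stand-alone it reports one unexpected-source finding (svc.backup from 10.10.50.47) and one after-hours bulk-read alert for the same pair; the legitimate 02:00 read from 10.10.60.12 trips neither rule. That is the point of the red herring: the account name never settles the question, the source does.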

Timing: 20–25 min

Round 2 – Deep Analysis

Released: 3 cards per team

Alpha discovers: Full implant anatomy; spear-phishing initial access January 24; 44-day dwell with 5 structured sessions; LIMS-SRV-01 accessed February 11

Bravo discovers: C2 infrastructure linked to prior APT campaign; network segmentation gaps that enabled lateral movement; 3 hosts isolated

Charlie discovers: Hash baselines exist for 847 submission files – integrity verification is possible; “likely read-only” finding from write event analysis; submission decision framework (3 options)

IC synthesis: Charlie now has 3 options for Thursday. The decision deadline is Wednesday 15:00 UTC. Alpha must deliver “read-only confirmed” before Option A is viable. The IC must set Alpha’s task clearly.

IM navigation prompt: “Ask Charlie: when does the decision need to be made? Ask Alpha: when can you confirm whether the files were modified?”

Note: This is the Fog Lifts arc inflection point – teams should begin narrowing from confusion to a focused investigation. Teams that haven’t resolved the svc.backup red herring yet will likely resolve it now when Bravo checks the Deep Analysis 2 segmentation card.

Timing: 25–30 min

Round 3 – Deep Analysis, Second Pass

No new artifacts.

Alpha: Continue LIMS integrity analysis; dwell time confirmation.

Bravo: Confirm scope; prepare network controls for implementation.

Charlie: Finalize submission decision framework analysis; prepare partner notification holding statement.

IC synthesis: What does Alpha need to deliver before Wednesday 15:00 UTC to make Option A viable? Is that timeline feasible?

IM navigation prompt if stuck: “The decision deadline is Wednesday 15:00 UTC. It is Monday 09:00 UTC. That is 54 hours. What does Alpha need to do in that window – and do they have what they need?”

Timing: 20–25 min

Round 4 – Developments

Released: 2 cards per team

Alpha: Forensic confirmation – files read, not modified; hash verification covers 847 files; Option A is viable

Bravo: Emergency network controls implemented; peer intelligence – 4 prior victims; 2 staged domains (other orgs possibly targeted now)

Charlie: FDA voluntary disclosure drafted; partner notifications sent

IC synthesis: Alpha’s finding clears Option A. The IC needs to brief the CEO immediately with 2-3 sentences.

IM navigation prompt: “Alpha has a finding that unblocks the Thursday decision. What are the 2-3 sentences the IC uses to brief the CEO right now?”

Timing: 20–25 min

The Central Dilemma

Submit Phase III trial data on Thursday, or delay for integrity – and Alpha must answer “read-only or modified” before the decision can be made.

The binary is set by the CSO before Round 1 begins: one altered data point invalidates the submission. This is not a judgment call – it is a factual question that only Alpha can answer. The IC’s job is to ensure Alpha has the resources and the clear mandate to answer it, and to communicate the answer to Charlie before the Wednesday 15:00 UTC decision deadline.

The submission decision options:

  • Option A (submit with disclosure): Viable only if Alpha confirms read-only. The FDA disclosure language is in Charlie’s Development 1 card. Accepted in 2 prior similar cases.
  • Option B (voluntary delay + FDA notification): Viable if Alpha cannot confirm by Wednesday 15:00 UTC, or if the integrity finding is ambiguous. Creates a public FDA docket entry.
  • Option C (delay without disclosure): Last resort only. Under what specific finding would the team recommend it? (Answer: if modification is confirmed.)

Teams that make the submission decision before Alpha completes the LIMS audit are making the decision on incomplete information. The IC’s job is to hold that decision until Alpha delivers.

Information Asymmetry Map

Alpha knows | Bravo knows | Charlie knows | IC must synthesize
Implant has file staging capability (files could be exfiltrated or modified) | Which files were accessed (7,694 reads; 0 writes) | Which files are in the 847-file Phase III submission package | Alpha’s capability finding + Bravo’s access log + Charlie’s submission file list = the actual data integrity question
5 structured sessions over 44 days; LIMS-SRV-01 accessed February 11 | Unrestricted outbound HTTPS enabled all 6 weeks of beaconing | CSO binary – one altered point invalidates submission | The 44-day scope (Alpha) + the unrestricted outbound path (Bravo) frames the CSO’s risk (Charlie)
Forensic confirmation arrives in Round 4 (Development 1) | Network controls can be implemented immediately | Decision deadline Wednesday 15:00 UTC – 54 hours from Round 1 | Alpha’s timeline must meet Charlie’s deadline – if it cannot, Option B becomes the path

Common Failure Modes

1. Teams make the submission decision before Alpha completes LIMS audit

What it looks like: Charlie team votes for Option A based on “likely read-only” without waiting for Alpha’s confirmed forensic finding.

IM response: “The CSO said one altered data point invalidates submission. Do you have that answer – confirmed, not ‘likely’?”

2. svc.backup red herring accepted without checking source IP

What it looks like: Bravo team briefs the IC that the bulk file reads were probably backup jobs running overnight.

IM response: “What is the expected source IP for svc.backup? What IP appears in the access log?”

3. Alpha fixates on attribution instead of data integrity

What it looks like: Alpha team focuses on implant anatomy, campaign attribution, and JPCERT/CC links rather than the LIMS audit and hash verification.

IM response: “Attribution context is useful. But the CSO’s decision deadline is Wednesday. What does Alpha need to deliver before then – and is the LIMS audit in progress?”

4. Bravo assumes network isolation eliminates the threat

What it looks like: Bravo isolates the 3 hosts and reports “contained” without addressing the 44-day data access history.

IM response: “The hosts are isolated. Does that answer the question of what was taken over the past 44 days?”

5. Charlie treats all 3 options as equivalent

What it looks like: Charlie team presents all 3 options neutrally without identifying that Option C is last-resort only.

IM response: “The CSO described Option C as last resort. Under what specific forensic finding would your team recommend it?”

6. IC defers submission decision past Wednesday 15:00 UTC

What it looks like: The session runs to Round 4 without the IC having set a clear directive for Alpha’s timeline.

IM response: “The submission decision window closes Wednesday 15:00 UTC. Alpha has a forensic timeline. Does that timeline meet the window?”

Discussion Prompts by Tier and Team

Initial Indicators – Round 1

ALPHA – Initial Indicator 1: Memory Injection Alert – No Disk Artifact

  • If there is no file on disk, what evidence survives a reboot – and how long do you have before someone restarts these machines?
  • Why would two workstations check in to the same IP address within two minutes of each other?
  • The AV says clean. What does that tell you about the limitations of this control for this type of threat?
  • What should happen to RES-WS-047 and RES-WS-051 right now, and who needs to approve it?
  • What other machines on the research network might show the same pattern that haven’t been flagged yet?

ALPHA – Initial Indicator 2: LSASS Credential Read from Research Workstation

  • Who does analyst.p sit next to, and did they know each other’s credentials – or did the implant extract them from memory?
  • How many distinct identities has the attacker been operating under, and which ones still have active credentials?
  • The svc.backup account shows up twice. What access does that account have that a researcher account would not?
  • Why would all five of these authentication events happen between midnight and 04:00 UTC?
  • When did you first have the ability to detect this – and when was it actually detected?

BRAVO – Initial Indicator 1: Encrypted Beaconing – Six-Week Pattern

  • 642 beacon entries at 4-hour intervals over 44 days. Why was none of this flagged during that window?
  • The C2 domain was registered on December 14 – before the phishing email was sent on January 24. What does that tell you about the planning timeline for this operation?
  • Multiple large transfers correlate with after-hours file server access. What is the attacker doing between the small beacons and the large transfers?
  • What would have to change in the monitoring setup for a pattern like this to get caught earlier?
  • Is Monday’s 2.8MB burst the end of the operation, or could it be staging for something else?

BRAVO – Initial Indicator 2: Bulk File Access from Trial Repository

  • 7,694 file reads across five sessions. Is this bulk scraping, or does the pattern suggest the attacker knew what they were looking for?
  • The svc.backup account authenticates from a research workstation. What does that tell you about how the attacker is managing their credential inventory?
  • No write events, no deletes. Does the absence of modification make this easier or harder to respond to?
  • Where are the files going after they are read? What does the attacker do with 7,694 trial data files?
  • Five sessions over six weeks. If there were a sixth session planned, when would it likely happen?

CHARLIE – Initial Indicator 1: Research Scope at Risk – CSO Assessment

  • The CSO says “one altered data point invalidates the submission.” What does your team need from the forensics team to answer that question?
  • Two datasets are marked “under review” for HIPAA relevance. What triggers a HIPAA breach notification, and is that clock running?
  • Thursday is roughly 80 hours away. What is the minimum forensic scope needed to make a filing decision by Wednesday 15:00 UTC?
  • The efficacy summaries are both the most accessed and the most important dataset. Is that correlation meaningful?
  • Who else in the organization needs to know about this right now, and who decides when they are told?

CHARLIE – Initial Indicator 2: Investor and Regulatory Confidence Exposure

  • The CEO says investor materials cited data integrity. If that representation was made and the breach contradicts it, who is responsible for correcting it?
  • Partner agreements may define “confirmed breach” more broadly than your team’s definition. Does the legal team’s interpretation match what the logs already show?
  • The IRB notification clock has not started. What specific confirmation would start it – and should your team be working to answer that question urgently?
  • The CEO is pre-IPO. How does that change the stakes of a public disclosure versus a private one?
  • Who makes the call on whether to notify partners today versus waiting for forensic conclusions?

Deep Analysis – Rounds 2-3

ALPHA – Deep Analysis 1: Volatile Memory Capture – Implant Anatomy

  • You have a memory image. What is the first thing you need to extract from it to help the business decision this morning?
  • The stub at C:\Windows\Temp\gvtupd.exe is the only disk artifact recovered so far (Initial Indicator 1 reported none). What should happen to it, and in what order relative to other remediation steps?
  • The malware family is identified as NoodleRAT v2. What does knowing the family tell you – and what does it not tell you?
  • The implant has a file staging capability. How do you determine which files were staged and transmitted versus which were only accessed?
  • The same injection pattern is on at least two machines. How many machines are you going to image, and how do you decide the scope?

ALPHA – Deep Analysis 2: Initial Access Reconstruction

  • The email passed all automated checks. What control, if any, could have stopped this?
  • The credential-portal domain was registered January 21, email sent January 24. What does a 3-day gap suggest about the attacker’s operational process?
  • The credential prompt used GenVista branding. How did the attacker know what that looked like?
  • analyst.p is now a victim, not a suspect. How does your team handle the conversation with her?
  • The implant was delivered 119 seconds after credential submission. What does that automated speed tell you about the attacker’s infrastructure maturity?

ALPHA – Deep Analysis 3: Dwell Time and Collection Scope

  • 44 days of dwell time. At what point in that timeline could detection have realistically happened with current controls?
  • The attacker ran 5 structured sessions rather than one large dump. What operational purpose does that serve?
  • Monday’s burst arrived the same day detection triggered. Is that coincidence, or could it indicate the attacker knew discovery was imminent?
  • 3 compromised hosts are confirmed. What criteria would you use to declare the scope closed – how do you know there isn’t a fourth host?
  • The timeline shows LIMS-SRV-01 was accessed on February 11. What does that access mean for the lab result integrity question?

BRAVO – Deep Analysis 1: C2 Infrastructure Analysis

  • Two domains in this cluster have never been used. What should your team do with that information?
  • The attacker used DigitalOcean Singapore. Does the hosting location change anything about the attribution picture?
  • JPCERT/CC links this to a prior campaign with 4 confirmed prior victims. Should GenVista be contacting those victims, or waiting for FBI to facilitate that?
  • The operator motive is assessed as competitive intelligence, not ransomware or sabotage. Does that change your remediation priorities?
  • If the staged domains are for other targets, who needs to know – and through what channel?

BRAVO – Deep Analysis 2: Network Segmentation Gap Analysis

  • The unrestricted outbound HTTPS policy was made for legitimate research reasons. Who made it, do they know what it enabled, and what do you say to them?
  • Six weeks of beaconing was invisible because it used port 443. What would a monitored proxy have needed to see to flag it as anomalous?
  • SMB and Kerberos are permitted from the research VLAN to the admin VLAN. Which of those permissions is necessary, and which could be removed?
  • LIMS-SRV-01 is in a separate VLAN but accessible from research via HTTP/HTTPS. Was that necessary, and does it remain necessary?
  • If you could add one detection control right now with zero budget impact, what would it be?
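The question above and the beaconing questions in Bravo’s Initial Indicator 1 prompts have the same answer: a proxy does not need to decrypt the traffic to notice that one workstation contacts one address on a clock. The following is an added example, not part of the exercise or of any real GenVista tooling. It groups constructed proxy metadata by source and destination and flags pairs whose inter-connection gaps have a low coefficient of variation. The log format, the 30-minute interval with small jitter, the thresholds and the benign browsing host are assumptions; the C2 address is the scenario’s 198.51.100.87:443.

```python
"""Added example (not from the exercise cards): find periodic outbound
connections in proxy/NetFlow metadata. Only timing is used, so it works on
TLS traffic without inspection. Log format, hosts, interval and thresholds are
assumptions; the C2 address is the scenario's 198.51.100.87:443."""
import random
import statistics
from collections import defaultdict
from datetime import datetime, timedelta


def constructed_proxy_log():
    """Constructed proxy log, 'timestamp src dst:port method bytes'. One host
    checks in every 30 min with +/-45 s jitter for two days; another browses
    with irregular gaps. Not real traffic."""
    rng = random.Random(7)
    lines = []
    t = datetime(2026, 3, 7, 0, 0, 0)
    for _ in range(96):
        t += timedelta(minutes=30, seconds=rng.randint(-45, 45))
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} 10.10.50.47 198.51.100.87:443 CONNECT 1432")
    t = datetime(2026, 3, 7, 8, 0, 0)
    for _ in range(96):
        t += timedelta(seconds=rng.randint(5, 3600))
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} 10.10.50.22 203.0.113.10:443 CONNECT {rng.randint(2000, 900000)}")
    return "\n".join(lines)


def parse_proxy_log(text):
    """Group connection timestamps by (source, destination)."""
    events = defaultdict(list)
    for line in text.strip().splitlines():
        ts, src, dst, _method, _size = line.split()
        events[(src, dst)].append(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"))
    return events


def beacon_candidates(events, min_connections=24, max_cv=0.15):
    """Flag (src, dst) pairs whose inter-connection gaps are nearly constant.
    cv = population stdev / mean of the gaps. Human browsing is bursty (cv near
    or above 0.5); an implant with small jitter sits well below max_cv."""
    out = []
    for (src, dst), times in events.items():
        if len(times) < min_connections:
            continue
        times = sorted(times)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.fmean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean > 0 else float("inf")
        if cv <= max_cv:
            out.append({"src": src, "dst": dst, "connections": len(times),
                        "period_s": round(mean), "cv": round(cv, 3)})
    return sorted(out, key=lambda c: c["cv"])


if __name__ == "__main__":
    for c in beacon_candidates(parse_proxy_log(constructed_proxy_log())):
        print(f"BEACON? {c['src']} -> {c['dst']}: {c['connections']} connections, "
              f"period ~{c['period_s']} s, cv={c['cv']}")
```

A 4-hour interval scores exactly like a 30-minute one; the detector keys on regularity, not rate, and it needs no TLS inspection, which is why it can precede the Phase 2 inspection rollout. Real implants add larger jitter or sleep through business hours, so a production rule would also weigh byte-count asymmetry and destinations that only one host ever contacts.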

BRAVO – Deep Analysis 3: Three Compromised Hosts – Isolation Status

  • 3 isolated workstations means 3 researchers without machines. How long can operations continue – and what is the process for getting them back online?
  • Domain admin credentials appear clean. What does that mean for the scope of the incident, and does it change your remediation priority list?
  • LIMS-SRV-01 has 2,847 records under review. How do you prioritize which records to check first given the submission deadline?
  • RES-FS-001 is clean but was accessed via stolen credentials. What needs to happen to the access control configuration before the workstations come back online?
  • researcher.m and lab.admin are cleared. Do those users know what happened – and do they need to take any action?

CHARLIE – Deep Analysis 1: Data Integrity Certification Requirements

  • Hash baselines exist from routine submission prep. What does that mean for how quickly integrity can be confirmed – and who runs the comparison?
  • Safety narratives show “likely read-only” based on no write events detected. Is “likely” sufficient for a regulatory filing, or does it need to be definitive?
  • Raw patient data has only a partial hash baseline. What is the process for certifying a dataset when you cannot hash-verify everything?
  • LIMS lab results have no hash baseline and were accessed. What is the worst-case scenario if those results cannot be certified before Thursday?
  • 21 CFR Part 11 allows post-submission integrity challenges. Does that change the calculus on filing Thursday versus waiting?
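The comparison the first prompt asks about is mechanical once a baseline exists; the harder part is what the team reports about files that have none. The following is an added example, not the exercise’s or GenVista’s actual procedure: it records SHA-256 digests for every file under a submission directory, re-verifies the tree, and sorts the result into four classes, verified, modified, missing and unverifiable (present now but absent from the baseline). The constructed files, the LIMS export that was never baselined and the single altered data point are all assumptions.

```python
"""Added example (not from the exercise cards): hash-baseline verification that
keeps files without a baseline separate from files that verified clean.
The sample directory contents are constructed, not real submission data."""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Snapshot every regular file under root as relative_path -> sha256."""
    root = Path(root)
    return {str(p.relative_to(root)).replace("\\", "/"): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_against_baseline(root, baseline):
    """Classify the current tree against a stored baseline. 'unverifiable' means
    present now but absent from the baseline: the comparison says nothing about
    those files, so they are never reported as clean."""
    current = build_baseline(root)
    result = {"verified": [], "modified": [], "missing": [], "unverifiable": []}
    for rel, digest in baseline.items():
        if rel not in current:
            result["missing"].append(rel)
        elif current[rel] != digest:
            result["modified"].append(rel)
        else:
            result["verified"].append(rel)
    result["unverifiable"] = sorted(set(current) - set(baseline))
    return result


def integrity_statement(result):
    """Wording the forensic lead can stand behind, in order of severity."""
    if result["modified"] or result["missing"]:
        return "modification or loss detected"
    if result["unverifiable"]:
        return "no evidence of modification in baselined files; some files unverifiable"
    return "all baselined files match"


def demo():
    """Constructed walk-through: baseline two files, add an un-baselined LIMS
    export, verify, then alter one efficacy value and verify again."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "efficacy").mkdir()
        (root / "efficacy" / "summary.csv").write_text("subject,arm,response\n001,A,0.82\n")
        (root / "safety_narratives.docx").write_bytes(b"constructed placeholder")
        baseline = build_baseline(root)            # taken during submission prep
        (root / "lims_results.csv").write_text("sample,assay,value\nS1,ALT,31\n")
        clean = verify_against_baseline(root, baseline)
        # one altered data point, the CSO's disqualifying case
        (root / "efficacy" / "summary.csv").write_text("subject,arm,response\n001,A,0.92\n")
        tampered = verify_against_baseline(root, baseline)
        return clean, tampered


if __name__ == "__main__":
    for label, res in zip(("before tampering", "after tampering"), demo()):
        print(label, "->", integrity_statement(res), res)
```

The unverifiable class is what keeps “no evidence of modification” honest: it never quietly becomes “clean”. The baseline itself must also be trustworthy, recorded before the January 24 intrusion or on a system the attacker could not reach; a digest list generated on a compromised host after that date proves nothing about changes made before it was taken.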

CHARLIE – Deep Analysis 2: Partner and Investor Notification Obligations

  • Legal says the 48-hour clock may already be running. What is the cost of notifying partners today versus waiting for more complete information?
  • The holding statement says “scope under active investigation.” Is that accurate given what you know, and does it give you enough room to update the narrative later?
  • IRB notification requires confirming patient data involvement. Who is responsible for making that determination – forensics or legal?
  • The pre-IPO investor exposure is under legal review. Does your team need to know what that review concludes before you can proceed with other decisions?
  • Partner A has a co-development agreement. If they pause activities under Section 12 of their agreement, what is the business impact on GenVista’s pipeline?

CHARLIE – Deep Analysis 3: Submission Decision Framework

  • The decision deadline is Wednesday 15:00 UTC. What does forensics need to deliver, and by when, to make Option A viable?
  • Option B preserves integrity but creates a public FDA docket entry. How does the CEO weigh investor reaction to that versus investor reaction to a breach disclosure in the submission letter?
  • Option C is described as “last resort.” Under what specific forensic finding would the team recommend it?
  • The CEO and Board Chair have decision authority. What is your team’s role in that decision – and what is the clearest way to present your findings to support it?
  • If Option A proceeds, the cover letter discloses the breach. Who reviews and approves the disclosure language before Thursday?

Developments – Rounds 4-5

ALPHA – Development 1: Forensic Confirmation – Files Read, Not Modified

  • The forensic result is read-only. What are the two or three sentences your team will use to brief the CEO right now?
  • Hash verification covers 847 files. Are there files in the submission package that were not covered, and does that matter?
  • The attacker had the data for up to 44 days before this was detected. Does read-only access over 44 days change anything about your assessment of the risk?
  • This result clears the submission path. Does it also close the incident, or are there open investigation threads that continue regardless?
  • What is the one thing this forensic result does NOT answer – and does that thing need to be answered before Thursday?

ALPHA – Development 2: Persistence Removal and Clean Baseline Verification

  • Disabling svc.backup stops legitimate backups. Who is tracking that operational impact, and when does the account come back online?
  • The domain should be treated as “potentially enumerated.” What does a privileged account audit involve – who runs it and how long does it take?
  • Gold image baseline is from February 1. If the initial compromise was January 24, is there any risk the gold image is contaminated?
  • 3 users need new machines or verified clean reimages. Are they back at work yet, and is there any data on their machines they need that is not covered by backup?
  • The C2 IP is blocked at the perimeter. If the attacker uses a different IP next time, what is the detection plan?

BRAVO – Development 1: Outbound HTTPS Inspection – Emergency Policy Change

  • The proxy allowlist approach creates a 24-hour delay for new scientific database access. Who decides whether that tradeoff is acceptable – IT, the CSO, or the CEO?
  • After-hours file access alerting would have flagged all 5 collection sessions. Why wasn’t it already in place – and who needs to answer for that?
  • MFA-gated jump server for lateral movement would have blocked the svc.backup credential abuse. Is that a feasible change in the current architecture?
  • TLS inspection is listed as Phase 2. What is the risk of not implementing it immediately – and what would it have caught that the other controls miss?
  • These controls would have changed detection timeline from 44 days to potentially day one. How do you present that to leadership without making it sound like a blame exercise?

BRAVO – Development 2: Similar Biotech Targeting Pattern – Peer Intelligence

  • GenVista detected earlier than all 4 prior victims. What specific control made the difference – and is that control at risk of being removed in budget discussions?
  • The data will likely surface in competitor research within 12-18 months. What does GenVista’s legal team need to do now to be in a position to act when it does?
  • FBI recommends filing a formal report. What is the CISO’s role in that decision, versus the CEO’s?
  • Two staged domains suggest other organizations may currently be targeted by the same operator. Does GenVista have an obligation to share intelligence about those domains?
  • Prior victims received advance warning when their data surfaced – but only if they reported to FBI. What is the cost of not reporting?

CHARLIE – Development 1: Voluntary FDA Disclosure Drafted

  • The draft language says “no evidence of modification.” Is that the same as “definitively not modified”? Does that distinction matter for the FDA?
  • Hash verification covers 847 files. The disclosure references that number. What if FDA asks about the files that were not in the 847 – how does the team answer?
  • Two prior FDA submissions with analogous disclosures were accepted without re-audit. Does that precedent change the CEO’s risk calculation on Option A?
  • FBI reporting is referenced in the disclosure. If the CISO has not yet filed that report, does the disclosure language need to change?
  • Who has final approval authority over the submission cover letter – Regulatory Affairs, Legal, or the CEO?

CHARLIE – Development 2: Partner Notification Sent – Response Received

  • Partner A references Section 12.4 – likely a material adverse change clause. What does the Legal team need to assess, and how quickly?
  • Partner B says their data “does not appear” to be affected based on the description provided. Is that description accurate – and are the Series A pre-clinical datasets confirmed out of scope?
  • The Board session is Wednesday 17:00 UTC. What does your team need to prepare, and who is presenting?
  • Partner A’s 14-day forensic summary deadline is achievable. Who owns that deliverable, and has the clock started?
  • The CEO managed both notifications personally. What does that signal about how seriously the organization is taking the partner relationship risk?

Debrief Focus

1. “Alpha had the file staging capability finding in Round 1, Bravo had the access log, Charlie had the submission file list. The data integrity question required all three. When did those three pieces actually come together – and what was the bottleneck?”

Surfaces: IC synthesis function; how information silos delay critical decisions.

2. “The svc.backup account appeared in the access log and could have been a legitimate backup job. How long did it take to check the source IP – and what would have happened if that detail had been missed entirely?”

Surfaces: the importance of not accepting the first plausible explanation in forensic analysis.

3. “Alpha’s forensic confirmation arrived in Round 4. The submission decision deadline was Wednesday 15:00 UTC. Did Alpha’s timeline fit the window – and what would Option B have cost the organization if it hadn’t?”

Surfaces: the operational tension between forensic thoroughness and business timeline.

4. “The attacker had a 44-day dwell time and ran only 5 structured collection sessions. What does that operational discipline tell you about the threat actor’s objectives – and does it change how you think about the threat model for biotech research organizations?”

Surfaces: APT behavior vs. opportunistic threat actors; competitive intelligence as a threat category.

5. “The EDR caught the implant on day 44. Every other control missed it for 6 weeks. What would have caught it earlier – and is that control feasible for a research organization that needs unrestricted access to scientific databases?”

Surfaces: the security-research-productivity tradeoff unique to biotech.