Noodle RAT Scenario: Investment Bank Trading Floor

Noodle RAT Scenario: Investment Bank Trading Floor

Pinnacle Investment Group: Investment bank with 2,000 employees managing $100 billion in assets
APT Espionage • NoodleRAT
STAKES
Trading model integrity + Client confidence + Market governance + Strategic advantage
HOOK
Trading and quant teams at Pinnacle Investment Group report workstation latency spikes, unexplained session prompts, and abnormal encrypted outbound traffic from restricted model-development systems. Security scans show no malicious files on disk, but memory telemetry indicates covert process manipulation around proprietary trading workflows.
PRESSURE
  • Critical market window: Thursday close
  • Asset scope: $100 billion
  • Strategic exposure: $420 million strategy and execution exposure
FRONT • 180 minutes • Expert
Pinnacle Investment Group: Investment bank with 2,000 employees managing $100 billion in assets
APT Espionage • NoodleRAT
NPCs
  • Victoria Sloane (CEO): Owns executive posture on continuity, disclosure, and confidence
  • Marcus Chen (CTO): Leads technical containment and environment hardening
  • Dr. Andrea Park (Head of Trading): Represents active strategy and execution risk
  • Thomas Wright (CISO): Coordinates evidence preservation and authority engagement
SECRETS
  • Security controls emphasized file-based detection and underweighted volatile-memory behavior
  • Privileged analytics users had broader repository access than least-privilege policy intended
  • Covert access prioritized strategy-development data before broad disruption became visible

Planning Resources

Tip📋 Comprehensive Facilitation Guide Available

For detailed session preparation support, including game configuration templates, investigation timelines, response options matrix, and round-by-round facilitation guidance, see:

Noodle RAT Investment Bank Planning Document

Planning documents provide 30-minute structured preparation for first-time IMs, or quick-reference support for experienced facilitators.

Note🎬 Interactive Scenario Slides

Ready-to-present RevealJS slides with player-safe mode, session tracking, and IM facilitation notes:

Noodle RAT Investment Bank Scenario Slides

Press ‘P’ to toggle player-safe mode • Built-in session state tracking • Dark/light theme support

Scenario Details for IMs

Hook

Initial Symptoms to Present:

Warning🚨 Initial User Reports
  • “Trading-analysis systems show intermittent latency and unexplained session prompts”
  • “Security scans report clean disks despite persistent suspicious behavior”
  • “Restricted model repositories generate abnormal access and credential events”
  • “Encrypted outbound sessions appear from high-value analytics environments”

Key Discovery Paths:

Detective Investigation Leads:

  • Timeline reconstruction shows covert access preceding visible instability
  • Access traces indicate focused interest in strategy and execution artifacts
  • Evidence suggests low-noise persistence optimized for prolonged surveillance

Protector System Analysis:

  • Analytics endpoints show volatile-memory anomalies inconsistent with normal workloads
  • Segmentation controls reduced but did not eliminate exposure pathways
  • Recovery confidence depends on preserving volatile evidence before reset actions

Tracker Network Investigation:

  • Forensics identify periodic encrypted beaconing from strategy-development systems
  • Transfer patterns indicate staged exfiltration from model repositories
  • Infrastructure overlap suggests organized espionage rather than opportunistic malware

Communicator Stakeholder Interviews:

  • Trading leadership needs immediate guidance on safe continuity thresholds
  • Clients request confidence statements on strategy integrity and risk posture
  • Legal and compliance teams need clear disclosure thresholds tied to evidence quality

Mid-Scenario Pressure Points:

  • Hour 1: Trading leadership cannot confirm integrity of active strategy baselines
  • Hour 2: Leadership receives indicators that high-value model artifacts were accessed
  • Hour 3: Regulatory stakeholders request formal incident posture updates
  • Hour 4: Market-window confidence declines as exposure scope remains unresolved

Evolution Triggers:

  • If containment is delayed, covert access persists and collection scope expands
  • If systems are reset too quickly, critical volatile evidence may be lost
  • If communication is delayed, regulator and client confidence deteriorates rapidly

Resolution Pathways:

Technical Success Indicators:

  • Verified removal of covert access paths and restoration of trusted analytics baselines
  • Evidence package preserved for authority and investigative coordination
  • Monitoring strategy upgraded to detect low-noise persistence behaviors

Business Success Indicators:

  • Continuity and disclosure decisions remain defensible with clear rationale
  • Stakeholder communication stays timely, accurate, and confidence-scoped
  • Strategy risk is managed through coordinated trading, compliance, and security governance

Learning Success Indicators:

  • Team recognizes covert surveillance patterns that evade simple file-based controls
  • Participants practice balancing evidence preservation with market urgency
  • Group coordinates technical and business decisions under strategic pressure

Common IM Facilitation Challenges:

If Teams Rush to Reimage Systems:

“Which volatile artifacts are essential before reset actions, and who signs off on that tradeoff?”

If Market Pressure Overrides Security Discipline:

“What evidence threshold is required before asserting strategy integrity to clients and regulators?”

If Authority Coordination Is Delayed:

Success Metrics for Session:

Template Compatibility

This scenario adapts to multiple session formats with appropriate scope and timing:

Quick Demo (35-40 minutes)

Structure: 2 investigation rounds, 1 decision round
Focus: Covert-access detection and immediate integrity posture decisions
Key Actions: Scope exposure, preserve evidence, issue first market-confidence posture

Lunch & Learn (75-90 minutes)

Structure: 4 investigation rounds, 2 decision rounds
Focus: Parallel forensic triage, compliance posture, and disclosure sequencing
Key Actions: Build timeline confidence, protect high-value models, align trading and security messaging

Full Game (120-140 minutes)

Structure: 6 investigation rounds, 3 decision rounds
Focus: End-to-end financial espionage response under high-stakes market pressure
Key Actions: Coordinate leadership and trading teams, decide continuity posture, define durable remediation

Advanced Challenge (150-170 minutes)

Structure: 7-8 investigation rounds, 4 decision rounds
Expert Elements: Integrity disputes, disclosure conflict, and governance tension
Additional Challenges: Ambiguous scope, client escalation, and regulatory scrutiny

Quick Demo Materials (35-40 min)

Guided Investigation Clues

Pre-Defined Response Options

  • Option A: Evidence-Preserved Containment

    • Action: Isolate high-risk systems, preserve volatile evidence, and execute staged recovery with authority coordination.
    • Pros: Improves attribution confidence and long-term defensibility.
    • Cons: Slower short-term recovery and immediate market-pressure impact.
    • Type Effectiveness: Super effective for durable strategic resilience.

  • Option B: Continuity-First Operations

    • Action: Maintain broad operations while applying targeted controls to minimize disruption.
    • Pros: Supports near-term trading continuity and client stability.
    • Cons: Higher risk of ongoing covert collection and uncertain exposure scope.
    • Type Effectiveness: Partially effective with elevated strategic risk.

  • Option C: Phased Confidence Restoration

    • Action: Prioritize critical model domains, restore in waves, and sequence disclosure as confidence improves.
    • Pros: Balances operational urgency with evidence discipline.
    • Cons: Extended ambiguity can strain client and regulator confidence.
    • Type Effectiveness: Moderately effective when governance remains disciplined.

Lunch & Learn Materials (75-90 min, 2 rounds)

Round 1: Covert Access Discovery (30-35 min)

Investigation Clues:

  • Clue 1 (Minute 5): Analytics systems show persistent covert behavior without file-based indicators.
  • Clue 2 (Minute 10): Forensics indicate sustained unauthorized visibility into strategy workflows.
  • Clue 4 (Minute 20): Leadership requests immediate containment recommendation with market-impact estimate.

Round 2: Reporting and Market Confidence (30-35 min)

Investigation Clues:

  • Clue 5 (Minute 30): Stakeholders request formal confidence statements on model integrity.
  • Clue 7 (Minute 50): Trading teams request a clear go/no-go decision for continuity posture.
  • Clue 8 (Minute 55): Compliance and security teams require documented rationale for disclosure choices.

Round Transition Narrative

After Round 1 -> Round 2:

Facilitation questions:

  • “What minimum evidence supports a credible market-confidence statement?”
  • “Which decisions cannot wait for full forensic certainty?”
  • “How do you communicate uncertainty without eroding trust?”

Debrief Focus:

  • Integrating covert-threat forensics with financial governance decisions
  • Balancing market pressure with evidence quality and compliance obligations
  • Preserving confidence as exposure scope evolves across recovery phases

Full Game Materials (120-140 min, 3 rounds)

NoteHow Full Game Differs from Lunch & Learn

The Full Game expands from 2 guided rounds to 3 open-ended rounds. Players drive their own investigation using the Key Discovery Paths above rather than timed clues. Round 3 focuses on institutional recovery and financial-governance redesign.

Round 1: Executive Briefing and Scope Discovery (35-40 min)

Players investigate openly using role capabilities. Early findings include covert model access, uncertain scope, and rising market pressure.

If team stalls: “You can prioritize speed or confidence first. Which path remains defensible to trading leadership and authorities by end of day?”

Round 2: Regulatory Coordination and Market Decisions (35-40 min)

  • Technical teams complete artifact collection and present containment/recovery options.
  • Leadership requests a clear recommendation for continuity posture and disclosure timing.

Facilitation questions:

  • “What controls must be in place before asserting model and execution trustworthiness?”
  • “How will you document rationale for choices likely to face later review?”

Round 3: Institutional Recovery and Strategic Resilience (40-45 min)

Opening: Two weeks later, immediate containment is complete and leadership requests a 90-day remediation roadmap with owner-assigned milestones and measurable outcomes.

Pressure events:

  • Clients request proof of sustained control improvements and governance discipline
  • Oversight bodies request objective metrics tied to reduced surveillance risk
  • Trading leadership requests controls that preserve execution performance

Victory conditions for full 3-round arc:

  • Verified clean baseline for critical analytics and trading-support systems
  • Defensible reporting package for regulators and strategic clients
  • Durable financial-sector security controls aligned to operational constraints

Debrief Questions

  1. “Which early indicator most clearly signaled strategic surveillance rather than routine technical noise?”
  2. “How did market pressure alter risk tolerance across teams?”
  3. “What evidence was essential for credibility with regulators and clients?”
  4. “How can investment banks improve readiness without undermining execution performance?”

Debrief Focus

  • Financial espionage incidents combine market-integrity risk with strategic confidence pressure
  • Defensible response requires synchronized trading, security, and governance decisions
  • Long-term resilience depends on evidence discipline, segmentation, and transparent accountability

Advanced Challenge Materials (150-170 min)

Red Herrings and Misdirection

  1. A legitimate latency event overlaps with incident timing and distorts initial triage.
  2. A separate market-data vendor issue appears related but is operationally independent.
  3. Rumors of insider misuse divert attention from high-confidence forensic evidence.

Removed Resources and Constraints

  • No dedicated playbook for covert surveillance in quantitative trading environments
  • Volatile evidence collection procedures are inconsistent across desks
  • Immediate specialist support is delayed by contractual lead time

Enhanced Pressure

  • Trading leadership demands same-day confidence statements on continuity posture
  • Clients request detailed updates before full forensic scope is confirmed
  • Executive governance requires written rationale for each high-impact decision

Ethical Dilemmas

  1. Pause selected activity for stronger evidence confidence, or continue with higher residual risk.
  2. Disclose broad uncertainty early, or wait for cleaner scope at trust risk.
  3. Preserve full forensic integrity, or accelerate restoration with attribution loss.

Advanced Debrief Topics

  • Building investment-bank doctrine for covert surveillance incidents
  • Structuring governance when market urgency and technical certainty diverge
  • Sustaining long-term security investment in high-pressure trading organizations