Poison Ivy Scenario: Corporate Espionage Campaign

Poison Ivy Scenario: Corporate Espionage Campaign

Meridian Chemical Corporation: Chemical and advanced materials company with 2,000 employees
Corporate Espionage • PoisonIvy
STAKES
Trade-secret protection + Program integrity + Partner trust + Legal defensibility
HOOK
R&D teams at Meridian Chemical Corporation report unexplained remote cursor movement, unauthorized document previews during secure sessions, and repeated command execution on formulation workstations. Network telemetry shows outbound encrypted sessions from research enclaves, while endpoint scans reveal no obvious destructive malware activity.
PRESSURE
  • Executive decision point: Friday 1:30 PM
  • Program exposure: proprietary formulation and process-intelligence portfolio
  • Strategic impact: $240 million competitive and contract exposure
FRONT • 120 minutes • Intermediate
Meridian Chemical Corporation: Chemical and advanced materials company with 2,000 employees
Corporate Espionage • PoisonIvy
NPCs
  • Robert Henderson (CEO): Owns enterprise posture on continuity, disclosure, and trust
  • Dr. Sarah Chen (VP R&D): Represents active formulation-program integrity risk
  • Kevin Torres (CISO): Leads containment, forensics, and authority coordination
  • Amanda Park (General Counsel): Directs legal response and trade-secret posture
SECRETS
  • Monitoring controls prioritized broad endpoint alerts over operator-behavior analytics
  • Privileged R&D roles had access scopes broader than least-privilege requirements
  • Covert remote access focused on high-value formulation artifacts before broad disruption

Planning Resources

Tip📋 Comprehensive Facilitation Guide Available

For detailed session preparation support, including game configuration templates, investigation timelines, response options matrix, and round-by-round facilitation guidance, see:

Poison Ivy Corporate Espionage Planning Document

Planning documents provide 30-minute structured preparation for first-time IMs, or quick-reference support for experienced facilitators.

Note🎬 Interactive Scenario Slides

Ready-to-present RevealJS slides with player-safe mode, session tracking, and IM facilitation notes:

Poison Ivy Corporate Espionage Scenario Slides

Press ‘P’ to toggle player-safe mode • Built-in session state tracking • Dark/light theme support

Scenario Details for IMs

Hook

Initial Symptoms to Present:

Warning🚨 Initial User Reports
  • “R&D workstations show intermittent remote cursor movement and unauthorized command execution”
  • “Sensitive formulation files open unexpectedly during restricted work sessions”
  • “Endpoint scans show limited indicators despite persistent suspicious control artifacts”
  • “Encrypted outbound sessions originate from protected research environments”

Key Discovery Paths:

Detective Investigation Leads:

  • Timeline reconstruction shows persistent covert access before visible operational impact
  • Access traces indicate focused interest in high-value formulation and process datasets
  • Evidence suggests attacker behavior tuned for long-duration surveillance and collection

Protector System Analysis:

  • Research endpoints show remote-control artifacts and command-execution anomalies
  • Segmentation controls reduced but did not prevent repository-level exposure pathways
  • Recovery confidence depends on preserving evidence before broad reset actions

Tracker Network Investigation:

  • Forensics identify periodic encrypted beaconing from high-value research systems
  • Transfer patterns indicate staged exfiltration from formulation repositories
  • Infrastructure overlap suggests organized espionage tradecraft rather than opportunistic activity

Communicator Stakeholder Interviews:

  • R&D leadership needs immediate guidance on safe continuation thresholds
  • Partners request confidence statements on IP and data integrity
  • Legal and security teams need clear disclosure thresholds tied to evidence quality

Mid-Scenario Pressure Points:

  • Hour 1: Leadership cannot confirm integrity of active formulation baselines
  • Hour 2: Indicators suggest unauthorized reads of high-value process artifacts
  • Hour 3: Partners request formal incident posture updates and risk assessment
  • Hour 4: Contract and legal confidence declines as unresolved scope expands

Evolution Triggers:

  • If containment is delayed, covert access persists and collection scope increases
  • If systems are reset too quickly, critical investigative evidence may be lost
  • If communication is delayed, partner trust and legal defensibility deteriorate rapidly

Resolution Pathways:

Technical Success Indicators:

  • Verified removal of covert access paths and restoration of trusted R&D baselines
  • Evidence package preserved for authority and legal coordination
  • Monitoring strategy upgraded to detect persistent remote-control behaviors

Business Success Indicators:

  • Continuity and disclosure decisions remain defensible with documented rationale
  • Stakeholder communication stays timely, accurate, and confidence-scoped
  • Strategic IP risk is managed through coordinated technical and legal governance

Learning Success Indicators:

  • Team recognizes long-duration remote-access surveillance patterns in corporate espionage
  • Participants practice balancing evidence preservation with contractual urgency
  • Group coordinates technical, legal, and executive decisions under pressure

Common IM Facilitation Challenges:

If Teams Rush to Reimage Systems:

“Which evidence artifacts are essential before reset actions, and who authorizes that tradeoff?”

If Program Pressure Overrides Security Discipline:

“What evidence threshold is required before asserting trade-secret integrity to partners and authorities?”

If Authority Coordination Is Delayed:

Success Metrics for Session:

Template Compatibility

This scenario adapts to multiple session formats with appropriate scope and timing:

Quick Demo (35-40 minutes)

Structure: 2 investigation rounds, 1 decision round
Focus: Remote-access detection and immediate trade-secret-integrity decisions
Key Actions: Scope exposure, preserve evidence, issue first confidence posture

Lunch & Learn (75-90 minutes)

Structure: 4 investigation rounds, 2 decision rounds
Focus: Parallel forensic triage, legal posture, and disclosure sequencing
Key Actions: Build timeline confidence, protect high-value formulation assets, align R&D and legal messaging

Full Game (120-140 minutes)

Structure: 6 investigation rounds, 3 decision rounds
Focus: End-to-end corporate-espionage response under high-stakes contract pressure
Key Actions: Coordinate leadership and R&D teams, decide continuity posture, define durable remediation

Advanced Challenge (150-170 minutes)

Structure: 7-8 investigation rounds, 4 decision rounds
Expert Elements: Trade-secret litigation tension, disclosure conflict, and governance pressure
Additional Challenges: Ambiguous scope, partner escalation, and compressed decision windows

Quick Demo Materials (35-40 min)

Guided Investigation Clues

Pre-Defined Response Options

  • Option A: Evidence-Preserved Containment

    • Action: Isolate high-risk systems, preserve evidence, and execute staged recovery with legal and authority coordination.
    • Pros: Improves attribution confidence and long-term defensibility.
    • Cons: Slower short-term recovery and immediate operational pressure.
    • Type Effectiveness: Super effective for durable strategic resilience.

  • Option B: Continuity-First Operations

    • Action: Maintain broad operations while applying targeted controls to minimize disruption.
    • Pros: Supports near-term continuity and partner stability.
    • Cons: Higher risk of ongoing covert collection and uncertain exposure scope.
    • Type Effectiveness: Partially effective with elevated strategic risk.

  • Option C: Phased Confidence Restoration

    • Action: Prioritize critical assets, restore in waves, and sequence disclosure as confidence improves.
    • Pros: Balances operational urgency with evidence discipline.
    • Cons: Extended ambiguity can strain partner and legal confidence.
    • Type Effectiveness: Moderately effective when governance remains disciplined.

Lunch & Learn Materials (75-90 min, 2 rounds)

Round 1: Covert Access Discovery (30-35 min)

Investigation Clues:

  • Clue 1 (Minute 5): Research systems show persistent covert behavior and control anomalies.
  • Clue 2 (Minute 10): Forensics indicate sustained unauthorized visibility into strategic R&D workflows.
  • Clue 4 (Minute 20): Leadership requests immediate containment recommendation with contractual impact estimate.

Round 2: Reporting and Confidence Posture (30-35 min)

Investigation Clues:

  • Clue 5 (Minute 30): Partners request formal confidence statements on trade-secret integrity.
  • Clue 7 (Minute 50): R&D leadership requests a clear go/no-go continuity posture.
  • Clue 8 (Minute 55): Legal and security teams require documented rationale for disclosure choices.

Round Transition Narrative

After Round 1 -> Round 2:

Facilitation questions:

  • “What minimum evidence supports a credible confidence statement to partners?”
  • “Which decisions cannot wait for full forensic certainty?”
  • “How do you communicate uncertainty without eroding trust?”

Debrief Focus:

  • Integrating remote-access forensics with trade-secret governance decisions
  • Balancing contract pressure with evidence quality and legal obligations
  • Preserving confidence as exposure scope evolves through recovery phases

Full Game Materials (120-140 min, 3 rounds)

NoteHow Full Game Differs from Lunch & Learn

The Full Game expands from 2 guided rounds to 3 open-ended rounds. Players drive their own investigation using the Key Discovery Paths above rather than timed clues. Round 3 focuses on institutional recovery and corporate-governance redesign.

Round 1: Executive Briefing and Scope Discovery (35-40 min)

Players investigate openly using role capabilities. Early findings include covert repository access, uncertain scope, and rising contract pressure.

If team stalls: “You can prioritize speed or confidence first. Which path remains defensible to R&D leadership and partners by end of day?”

Round 2: Regulatory Coordination and Continuity Decisions (35-40 min)

  • Technical teams complete artifact collection and present containment/recovery options.
  • Leadership requests a clear recommendation for continuity posture and disclosure timing.

Facilitation questions:

  • “What controls must be in place before asserting R&D integrity confidence?”
  • “How will you document rationale for choices likely to face later legal review?”

Round 3: Institutional Recovery and Strategic Resilience (40-45 min)

Opening: Two weeks later, immediate containment is complete and leadership requests a 90-day remediation roadmap with owner-assigned milestones and measurable outcomes.

Pressure events:

  • Partners request proof of sustained control improvements and governance maturity
  • Legal leadership requests objective metrics tied to reduced surveillance risk
  • R&D teams request controls that preserve development velocity

Victory conditions for full 3-round arc:

  • Verified clean baseline for critical R&D and collaboration systems
  • Defensible reporting package for partners, legal counsel, and authorities
  • Durable corporate-espionage controls aligned to operational constraints

Debrief Questions

  1. “Which early indicator most clearly signaled strategic surveillance rather than routine technical noise?”
  2. “How did contract pressure alter risk tolerance across teams?”
  3. “What evidence was essential for credibility with partners and authorities?”
  4. “How can R&D organizations improve readiness without undermining innovation speed?”

Debrief Focus

  • Corporate-espionage incidents combine trade-secret risk with partner-confidence pressure
  • Defensible response requires synchronized technical, legal, and governance decisions
  • Long-term resilience depends on evidence discipline, segmentation, and transparent accountability

Advanced Challenge Materials (150-170 min)

Red Herrings and Misdirection

  1. A legitimate remote-support session overlaps with incident timing and distorts triage.
  2. A separate vendor sync issue appears related but is operationally independent.
  3. Internal rumor of accidental data leakage diverts focus from forensic evidence.

Removed Resources and Constraints

  • No dedicated playbook for covert remote-access campaigns in R&D environments
  • Evidence collection procedures are inconsistent across technical teams
  • Immediate external specialist support is delayed by contractual lead time

Enhanced Pressure

  • Leadership demands same-day confidence statements on continuity posture
  • Partners request detailed updates before full forensic scope is confirmed
  • Executive governance requires written rationale for each high-impact decision

Ethical Dilemmas

  1. Pause programs for stronger evidence confidence, or continue with higher residual risk.
  2. Disclose broad uncertainty early, or wait for cleaner scope at trust risk.
  3. Preserve full forensic integrity, or accelerate restoration with attribution loss.

Advanced Debrief Topics

  • Building industrial doctrine for covert surveillance incidents
  • Structuring governance when program urgency and technical certainty diverge
  • Sustaining long-term security investment in high-pressure R&D organizations