Poison Ivy Scenario: Law Enforcement Surveillance
Law Enforcement Surveillance • PoisonIvy
STAKES
Investigation integrity + Officer safety + Witness protection + Evidence continuity
HOOK
Detectives report confidential case files opening after hours, surveillance footage logs showing unexplained playback sessions, and informant records accessed without assigned investigators present. Network teams confirm persistent encrypted outbound traffic from investigative workstations while endpoint scans show inconsistent indicators.
PRESSURE
- Arrest window: Thursday
- Decision deadline: Thursday 4:30 PM
- Operating context: Municipal force with 2,500 officers and dedicated cybercrime and narcotics divisions
FRONT • 150 minutes • Expert
NPCs
- Chief Patricia Hoffman (Command Lead): Owns operational go/no-go decision and safety posture
- Sergeant Kevin Torres (Cybercrime Lead): Directs host triage and intrusion analysis
- Lieutenant Sandra Park (Organized Crime Operations Lead): Owns arrest sequencing and witness-risk assessment
- Captain David Chen (IT and Communications Lead): Controls investigative systems containment and forensic retention
SECRETS
- Investigative workstations trusted legacy remote-administration channels during sensitive case prep
- Access permissions on witness and surveillance repositories were broader than least-privilege policy intended
- Covert monitoring activity focused on operational planning artifacts before visible disruption
Poison Ivy Scenario: Law Enforcement Surveillance
Law Enforcement Surveillance • PoisonIvy
STAKES
Investigation integrity + Officer safety + Witness protection + Evidence continuity
HOOK
Investigators report confidential case files opening after hours, surveillance footage logs showing unexplained playback sessions, and witness records accessed without assigned officers present. Network teams confirm persistent encrypted outbound traffic from investigative workstations while endpoint scans show inconsistent indicators.
PRESSURE
- Arrest window: Thursday
- Decision deadline: Thursday 16:30
- Operating context: Regional force with 2,000 officers and specialist cybercrime and organized crime units
FRONT • 150 minutes • Expert
NPCs
- Chief Constable Richard Blackwood (Command Lead): Owns operational go/no-go decision and safety posture
- Detective Inspector Priya Sharma (Cybercrime Lead): Directs host triage and intrusion analysis
- DCI Eleanor Crawford (Organized Crime Operations Lead): Owns arrest sequencing and witness-risk assessment
- Superintendent James Mitchell (IT and Communications Lead): Controls investigative systems containment and forensic retention
SECRETS
- Investigative workstations trusted legacy remote-administration channels during sensitive case prep
- Access permissions on witness and surveillance repositories were broader than least-privilege policy intended
- Covert monitoring activity focused on operational planning artifacts before visible disruption
Planning Resources
For detailed session preparation support, including game configuration templates, investigation timelines, response options matrix, and round-by-round facilitation guidance, see:
Poison Ivy Law Enforcement Planning Document
Planning documents provide 30-minute structured preparation for first-time IMs, or quick-reference support for experienced facilitators.
Ready-to-present RevealJS slides with player-safe mode, session tracking, and IM facilitation notes:
Poison Ivy Law Enforcement Scenario Slides
Press ‘P’ to toggle player-safe mode • Built-in session state tracking • Dark/light theme support
Scenario Details for IMs
Hook
“It is Monday at 9:10 AM at Metro City Police Department. Organized crime investigators preparing coordinated arrests report unauthorized case-file access, unexplained remote cursor movement, and surveillance systems opening evidence clips without analyst input. Cyber staff see recurring outbound sessions from investigative endpoints but cannot yet confirm full scope. Command leadership must protect officers and witnesses before operational plans are compromised.”
“Initial command alert logged at 9:10 AM. Regional context: US.”
“It is Monday at 09:10 at Midlands Constabulary. Organized crime investigators preparing coordinated arrests report unauthorized case-file access, unexplained remote cursor movement, and surveillance systems opening evidence clips without analyst input. Cyber staff see recurring outbound sessions from investigative endpoints but cannot yet confirm full scope. Command leadership must protect officers and witnesses before operational plans are compromised.”
“Initial command alert logged at 09:10. Regional context: UK.”
Initial Symptoms to Present:
- “Case-management files show unexplained after-hours access bursts”
- “Surveillance playback logs include sessions with no assigned analyst”
- “Investigative workstations show intermittent cursor movement without operator input”
- “Outbound encrypted traffic recurs from endpoints holding witness and arrest-planning data”
Key Discovery Paths:
Detective Investigation Leads:
- Timeline reconstruction shows covert operator activity preceding visible disruption
- Access records indicate sustained interest in witness handling and arrest sequencing artifacts
- Evidence suggests long-duration observation designed to undermine planned operations
Protector System Analysis:
- Endpoint triage confirms covert control indicators across investigative hosts
- Repository permission review identifies overexposure in witness and surveillance systems
- Containment success depends on preserving forensic evidence while hardening access boundaries
Tracker Network Investigation:
- Beaconing patterns indicate coordinated command infrastructure and staged exfiltration
- Data movement profile aligns with operational intelligence collection, not rapid disruption
- Lateral access traces show deliberate progression through high-value investigative systems
Communicator Stakeholder Interviews:
- Command leadership requests a defensible arrest-operation recommendation under uncertainty
- Witness-protection teams need immediate risk prioritization and safety sequencing
- Legal and oversight teams require clear evidential-integrity and notification posture
Mid-Scenario Pressure Points:
- Hour 1: Witness handlers report potential exposure of protected identities
- Hour 2: Operations teams cannot verify integrity of arrest staging documents
- Hour 3: Command staff must decide whether to proceed with coordinated takedown plans
- Hour 4: Public-safety risk rises as compromised intelligence may reach criminal targets
Evolution Triggers:
- If containment is delayed, operational intelligence exposure scope continues to grow
- If systems are reset without evidence capture, prosecution and integrity challenges escalate
- If witness-risk messaging is delayed, protective operations lose lead time
Resolution Pathways:
Technical Success Indicators:
- Covert access paths are removed and investigative systems are restored to trusted baselines
- Forensic timeline is preserved for legal review and prosecution support
- Access governance is tightened around witness and surveillance repositories
Business Success Indicators:
- Arrest and witness-protection decisions remain defensible under documented risk analysis
- Command communications remain timely and aligned with public-safety obligations
- Operational continuity is maintained without accepting unmanaged intelligence leakage
Learning Success Indicators:
- Team recognizes covert-surveillance patterns targeting law-enforcement operations
- Participants balance evidence preservation with immediate safety and mission urgency
- Group coordinates technical, operational, and oversight decisions under pressure
Common IM Facilitation Challenges:
If Teams Prioritize Arrest Timing Over Exposure Analysis:
“What confidence threshold do you require before approving operation-day movement with possibly exposed plans?”
If Teams Skip Oversight Coordination:
“State Attorney General and CJIS oversight contacts request an immediate incident status and documented controls for investigative-data integrity and chain-of-custody preservation.”
“ICO supervisory contacts request an immediate incident status and documented controls for investigative-data integrity and evidential handling under law-enforcement processing rules.”
If Teams Delay Witness-Risk Escalation:
“Which witness cohorts need immediate protective measures in the next hour, and who owns that decision?”
Success Metrics for Session:
Template Compatibility
This scenario adapts to multiple session formats with appropriate scope and timing:
Quick Demo (35-40 minutes)
Structure: 2 investigation rounds, 1 decision round
Focus: Detect covert surveillance indicators and make an initial operation-safety call
Key Actions: Validate exposure scope, preserve evidence, trigger witness-risk controls
Lunch & Learn (75-90 minutes)
Structure: 4 investigation rounds, 2 decision rounds
Focus: Coordinate host triage, command risk posture, and oversight engagement
Key Actions: Build forensic confidence, segment sensitive repositories, align operation decision criteria
Full Game (120-140 minutes)
Structure: 6 investigation rounds, 3 decision rounds
Focus: End-to-end law-enforcement surveillance response under public-safety pressure
Key Actions: Reconcile operational urgency with witness protection and evidential defensibility
Advanced Challenge (150-170 minutes)
Structure: 7-8 investigation rounds, 4 decision rounds
Expert Elements: Chain-of-custody disputes, command authority conflict, and multi-agency timing friction
Additional Challenges: Ambiguous forensic scope, witness intimidation signals, and contested operational deadlines
Quick Demo Materials (35-40 min)
Guided Investigation Clues
- Clue 1 (Minute 5): Security operations at Metro City Police Department confirm covert endpoint control across sensitive investigative hosts.
- Clue 2 (Minute 10): Lieutenant Sandra Park confirms unauthorized views of arrest sequencing notes, surveillance schedules, and witness-protection staging documents prepared for this week’s operation.
- Clue 3 (Minute 15): Chief Patricia Hoffman convenes an emergency command briefing and confirms that this week’s organized-crime takedown cannot proceed on assumptions. Sergeant Kevin Torres reports that investigative endpoints show persistent remote-control artifacts tied to after-hours file access. Lieutenant Sandra Park warns that undercover coordination notes and witness handling plans may already be exposed. Captain David Chen orders immediate containment with evidence preservation for FBI coordination.
- Clue 1 (Minute 5): Security operations at Midlands Constabulary confirm covert endpoint control across sensitive investigative hosts.
- Clue 2 (Minute 10): DCI Eleanor Crawford confirms unauthorized views of arrest sequencing notes, surveillance schedules, and witness-protection staging documents prepared for this week’s operation.
- Clue 3 (Minute 15): Chief Constable Richard Blackwood convenes an emergency command briefing and confirms that this week’s organized-crime takedown cannot proceed on assumptions. Detective Inspector Priya Sharma reports that investigative endpoints show persistent remote-control artifacts tied to after-hours file access. DCI Eleanor Crawford warns that covert coordination notes and witness handling plans may already be exposed. Superintendent James Mitchell orders immediate containment with evidence preservation for NCSC and NCA coordination.
Pre-Defined Response Options
Option A: Evidence-First Containment
- Action: Isolate exposed investigative hosts, preserve forensic artifacts, and sequence recovery under command oversight.
- Pros: Maximizes evidential integrity and long-term prosecution defensibility.
- Cons: Creates immediate operational friction and command pressure.
- Type Effectiveness: Super effective for durable operational recovery.
Option B: Operations-First Continuity
- Action: Keep broad systems online while applying targeted controls to maintain near-term operation tempo.
- Pros: Preserves tactical momentum and short-term continuity.
- Cons: Increases risk of ongoing intelligence leakage and witness exposure.
- Type Effectiveness: Partially effective with elevated safety risk.
Option C: Phased Risk Reduction
- Action: Prioritize highest-risk repositories and witness data while restoring service in controlled waves.
- Pros: Balances safety urgency with technical discipline.
- Cons: Prolongs uncertainty and may strain command confidence.
- Type Effectiveness: Moderately effective when governance is strict.
Lunch & Learn Materials (75-90 min, 2 rounds)
Round 1: Command Integrity and Exposure Scope (30-35 min)
- Opening: Chief Patricia Hoffman convenes an emergency command briefing and confirms that this week’s organized-crime takedown cannot proceed on assumptions. Sergeant Kevin Torres reports that investigative endpoints show persistent remote-control artifacts tied to after-hours file access. Lieutenant Sandra Park warns that undercover coordination notes and witness handling plans may already be exposed. Captain David Chen orders immediate containment with evidence preservation for FBI coordination.
- Clue 1 (Minute 10): Investigative host telemetry indicates repeated after-hours control sessions tied to sensitive case repositories.
- Clue 2 (Minute 20): Lieutenant Sandra Park confirms unauthorized views of arrest sequencing notes, surveillance schedules, and witness-protection staging documents prepared for this week’s operation.
- Opening: Chief Constable Richard Blackwood convenes an emergency command briefing and confirms that this week’s organized-crime takedown cannot proceed on assumptions. Detective Inspector Priya Sharma reports that investigative endpoints show persistent remote-control artifacts tied to after-hours file access. DCI Eleanor Crawford warns that covert coordination notes and witness handling plans may already be exposed. Superintendent James Mitchell orders immediate containment with evidence preservation for NCSC and NCA coordination.
- Clue 1 (Minute 10): Investigative host telemetry indicates repeated after-hours control sessions tied to sensitive case repositories.
- Clue 2 (Minute 20): DCI Eleanor Crawford confirms unauthorized views of arrest sequencing notes, surveillance schedules, and witness-protection staging documents prepared for this week’s operation.
Round 2: Oversight, Safety, and Operational Decision (30-35 min)
- Clue 3 (Minute 35): State Attorney General and CJIS oversight contacts request an immediate incident status and documented controls for investigative-data integrity and chain-of-custody preservation.
- Clue 4 (Minute 45): FBI warns that organized crime groups increasingly use covert endpoint surveillance to preempt law-enforcement operations and intimidate exposed witnesses.
- Pressure Event (Minute 55): “Command staff needs your decision by Thursday 4:30 PM: proceed, postpone, or redesign the Thursday operation.”
- Coordination Note: “Immediate external coordination: FBI plus State Attorney General and CJIS audit channels.”
- Clue 3 (Minute 35): ICO supervisory contacts request an immediate incident status and documented controls for investigative-data integrity and evidential handling under law-enforcement processing rules.
- Clue 4 (Minute 45): NCA reports that organized crime groups increasingly use covert endpoint surveillance to preempt constabulary operations and intimidate exposed witnesses.
- Pressure Event (Minute 55): “Command staff needs your decision by Thursday 16:30: proceed, postpone, or redesign the Thursday operation.”
- Coordination Note: “Immediate external coordination: NCSC and NCA plus ICO supervisory channels.”
Debrief Focus
- How covert surveillance changes operational assumptions in law-enforcement environments
- What evidence quality is required before high-risk command decisions
- Which witness-protection triggers should be automated for future operations
- How to align technical containment with legal and oversight obligations