WireLurker Scenario: Tech Startup

WireLurker Scenario: Tech Startup

Aether Labs: US iOS/macOS startup, 80 employees, all-Apple development

Startup IP Exfiltration Incident • WireLurker

STAKES

Proprietary code protection + Investor confidence + Release integrity

HOOK

Aether Labs reports unstable behavior across Mac development workstations, unexpected trust prompts on connected iOS test devices, and outbound transfer spikes from source and build storage. Release candidates no longer match verified baselines, and teams lose confidence in whether unreleased product assets remain contained.

PRESSURE

• Demo readiness checkpoint at Friday 16:00
• Ongoing risk to USD 25M projected product value and delivery by 80 employees under late-stage fundraising pressure

FRONT • 120 minutes • Intermediate

Aether Labs: US iOS/macOS startup, 80 employees, all-Apple development

Startup IP Exfiltration Incident • WireLurker

NPCs

• Alex Rivera (CEO and Founder): Balancing investor confidence with crisis transparency
• Jennifer Wu (CTO): Leading containment decisions across macOS and iOS workflows
• Dev Kapoor (Lead iOS Developer): Escalating release integrity risk in core product modules
• Mia Chen (Head of Security): Driving forensic triage and hardening priorities

SECRETS

• Teams installed unverified utilities to accelerate build and profiling tasks
• Source and artifact storage shared trust boundaries with insufficient segmentation
• Test-device workflows bypassed strict enrollment controls during sprint deadlines

WireLurker Scenario: Tech Startup

Nordic Innovation Labs: Stockholm tech startup, 60 employees, all-Apple development

Startup IP Exfiltration Incident • WireLurker

STAKES

Proprietary code protection + Investor confidence + Release integrity

HOOK

Nordic Innovation Labs reports unstable behavior across Mac development workstations, unexpected trust prompts on connected iOS test devices, and outbound transfer spikes from source and build storage. Release candidates no longer match verified baselines, and teams lose confidence in whether unreleased product assets remain contained.

PRESSURE

• Demo readiness checkpoint at Friday 16:00
• Ongoing risk to SEK 220M projected product value and delivery by 60 employees under late-stage fundraising pressure

FRONT • 120 minutes • Intermediate

Nordic Innovation Labs: Stockholm tech startup, 60 employees, all-Apple development

Startup IP Exfiltration Incident • WireLurker

NPCs

• Erik Lindqvist (CEO and Grundare): Balancing investor confidence with crisis transparency
• Anna Lindgren (CTO): Leading containment decisions across macOS and iOS workflows
• Magnus Bergstrom (Lead iOS Developer): Escalating release integrity risk in core product modules
• Karin Soderstrom (Head of Security): Driving forensic triage and hardening priorities

SECRETS

• Teams installed unverified utilities to accelerate build and profiling tasks
• Source and artifact storage shared trust boundaries with insufficient segmentation
• Test-device workflows bypassed strict enrollment controls during sprint deadlines

Planning Resources

Tip📋 Comprehensive Facilitation Guide Available

For detailed session preparation support, including game configuration templates, investigation timelines, response options matrix, and round-by-round facilitation guidance, see:

WireLurker Tech Startup Planning Document

Planning documents provide 30-minute structured preparation for first-time IMs, or quick-reference support for experienced facilitators.

Note🎬 Interactive Scenario Slides

Ready-to-present RevealJS slides with player-safe mode, session tracking, and IM facilitation notes:

WireLurker Startup Scenario Slides

Press ‘P’ to toggle player-safe mode • Built-in session state tracking • Dark/light theme support

Scenario Details for IMs

Hook

“It is Wednesday 09:30 at Aether Labs. Engineering teams are preparing investor demo builds when key Mac development workstations begin failing, connected iOS test devices trigger unauthorized trust prompts, and outbound transfer traffic rises from build storage. Some app modules still compile, but signing integrity and source baseline confidence are now uncertain. Leadership sets a hard demo checkpoint at Friday 16:00.”

“It is Wednesday 09:30 at Nordic Innovation Labs. Engineering teams are preparing investor demo builds when key Mac development workstations begin failing, connected iOS test devices trigger unauthorized trust prompts, and outbound transfer traffic rises from build storage. Some app modules still compile, but signing integrity and source baseline confidence are now uncertain. Leadership sets a hard demo checkpoint at Friday 16:00.”

Initial Symptoms to Present:

Warning🚨 Initial User Reports

• “Core macOS development environments fail during release build steps”
• “Connected iOS test devices show unexpected trust and sync prompts”
• “Outbound transfer spikes appear in source and build-storage telemetry”
• “Release artifacts no longer align with expected signing and hash baselines”

Key Discovery Paths:

Detective Investigation Leads:

Note🔍 Detective Investigation Path

• Forensic evidence confirms unauthorized transfer staging from high-value source repositories
• Workstation analysis detects trojanized development utilities with persistence behavior
• Timeline reconstruction links initial compromise to unsanctioned tooling deployment paths

Protector System Analysis:

Note🛡️ Protector System Analysis

• Monitoring shows lateral movement across build hosts and connected mobile test workflows
• Integrity controls around signing and release promotion are partially bypassed
• Segmentation review reveals weak boundaries between development, build, and artifact storage systems

Tracker Network Investigation:

Note🌐 Tracker Network Investigation

• Transfer mapping highlights repeated movement patterns targeting unreleased product assets
• Dependency analysis identifies concentration risk in shared Apple-centric build services
• External interface review suggests possible spillover toward investor demo environments

Communicator Stakeholder Interviews:

Note🗣️ Communicator Stakeholder Interviews

• Product leadership requests a minimum-viable release confidence definition before investor briefing
• Security leadership requires strict sequencing between containment and demo-readiness claims
• Executive leadership demands clear status messages grounded in verified technical evidence

Mid-Scenario Pressure Points:

• Hour 1: Investors request reassurance that demo deliverables remain intact
• Hour 2: Engineering teams request temporary security exceptions to preserve build velocity
• Hour 3: External chatter suggests a competitor may have seen similar product behaviors
• Hour 4: Leadership requires a defensible go/no-go recommendation for investor demo execution

Evolution Triggers:

• If containment lags, additional proprietary assets transfer beyond controlled boundaries
• If mobile test channels stay open, persistence survives workstation remediation
• If integrity checks are reduced, compromised builds may enter investor-facing demonstrations

Resolution Pathways:

Technical Success Indicators:

• Team blocks active transfer channels and contains spread across build and device workflows
• Release artifacts pass trusted baseline validation before demo promotion
• Hardening controls enforce signed tooling trust and managed test-device connectivity

Business Success Indicators:

• Demo decisions are made with evidence-backed confidence, not schedule pressure alone
• Investor communication remains transparent, accurate, and technically defensible
• Delivery continuity is preserved while protecting high-value intellectual property

Learning Success Indicators:

• Team demonstrates startup-specific response patterns for macOS/mobile malware incidents
• Participants align fundraising pressure with rigorous release assurance standards
• Group defines durable controls for plugin governance, signing trust, and artifact handling

Common IM Facilitation Challenges:

If Demo Confidence Is Assumed Too Quickly:

“You have partial recovery, but what evidence proves investor-demo builds are trustworthy?”

If Speed Overrules Containment Discipline:

“Engineering requests immediate exceptions. Which exceptions are safe, and which reopen the same compromise path?”

If Investor Communication Is Delayed:

“Investors are asking direct questions now. What can you communicate with confidence versus what must remain provisional?”

Success Metrics for Session:

• Team interrupts exfiltration before broad startup IP exposure
• Demo artifacts pass defensible integrity validation thresholds
• Build and connected-device controls remain coherent under funding pressure
• Stakeholder updates reflect validated technical state
• Participants identify sustainable controls for future high-stakes startup releases

Template Compatibility

This scenario adapts to multiple session formats with appropriate scope and timing:

Quick Demo (35-40 minutes)

Structure: 2 investigation rounds, 1 decision round
Focus: Fast containment and investor-demo integrity triage
Simplified Elements: Guided clues and constrained response options
Key Actions: Stop active transfer, isolate risky workflows, validate demo artifacts

Lunch & Learn (75-90 minutes)

Structure: 4 investigation rounds, 2 decision rounds
Focus: Startup continuity under active malware and fundraising pressure
Added Depth: Signing-chain trust, release governance, and investor communications
Key Actions: Sequence secure restoration while preserving confidence in product readiness

Full Game (120-140 minutes)

Structure: 6 investigation rounds, 3 decision rounds
Focus: End-to-end startup incident command for IP-sensitive release pipelines
Full Complexity: Containment, assurance, and executive decision-making under valuation pressure
Key Actions: Integrate engineering, security, and leadership signals into a defensible demo posture

🌍 Localizing to Other EU Countries

This Swedish variation can be adapted to other EU countries during facilitation. All EU countries share GDPR requirements, but supervisory authorities and startup-ecosystem interfaces vary.

When adapting this scenario, substitute these elements:

Country	Data Protection Authority	Startup Ecosystem Context	Cybersecurity Agency
France	CNIL	French tech and incubator ecosystem	ANSSI
Germany	BfDI or state DPA	Berlin and Munich startup hubs	BSI
Netherlands	Autoriteit Persoonsgegevens	Amsterdam and Eindhoven startup clusters	NCSC-NL
Norway	Datatilsynet	Nordic growth-stage startup ecosystem	NCSC-NO
Spain	AEPD	Barcelona and Madrid scale-up ecosystems	INCIBE

Notes:

• Germany: Federal structure can require additional state-level notification handling.
• Norway: Not an EU member, but GDPR-aligned obligations apply through EEA frameworks.
• France: Sector-specific startup funding and state support may influence disclosure expectations.

Startup names and NPC names are left to the IM's discretion.

Quick Demo Materials (35-40 min)

Guided Investigation Clues

• Clue 1 (Minute 5): “Outbound transfer telemetry maps to unreleased source and model-artifact paths in active repositories.”
• Clue 2 (Minute 10): “Toolchain analysis confirms trojanized development utilities in current macOS workflows.”
• Clue 3 (Minute 15): “Connected iOS testing channels remain an active persistence and data-transfer vector.”

Pre-Defined Response Options

Option A: Hard Containment and Demo Freeze

• Action: Isolate compromised development/build domains, suspend non-essential sync channels, and pause demo promotion pending integrity validation.
• Pros: Maximizes assurance and rapidly limits further exposure.
• Cons: Immediate schedule and investor-pressure increase.
• Type Effectiveness: Strong against spyware-style exfiltration behavior.

Option B: Phased Continuity with Strict Guardrails

• Action: Preserve limited clean build lanes while remediating affected hosts and enforcing trusted-tool policies.
• Pros: Maintains partial delivery momentum while reducing risk.
• Cons: Operationally complex and dependent on strict validation discipline.
• Type Effectiveness: Moderate with strong segmentation and policy enforcement.

Option C: Deadline-First Delivery

• Action: Prioritize near-term demo milestones, apply selective remediation, and postpone broader lock-down actions.
• Pros: Supports short-term schedule commitments.
• Cons: Highest residual risk for continued IP exposure and compromised demo quality.
• Type Effectiveness: Weak against persistent transfer and spread patterns.

Lunch & Learn Materials (75-90 min, 2 rounds)

Round 1: Containment and Assurance Baseline (30-35 min)

Investigation clues:

• “Compromise behavior aligns with unsanctioned utility deployment under sprint pressure.”
• “Release artifacts show integrity drift across build and promotion stages.”
• “Connected-device workflows amplify persistence risk despite workstation cleanup.”
• “Leadership needs minimum assurance criteria before external commitments are reaffirmed.”

Facilitation questions:

• “Which assets and systems are mandatory for a safe minimum viable demo?”
• “What controls must be non-negotiable before reopening full build pipelines?”
• “How do engineering and security teams keep one coherent external narrative?”

Round 1→2 Transition

Containment reduces immediate risk, but fundraising confidence now depends on whether integrity evidence is strong enough for investor-facing commitments.

Round 2: Demo Readiness Under Investor Pressure (30-35 min)

Developments:

• “Recovery paths are available, but confidence differs across build, signing, and test workflows.”
• “Investor pressure for timeline certainty rises while forensic closure remains incomplete.”
• “Leadership must choose between faster demo timing and stronger assurance with potential delay.”

Facilitation questions:

• “What assurance threshold makes investor-demo delivery defensible?”
• “If delay is necessary, how do you communicate impact while preserving trust?”
• “Which temporary controls should become permanent startup policy after the incident?”

Full Game Materials (120-140 min, 3 rounds)

Round 1: Initial Compromise and Transfer Suppression (30 min)

Startup engineering operations enter crisis as malware behavior collides with high-stakes fundraising timelines and IP risk.

Round 2: Workflow Recovery and Confidence Management (35 min)

Partial restoration creates difficult tradeoffs between delivery speed and integrity confidence for investor-facing outputs.

Round 3: Strategic Hardening and Release Governance (35 min)

Immediate pressure eases, and leadership defines durable controls for trusted tooling, segmentation, and incident-informed demo governance.

Debrief Focus (Full Game)

• Why Apple-centric startup pipelines remain high-value exfiltration targets
• How fundraising pressure can distort assurance quality if not managed explicitly
• What evidence standards should govern investor-facing release decisions
• Which control upgrades best reduce recurrence without halting innovation velocity

Advanced Challenge Materials (150-170 min, 3+ rounds)

Red Herrings and Misdirection

• Legitimate synchronization spikes that resemble malicious outbound transfer patterns
• Scheduled build activity that produces noise similar to compromise indicators
• Parallel service degradation that distracts teams from highest-risk data paths

Removed Resources and Constraints

• No immediate specialist incident-response support during first response window
• Incomplete ownership and inventory data for legacy startup tooling
• Limited visibility and control on personally connected development test devices

Enhanced Pressure

• Investor confidence declines faster than technical certainty improves
• Internal teams demand risky exceptions to preserve demo schedules
• External scrutiny intensifies while forensic conclusions are still evolving

Ethical Dilemmas

• Whether to disclose partial breach scope early or wait for stronger evidence
• Whether to prioritize investor demo timing over higher release assurance
• Whether to enforce strict device controls that materially reduce engineering velocity

Advanced Debrief Topics

• Ethics of incident communication in venture-backed startup environments
• Governance tradeoffs between growth speed and defensible technical assurance
• Practical hardening patterns for Apple-centric development and test pipelines