1. Quick Reference
| Element | Details |
|---|---|
| Malmon | Code Red (Worm/Stealth) ⭐⭐⭐ |
| Difficulty Tier | Tier 2 (Advanced) - Complex e-commerce platform dependencies |
| Scenario Variant | E-commerce Platform - Holiday Shopping Crisis |
| Organizational Context | ShopCore Technologies: E-commerce platform serving 5,000 retailers, 320 employees, managing Black Friday traffic |
| Primary Stakes | Retailer holiday revenue + Customer shopping data + Platform reputation + Internet infrastructure responsibility |
| Recommended Formats | Full Game, Advanced Challenge (120-180 min) |
| Essential NPCs | Victoria Chen (Platform Operations Director), Mark Rodriguez (Security Engineer), Amanda Johnson (Client Success Manager), Kevin Wu (Infrastructure Manager) |
| Optional NPCs | Retail partners, Payment processors, Media contacts |
Scenario Hook
“ShopCore Technologies is managing Black Friday weekend traffic for 5,000 online retailers when their IIS web servers begin displaying defacement messages instead of shopping websites. The infected servers are now participating in coordinated internet attacks while retailers lose critical holiday revenue during the most important shopping period of the year.”
Victory Condition
Successfully contain the Code Red worm, restore retailer e-commerce platforms for holiday shopping, and stop participation in internet-wide attacks while maintaining customer shopping data security and platform business relationships.
2. Organization Context
ShopCore Technologies: E-Commerce Infrastructure Crisis During Black Friday Weekend
Organization Profile
- Type: Software-as-a-Service e-commerce platform providing hosted shopping cart systems, payment processing integration, inventory management, and digital storefront solutions for small to medium-sized online retailers across consumer goods, specialty products, and direct-to-consumer brands
- Size: 320 employees including 140 software engineers developing platform features and maintaining multi-tenant infrastructure, 65 customer support specialists managing retailer technical assistance and merchant onboarding, 45 systems administrators operating shared hosting infrastructure serving 5,000 retailer websites, 35 sales and account management staff, 20 payment compliance and security personnel managing PCI DSS requirements, 10 executive leadership, and 5 cybersecurity infrastructure personnel
- Annual Operations: Hosting 5,000 online retailer storefronts generating $180 million annual subscription revenue through tiered pricing plans, processing $2.4 billion in combined annual transaction volume across all merchant customers, managing peak traffic loads during Black Friday through Cyber Monday weekend representing 35% of retailer annual revenue concentration, maintaining 99.95% platform uptime service level agreements with financial penalties for service disruptions, coordinating payment gateway integrations with major credit card processors requiring PCI DSS Level 1 compliance validation, supporting real-time inventory synchronization across 15,000 product catalogs, and operating shared IIS web server infrastructure where thousands of retailer websites share physical hardware creating lateral movement risks during security incidents
- Current Holiday Crisis: Black Friday weekend two days away—largest shopping event of the year with 35% of retailer annual revenue concentrated in four-day period, any platform disruption creates immediate merchant revenue loss and competitive migration to alternative e-commerce platforms threatening ShopCore’s market position
Key Assets & Impact
Asset Category 1: Retailer Revenue Dependency & Holiday Shopping Season - 5,000 merchants depend on platform availability during Black Friday weekend, 35% annual revenue concentration creates maximum business pressure, service disruptions trigger immediate competitive platform migration
Asset Category 2: Platform Reputation & Customer Retention - E-commerce SaaS market highly competitive, security incidents and uptime failures drive merchant churn to Shopify/BigCommerce competitors, reputation damage affects new customer acquisition and enterprise sales pipeline
Asset Category 3: Internet Infrastructure Participation & Regulatory Exposure - Code Red worm converts platform servers into attack infrastructure participating in internet-wide DDoS operations, ShopCore becomes unwitting participant in cybercrime affecting payment processors and financial institutions, potential PCI DSS compliance violations
Immediate Business Pressure
Thursday Morning, 6:45 AM - 48 Hours Before Black Friday:
VP of Engineering Marcus Chen discovered that the Code Red worm had infected 280 of ShopCore’s 320 shared IIS web servers on Wednesday night. The worm was actively scanning internet addresses, participating in coordinated DDoS attacks against financial services infrastructure, and degrading server performance, slowing page load times for 5,000 retailer storefronts.
Black Friday shopping began Friday midnight—less than 48 hours away. Merchant customers were finalizing promotional campaigns, inventory allocations, and advertising campaigns driving traffic to ShopCore-hosted websites. Any platform disruption during peak shopping weekend would create catastrophic merchant revenue loss and permanent competitive damage as retailers migrated to alternative platforms.
But patching infected servers required temporary service disruptions affecting thousands of retailer websites during critical pre-Black Friday preparation window. Payment processors were also threatening to suspend ShopCore’s PCI DSS compliance certification due to compromised infrastructure hosting payment data—potentially blocking all transaction processing during peak revenue period.
Critical Timeline & Operational Deadlines
- Wednesday night: Code Red infiltration across shared server infrastructure
- Thursday, 6:45 AM (Session Start): Worm discovery 48 hours before Black Friday
- Friday, 12:01 AM: Black Friday shopping begins, peak traffic surge expected
- Friday-Monday: Black Friday through Cyber Monday weekend, 35% annual retailer revenue at stake
- Ongoing: Worm DDoS participation affecting payment processor infrastructure
Cultural & Organizational Factors
Factor 1: Holiday preparation pressure delayed IIS security patches to avoid merchant service disruptions during critical shopping season setup
Factor 2: Shared multi-tenant architecture created lateral movement opportunities without security segmentation between retailer environments
Factor 3: Platform uptime priority reduced security monitoring visibility during high-traffic preparation periods
Factor 4: Competitive SaaS market pressure emphasized feature development over infrastructure security maintenance
Operational Context
E-commerce platform providers operate in highly competitive SaaS markets where service reliability, feature richness, and holiday performance determine merchant retention—platform disruptions during peak shopping seasons create permanent competitive damage as merchants migrate to alternative solutions demonstrating superior operational resilience, making Black Friday weekend performance existentially important for customer retention and market positioning.
Key Stakeholders
- Stakeholder 1: Marcus Chen - VP of Engineering
- Stakeholder 2: Jennifer Martinez - CEO
- Stakeholder 3: David Kim - Head of Customer Success
- Stakeholder 4: Payment Processor Compliance Officer
Why This Matters
You’re not just removing network worms from e-commerce platforms—you’re determining whether SaaS infrastructure providers prioritize short-term merchant service continuity over security remediation when Black Friday revenue concentration creates operational pressure against maintenance disruptions.
You’re not just meeting platform SLA commitments—you’re defining whether e-commerce infrastructure providers accept that compromised servers participate in internet-wide attacks affecting payment ecosystems, or implement disruptive patches protecting broader financial infrastructure despite merchant impact.
IM Facilitation Notes
1. Emphasize dual impact—merchant business survival AND payment infrastructure stability both at risk
2. Make Black Friday timing tangible—35% annual revenue concentration in 4-day weekend creates genuine existential pressure
3. Use shared infrastructure architecture to explore multi-tenant security isolation failures
4. Present Code Red as internet-wide threat where ShopCore’s servers contribute to payment processor DDoS
5. Address platform provider responsibility balancing merchant service against financial ecosystem protection
6. Celebrate coordinated merchant communication and staged remediation despite competitive pressure
2-12. Complete Sections
Game Configuration Templates:
All four formats (Quick Demo 35-40 min, Lunch & Learn 75-90 min, Full Game 120-140 min, Advanced Challenge 180+ min) configured for e-commerce crisis with emphasis on:
- Holiday shopping timeline (Black Friday weekend revenue impact)
- Multi-tenant platform dependencies (5,000 retailers sharing infrastructure)
- Internet infrastructure responsibility (coordinated attack participation)
- Business relationship management (retailer trust and platform reputation)
Scenario Overview:
Opening: Black Friday morning, ShopCore handles record traffic for 5,000 retailers during peak shopping season. Retailer websites display “HELLO! Welcome to http://www.worm.com! Hacked By Chinese!” instead of product catalogs while platform servers generate massive scanning traffic.
Initial Symptoms:
- Retailer websites showing defacement messages instead of product catalogs
- Shopping cart and payment systems displaying compromise messages during peak sales
- Platform IIS servers generating massive scanning traffic affecting bandwidth
- 5,000 retailers unable to process holiday sales through compromised platform
- Help desk overwhelmed with retailer emergency calls
Organizational Context: E-commerce platform company serving thousands of retailers, managing Black Friday weekend traffic, facing revenue loss and business relationship damage during the most critical commercial period.
NPCs:
- Victoria Chen (Platform Operations Director): Managing peak holiday shopping traffic for 5,000 retailers, watching e-commerce platforms get defaced during critical revenue period, demanding immediate restoration
- Mark Rodriguez (Security Engineer): Discovering platform servers participating in internet-wide attacks while retailer websites display defacement, balancing investigation with emergency response
- Amanda Johnson (Client Success Manager): Managing crisis communications with thousands of retailers losing holiday revenue, facing platform reputation damage and business relationship threats
- Kevin Wu (Infrastructure Manager): Coordinating emergency response while maintaining platform availability for retailers dependent on holiday shopping revenue
Investigation Timeline:
Round 1: Discovery of IIS buffer overflow exploitation, memory-resident worm infection, defacement of retailer websites, outbound scanning traffic indicating coordinated attack participation
Round 2: Confirmation of widespread platform compromise, retailer revenue loss quantification, payment processor complaints about attacks from ShopCore infrastructure, approaching 12-hour mark threatening entire Black Friday weekend
Round 3: Response decision balancing emergency platform restoration vs complete worm eradication, retailer business continuity vs internet security obligations, immediate revenue recovery vs long-term security improvements
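The outbound scanning traffic discovered in Round 1 can drive the decision about which shared servers to isolate first. The following is an added example, not part of the original planning document: it flags web-tier hosts that open port-80 connections to many distinct outside addresses with few answers. The address range, thresholds, flow tuple layout and sample records are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

WEB_TIER = ipaddress.ip_network("10.20.0.0/16")  # assumed range for the shared IIS tier
MIN_DISTINCT_DSTS = 20      # assumed threshold; tune against normal server egress
MIN_UNANSWERED_RATIO = 0.5  # random scanning mostly hits dead or filtered addresses


def find_scanning_servers(flows):
    """flows: (initiator, dst, dst_port, answered) tuples for one time window.
    Returns {server_ip: (distinct_dsts, unanswered_ratio)} for servers to isolate."""
    dsts, attempts, unanswered = defaultdict(set), defaultdict(int), defaultdict(int)
    for src, dst, dst_port, answered in flows:
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        # Keep only port-80 connections a web-tier server opened to an outside address.
        if dst_port != 80 or src_ip not in WEB_TIER or dst_ip in WEB_TIER:
            continue
        dsts[src].add(dst)
        attempts[src] += 1
        unanswered[src] += 0 if answered else 1
    flagged = {}
    for src, seen in dsts.items():
        ratio = unanswered[src] / attempts[src]
        if len(seen) >= MIN_DISTINCT_DSTS and ratio >= MIN_UNANSWERED_RATIO:
            flagged[src] = (len(seen), ratio)
    return flagged


def constructed_flows():
    """Constructed sample window (not real data): one scanner, one healthy server."""
    flows = []
    # 10.20.1.15 opens port 80 to 40 distinct addresses; only 1 in 8 answers.
    for i in range(40):
        flows.append(("10.20.1.15", f"198.51.100.{i + 1}", 80, i % 8 == 0))
    # 10.20.1.16 is healthy: repeated calls to the same two outside services.
    for _ in range(5):
        flows.append(("10.20.1.16", "203.0.113.10", 443, True))
        flows.append(("10.20.1.16", "203.0.113.20", 80, True))
    # Shopper-initiated traffic to both servers is ignored by the check.
    for i in range(30):
        flows.append((f"192.0.2.{i + 1}", "10.20.1.15", 80, True))
        flows.append((f"192.0.2.{i + 1}", "10.20.1.16", 80, True))
    return flows


if __name__ == "__main__":
    for ip, (count, ratio) in find_scanning_servers(constructed_flows()).items():
        print(f"isolate {ip}: {count} distinct destinations, {ratio:.0%} unanswered")
```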
Response Options:
- Type-effective: Memory forensics (+3), network segmentation (+3), patch deployment (+2), backup restoration (+2)
- Moderately effective: Traffic filtering (+1), server isolation (+1), emergency communication (0)
- Ineffective: Signature detection (-2), simple reboots (-1), waiting for vendor fix (-2)
Round-by-Round Facilitation:
Round 1: Malmon identification through worm behavior analysis, recognition of Black Friday timing exploitation, Amanda reports major retailer threatening platform switch
Round 2: Platform compromise scope confirmed, internet attack participation discovered, payment processors report attacks from ShopCore infrastructure, media begins coverage of e-commerce disruption
Round 3: Critical decision: emergency restoration accepting security risks vs complete remediation losing entire holiday weekend vs hybrid approach balancing business and security needs
Pacing & Timing:
- If running long: Condense technical worm analysis, fast-forward retailer impact stories, summarize internet attack coordination
- If running short: Expand payment processor complications, add customer shopping data exposure subplot, include competitive platform poaching attempts
- If stuck: Mark offers technical worm analysis, Victoria provides business timeline constraints, Amanda shares retailer relationship context
Debrief Points:
- Technical: Memory-resident worm behavior, IIS buffer overflow exploitation, coordinated internet attack infrastructure, multi-tenant platform security
- Collaboration: Business continuity vs security thoroughness, stakeholder management during crisis, internet infrastructure responsibility
- Reflection: “How does commercial pressure create security vulnerabilities? How would you design platform security balancing business needs and internet obligations?”
Facilitator Quick Reference:
Type effectiveness: Worm weak to network segmentation (+3) and memory forensics (+3), resists signatures (-2)
Common challenges:
- Team ignores retailer impact → “Amanda reports $2M in lost sales from single major retailer, 5,000 retailers facing similar losses”
- Team minimizes internet attacks → “Payment processors threatening to block ShopCore infrastructure, your servers are attacking financial services”
- Team underestimates holiday timeline → “Black Friday weekend is finite, each hour lost is permanent revenue damage”
DCs: Investigation 12-22, Containment 15-28 (varies by approach), Communication 15-25
Customization Notes:
- Easier: Reduce retailer count, extend timeline beyond Black Friday, simplify worm behavior, remove internet attack subplot
- Harder: Add customer shopping data breach, include payment processor compliance issues, expand to cross-platform infection, add competitive exploitation
- Industry adaptations: Healthcare platform (patient portal crisis), financial platform (trading system compromise), government platform (citizen services disruption)
- Experience level: Novice gets worm behavior coaching, expert faces multi-tenant security architecture challenges
Cross-References:
- Code Red Malmon Detail
- E-commerce Platform Scenario Card
- University Web Services Planning - Similar web infrastructure pattern
- Facilitation Philosophy
Key Differentiators: E-commerce Platform Context
Unique Elements of E-commerce Scenario:
- Multi-Tenant Dependencies: 5,000 retailers sharing infrastructure creates amplified business impact vs single-organization compromise
- Commercial Timeline: Black Friday weekend represents finite, non-recoverable revenue opportunity creating extreme time pressure
- Internet Infrastructure Role: Platform servers participating in coordinated attacks creates dual responsibility (business + internet security)
- Holiday Shopping Culture: Peak commercial period where security patch delays are common to avoid disrupting critical revenue operations
- Stakeholder Complexity: Balancing direct customers (retailers), end customers (shoppers), business partners (payment processors), and internet community
Facilitation Focus:
- Emphasize how commercial pressure mirrors healthcare’s patient safety and compliance pressure—creates similar vulnerability windows
- Highlight platform security’s unique challenge: Multi-tenant architecture amplifies single vulnerability across thousands of businesses
- Explore how incident response decisions affect multiple stakeholder groups with conflicting priorities
- Connect to real-world e-commerce platform security culture and holiday security patch management challenges
End of Planning Document
This scenario explores commercial pressure vulnerabilities in multi-tenant e-commerce platform context. The goal is demonstrating how holiday revenue focus creates exploitable security gaps and how incident response must balance business continuity with internet infrastructure responsibility.