Module 5.6 — Variant Scenarios and Lab Platform
Day 5 capstone · Section 6 of 6
Why variants
The course runs multiple times per year at SANS events. The Verdancy Health / PROMETHEUS-7 scenario stays fresh for the first ~6 deliveries; after that, repeat students and instructor familiarity create a stale-content risk. Three pre-built variants swap the org and the Stage-3 attack surface while preserving the four-stage kill-chain shape and the Mirror Twist.
Instructor effort to swap a variant: approximately 1 day of content reseeding (regenerating the synthetic alert pack, NoraBot equivalents, CloudTrail equivalents). The facilitation script is materially the same across all three variants.
Variant A — “Hollow Mirror: Fintech”
Target organization: Halgrove Capital Partners, a regional bank with ~5,500 employees and $40B in assets under management.
Stage-3 surface change: Instead of a customer-facing chatbot (NoraBot), the prompt-injection target is an internal copilot (“HalgroveGPT”) used by the wealth-advisor team for client research and portfolio analysis. The adversary plants poisoned content in a public investor-relations document that gets ingested into the copilot’s RAG corpus.
Adversary handle: STYX-4
Stage-4 impact: Exfiltration of high-net-worth client portfolio data (~2,800 client records, including SSNs, wire instructions, and trust beneficiary information). Estimated regulatory exposure: ~$220M in CFPB and state fines.
Distinctive elements:
- Stage 1 recon includes adversary scraping of LinkedIn investment-advisor profiles
- Stage 2 deepfake call impersonates the bank’s CEO contacting a senior trader for an “urgent confidential FX hedge”
- Stage 4 exfil destination is a misregistered domain that resembles the bank’s known archive bucket
Realism: Halgrove Capital Partners is fictional. The scenario draws on documented patterns from regulatory disclosures of financial-services AI deployments (most fintechs have NDAs that prevent public AI-incident detail).
Variant B — “Hollow Mirror: OT / Manufacturing”
Target organization: Brackenwell Industrial Systems, a specialty chemicals manufacturer with operations across 7 facilities.
Stage-3 surface change: The prompt-injection target is a maintenance-scheduling agent (“BrackenwellOps”) that controls work-order dispatch to OT (operational technology) systems. The adversary plants a poisoned maintenance instruction that, when retrieved, modifies the work-order in a way that has physical-system implications.
Adversary handle: CINDERHOOK
Stage-4 impact: Instead of data exfiltration, this variant has physical-system sabotage — Stage 4 reveals that the work-order modification caused a misconfiguration of a specialty-chemical reactor, leading to off-spec product over a 6-hour production window. Estimated impact: $48M in product write-offs and a near-miss safety event.
Distinctive elements:
- Stage 1 recon includes adversary access patterns through the OT environment’s MES (Manufacturing Execution System) audit logs
- Stage 2 deepfake call impersonates the head of maintenance to authorize an “urgent unscheduled vendor service window”
- Stage 4 telemetry is OT-domain (Modbus traffic, plant historian queries) not just IT-domain
- Stage 4’s “AI SOC manipulation” plays out at the IT/OT boundary — adversary log injection causes the AI triage to attribute Modbus anomalies to a vendor’s scheduled service window
Realism: OT scenarios are particularly hard to find authentic published material for. Instructors delivering this variant should be paired with an OT-domain SME for credibility.
Variant C — “Hollow Mirror: Public Sector / DMV”
Target organization: State of Lincoln Department of Motor Vehicles, 4,800 employees serving 11.2 million citizens.
Stage-3 surface change: The prompt-injection target is a citizen-facing chatbot (“LincolnAssist”) that helps with license renewals, registration questions, and appointment scheduling. The adversary plants poisoned content in a publicly-indexed FAQ document.
Adversary handle: PALEHORSE-9
Stage-4 impact: Instead of data exfiltration alone, this variant adds journalist-leak parallel comms exposure — during Stage 4, the adversary leaks fabricated documents to a regional journalist suggesting (incorrectly) that the DMV has been spying on citizens with the AI system. The SOC’s IR response must coordinate with public-affairs and legal in real-time, not just technical remediation. Estimated impact: ~$30M in incident-response costs and a 3-year regulatory consent decree.
Distinctive elements:
- Stage 1 recon includes adversary scraping of public records and FOIA-released documents
- Stage 2 deepfake is a video deepfake of the agency director (this exercises a different detection lesson than the audio analysis used in the voice-clone variants)
- Stage 4 includes the parallel comms / journalist response track that other variants don’t have
- Stage 4’s “AI SOC manipulation” deceives the agency’s automated triage into classifying the journalist contact as benign vendor outreach
Realism: Public-sector AI deployments are increasingly common; this variant is grounded in documented patterns from state-government chatbot deployments and the political risks they encounter.
Cross-variant common elements
All three variants share:
- The four-stage kill chain shape (recon → deepfake → injection → exfil/manipulation)
- The Mirror Twist — defender’s AI agent gets manipulated; students must catch their own agent’s wrong attribution
- The 1000-point scoring rubric (with the -50 AI-attribution penalty and the 100-point AI SOC hygiene category)
- The six required deliverables
- The 8-hour facilitation schedule
Lab platform setup
Per-student environment
Each student receives a browser-accessible isolated EC2 instance:
- Instance type: g5.xlarge (or m6i.2xlarge for the CPU-only path) — provides GPU for the Day-2 audio-detector portion
- Network: Private VPC with controlled outbound (only to allow-listed endpoints; no direct internet access from the lab instances, to prevent inadvertent leakage of synthetic content)
- Pre-loaded data:
  - ~/data/phase1_recon_alerts.json (Codex-generated, 14 records)
  - ~/data/phase3_norabot_trace.jsonl (Codex-generated agent trace)
  - ~/data/phase4_cloudtrail.jsonl (Codex-generated synthetic logs)
  - ~/data/voicemail.wav (synthetic deepfake audio against a SANS-owned synthetic CEO voice)
  - ~/data/vendor-onboarding-emergency.pdf (with embedded prompt-injection payload)
  - ~/submissions/ (empty directory for student deliverable submissions)
- Pre-installed tools:
  - The Day-1 detector stack from the Module 1.6 lab
  - The Day-2 audio-detection pipeline from Module 2.2
  - The Day-3 prompt-injection detector from Module 3.4
  - The Day-4 Sigma + Suricata rule pack
  - The Day-4 multi-agent SOC workflow from Module 4.3
  - The Codex capstone_grader.py (for self-assessment during prep)
- Pre-configured “AI SOC”: the multi-agent triage workflow runs against the synthetic data with pre-seeded behaviors:
  - Phase 4: the triage agent confidently misattributes the exfil to “vendor-acme” — this is engineered into the lab, not magical AI behavior
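The engineered Phase 4 misattribution above is what the "grounding-against-CloudTrail" discipline in the capstone design is meant to catch: the agent's verdict is a claim, and the raw telemetry is the evidence the claim has to survive. The following is an added illustration written for this module, not capstone_grader.py and not the lab's multi-agent workflow. It takes a constructed CloudTrail-style JSON Lines sample (in place of ~/data/phase4_cloudtrail.jsonl; the account ID, ARNs, bucket names and timestamps are invented) and a constructed triage verdict that attributes the S3 activity to "vendor-acme", then checks two things: whether the attributed principal is actually among the principals that performed S3 data-plane calls in the stated window, and whether the verdict's cited evidence came from telemetry at all. The "cloudtrail:" citation prefix is an assumed convention for this example.

```python
"""
Grounding an AI-triage verdict against raw CloudTrail-style events.

Added example for this module: it is not capstone_grader.py and not the
lab's multi-agent triage workflow. The events, account ID, ARNs, bucket
names and the verdict below are all constructed for the example.
"""
import json
from datetime import datetime, timezone

# Constructed CloudTrail-style records (JSON Lines), standing in for
# ~/data/phase4_cloudtrail.jsonl. The first three events are the actual
# data movement; the fourth is the only thing the vendor account did.
SAMPLE_CLOUDTRAIL = """\
{"eventTime":"2026-03-12T14:02:11Z","eventSource":"sts.amazonaws.com","eventName":"AssumeRole","userIdentity":{"arn":"arn:aws:iam::111122223333:user/svc-build"},"requestParameters":{"roleArn":"arn:aws:iam::111122223333:role/DataExportRole"}}
{"eventTime":"2026-03-12T14:03:40Z","eventSource":"s3.amazonaws.com","eventName":"GetObject","userIdentity":{"arn":"arn:aws:sts::111122223333:assumed-role/DataExportRole/svc-build"},"requestParameters":{"bucketName":"verdancy-patient-archive","key":"export/q1.parquet"}}
{"eventTime":"2026-03-12T14:04:02Z","eventSource":"s3.amazonaws.com","eventName":"PutObject","userIdentity":{"arn":"arn:aws:sts::111122223333:assumed-role/DataExportRole/svc-build"},"requestParameters":{"bucketName":"partner-dropbox-9a1c","key":"export/q1.parquet"}}
{"eventTime":"2026-03-12T14:04:30Z","eventSource":"s3.amazonaws.com","eventName":"ListBuckets","userIdentity":{"arn":"arn:aws:iam::111122223333:user/vendor-acme-support"},"requestParameters":null}
"""

# Constructed verdict of the kind the pre-seeded triage agent emits in
# Phase 4: confident, and resting on a non-telemetry source (a ticket note).
SAMPLE_VERDICT = {
    "summary": "S3 read/write 14:03-14:04 is vendor-acme's scheduled service window; benign",
    "attributed_principal": "vendor-acme-support",
    "window": ["2026-03-12T14:00:00Z", "2026-03-12T14:10:00Z"],
    "evidence_cited": ["ticket:CHG-4471 vendor-acme service window 14:00-15:00"],
}

# S3 data-plane operations that actually move or remove object data.
DATA_PLANE = {"GetObject", "PutObject", "CopyObject", "DeleteObject"}


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_events(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def principal(arn):
    """Split an IAM/STS ARN into (kind, name): 'user/svc-build' -> ('user', 'svc-build').
    An assumed-role ARN keeps 'Role/session' as the name."""
    kind, _, name = arn.split(":", 5)[5].partition("/")
    return kind, name


def role_chain(events):
    """Map role name -> the identity that assumed it, from AssumeRole events."""
    chain = {}
    for e in events:
        if e["eventName"] == "AssumeRole":
            _, role = principal(e["requestParameters"]["roleArn"])
            kind, name = principal(e["userIdentity"]["arn"])
            chain[role] = f"{kind}/{name}"
    return chain


def data_plane_actors(events, start, end):
    """Principals that performed S3 data-plane calls inside [start, end]."""
    actors = set()
    for e in events:
        t = parse_ts(e["eventTime"])
        if start <= t <= end and e["eventName"] in DATA_PLANE:
            actors.add(principal(e["userIdentity"]["arn"])[1])
    return sorted(actors)


def ground_verdict(verdict, events):
    """Accept the agent's attribution only if the attributed principal is one of
    the principals CloudTrail shows moving data in the window, and the verdict
    cites telemetry rather than a ticket or free-text note."""
    start, end = (parse_ts(t) for t in verdict["window"])
    actors = data_plane_actors(events, start, end)
    claimed = verdict["attributed_principal"]
    # Match either the full 'Role/session' name or its session/user component.
    supported = any(claimed == a or claimed == a.rsplit("/", 1)[-1] for a in actors)
    # Assumed convention: telemetry-backed citations carry a 'cloudtrail:' prefix.
    cites_telemetry = any(c.startswith("cloudtrail:") for c in verdict["evidence_cited"])
    return {
        "attribution_supported": supported,
        "verdict_cites_telemetry": cites_telemetry,
        "actual_data_plane_actors": actors,
        "role_chain": role_chain(events),
        "decision": "ACCEPT" if supported and cites_telemetry else "REJECT",
    }


if __name__ == "__main__":
    finding = ground_verdict(SAMPLE_VERDICT, parse_events(SAMPLE_CLOUDTRAIL))
    print(json.dumps(finding, indent=2))
```

Run as-is, the check rejects the verdict: the only data-plane actor in the window is the DataExportRole session opened by user/svc-build, the vendor account merely listed buckets, and the cited evidence is a ticket rather than a log record. That is the shape of the Phase 4 lesson: the agent's confidence is irrelevant until each claim is tied to a specific event the student can point at.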
Shared lab services
Beyond per-student instances:
- Email gateway shadow: simulates Verdancy’s mail flow; delivers the Phase 2 voicemail forward at T+2:05
- Active Directory shadow: 14,000 simulated user accounts including Brenda Castillo, Dr. Marcus Wei (CISO), and the technical principal accounts the adversary AssumeRole-targets
- CISO video kickoff: pre-recorded ~3-minute video that plays at T+0:05
Infrastructure cost guidance
For SANS delivery economics:
- Per-student EC2 costs: ~$1.20/hour during the 8-hour exercise = ~$10/student
- Shared lab services: ~$50/event regardless of student count
- For a typical 30-student delivery: ~$350 in cloud costs
The g5.xlarge requirement is the largest cost driver. For environments where GPU isn’t required (e.g., a variant that excludes the audio-detection phase), the m6i.2xlarge reduces per-student cost to ~$5/student.
Variant data regeneration
When swapping to a variant (Fintech, OT, Public Sector), the instructor regenerates the four synthetic data files:
python3 generate_capstone_data.py --variant fintech --output /lab/variants/fintech/
python3 generate_capstone_data.py --variant ot --output /lab/variants/ot/
python3 generate_capstone_data.py --variant public_sector --output /lab/variants/public_sector/
The generate_capstone_data.py script is a meta-tool that re-runs the Codex prompts (Phase 1 alerts, NoraBot/equivalent trace, CloudTrail/equivalent logs, deepfake audio) with the variant-specific scenario substitutions. Effort to produce: ~1 day of content reseeding plus instructor review.
Why this capstone design
The design decisions for the capstone derive from the course’s overall thesis:
- Adversary-AI is operational, not theoretical — the scenario is grounded in real 2025-2026 incident patterns
- The detector’s AI stack has failure modes — the Mirror Twist makes this visceral
- Workflow gaps are the durable control — Phase 2’s audio-detector-fails-but-workflow-gap-catches lesson reinforces this
- Independent verification is the meta-skill — Phase 4’s grounding-against-CloudTrail rewards exactly this discipline
- Detection engineering integrates — every prior day’s content shows up in Phase 1-4 simultaneously
A student who passes the capstone has demonstrated competence across:
- Day 1 (Embedding clustering + RAG + AI-phishing detection)
- Day 2 (Workflow-gap detection + audio analysis)
- Day 3 (EchoLeak-class injection + guardrail telemetry + lethal trifecta audit)
- Day 4 (Agent telemetry detection + action-criticality + supply-chain awareness)
That competence is the deliverable the course produces. The 700-pt pass bar exists to enforce it.
Closing the course
Day 5 closes the SEC5xx course. Students leave with:
- The detector’s AI stack assembled and operationally proven
- The integration test passed (capstone score)
- The deliverable package (timeline, IOC list, exec summary, CISO memo, AI SOC post-mortem, containment log)
- The course’s one big lesson: AI in the SOC is a tool with failure modes, not a source of truth
- GIAC AI Detection Analyst (GAIDA) certification eligibility (for those pursuing it)
The architectural insight running through all five days: the threat surface moved up the stack. Day 1’s adversary was at the gateway. Day 5’s adversary studied the defender’s stack. The detection engineer’s response moves with it — every layer needs operational controls, and no layer can be trusted in isolation.
Welcome to detection engineering in 2026.