This activity simulates a real Security Operations Center (SOC) tabletop exercise. There are no right answers given immediately — only consequences.
Your goal is to move through the incident using the correct response process, not speed or panic.
It is 10:15 AM on a school day. Multiple staff members report they suddenly cannot
access files on a shared drive. File names now include .locked.
One teacher reports a ransom note on their screen demanding payment in 48 hours.
Logs show unusual file access patterns. Antivirus alerts appear on two machines.