ForgeAwareness
Get started
← Back to shop

Social Engineering Escape Room Kit

A 60-minute facilitator-led team experience. Defend a fictional company from a 48-hour coordinated social engineering attack across 6 stages — pretexting, OSINT, phishing, vishing, physical, and supply chain.

Section 1 of 5~5 min read
Download raw ↗

🕵️ SOCIAL ENGINEERING ESCAPE ROOM KIT

The 60-Minute Coordinated Attack Simulation

A complete facilitator-led team experience for security awareness. Your employees face a coordinated 48-hour attack across six vectors — pretexting, OSINT, phishing, vishing, physical tailgating, and supply chain compromise. They have 60 minutes to survive it.

Built for the awareness lead running events at 200+ person companies. In-person and remote variants included. Serious tone. Real attacker tactics. Polished, ready to run.

What's Inside

#FilePurpose
01Facilitator ScriptComplete 60-min timing, dialogue, decision trees, scoring
02Pre-Event Setup30-min prep checklist, room layout, equipment
03Slide DeckOpening & stage transitions (project during event)
04Player HandoutsPhishing emails, OSINT screenshots, physical cards
05Decision TreesBranching outcomes per stage, guard rails
06Scoring TemplateLive leaderboard + real-time team tracking
07Debrief DeckPost-event teaching + control mapping
08Remote VariantZoom breakouts, digital handouts, timing tweaks
09Marketing One-PagerEmail your boss. Sell the event.

The Scenario Frame

Day 0: {{company}} is under coordinated attack. Threat actor has gathered OSINT, spoofed email, sent deepfakes. Over 48 hours, they'll hit six vectors simultaneously. Your team must spot the attack chain, make decisive calls under pressure, and rebuild the timeline.

The Six Stages (8–10 min each):

  1. Pretexting (Phone) — IT support calls about a vendor account change
  2. OSINT (Reconnaissance) — Find the information leak that powered the spear phish
  3. Phishing (Email) — Spot the spear phish in a stack of 8 real-looking emails
  4. Vishing + Deepfake — Voicemail from the "CFO" requests emergency wire
  5. Physical (Tailgating) — Delivery person follows through the badge gate
  6. Supply Chain — Compromised vendor requests invoice payment

Final Boss (5 min): Rebuild the attack timeline. Identify the controls that would have caught it.

Highlights

  • Serious, grounded tone — Sandworm-book realism in an engaging escape-room format
  • Two difficulty modes: Standard (default) and Hard (for security teams)
  • Dual delivery: In-person (printable PDFs) AND remote (Zoom breakouts)
  • Fully facilitator-paced — No tech failures, no dependency on apps
  • 6–30 players — Scales from small team event to company-wide offsite
  • Inclusive design — Tests decision-making, not technical knowledge
  • Tokenized — {{company}}, {{team}}, {{reportingEmail}}, {{ciso_name}} everywhere

Quickstart for Facilitators

  1. Read 01-Facilitator-Script.md (the full blueprint)
  2. Prep 02-Pre-Event-Setup.md (checklist, room layout, 30 min before event)
  3. Print 04-Player-Handouts.pdf (one set per team of 6)
  4. Project 03-Slide-Deck.html during the event
  5. Track 06-Scoring-Template.html live on a laptop
  6. Debrief with 07-Debrief-Deck.html

For remote events: Follow 08-Remote-Variant-Guide.md (Zoom breakout instructions + digital handout links).

Success Metrics

  • Engagement: 90%+ of players recall at least 2 attack vectors
  • Behavior: Teams identify the control gaps in debrief
  • Knowledge: 80%+ can spot a spear phish in follow-up assessments
  • Advocacy: Attendees recommend the event to peers (eNPS +40+)

Tone & Philosophy

This kit is serious, not scary. The frame is "learning exercise under controlled conditions," not "your company is actually being attacked right now."

Teams will:

  • Feel the pressure of real decision-making
  • Laugh at the absurd deepfake voicemail
  • Have aha moments when they connect the dots
  • Leave empowered, not demoralized

The debrief is where teaching happens — rebuild the attack chain, map to controls, celebrate what they caught.

Event Flow at a Glance

Opening (5 min)
├─ Stage 1: Pretexting call (9 min + 1 min debrief)
├─ Stage 2: OSINT hunt (10 min + 1 min debrief)
├─ Stage 3: Phishing emails (9 min + 1 min debrief)
├─ Stage 4: Vishing & deepfake (9 min + 1 min debrief)
├─ Stage 5: Physical tailgating (8 min + 1 min debrief)
├─ Stage 6: Supply chain decision (8 min + 1 min debrief)
└─ Final Boss: Attack timeline + controls (5 min)

Total: ~60 minutes

What to Customize

  • {{company}} — Your company name
  • {{team}} — Team/department running the event
  • {{reportingEmail}} — Security team email for "findings"
  • {{ciso_name}} — Your CISO or security lead
  • {{eventDate}} — When the event happens
  • Difficulty mode — Standard (default) or Hard
  • Delivery mode — In-person or Remote (see 08-Remote-Variant-Guide.md)

All placeholder tokens are marked clearly in the facilitator script.

Technical Requirements (Minimal)

In-Person:

  • Projector + laptop (for slides & scoring)
  • Printer (handouts)
  • Timer (phone works fine)
  • Optional: wireless microphone if venue is large

Remote:

  • Zoom + breakout rooms
  • Participants share screen or can see shared document
  • No video required (audio-only works)

Mantra

The attack was coordinated. Your defense should be too.

Every {{company}} employee is a sensor. This event teaches them what to look for.

Questions? Next Steps

  1. Brand & customize — 30 min to replace placeholders
  2. Print or prep digital — 20 min
  3. Run through the script once — 15 min (narrator familiarity)
  4. Execute — 60 min (the real thing)
  5. Debrief & collect feedback — 10 min

Total prep time: ~2 hours.

Built with {{company}}'s security mission in mind. Let's turn employees into your first line of defense.