# 🕵️ SOCIAL ENGINEERING ESCAPE ROOM KIT ### The 60-Minute Coordinated Attack Simulation A complete facilitator-led team experience for security awareness. Your employees face a coordinated 48-hour attack across six vectors — pretexting, OSINT, phishing, vishing, physical tailgating, and supply chain compromise. They have 60 minutes to survive it. Built for the awareness lead running events at 200+ person companies. In-person and remote variants included. Serious tone. Real attacker tactics. Polished, ready to run. --- ## What's Inside | # | File | Purpose | |---|---|---| | 01 | [Facilitator Script](01-Facilitator-Script.md) | Complete 60-min timing, dialogue, decision trees, scoring | | 02 | [Pre-Event Setup](02-Pre-Event-Setup.md) | 30-min prep checklist, room layout, equipment | | 03 | [Slide Deck](03-Slide-Deck.html) | Opening & stage transitions (project during event) | | 04 | [Player Handouts](04-Player-Handouts.pdf) | Phishing emails, OSINT screenshots, physical cards | | 05 | [Decision Trees](05-Decision-Trees.md) | Branching outcomes per stage, guard rails | | 06 | [Scoring Template](06-Scoring-Template.html) | Live leaderboard + real-time team tracking | | 07 | [Debrief Deck](07-Debrief-Deck.html) | Post-event teaching + control mapping | | 08 | [Remote Variant](08-Remote-Variant-Guide.md) | Zoom breakouts, digital handouts, timing tweaks | | 09 | [Marketing One-Pager](09-Marketing-One-Pager.html) | Email your boss. Sell the event. | ## The Scenario Frame **Day 0**: {{company}} is under coordinated attack. Threat actor has gathered OSINT, spoofed email, sent deepfakes. Over 48 hours, they'll hit six vectors simultaneously. Your team must spot the attack chain, make decisive calls under pressure, and rebuild the timeline. **The Six Stages** (8–10 min each): 1. **Pretexting (Phone)** — IT support calls about a vendor account change 2. **OSINT (Reconnaissance)** — Find the information leak that powered the spear phish 3. **Phishing (Email)** — Spot the spear phish in a stack of 8 real-looking emails 4. **Vishing + Deepfake** — Voicemail from the "CFO" requests emergency wire 5. **Physical (Tailgating)** — Delivery person follows through the badge gate 6. **Supply Chain** — Compromised vendor requests invoice payment **Final Boss** (5 min): Rebuild the attack timeline. Identify the controls that would have caught it. --- ## Highlights - **Serious, grounded tone** — Sandworm-book realism in an engaging escape-room format - **Two difficulty modes**: Standard (default) and Hard (for security teams) - **Dual delivery**: In-person (printable PDFs) AND remote (Zoom breakouts) - **Fully facilitator-paced** — No tech failures, no dependency on apps - **6–30 players** — Scales from small team event to company-wide offsite - **Inclusive design** — Tests decision-making, not technical knowledge - **Tokenized** — {{company}}, {{team}}, {{reportingEmail}}, {{ciso_name}} everywhere --- ## Quickstart for Facilitators 1. **Read** `01-Facilitator-Script.md` (the full blueprint) 2. **Prep** `02-Pre-Event-Setup.md` (checklist, room layout, 30 min before event) 3. **Print** `04-Player-Handouts.pdf` (one set per team of 6) 4. **Project** `03-Slide-Deck.html` during the event 5. **Track** `06-Scoring-Template.html` live on a laptop 6. **Debrief** with `07-Debrief-Deck.html` **For remote events**: Follow `08-Remote-Variant-Guide.md` (Zoom breakout instructions + digital handout links). --- ## Success Metrics - Engagement: 90%+ of players recall at least 2 attack vectors - Behavior: Teams identify the control gaps in debrief - Knowledge: 80%+ can spot a spear phish in follow-up assessments - Advocacy: Attendees recommend the event to peers (eNPS +40+) --- ## Tone & Philosophy This kit is **serious, not scary**. The frame is "learning exercise under controlled conditions," not "your company is actually being attacked right now." Teams will: - Feel the pressure of real decision-making - Laugh at the absurd deepfake voicemail - Have aha moments when they connect the dots - Leave empowered, not demoralized The debrief is where teaching happens — rebuild the attack chain, map to controls, celebrate what they caught. --- ## Event Flow at a Glance ``` Opening (5 min) ├─ Stage 1: Pretexting call (9 min + 1 min debrief) ├─ Stage 2: OSINT hunt (10 min + 1 min debrief) ├─ Stage 3: Phishing emails (9 min + 1 min debrief) ├─ Stage 4: Vishing & deepfake (9 min + 1 min debrief) ├─ Stage 5: Physical tailgating (8 min + 1 min debrief) ├─ Stage 6: Supply chain decision (8 min + 1 min debrief) └─ Final Boss: Attack timeline + controls (5 min) Total: ~60 minutes ``` --- ## What to Customize - **{{company}}** — Your company name - **{{team}}** — Team/department running the event - **{{reportingEmail}}** — Security team email for "findings" - **{{ciso_name}}** — Your CISO or security lead - **{{eventDate}}** — When the event happens - **Difficulty mode** — Standard (default) or Hard - **Delivery mode** — In-person or Remote (see 08-Remote-Variant-Guide.md) All placeholder tokens are marked clearly in the facilitator script. --- ## Technical Requirements (Minimal) **In-Person:** - Projector + laptop (for slides & scoring) - Printer (handouts) - Timer (phone works fine) - Optional: wireless microphone if venue is large **Remote:** - Zoom + breakout rooms - Participants share screen or can see shared document - No video required (audio-only works) --- ## Mantra > **The attack was coordinated. Your defense should be too.** Every {{company}} employee is a sensor. This event teaches them what to look for. --- ## Questions? Next Steps 1. **Brand & customize** — 30 min to replace placeholders 2. **Print or prep digital** — 20 min 3. **Run through the script once** — 15 min (narrator familiarity) 4. **Execute** — 60 min (the real thing) 5. **Debrief & collect feedback** — 10 min **Total prep time: ~2 hours.** --- *Built with {{company}}'s security mission in mind. Let's turn employees into your first line of defense.*