The Poisoned Alliance

Third-Party Supply Chain Compromise
P1 — Critical

A trusted ally has been compromised. Your realm's managed services provider — once a stalwart guardian of your fortress walls — has fallen to dark forces. The enemy now holds the keys to your kingdom, and the true extent of the betrayal remains shrouded in fog.

45 minutes
DC 14
2 Injects
4–12 Players

Compliance Frameworks

NIST CSF ID.SC, ISO 27001 A.15, DORA Art.28-30, FCA SYSC 8

🛡️ Roles & Party Members

War Chief (Required)
Incident Commander

Leads the response team, makes containment and escalation decisions

Arcane Engineer (Required)
IT Operations Lead

Provides technical context, manages vendor access, proposes containment

Shadow Watcher (Required)
SOC Analyst

Conducts threat hunting, reviews authentication logs, monitors for compromise indicators

Keeper of the Codex (Required)
Compliance / DPO

Assesses regulatory implications, manages SWIFT CSP obligations

Loremaster (Optional)
Legal Counsel

Reviews vendor contracts, advises on liability and legal remedies

Alliance Keeper (Optional)
Third-Party / Vendor Manager

Manages vendor relationship, coordinates incident response with SecureOps

High Council Elder (Optional)
Senior Management

Provides executive decision authority, manages systemic risk implications

⚡ Inject Timeline

1
Vendor Notification — A Raven Bearing Dark Tidings
T+0 Minutes

The bank's managed IT services provider, 'SecureOps Ltd' (fictitious), has issued an urgent notification to all clients. SecureOps provides privileged remote access for system administration, patch ma...

6 Discussion Prompts, 1 Dice Event, 4 Possible Complications

2
Evidence of Access — The Enemy Was Already Inside
T+20 Minutes

Internal threat hunting has identified suspicious activity. Authentication logs show that a SecureOps service account authenticated to three of the bank's domain controllers at 04:30 UTC, six days ago...

6 Discussion Prompts, 1 Dice Event, 4 Possible Complications

📋 Debrief Questions

Post-Battle Assessment
  1. Were vendor access controls adequate?
  2. Was the threat hunting response timely and effective?
  3. Were SWIFT CSP obligations understood and met?
  4. Were contractual protections with SecureOps adequate?
  5. What improvements should be made to third-party risk management?
  6. How should vendor access be restructured going forward?