
Scenario Families

Scenario families keep Purple Games from measuring one narrow range. Each family composes reusable infrastructure, telemetry, background activity, vulnerabilities, and objectives.

Status: methodology in progress

Source boundary

Reflects the environment archetypes draft. Archetypes are research design targets; not all of them are covered by the public benchmark today.

Archetypes A-G

Archetypes are reusable range shapes ordered by complexity and research cost. Scenarios add vulnerabilities and objectives on top of an archetype.

  • A, Cloud-native startup: small GCP-style app, database, worker, bucket, cloud audit logs, and light host telemetry.
  • B, SaaS B2B: larger service graph with API tiers, workers, queues, warehouse access, cache, and artifact storage.
  • C, Corporate office: AD-like identity, workstations, file server, DMZ host, jumpbox, SIEM, and EDR-style telemetry.
  • D, Hybrid corporate: cloud plus on-prem style networks with identity bridging and visibility gaps.
  • E, Container-native: Kubernetes and service-mesh surfaces with container, audit, and workload-identity telemetry.
  • F, SOC-heavy: a telemetry substrate that can be applied over A-D for SIEM-grade defensive evaluation.
  • G, OT/ICS: deferred beyond v1 because realistic physical-process modeling is a separate research problem.

Composition rules

Scenario manifests select an archetype, version, overrides, background traffic profile, documented vulnerabilities, objectives, and safety controls.

  • Scenarios can adjust host counts within defined bounds and choose off, quiet, normal, or busy background traffic.
  • Scenarios can add hosts or vulnerability surfaces without weakening safety posture.
  • Every archetype and scenario should map to specific MITRE ATT&CK technique IDs for coverage reporting.
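As an added illustration of these composition rules (example code, not Purple Games' own manifest format or tooling), a small validator checks a constructed scenario manifest against them: usable archetypes, the four background traffic profiles, host counts within bounds, safety controls that overrides cannot weaken, and ATT&CK technique IDs on every documented vulnerability. The field names, the per-archetype host-count bounds and the sample manifest are assumptions.

```python
import re
ARCHETYPES = {"A", "B", "C", "D", "E", "F"}  # range shapes usable in v1 (from the page)
DEFERRED = {"G"}  # OT/ICS is deferred beyond v1 (from the page)
TRAFFIC_PROFILES = {"off", "quiet", "normal", "busy"}  # background traffic levels (from the page)
# Per-archetype host-count bounds: hypothetical numbers, the page only says bounds exist.
HOST_BOUNDS = {"A": (3, 8), "B": (6, 20), "C": (5, 15), "D": (8, 25), "E": (4, 30), "F": (5, 25)}
ATTACK_ID = re.compile(r"^T\d{4}(\.\d{3})?$")  # ATT&CK technique or sub-technique ID

def validate_manifest(m: dict) -> list:
    """Return rule violations; an empty list means the manifest composes cleanly."""
    errors = []
    arch = m.get("archetype")
    if arch not in ARCHETYPES:
        why = "deferred beyond v1" if arch in DEFERRED else "unknown"
        errors.append(f"archetype {arch!r} is {why}")
    for key in ("version", "vulnerabilities", "objectives", "safety_controls"):
        if not m.get(key):
            errors.append(f"missing required field {key!r}")
    profile = m.get("background_traffic", "normal")
    if profile not in TRAFFIC_PROFILES:
        errors.append(f"unknown background_traffic profile {profile!r}")
    overrides = m.get("overrides", {})
    hosts = overrides.get("host_count")
    if hosts is not None and arch in HOST_BOUNDS:
        lo, hi = HOST_BOUNDS[arch]
        if not lo <= hosts <= hi:
            errors.append(f"host_count {hosts} outside {lo}-{hi} for archetype {arch}")
    # Overrides may add hosts or vulnerability surfaces but never weaken safety posture.
    if overrides.get("disable_safety_controls"):
        errors.append("overrides may not disable safety controls")
    # Every documented vulnerability must map to well-formed ATT&CK technique IDs.
    for vuln in m.get("vulnerabilities", []):
        ids = vuln.get("attack_ids", [])
        if not ids:
            errors.append(f"vulnerability {vuln.get('id')!r} maps to no ATT&CK technique")
        errors += [f"malformed ATT&CK ID {t!r}" for t in ids if not ATTACK_ID.match(t)]
    return errors

def attack_coverage(m: dict) -> set:
    """Technique IDs the manifest exercises, for coverage reporting."""
    return {t for v in m.get("vulnerabilities", []) for t in v.get("attack_ids", [])}

# Constructed sample manifest for archetype A; names and values are not from the page.
SAMPLE = {
    "archetype": "A", "version": "1.0", "background_traffic": "quiet",
    "overrides": {"host_count": 5}, "safety_controls": ["egress-allowlist"],
    "vulnerabilities": [{"id": "public-bucket", "attack_ids": ["T1530"]},
                        {"id": "worker-env-creds", "attack_ids": ["T1552.001"]}],
    "objectives": ["reach the customer export in the bucket"],
}
```

Running `validate_manifest` over a scenario's manifest before provisioning gives an early, machine-checkable gate on the rules above; `attack_coverage` feeds the per-scenario technique coverage report.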

Defender realism

Background traffic and telemetry are part of the benchmark, not decoration. Defender agents must separate malicious activity from legitimate operational noise.

  • Traffic profiles include web activity, auth events, file-system activity, email-like signals, and normal egress.
  • Commercial EDR behavior may be approximated with open tooling when licenses make direct use impractical.
  • Broken services, latency, IAM friction, and noisy tools are recorded because real cyber work contains those conditions.
