InfoNoSecurity Europe is the organiser of Infosecurity Europe 2026, a flagship cybersecurity trade event held at ExCeL London on 2–3 June.
“The point of a tabletop is not to win. It is to find the seams in your response — the handoffs, the assumptions, the silences — while the only thing at stake is your pride.”
Speak from your assigned function. If you would not have the information in real life, you don’t have it here either. Bluffing is fine; lying about facts is not.
The exercise rewards making a call with imperfect information. Document the decision, the rationale, and the dissent — not a perfect plan.
Each act is timeboxed. The clock will press you toward the wrong answer faster than the adversary will. Notice when it does.
Treat scenario detail, observed behaviours, and named decisions as confidential. The post-incident review is for learning, not litigation.
InfoNoSecurity Europe is the organiser of Infosecurity Europe 2026, a flagship cybersecurity trade event held at ExCeL London on 2–3 June. The event draws over 19,000 registered delegates, 400 exhibiting sponsors, and 180 speakers — many of them high-net-worth individuals (HNWIs), C-suite executives, and government officials. Delegate registration, speaker management, and sponsor coordination are handled through a cloud-hosted event management platform called EventForge, supplemented by a CRM (Salesforce), a mobile event app, and a legacy on-premises badge-printing system networked into ExCeL's venue infrastructure. The scenario begins on Monday of Week 1 (Mon W1) at 06:00, roughly 72 hours before the event opens. The threat: attackers have silently compromised the EventForge platform via a misconfigured API endpoint, exfiltrating delegate, speaker, and sponsor records including home addresses, dietary preferences, employer data, and VIP access flags. The exfiltrated data is being weaponised in two parallel tracks — a targeted burglary operation against HNWIs known to be attending the event, and a sophisticated spear-phishing campaign launched against the broader delegate pool. The organiser does not yet know any of this.
“The story you are about to play through is not a story about clever attackers. It is a story about a company that already had everything it needed to see what was happening — and didn’t look in time.”
The brief unfolds in three acts. Each act introduces a new pressure on the organisation, surfaces a set of core tensions for the room to wrestle with, and culminates in a small number of decisions that will materially shape what comes next. Timeline events and multiple-choice prompts are released live during the session and are deliberately not previewed here.
Anomalies accumulate across functions that don’t routinely talk to each other. The question is not yet what to do — it is whether anything is happening at all, and who has the authority to say so out loud.
“If your organisation declared this an incident on the basis of what is described above — would anyone be surprised? Would anyone be relieved?”
Encryption lands. A ransom note follows. The press has the outline before the board does. Now the work is no longer technical — it is moral, legal, commercial and human, all at once, on the same conference call.
“Every decision in this act is a trade. Be honest, in the moment, about what you are trading away — and to whom you owe an explanation if you are wrong.”
Containment holds. The acute crisis ends and the structural one begins: governance, accountability, architecture, and the public posture the company will live with for the next eighteen months.
“The decisions in this act outlive the incident. Treat them as the first eighteen months of a strategy, not the last hour of a crisis.”
Roles are assigned at the start of the session. Each Blue Team and Support player holds decision authority within their function; Red Team roles are voiced by the facilitator and surface through injects rather than direct dialogue.
This document is the pre-read. The live exercise — timeline events, decision prompts, scoring and debrief — is run inside IncidentResponse.App. Follow the steps below to take the room from this brief into a facilitated session.
From any browser, go to IncidentResponse.App and sign in as the facilitator. You do not need to install anything — the session runs in the browser for everyone in the room.
From the home screen, choose one of the two paths below depending on whether you already have a saved scenario file:
▣ Upload a saved scenario and go directly to scenario preparation — if you already hold the matching scenario XLSX file (the companion to this brief). Drop it into the uploader and the platform will reconstruct the world, cast and acts described here.
◇ Create a whole new scenario — if you do not have an XLSX. The guided builder will walk you through subject organisation, sector, acts, tensions and players, and produce a fresh scenario you can save and re-run later.
Assign Blue Team and Support roles from the cast page. Use the host control screen to drive the scenario and project the big screen view on a large screen in the room or as a shared screen if playing via Zoom; players engage using their own unique player links on their own devices. Confirm timeboxing and the house rules before you release the first inject.
Move through Build-Up, Contagion and Resolution at the pace of the room. The platform releases timeline events and decision prompts in order, captures each call, and produces a structured debrief pack at the end of the session.
After each act, a tutorial session runs in-app — combining short quizzes, training videos and slides — to consolidate the learning before the next act begins.
“Bring this brief into the room, open the app, and let the scenario do the work. The rest belongs to the people around the table.”