The InfoNoSecurity Europe 2026 Incident.
Seventy-two hours before the doors open at ExCeL London, something is already wrong inside the organisation running the show — and nobody in the building knows it yet. And as they arrive on the day, event organisers are blissfully unaware that their worst day ever is about to unfold. Likewise delegates, speakers and sponsors don't yet realise that their personal information has been compromised, and that many have been identified as High Net Worth Individuals (HNWIs) and while they mingle at the show, criminal gang members are rifling through the valuables at their homes. Take a seat — are you ready to play?
Every part of Badges, Burglars & Breaches — the brief, the cast, the three acts — was built specially for this week's event on IncidentResponse.app, in about the time it takes to grab a coffee.
InfoNoSecurity Europe runs the flagship cybersecurity event of the year. Nineteen thousand delegates. Four hundred sponsors. A guest list thick with executives, officials and high-net-worth names — all of it sitting in one platform.
The event runs on a cloud event-management platform, a CRM, a mobile app and a legacy badge-printing system wired into the venue. Everything works. Registration is humming. The keynote stage is built.
And three days out, an attacker is already inside — quietly turning fields collected for convenience into a map for real-world harm. The clock has started running; the organiser just hasn't noticed.
This is a story about a company that already had everything it needed to see what was happening — and didn't look in time. You decide whether your room would have looked sooner.
The brief sets the world and the cast, then stops short of the live injects. The exercise itself unfolds across three timed acts — each one tightening the screws on a room that started the morning thinking everything was fine.
Anomalies accumulate across functions that don't routinely talk to each other. The question isn't yet what to do — it's whether anything is happening at all, and who has the authority to say so out loud.
Encryption lands. A ransom note follows. The press has the outline before the board does. The work is no longer technical — it's moral, legal, commercial and human, all at once, on the same call.
Containment holds. The acute crisis ends and the structural one begins: governance, accountability, architecture, and the public posture the company will live with for the next eighteen months.
Roles are assigned at the top of the session. Each seat at the executive table holds real decision authority within its function — and will be held to account for the calls it makes under the clock.
A single-player token lets one person run the whole room — ideal before a board meeting, a regulator submission, or a renewal pitch.
Seat up to seven concurrent executives, with a live host dashboard, support-team routing and a broadcast-TV interview that lands mid-crisis.
Five facilitator-voiced adversaries surface through the inject feed — a journalist with a source, a class-action lawyer with a war chest, the threat actor itself, an activist investor, and the CISO community holding the room to account. Each one pushes the blue team in a different direction; they can be invoked in any combination.
Harker has been working on a long-form piece about data security failures at major industry events for six months. He already has a source inside a gold-tier sponsor and is aware of the API anomaly before the organiser has made any public statement. He will call the PRO at 09:30 Mon W1 seeking comment and will file with or without a response. His angle is the hypocrisy of a cybersecurity event being the source of a major breach.
Osei is the solicitor leading the 312-delegate class action, backed by a professional litigation funder. She is media-friendly and will grant interviews to financial and legal press throughout the proceedings. Her strategy is to maximise claimant numbers before the 14-day response window expires, and she is actively soliciting additional affected delegates via LinkedIn and the event's official attendee community forum.
GoldList is the criminal group that exfiltrated the EventForge data, coordinated the burglary operation, and launched the phishing campaign. They are a financially motivated Eastern European affiliate group with no ideological agenda. After the first domain takedown, GoldList registers a second phishing domain within four hours and begins selling the full 19,400-record dataset on a dark web forum for £12,000, increasing the pool of threat actors with access to the delegate data.
Veil holds a 9.4% stake in the parent group that owns InfoNoSecurity Europe and two other B2B event brands. He sends an open letter to the board on Wed W1 demanding the immediate resignation of the CEO and an independent board investigation into the cybersecurity posture of all group events. He circulates the letter to five other institutional shareholders and posts it on LinkedIn, where it gains significant traction in the investor community.
Chu moderates the largest UK CISO peer forum on Slack, with 2,200 members — many of whom are Infosecurity Europe regulars. She creates a dedicated incident thread within hours of the first press report, collating complaints from affected delegates, sharing phishing indicators of compromise, and calling for a boycott of the 2027 event unless InfoNoSecurity Europe publishes a full independent review. Her forum thread becomes the primary information source for the security community and is cited by multiple journalists.
Tell us where to send it. We'll issue a single-player token for Badges, Burglars & Breaches — you run all seven seats yourself, at your own pace.
We've logged your request for BBB-26-4EL. Your play token will arrive at your inbox shortly — keep an eye out, and check spam just in case.
Every great exercise needs the right people in the right seats. Nominate yourself — or someone you rate — for one of two rosters. Not sure which fits? Pick both, and we'll work it out together.
Support-team members play alongside the blue team during the exercise — the specialists you'd actually want on the bridge if the incident were live. They bring a function, hold a perspective, and keep the room honest.
Experts and trainers play the lecturer in a training scenario — setting the frame, drawing out the lessons as the acts unfold, and leading the debrief that turns a tense afternoon into something the room carries forward.
The full pre-read: the world, the cast, the house rules and the shape of each act. Open it, then print or save as PDF.
Open the briefEverything you need to host the exercise end-to-end — setup, timing, host dashboard, debrief prompts and worked notes.
Download the full guide