You are the on-call cybersecurity engineer for a SaaS company. At 4:42pm a researcher emails security disclosures with a screenshot showing a public listing of an S3 bucket holding customer-uploaded PDFs. The bucket name matches a production naming convention. The researcher gave you 60 minutes before they post on their blog.
You have read access to the AWS account through a federated SSO role with security-auditor permissions. You have approval to invoke the documented break-glass procedure to make changes if the situation warrants it.
This scenario tests whether you can identify cloud misconfiguration root causes, prioritize containment over root cause investigation, and document for both regulatory and engineering audiences.
This scenario is time-pressured: a live threat actor panel updates every few seconds with new actions you must address.
Step timers count down. Color shifts and pulse cues warn at 25%, 10%, and 5% time remaining. Score decays over time.