Esc Scenario

The Breach

The hackers are playing games. Literally. A ransomware attack has locked down your systems - and they've left you the clues. Five suspects. Five compromise paths. Thirty minutes to crack the case and earn the decryption key.

Book This Scenario
Get The Brochure
The Breach ransomware cyber security escape room scenario props
The Scenario

The Hackers are Playing Games.

Overnight, High Tech Inc. was hit with ransomware. A group calling themselves The Breach Collective have locked down the systems - and they claim they only needed a single set of stolen credentials to get in. 

They've given you five suspects, five possible methods of compromise, and five locations. They've also delivered a backpack containing everything your team needs to crack the case. 

You have 30 minutes before they permanently encrypt the company's data. Analyse IT logs, phone records, internal emails, social media profiles, and some truly questionable password practices. Crack the case, call the hackers, and earn the decryption key. 

Get it wrong? Game over. 

⎯ What happens

Inside the room.

01

The Briefing

Your team is handed the backpack. Inside: suspects cards, access logs, social media profiles, internal emails, physical props, and a partial recording of a suspicious phone call. Nothing is labelled. Nothing is obvious.

Pressure begins immediately

02

The Investigation

You dig into the evidence. Cross-reference logs with emails. Match social media oversharing to the attack timeline. Decode the vishing call. Challenge the red herrings. Figure out who made the mistake - and how the attacker exploited it.

Collaboration under pressure

03

The Call

When you're ready to name your suspect and their compromise method, you call the hackers live. Viper from The Breach Collective answers. She'll tell you if you're right - and if not, you'll need to go back in.

Live interactive element

04

The Debrief

Your facilitator connects every decision your team made back to real-world behaviour. Where did you rush? What did you overlook? What does this tell you about how you'd respond in a genuine incident? This is where the real learning lands.

Behaviour change reinforced

⎯ Learning outcomes

What your team takes away

This isn't about teaching rules. It's about giving people a real experience of how attacks happen - so when the real thing shows up, they recognise it.

Social Engineering & Vishing

Players encounter a live vishing call mid-investigation - and by the time it arrives, they've already followed the breadcrumbs that led to it. They don't just learn what vishing is. They feel exactly how it works. That recognition carries back into their actual working day. 

ISO 27001 A.6.3 ⋅ NIST CSF PR.AT ⋅ NIS2 ART.21

Social Media Privacy & OSINT

Suspects in the scenario have real-looking social profiles. Players discover - sometimes uncomfortably - how much an attacker can learn from an Instagram profile. The lesson isn't abstract. It's their own digital footprint staring back at them. 

NCSC CAF A1 ⋅ DORA ART.13

Role-Based Attack Profiles

The scenario shows how attackers target specific roles differently - what they want from a finance team versus an IT administrator versus an executive assistant. Players start to see themselves as a target profile, not just a general employee. That shift in perspective changes how people make decisions.

ISO 27001 A.5.2 ⋅ NIST CSF GV.HR

Shared Security Responsibility

The breach didn't happen because IT failed, it happened because one ordinary person made one ordinary decision under pressure. The Breach makes that viscerally clear - and does it without blame. Players leave understanding that security isn't someone else's job.

ISO 27001 CL.7.3 ⋅ NCSC CAF B4 ⋅ NIS2 ART.20

⎯ Who it's for

built for the whole workforce.

  • Non-Technical Staff

    Finance, HR, operations, customer-facing roles - the people most likely to be targeted with social engineering. No technical knowledge required. The scenario is deliberately accessible so that the people attackers actually go after can experience what that looks like.

  • Leadership & Exec Teams

    Senior leaders are high-value targets. Most executives know the stats. They've seen the incident reports. The Breach makes them feel how fast one bad decision snowballs - which is a very different thing.

  • Mixed Cross-Functional Teams

    The scenario shows how a breach crosses department lines. Running it with a mixed team - IT alongside finance alongside ops - creates the shared language and instincts that make incident response actually work.

  • Conference & Away Day Groups

    Tight, self-contained, and runs in 30 minutes. Perfect for back-to-back groups at large events. High energy, immediately memorable, and gives people something to talk about long after the day ends.

Good to know

The Breach has no technical pre-requisites. Players don't need to know what ransomware is before they walk in - they'll understand it by the time they walk out. If you have a highly technical security team who want a deeper challenge, Elementary may be a better fit.

RECOMMENDED FOR

FINANCIAL SERVICES ⋅ HEALTHCARE ⋅ PROFESSIONAL SERVICES ⋅ RETAIL ⋅ LEGAL ⋅ EDUCATION ⋅ ALL SECTORS

⎯ the details

The numbers that matter

30min

duration

Plus 15-20 minute facilitated debrief. Back-to-back rotations available for larger groups.

5

players per team

Minimum 3. Optimal at 5. Multiple kits can run simultaneously for bigger events.

1table

space required

A standard meeting room table is all you need. Works in any office, conference room, or event space.

20min

setup time

We handle everything. You arrive to a room that's ready to go.

50+

people in a day

With back-to-back rotations across multiple kits. We'll help you plan the logistics.

3

delivery options

Facilitated, Kit Hire, or Long-Term Rental. Details below.

⎯ how to run it

choose your delivery format

most popular

facilitated sessions

We turn up, set up, and run everything. Our hosts bring the energy, manage the pressure, and deliver a structured debrief that connects the gameplay to your team's real behaviours.

Professional facilitator included
High-energy, seamless delivery
Structured debrief session
Best for away days, conferences, leadership sesions
Flexible

Kit hire

We ship you a ready-to-run kit. Your internal champions run the session - same puzzles, same impact, delivered by your own team on your own schedule.

Complete kit with all props and locks
Host guide for smooth internal delivery
Multiple runs over days or weeks
Best for multi-site or shift-based teams
sustained culture

long-term rental

For organisations building security culture year-round. Keep the kit, run it as often as you like, and swap scenarios throughout the year to keep things fresh.

Enterprise quality kit, yours to keep
Scenario swaps throughout the year
Training for internal hosts
Best for onboarding programmes and ongoing culture work
PPT_quotemarks

Many expected it to be technical, but the experience was hands-on, accessible, and genuinely fun. The puzzles and props brought the learning to life in a way that traditional training just doesn't. It's entertaining, memorable, and makes key cyber behaviours stick.

    CISO, The Telegraph

Collaborating during The Breach cyber security escape room session
⎯ Questions

Things people usually ask

Question

Does anyone need technical knowledge to play?

None at all. The Breach is deliberately designed for a general workforce - the people attackers actually target. No one needs to know what ransomware is before they start. By the time the debrief ends, they'll understand it in a way that sticks.

Question

Can we run it in a larger group - more than 5 people?

Absolutely. Multiple kits can run simultaneously, and back-to-back rotations mean you can put 50+ people through the experience in a single day. We'll help you work out the logistics based on your group size and timing.

Question

How much space do we need?

A standard meeting room table. That's it. The kit is fully portable - we've run it in boardrooms, hotel conference rooms, office break-out spaces, and even in a pub. If there's a table, we can run a game there.

Question

Does this count towards ISO 27001 or other compliance frameworks?

Yes - experiential security training supports requirements under ISO 27001 (Clauses 7.2-7.3), NIST CSF 2.0 (PR.AT), NIS2 (Articles 20-21), and DORA (Article 13). We can provide documentation for your audit trail.

Question

What happens in the debrief?

Your facilitator walks through the decisions the team made - what they spotted, what they missed, where they rushed, where they hesitated - and connects it to the real behaviours you want to reinforce. It's not a lecture; it's a conversation that uses the team's own experience as the material.

Question

Can we customise the scenario for our industry or organisation?

Yes. We can adapt elements of The Breach to reflect your organisation's context - industry-specific roles, relevant attack types, or your own internal terminology. Get in touch to talk through what that looks like.

⎯ Other Scenarios

Explore the Full Range

30 mins ⋅ 5 players

The heist

Flip the script. You're playing the attackers. A CEO's lost rucksack, a digital footprint wide open - exploit everything you can find and pull off the ultimate heist.

45 mins ⋅ 4 players

The Break In

An OT incident shuts down CCTV, locks the equipment room, and knocks a PLC offline. Your team becomes the on-site SOC - physical clues, WhatsApp SOC guidance, and a clock that's counting down.

45 mins ⋅ 5 players

Elementary

Victorian espionage. Modern lessons. Step into Sherlock's office to uncover who stole the factory blueprints - ciphers, contraptions and a suspiciously clever origami puzzle that brings encryption to life.

Ready when you are

Let's Book The Breach

Tell us your team size, your location, and your rough timeline. We'll come back to you with everything you need to make it happen.

Get in Touch