ESC Scenario

The Break In

CCTV is down. The Local Equipment Room has locked itself out. The PLC isn't responding. You're the on-site response team - and a live SOC is waiting on WhatsApp for your first update. No warm-up. No hand-holding. The clock is already running.

Active Incident — Planet Energy Facility 8
The Scenario

No Warm Up. No Hand Holding.

You're the on-site information security team at Planet Energy's Facility 8 - one of the most sensitive energy facilities in the country. Ten minutes ago, something went wrong in Local Equipment Room 3. CCTV went offline. The PLC stopped responding. The access codes were changed overnight.

It might be nothing. A power blip. A maintenance glitch. But The Breach Collective have been targeting energy companies, and this doesn't feel like nothing.

Your job is to get into the LER, assess the damage, communicate with the SOC, and stabilise the environment before this becomes a full-blown outage with very real consequences. The SOC is live on WhatsApp. They'll guide you, challenge you, and ask questions you need to be ready to answer.

This isn't a classroom exercise. The incident is already in progress.

Incident Brief — Planet Energy Facility 8
LER 3 Lockdown — Potential Compromise
🔒 Systems down: CCTV offline, PLC unresponsive, access codes changed. Maintenance teams locked out.
📡 Zero visibility: SOC has no eyes on the facility. Monitoring must be restored before investigation can continue.
⚠️ Threat intelligence: The Breach Collective have been targeting energy infrastructure. Treat as hostile until confirmed otherwise.
🕐 Window is narrow: Downtime is accumulating by the minute. Resolution is urgent. Do not make things worse.
SOC note: Action without communication equals consequences. Contact us the moment you're inside. Do not proceed without authentication.
⎯ What happens

Inside the room.

01

Get into the LER

The Local Equipment Room is locked. Work through the physical puzzles and evidence to crack the access codes and get inside. There are clues... and at least one thing that should probably never have been left where it was.

First lesson lands immediately

02

Contact the SOC

Inside the room is a tablet, a red lockout box bristling with padlocks, and instructions for reaching the SOC. Contact them via WhatsApp. Authenticate your team. Without doing this, the rest of the investigation falls apart.

Comms and identity verification

03

Restore Visibility

The SOC is flying blind. Your first task after authentication is giving them back their eyes. The answer is hidden somewhere in the room... read carefully, think methodically, and send the right information back via WhatsApp.

Incident Response Under Pressure

04

Get in the lockout

The red lockout box is secured with multiple fastenings... each one requires a different approach. Social media, physical maps, crossword puzzles, and ongoing WhatsApp intel from the SOC all play a role. This is where teams either pull together or descend into chaos.

Multiple parallel threads

The Break In isn't linear

Unlike other ESC scenarios, your team can tackle elements in different orders - but there are dependencies, and skipping the SOC communication will derail things later on. The game rewards good incident response behaviour and punishes bad habits. That's the point.

⎯ Learning outcomes

What your team takes away

The Break In covers the full stack of OT security failures - from weak passwords on physical access points to default credentials on critical systems. Every mistake in the game reflects real-world mistakes that cause real incidents in real facilities.

Password Security

Weak credentials don't just increase risk in the abstract - in The Break In, they open the door. Literally. Players encounter bad password habits across multiple puzzle layers, each time experiencing the direct operational consequence of a credential failure rather than being told about it in a slide.

IEC 62443 ⋅ NIST CSF PR.AA ⋅ NIS2 ART.21 ⋅ NCSC CAF B3

Physical Security

Tailgating, cloned access cards, unsecured spaces - the scenario shows how physical security failures are the entry point for OT compromise. Players trace the attacker's route through the facility and discover exactly how the breach began long before any digital system was touched.

NCSC CAF B1 ⋅ ISO 27001 A.7 ⋅ IEC 62443-2-1

Removable Media

There's a USB in the lockout box. It doesn't need to be plugged in. Teams that plug it in anyway discover something memorable waiting for them... a pointed reminder that unknown removable media in an OT environment isn't a curiosity, it's a threat vector. The lesson arrives without a single word from the facilitator.

IEC 62443 ⋅ NIST CSF PR.PT ⋅ NCSC CAF B4

Digital Footprint & OSINT

The attacker did their research before setting foot in the facility. Players discover how publicly available information - social media posts, LinkedIn activity, shared photos - gave the attacker everything they needed to plan the breach. The company's own marketing team contributed more than they realised.

ISO 27001 A.6.3 ⋅ DORA ART.13 ⋅ NCSC CAF A1

⎯ what makes this different

The SOC is live on WhatsApp.

Every other escape room ends at the props on the table. The Break In doesn't. From the moment your team makes contact, a live SOC thread opens on WhatsApp... and it stays open for the duration.

Ash from the SOC asks questions your team needs to answer accurately. Shares intel at the right moment. Challenges assumptions. And if your team skips the contact step and charges ahead, the consequences arrive later.

Action without communication equals consequences. That's not just a game rule. It's the central lesson of every OT incident that has ever escalated beyond what it needed to be.

⎯ built for OT

The only scenario built for industrial environments

The Break In is the only ESC scenario built specifically around operational technology and industrial control systems. The setting isn't incidental... it's the point. The scenario puts players in the role of an on-site response team at a critical national infrastructure facility, facing the kind of incident that OT security professionals spend their careers preparing for.

The puzzles, the OSINT trail, the physical security failures, the default credentials on the PLC... every element maps directly to the attack vectors that have caused real outages in real energy, utilities, and industrial facilities. The Break In is used by organisations who need their operational teams to understand what a cyber-physical incident actually looks and feels like under pressure.

It's also the scenario that generates the most post-session conversation among technical teams, because the attacker's route through the facility is disturbingly plausible.

  • Energy & Utilities

    Power generation, grid operators, water treatment. The core audience for this scenario.

  • Manufacturing & Industrial

    Facilities with ICS, SCADA or PLC environments where cyber-physical risk is real.

  • Healthcare & Critical Infrastructure

    Any sector where operational downtime has direct safety or service consequences.

  • Oil, Gas & Nuclear

    High consequence environments where incident response capability is a regulatory requirement.

  • Transport & Logistics

    Infrastructure operators where physical and digital security are deeply interconnected.

⎯ Who it's for

built for teams with real stakes

  • OT & ICS Security Teams

    The primary audience. Engineers, operators, and security professionals in industrial environments who need to rehearse incident response in a way that feels real... without the consequences of a real incident. The scenario is technically credible enough to challenge people who know their stuff.

  • On Site Operational Teams

    The people who would actually be first on the scene during an OT incident... not always security specialists, but the team expected to respond. The Break In gives them an experience of what that looks like before the real thing happens.

  • Cross-Functional Security & Operations

    Running The Break In with a mixed team, security alongside engineering alongside operations management, creates the shared language and incident response instincts that make real-world response actually work. Siloed teams who've never practiced together find this scenario particularly revealing.

  • Leadership with OT Responsibility

    Senior leaders overseeing critical infrastructure need to understand what a cyber-physical incident feels like under pressure, not just what it looks like in a post-incident report. The Break In is the most effective way to make that visceral rather than theoretical.

Good to know

The Break In requires a Wi-Fi connection for the tablet element and the live WhatsApp SOC interaction. In facilitated sessions we handle all the setup. For kit hire, we'll brief you on exactly what you need in place. The scenario also requires a WhatsApp-enabled phone or tablet to run the SOC thread. We include full setup instructions with every kit.

RECOMMENDED FOR

ENERGY ⋅ UTILITIES ⋅ MANUFACTURING ⋅ HEALTHCARE ⋅ NUCLEAR ⋅ OIL & GAS ⋅ TRANSPORT ⋅ CNI

⎯ the details

The numbers that matter

45 min

duration

Plus 15-20 minute facilitated debrief. Back-to-back rotations available for larger groups.

4

players per team

Minimum 2. Optimal at 4. Multiple kits can run simultaneously for bigger events.

1 table

space required

A standard meeting room table is all you need. Wi-Fi required for tablet and SOC interaction.

20 min

setup time

We handle everything. You arrive to a room that's ready to go.

50+

people in a day

With back-to-back rotations across multiple kits. We'll help you plan the logistics.

3

delivery options

Facilitated, Kit Hire, or Long-Term Rental. Details below.

⎯ how to run it

choose your delivery format

Recommended

facilitated sessions

We set everything up and run the full session. Our facilitators manage the interaction in real time - keeping the pressure on, guiding the narrative, and delivering a structured debrief at the end.

Professional facilitator included
High-energy, seamless delivery
Structured debrief session
Best for technical teams, leadership sessions, away days

Flexible

Kit hire

We ship you the complete kit including the tablet. You run the session using a pre-configured SOC thread. We'll brief you fully on setup so you're confident before your team walks in.

Complete kit including tablet
Host guide for smooth internal delivery
Pre-configured SOC thread
Best for multi-site OT security programmes

Sustained culture

long-term rental

Keep the kit year round for ongoing incident response rehearsal. Swap to different ESC scenarios throughout the year to cover different security topics without repeating the same experience.

Enterprise quality kit, yours to keep
Scenario swaps throughout the year
Training for internal hosts
Best for organisations with continuous OT security programmes

The games weren't just entertaining; they were a powerful tool for driving home critical security messages. We saw people discussing password managers, understanding social engineering risks, and becoming more cyber-aware. It's not just training - it's an experience that genuinely changes behaviour.

    Cyber Human Risk Manager, Scottish Power

⎯ Questions

Things people usually ask

Question

Do players need OT or ICS knowledge to participate?

No technical prerequisites required. The scenario is designed to be accessible to anyone on an operational or security team... from seasoned ICS engineers to general security awareness audiences. The OT context adds realism and urgency without requiring specialist knowledge to engage with.

Question

How does the live SOC WhatsApp thread actually work?

The SOC thread runs via WhatsApp and is pre-configured to guide teams through the key interaction points of the scenario... authenticating the team, sharing intel at the right moments, and applying pressure when things go quiet or steps get skipped. The consequences of ignoring the thread are built into the game.

Question

Why only 4 players instead of 5?

The Break In is more complex and more tactically demanding than the other ESC scenarios. At 4 players, teams are stretched enough to feel real pressure without having spare hands that dilute the urgency. It also mirrors realistic on-site response team sizes in most OT environments.

Question

Can it run without Wi-Fi?

No. The tablet and the SOC WhatsApp thread both require a Wi-Fi connection. We recommend using a guest network where possible. If your facility has strict network policies, get in touch and we'll work through what's needed.

Question

How does this count towards compliance and regulatory requirements?

The Break In supports requirements under IEC 62443, NIS2 (Articles 20–21), DORA (Article 13), ISO 27001 (Clauses A.6.3, A.7, A.8), and NIST CSF 2.0. It's particularly well suited to organisations subject to CAF (Cyber Assessment Framework) requirements. We can provide documentation for your audit trail.

Question

How does this compare with other ESC scenarios?

The Break In is the most technically complex and sector-specific of the four scenarios. It's the only one with a live digital element (the SOC thread and tablet) alongside the physical kit. If you're looking for a general workforce scenario, The Breach or The Heist are better starting points. The Break In is built for operational teams who face real cyber-physical risk.

⎯ Other Scenarios

Explore the Full Range

30 mins ⋅ 5 players

Flip the script. You're playing the attackers. A CEO's lost rucksack, a digital footprint wide open - exploit everything you can find and pull off the ultimate heist.

30 mins ⋅ 5 players

A ransomware attack. Five suspects. Five compromise paths. Crack the case, call the hackers live, and earn the decryption key before the clock runs out.

45 mins ⋅ 5 players

Victorian espionage. Modern lessons. Step into Sherlock's office to uncover who stole the factory blueprints - ciphers, contraptions and a suspiciously clever origami puzzle that brings encryption to life.

Ready when you are

Let's Book The Break In

Tell us your team size, your location, and your rough timeline. We'll come back to you with everything you need to make it happen.