K0NSULT // ai-truth/ipIII/sentinel

K0NSULT Sentinel — attack / defense simulator

An interactive purple-team exercise. Pick a role, RED (attack) or BLUE (defence), and act from any node of the topology. The system scores defence by the evidence-first rule: every detection carries proof, and an attack with no detection is a GAP. Vectors are mapped to MITRE ATT&CK. This English page is a companion/intro; the live simulator runs on the Polish page.

exercise-log · staging · NOINDEX. This is a teaching model. Nodes, vectors and results are SIMULATION — no real targets, no payloads, no actions on anyone else's infrastructure. It is an isolated model. Consistent with the Rules of Engagement: real testing only after a signed RoE.
Play the whole network. Score defence, not spectacle.

Sentinel turns the evidence-first doctrine into a game loop. RED probes and compromises nodes; BLUE hardens and monitors. What BLUE cannot see becomes a measured GAP — the central risk indicator. The simulator is a didactic skeleton; the real exercise metrics are collected by the Exercise Board under a signed RoE.

▶ Open the live simulator (PL)

The model in one glance

RED / BLUE from every node

The topology (edge, mail gateway, WAF, web/API, identity/AD, endpoint, AI agent, database, backup, SIEM) can be played from any point. Attack or defend where you choose.

Turn-based

Each action costs a turn. Attacks succeed probabilistically; hardening lowers the odds; monitoring generates detection. State is deterministic and inspectable.

MITRE ATT&CK mapping

Each vector carries a technique ID (T1566, T1190, T1078, T1105, T1041, T1490, T1562) plus AI classes (prompt injection, agent hijack). Coverage is the scoreboard.

Evidence-first scoring

Detections earn points only when they carry proof (a synthetic hash artefact). GAP counts attacks BLUE never saw. "No proof = a gap, not a fact."

How the score is computed (evidence-first)

Hardening a node (a BLUE control) lowers the chance of a successful attack and turns on monitoring (detection). A node with active monitoring detects attack attempts and generates evidence; without monitoring, the attempt falls into GAP.

Kill chain as a game loop

RED: RECON → INITIAL ACCESS → FOOTHOLD → ESCALATION → LATERAL → OBJECTIVE
BLUE: HARDEN → MONITOR → DETECT (+proof) → CONTAIN → PROOF OF REPAIR
Auto kill-chain. A demo sequence (mail → WAF → AD → endpoint → DB → backup) lets a defender watch an unmonitored chain generate GAP after GAP — a vivid picture of blind spots.
Baseline harden. One click applies hardening + monitoring to all nodes, so BLUE can compare "before/after" detection.
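To make the scoring rule concrete, here is a minimal turn-based engine that plays the demo chain above once unmonitored and once after a baseline harden, and counts detections (with a synthetic proof artefact) versus GAP. This is an added illustration, not the Sentinel source; the success odds (0.7 unhardened, 0.3 hardened), the artefact format (a truncated SHA-256 over turn:node:technique), and the decision to play all six hops regardless of outcome are assumptions, not values the page states.

```python
"""Evidence-first scoring loop for the Sentinel model (added illustration).

Assumptions not taken from the page: the success odds (0.7 unhardened,
0.3 hardened), the proof format (SHA-256 over turn:node:technique), and
that the demo chain plays all six hops whether or not a hop succeeds.
"""
import hashlib
import random
from dataclasses import dataclass, field

# The demo sequence from the page, with the technique IDs the page lists.
DEMO_CHAIN = [
    ("mail", "T1566"), ("waf", "T1190"), ("ad", "T1078"),
    ("endpoint", "T1105"), ("db", "T1041"), ("backup", "T1490"),
]
BASE_ODDS = 0.7       # assumed: chance an attack on an unhardened node succeeds
HARDENED_ODDS = 0.3   # assumed: hardening lowers the odds


@dataclass
class Node:
    name: str
    hardened: bool = False
    monitored: bool = False


@dataclass
class Score:
    detections: int = 0                 # attempts BLUE saw, each with an artefact
    gaps: int = 0                       # attempts BLUE never saw
    compromised: list = field(default_factory=list)
    evidence: list = field(default_factory=list)  # (turn, node, technique, artefact)


def proof_artifact(turn: int, node: str, technique: str) -> str:
    """Synthetic evidence hash: no real telemetry, just a reproducible token."""
    return hashlib.sha256(f"{turn}:{node}:{technique}".encode()).hexdigest()[:16]


class Sentinel:
    def __init__(self, seed: int = 0):
        self.rng = random.Random(seed)  # seeded: state is deterministic and inspectable
        self.nodes = {name: Node(name) for name, _ in DEMO_CHAIN}
        self.turn = 0
        self.score = Score()

    def harden(self, name: str) -> None:
        """BLUE action, costs one turn: lowers the odds and switches monitoring on."""
        self.turn += 1
        self.nodes[name].hardened = True
        self.nodes[name].monitored = True

    def baseline_harden(self) -> None:
        """The one-click baseline: hardening + monitoring on every node."""
        for name in self.nodes:
            self.harden(name)

    def attack(self, name: str, technique: str) -> bool:
        """RED action, costs one turn. Monitored node -> detection with proof; else GAP."""
        self.turn += 1
        node = self.nodes[name]
        odds = HARDENED_ODDS if node.hardened else BASE_ODDS
        success = self.rng.random() < odds
        if node.monitored:
            self.score.detections += 1
            self.score.evidence.append(
                (self.turn, name, technique, proof_artifact(self.turn, name, technique)))
        else:
            self.score.gaps += 1
        if success:
            self.score.compromised.append(name)
        return success

    def auto_kill_chain(self) -> Score:
        """Play the demo chain mail -> WAF -> AD -> endpoint -> DB -> backup."""
        for name, technique in DEMO_CHAIN:
            self.attack(name, technique)
        return self.score

    def verified_points(self) -> int:
        """Evidence-first: a detection scores only if its artefact re-derives."""
        return sum(1 for turn, name, tech, art in self.score.evidence
                   if proof_artifact(turn, name, tech) == art)


def before_after(seed: int = 0) -> tuple:
    """Same seed twice: unhardened chain vs. baseline-hardened chain."""
    before = Sentinel(seed)
    before.auto_kill_chain()
    after = Sentinel(seed)
    after.baseline_harden()
    after.auto_kill_chain()
    return before, after


if __name__ == "__main__":
    b, a = before_after()
    print("before: gaps", b.score.gaps, "points", b.verified_points(),
          "compromised", b.score.compromised)
    print("after:  gaps", a.score.gaps, "points", a.verified_points(),
          "compromised", a.score.compromised)
```

Because both runs share one seed and hardening only lowers the threshold, every node that falls in the hardened run also falls in the unhardened one; the difference the defender is meant to see is the GAP column going from six to zero, and `verified_points` dropping if anyone edits an artefact after the fact.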

Mapping nodes to defence playbooks

Node                | Example RED vector (ATT&CK)                | BLUE control                            | ipIII playbook
Email Gateway       | Phishing — T1566                           | DMARC/DKIM, sandbox, FIDO2              | phishing
VPN / Edge          | Exploit public-facing application — T1190  | Patch SLA, MFA, geoblock                | vulnerabilities
Identity / AD       | Valid accounts — T1078                     | PAM, rotation, impossible travel        | ransomware
Endpoint            | Ingress tool transfer / loader — T1105     | EDR/XDR, allowlisting                   | ransomware
Database            | Exfiltration — T1041                       | DLP, encryption, tokenisation           | data leak
Backup / Point Zero | Inhibit system recovery — T1490            | Immutable 3-2-1-1-0, offline            | continuity
AI Agent            | Prompt injection / hijack                  | Tool firewall, sandbox, human approval  | agent hijack
SIEM / SOC          | Impair defenses — T1562                    | Log redundancy, alerts, immutability    | response board

The simulator is a teaching skeleton; scenarios and probabilities are simplified and marked SIMULATION. The real exercise metrics are collected by the Exercise Board.

Isolated model, no real targets. Sentinel never touches external infrastructure. It contains no payloads and no offensive instructions — only methodology (MITRE ATT&CK, kill chain) rendered as a scoreboard. Real attack/defense with a partner runs only under a signed RoE.