A journalist from a national newspaper calls your comms team. They have a source claiming your customer data is being sold on a dark web forum. They want a comment within the hour.

Your IT team discovers the breach is worse than expected — the attacker has had access for 2 weeks, not 3 days. Internal emails between board members discussing a recent acquisition are also compromised. Your regulator's hotline has left a voicemail asking for an urgent callback.

A class-action law firm has already contacted three of your major institutional clients. Your share price is down 8% since the news leaked. An employee posts on social media criticising the company's cybersecurity practices.

A primary school near one of the hospitals reports 40 children absent with flu-like symptoms today, up from a normal rate of 5. Three teachers are also sick. A parent has posted a viral TikTok claiming "something is being covered up."

Preliminary lab results (rushed) suggest a novel respiratory pathogen — not influenza, not COVID. Two more ICU admissions. The national health minister's office calls wanting a briefing. A private hospital in your region has begun turning away patients with respiratory symptoms.

Genomic results arrive early: the pathogen is a novel coronavirus variant with estimated R0 of 3.5. One of the original patients is a frequent international traveller who returned from Southeast Asia 10 days ago. WHO wants to be looped in. Your PPE stockpile is at 60% capacity.

HR informs you that the VP of Supply Chain has just booked a one-way flight to a country with no extradition treaty, departing Sunday evening. They have also requested emergency access to the company's contract management system — a system they do not normally access directly.

An investigative journalist has called your investor relations team asking about "irregularities in your supply chain procurement." They mention the same three suppliers named in the whistleblower complaint. Your quarterly earnings call is scheduled for next Wednesday.

Your internal audit team discovers that the kickback scheme is larger than initially reported — six suppliers, not three, totalling an estimated $4.2M. Two other senior managers appear to have been copied on relevant emails. Your largest institutional investor has requested an emergency call with the board chair.

Social media is flooded with reports of elderly residents in tower blocks without heating or lifts. A care home in the affected region has called 999 reporting that their generator has failed. Traffic lights are out across the city centre, causing gridlock that is blocking emergency vehicles.

Engineers report that one of the failed power stations has a cracked turbine blade — repair will take 72 hours minimum. The grid operator estimates partial restoration in 8 hours if the second station can be restarted, but there is a 30% chance of a wider cascade if they push the restart too aggressively. Gas suppliers warn that pipeline pressure is dropping.

Temperatures are forecast to drop to −12°C overnight. The military has offered 500 troops for humanitarian support but needs a specific tasking request within 2 hours. A water treatment plant in the affected area has lost power, and engineers estimate 6 hours before water supply is affected. The Prime Minister's office wants a public update by 14:00.

Your technical analysts confirm the video is AI-generated but cannot yet identify the source. Three major news networks have aired the clip with "unverified" caveats. Your Foreign Minister's scheduled bilateral meeting with the neighbouring country — planned for this week and critical for a trade deal — is now in jeopardy. Opposition politicians are calling for an inquiry.

A second deepfake drops — this time audio of your Defence Minister apparently discussing secret military deployments near the border. Intelligence services believe both fakes originate from a state-sponsored operation by a third country seeking to destabilise the region. The neighbouring country has recalled their ambassador for consultations.

Social media analysis shows a coordinated bot network amplifying both fakes with inflammatory commentary. Your population is split — 40% believe the videos are real despite official denials. A protest is forming outside the neighbouring country's embassy in your capital. Your intelligence service has evidence linking the operation to a specific foreign actor but releasing it would compromise a sensitive source.

Your local operations manager claims the report is "exaggerated" and that the monitoring organisation has an "anti-mining agenda." However, your own environmental team has flagged that they requested additional monitoring equipment 18 months ago and were denied due to budget cuts. Two ESG-focused institutional investors have emailed requesting an urgent meeting.

The host country's environment minister appears on national television demanding your company "take full responsibility." Health clinics downstream report elevated rates of gastrointestinal illness among children. An NGO has begun organising affected communities for a potential class-action lawsuit. Your company's ESG rating has been placed on review.

Internal documents surface (leaked by a former employee) showing that your local subsidiary knew about contamination risks 2 years ago but chose not to report them to headquarters. Your share price is down 12%. The host government is threatening to revoke your mining licence. Your board chair is asking what you plan to tell the AGM next month.

Your DPO confirms this qualifies as a reportable personal-data breach under GDPR. The 72-hour notification clock started when the scan flagged it — you now have roughly 68 hours remaining. Engineering has patched the endpoint, but you still need to determine how many of the 340 IPs were automated scanners versus targeted access. Your sales team has a product demo with a major prospect at 14:00 today.

Log analysis shows 12 of the 340 IPs made repeated, structured requests consistent with deliberate data harvesting. Those 12 IPs pulled configuration data for 87 client accounts. Three of those clients are in financial services with their own regulatory obligations. Your customer success team is asking whether they should mention anything during a routine quarterly review call happening in an hour.

One of the 87 affected clients has independently noticed unusual activity on their account and has emailed support asking if there was "any issue on your end." Your legal team has drafted two versions of the client notification: a minimal version and a detailed version. The CEO wants to know what will be in the regulator filing before it goes out. Engineering has found a second endpoint with the same misconfiguration, though no evidence it was accessed.

For the logistics team: Your CTO mentions that a competitor provider has quoted £780K for equivalent service, but they have no track record in your sector and references are thin. Finance has confirmed there is zero flexibility in the IT budget this year, but there may be room to commit to a longer contract term.
For the CloudOps team: Your finance director privately tells you the actual cost increase is 14%, not 22% — the extra margin was built in as negotiation room. However, this client accounts for 8% of your regional revenue and losing them would trigger a restructure.

For both teams: The logistics company's head of operations interrupts to say that a service outage last quarter cost them £150K in delayed shipments, and they expect the new contract to include stricter SLAs with financial penalties. CloudOps's engineering lead responds that the outage was caused by the logistics company's own misconfigured DNS records, and they have the support tickets to prove it.

For the logistics team: Your CEO has just told you that a major new retail client is onboarding next quarter, which will increase your infrastructure needs by 30%. You had not planned to mention this.
For the CloudOps team: Your sales VP emails to say a large competitor of the logistics company has approached CloudOps for a quote. Taking them on could more than replace the revenue, but there may be a conflict-of-interest clause in the existing contract.

Red Team prompt: A major comparison website has just announced it will increase commission rates by 40% for new digital insurers joining its panel. Your direct-to-consumer channel would need to compete head-on or pay the higher commission. Additionally, three of your best underwriters sit in the commercial motor team — if the book is exited, they will likely leave.
Blue Team: Respond to these challenges. You have 5 minutes.

Red Team prompt: The insurtech acquisition target has just lost its CTO and two senior engineers. Their claims platform runs on a bespoke tech stack that your IT team has no experience with. Due diligence also reveals that 60% of the insurtech's revenue comes from a single client. Meanwhile, interest rates have risen, increasing your cost of capital for the £35M investment.
Blue Team: Defend or adapt the plan. You have 5 minutes.

For both teams: The regulator has published draft guidance that would require all direct-to-consumer insurance products to include enhanced vulnerability assessments, adding an estimated £15 per policy in operational cost. Simultaneously, a competitor has announced it is entering the digital channel with a £50M marketing budget. The board wants a revised recommendation in writing by Friday — do you proceed, modify, or shelve each initiative?

For the Board: Midway through the ExCo presentation, the board chair interrupts to ask: "What is the current status of the Henderson project? I had coffee with their CEO last week and he seemed unhappy." This forces the ExCo to address the project delay whether or not they had planned to raise it proactively.
For the ExCo: You must now decide how much detail to share and how to frame the recovery plan.

For both teams: The company secretary passes the board chair a note: the firm's head of the consulting division (responsible for 45% of revenue) has handed in their resignation this morning, effective in 3 months. They are joining a competitor. The ExCo only learned about this 30 minutes before the meeting but chose not to include it in their update. The board now knows.

For the Board: You must now decide whether the current situation warrants any of the following: requesting a revised annual forecast, commissioning an independent review of the technology project, asking the CEO to present a retention plan within two weeks, or scheduling an extraordinary board meeting. You have 10 minutes to deliberate and communicate your decisions to the ExCo.
For the ExCo: Listen, respond to questions, and commit to specific actions and timelines.