An interactive purple-team exercise. Pick the role RED (attack) or BLUE (defence) and act from every node of the topology. The system scores defence by the evidence-first rule: every detection has proof, and an attack with no detection is a GAP. Mapped to MITRE ATT&CK. This English page is a companion/intro — the live simulator runs on the Polish page.
Sentinel turns the evidence-first doctrine into a game loop. RED probes and compromises nodes; BLUE hardens and monitors. What BLUE cannot see becomes a measured GAP — the central risk indicator. The simulator is a didactic skeleton; the real exercise metrics are collected by the Exercise Board under a signed RoE.
▶ Open the live simulator (PL)

The topology (edge, mail gateway, WAF, web/API, identity/AD, endpoint, AI agent, database, backup, SIEM) can be played from any point. Attack or defend where you choose.
Each action costs a turn. Attacks succeed probabilistically; hardening lowers the odds; monitoring generates detection. State is deterministic and inspectable.
Each vector carries a technique ID (T1566, T1190, T1078, T1105, T1041, T1490, T1562) plus AI classes (prompt injection, agent hijack). Coverage is the scoreboard.
Detections earn points only when they carry proof (a synthetic hash artefact). GAP counts attacks BLUE never saw. "No proof = a gap, not a fact."
Hardening a node (a BLUE control) lowers the chance of a successful attack and turns on monitoring (detection). A node with active monitoring detects attack attempts and generates evidence; without monitoring, the attempt falls into GAP.
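The loop described above (turn cost, probabilistic attacks, hardening that switches on monitoring, proof-bearing detections and the GAP counter), as an added, seeded Python sketch that is not the Sentinel simulator's own code; node names, the two odds values and the proof format are assumptions:

```python
import hashlib
import random

# Constructed example: a minimal evidence-first game loop. Probabilities and
# node names are assumptions, not the live simulator's values.
BASE_SUCCESS = 0.7       # attack success odds against an unhardened node
HARDENED_SUCCESS = 0.3   # odds after a BLUE hardening control is applied

class Sentinel:
    def __init__(self, seed=0):
        self.rng = random.Random(seed)   # seeded: state is deterministic and inspectable
        self.nodes = {n: {"hardened": False, "monitoring": False}
                      for n in ("email_gateway", "identity_ad", "database", "siem")}
        self.turn = 0
        self.detections = []   # (turn, node, technique, proof)
        self.gaps = []         # attacks BLUE never saw

    def harden(self, node):
        # BLUE control: costs a turn, lowers attack odds, turns on monitoring
        self.turn += 1
        self.nodes[node].update(hardened=True, monitoring=True)

    def attack(self, node, technique):
        # RED action: costs a turn, succeeds probabilistically; the attempt is
        # detected only if the node is monitored, otherwise it falls into GAP
        self.turn += 1
        state = self.nodes[node]
        odds = HARDENED_SUCCESS if state["hardened"] else BASE_SUCCESS
        success = self.rng.random() < odds
        if state["monitoring"]:
            # synthetic hash artefact: the proof that every detection must carry
            proof = hashlib.sha256(f"{self.turn}:{node}:{technique}".encode()).hexdigest()[:16]
            self.detections.append((self.turn, node, technique, proof))
        else:
            self.gaps.append((self.turn, node, technique))
        return success

    def scoreboard(self):
        # evidence-first rule: only detections with proof score; GAP is the risk indicator
        return {"detected": sum(1 for d in self.detections if d[3]),
                "gap": len(self.gaps),
                "techniques_seen": sorted({d[2] for d in self.detections})}

if __name__ == "__main__":
    g = Sentinel(seed=42)
    g.attack("email_gateway", "T1566")   # unmonitored -> GAP
    g.harden("email_gateway")
    g.attack("email_gateway", "T1566")   # monitored -> detection with proof
    g.attack("database", "T1041")        # unmonitored -> GAP
    print(g.scoreboard())                # {'detected': 1, 'gap': 2, 'techniques_seen': ['T1566']}
```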
| Node | Example RED vector (ATT&CK) | BLUE control | ipIII playbook |
|---|---|---|---|
| Email Gateway | Phishing — T1566 | DMARC/DKIM, sandbox, FIDO2 | phishing |
| VPN / Edge | Exploit public-facing — T1190 | Patch SLA, MFA, geoblock | vulnerabilities |
| Identity / AD | Valid accounts — T1078 | PAM, rotation, impossible travel | ransomware |
| Endpoint | Ingress tool / loader — T1105 | EDR/XDR, allowlisting | ransomware |
| Database | Exfiltration — T1041 | DLP, encryption, tokenisation | data leak |
| Backup / Point Zero | Inhibit recovery — T1490 | Immutable 3-2-1-1-0, offline | continuity |
| AI Agent | Prompt injection / hijack | Tool firewall, sandbox, human approval | agent hijack |
| SIEM / SOC | Impair defenses — T1562 | Log redundancy, alerts, immutability | response board |
The simulator is a teaching skeleton; scenarios and probabilities are simplified and marked SIMULATION. The real exercise metrics are collected by the Exercise Board.