SentinelMesh

LiveDemo

Cyber-Physical Defense Copilot — Powered by ASI-1

Scenario Active

Idle

Events:0

Events Ingested

→ idle

Anomalies

→ monitoring

Threat Level

Active Zones

0/10

Devices Online

→ all healthy

ASI Status

0complete

Event Stream

No telemetry data

Select a scenario to begin streaming telemetry events

Assets

Facility Map

Normal Warning Alert

ATT&CK Kill Chain

4/5 Stages

🔍

ReconTA0043

🔓

Initial AccessTA0001

⚙️

ExecutionTA0002

🔧

PersistenceTA0003

📤

ExfiltrationTA0010

⚠ Advanced persistent threat — 4 stages confirmed

Threat timeline renders with event data

⚠ Active Incident — Immediate Action Required

criticalmulti vectorINC-2026-0323-001

Coordinated Physical-Cyber Breach: Rogue IoT Device with Active Data Exfiltration in Lab 1

96%

Confidence

An unauthorized IoT device (MAC: aa:bb:cc:dd:ee:01, vendor unknown/spoofed) was physically connected to the Research Lab 1 network rack, injected malware into camera cam-l1-01 exploiting CVE-2024-3721, disabled surveillance, and exfiltrated 2.4 GB of sensitive research data to external IP 203.0.113.77 via encrypted TLS. Simultaneous off-hours motion detection and failed credential attacks confirm a premeditated, multi-stage intrusion by a skilled threat actor.

Root Cause

Physical security bypass allowed an unauthorized individual to access the Research Lab 1 network rack and deploy a rogue IoT device with pre-loaded malware. The device exploited CVE-2024-3721 (CVSS 9.1) in camera firmware 1.2.3 to disable surveillance, establish a persistent foothold, and exfiltrate data via a TLS-encrypted covert channel to a known APT-linked IP range.

Business / Safety Impact

CRITICAL dual impact: (1) 2.4 GB of potentially sensitive research data exfiltrated to a suspicious external destination; (2) Complete surveillance loss in Research Lab 1 creates a physical safety blindspot for personnel, hazardous materials, and equipment; (3) Potential regulatory compliance violations (data breach notification laws, NFPA 101) due to impaired safety monitoring systems.

Escalation:

CISO→Facility Director→Legal Counsel→Executive Leadership

Cyber AnalystAgent

Analysis

THREAT LEVEL CRITICAL — Active Data Exfiltration Confirmed. Key Technical Findings: Unknown Device (08:44:12): MAC aa:bb:cc:dd:ee:01 — vendor field spoofed using OUI randomization, classic IoT attack staging technique. IP 10.0.1.99 obtained via DHCP within 30 seconds of connection. USB Insertion (08:44:17): Five seconds after network registration — consistent with automated malware payload delivery. CVE-2024-3721 in firmware 1.2.3 allows root shell via crafted USB update. Camera Offline (08:44:31): Deliberate sabotage — surveillance blackout provides operational cover for physical intrusio...

Recommendations

Immediately isolate VLAN segment — quarantine all devices on 10.0.1.x subnet
Block 203.0.113.77 and full /24 subnet at perimeter firewall — APT-affiliated IP range
Initiate full packet capture for forensic analysis — preserve evidence before device reboot
Deploy threat hunting rules for CVE-2024-3721 exploitation indicators across all camera assets

Facility SafetyAgent

Analysis

PHYSICAL SECURITY BREACH — Research Lab 1 Compromised. Surveillance Blackout Analysis: cam-l1-01 offline from 08:44:31 creates a complete physical security blindspot in Research Lab 1. The 14-minute blackout window coincides precisely with the network exfiltration and motion detection events — this is not a coincidence. Physical Presence Confirmed: Motion detected at 08:45:50 during the exact camera blackout window. The attacker was physically present in Research Lab 1 during active exfiltration, suggesting data staging from local storage rather than remote-only operation. Access Control Im...

Recommendations

Lock down physical access to Research Lab 1 — require dual-factor badge entry effective immediately
Audit all badge access logs for Research Lab 1 in past 72 hours — identify tailgating or unauthorized entry
Activate backup camera coverage from adjacent hallway cameras (cam-corridor-01, cam-corridor-02)
Notify Facility Security Officer and initiate physical walkthrough with security personnel

Incident CommanderAgent

Analysis

COORDINATED MULTI-VECTOR ATTACK — EXECUTIVE BRIEFING REQUIRED. This incident represents a sophisticated, premeditated attack combining physical infiltration with advanced cyber exploitation techniques. Threat actor assessment: APT-level capability based on (1) Pre-staged rogue hardware with spoofed MAC, (2) Zero-second delay exploitation of known CVE, (3) Encrypted exfiltration to APT-linked infrastructure, (4) Active operator involvement evidenced by real-time credential attacks during exfiltration. Priority Sequencing: (1) STOP THE BLEEDING — exfiltration may still be active if firewall bl...

Recommendations

Activate Incident Response Plan immediately — declare P0 security incident and assemble IR team
Brief CISO and executive team within 30 minutes with this incident summary
Engage external digital forensics firm — preserve chain of custody for potential legal proceedings
Prepare regulatory breach notification — 72-hour reporting window may apply under applicable laws

What-If Simulator

Target: cam-l1-01

isolate device

-78%

Before96%

After18%

Effect timeline: 2–5 minutes

•Network threat neutralised — rogue device loses C2 channel

•Device quarantined to VLAN sandbox for forensic analysis

•Lateral movement to adjacent segments stopped immediately

Execute immediately — highest risk reduction with minimal operational downtime.

Report

Incident Report: Coordinated Physical-Cyber Breach: Badge Reconnaissance and Camera Admin Attack

Incident ID: INC-2026-0323-001

Timestamp: 23/3/2026, 9:15:00 am

Severity: 🔴 CRITICAL

Category: multi vector

Confidence: 96%

Executive Summary

Root Cause

Physical security bypass allowed an unauthorized individual to access the Research Lab 1 network rack and deploy a rogue IoT device with pre-loaded malware. The device exploited CVE-2024-3721 (CVSS 9.1) in camera firmware 1.2.3 to disable surveillance and exfiltrate data via a TLS-encrypted covert channel to a known APT-linked IP range.

Business / Safety Impact

•2.4 GB of potentially sensitive research data exfiltrated to a suspicious external destination

•Complete surveillance loss in Research Lab 1 — physical safety blindspot created

•Potential regulatory compliance violations (NFPA 101, data breach notification laws)

Escalation Path

CISO → Facility Director → Legal Counsel → Executive Leadership

Immediate Actions Required

1.Isolate rogue device — network quarantine effective immediately

2.Block IP 203.0.113.77 and full /24 subnet at perimeter firewall

3.Initiate full packet capture for forensic analysis

4.Deploy threat hunting rules for CVE-2024-3721 across all camera assets

5.Brief CISO and executive team within 30 minutes

MITRE ATT&CK Kill Chain

•Recon (TA0043) — Network reconnaissance detected

•Initial Access (TA0001) — Rogue IoT device physically connected

•Execution (TA0002) — CVE-2024-3721 exploited in camera firmware

•Persistence (TA0003) — Surveillance disabled, foothold established

•Exfiltration (TA0010) — 2.4 GB data sent via TLS to APT-linked IP