Backdoors & Breaches: New scenarios and adaptations

July 1, 2026

Last year at DASH 2025, we released a Datadog expansion pack of Backdoors & Breaches, the popular incident response card game by Black Hills Information Security. This year, we were back at DASH 2026 in the Security Zone with more card decks to give out and new scenarios to play. If you didn’t have a chance to attend DASH and get a deck from us, you can order the expansion pack or play using the online format. New to the game? Start with our Backdoors & Breaches Gameplay Guide.

While the core deck and Datadog expansion pack support endless scenario combinations, our team thought up four new starter scenarios (described below) based on trends we're actively tracking in today's threat landscape. We welcome you to use them as written, adapt them to fit your goals, or build your own from scratch. The Datadog expansion pack lets you run tabletop exercises using the monitoring and security tools already at your fingertips.

Photo: Backdoors & Breaches at DASH 2026

Game adaptations

The more we've facilitated and played the game, the more variations we've found that deepen the discussion.

While facilitating the game at DASH, Olivia Gallucci, a Datadog security researcher, decided to play an "open face" version. Instead of using detection cards to discover attack cards, she flipped the attack cards face-up, then asked questions like "Why do you think this detection would work?" and "Could this tool also be used to fix the issue?" This format worked well for groups with mixed security backgrounds, as it shifted the focus to a group discussion.

This year we also added screenshots of detection tools to help players visualize what a real detection might look like. If you're playing this game as a full incident response tabletop exercise and have existing logs that match the scenario, you can have players search through them to find the problem themselves.

We also included Consultant Cards as we played the game this year, highlighting members from SecurityHQ, one of our security partners. When a player uses the "Call a Consultant" detection card, the consultant provides in-game advantages, like revealing the initial access card. These real-life consultants also stopped by to play with DASH attendees.

Scenarios

Scenario 1

Your platform team recently integrated a popular third-party library into your build pipeline to accelerate feature delivery. Shortly after deployment, unusual API activity and resource usage patterns are flagged. An investigation reveals that long-lived API tokens are being used from unfamiliar environments with no corresponding developer activity.

  • Initial access: Backdoored software supply chain
  • Pivot and escalate: Credential store compromise
  • C2 and exfil: Snapshotting resources as exfil
  • Persistence: Additional credential creation

Scenario 2

A rapidly developed “vibe-coded” application is deployed with minimal security review, inadvertently exposing cloud credentials due to embedded secrets in client-side code. Unusual access patterns soon emerge from external sources, followed by signs of privilege escalation within the environment. Data access and movement blend in with normal cloud activity, making detection difficult.

  • Initial access: Unauthorized cloud access
  • Pivot and escalate: Identity and access management (IAM) policy abuse
  • C2 and exfil: Living off the cloud as exfil
  • Persistence: Backdoored role trust policy

Scenario 3

A new AI web application vulnerable to prompt injection is running in one of your Kubernetes clusters. Soon after, you observe unusual service behavior and privilege changes across the cluster, along with outbound traffic that is quietly routing through a trusted SaaS provider. You terminate the pod, but suspicious activity resumes.

  • Initial access: Cloud application compromised
  • Pivot and escalate: Kubernetes service account PrivEsc
  • C2 and exfil: Software as a service (SaaS) tunneling virtual private network (VPN) as C2
  • Persistence: Cloned Kubernetes credentials

Scenario 4

A routine update to your build pipeline introduces an unexpected change that goes unnoticed during deployment. Days later, investigators identify exposed credentials in a storage location and unusual outbound HTTPS traffic originating from systems that shouldn’t be communicating externally. While access points are quickly locked down, a previously unseen service continues running in the environment.

  • Initial access: GitHub Action compromised
  • Pivot and escalate: Credentials exposed in storage bucket
  • C2 and exfil: HTTPS as exfil
  • Persistence: Malicious service

How to get started playing

Are you eager to play with the Datadog expansion pack? If you didn’t get a physical deck at DASH, you can pick one up at the Datadog booth at future security conferences or purchase one from the online store. If you want to play with a distributed team, you can also play online.
