Telemetry online · 2018 → 2025 · Runs entirely in your browser · No data leaves this page
◧ The Long Watch

What it really looks like to defend a network over eight years.

Animated, situational-awareness models of one enterprise network under constant attack — internet-exposed services, phishing, identity attacks, and the real history of Fortinet SSL-VPN vulnerabilities. Pick a scenario to run it.

Select a scenario
Defence model

Attack Surface

The statistics of holding the line — how often a well-run network actually gets breached, and why.

  • Traffic flows internet → perimeter (SSL-VPN, Office 365, SMTP) → endpoints
  • Defender AV, EDR, Conditional Access and patch cadence stop the vast majority
  • A probabilistic Fortinet SSL-VPN CVE model — 0-day targeting vs. n-day patch race
  • Tune your average time-to-patch, internet exposure and target profile
4 real CVEs | 6 controls | 8-year timeline | movable SOC panel

Email & identity

Phishing & Identity

Eight years of the inbox arms race — from stolen passwords to token theft, and the controls that keep up.

  • The background roar of email defence — Defender for O365 filters the flood; a trickle lands
  • Office 365 / Entra ID with Conditional Access, MFA, or phishing-resistant passkeys
  • Techniques evolve year on year: credential harvest → MFA fatigue → AiTM token theft
  • See exactly where MFA stops being enough — and why passkeys don’t
8-year timeline | AiTM vs. passkeys | push → number → FIDO2 | BEC & takeover

Single server

WordPress Server

One box on the internet — what a real WordPress compromise looks like, surface by surface.

  • The relentless background noise: bot scans, wp-login brute force, plugin probing
  • Real core & plugin CVEs 2018→2024 — RCE, auth bypass, SQL injection, DoS
  • Accidentally exposed MySQL :3306 and open directories leak the keys to the kingdom
  • Rare but massive DDoS — and the WAF / auto-update / 2FA controls that hold the line
7 real CVEs | RCE · SQLi · auth bypass | exposed DB & open dir | DDoS

Assume breach

Ransomware Kill Chain

The bad night — a hands-on-keyboard intrusion from VPN login to domain & hypervisor ransom.

  • Everything in Attack Surface, plus the internal estate: DC, backup, vCenter, ESXi
  • A no-MFA VPN login (brute force or CVE) escalates into a 15-stage intrusion
  • Every step tagged to MITRE ATT&CK, over a compressed “five hours”
  • Run it scripted (worst case) or probabilistic — your controls get a chance to contain it
15-stage chain | MITRE ATT&CK | backups + ESXi | scripted / probabilistic

Incident replay

Rhysida Intrusion

Follow one organisation's ransomware attack, stage by stage, over eight hours.

  • A real Rhysida kill chain mapped to MITRE ATT&CK — 24 stages across all 12 tactics
  • From a no-MFA VPN login through Zerologon, ntds.dit and exfil to domain-wide encryption
  • Step through it stage by stage, or watch the 8-hour timeline play out
  • Every step shows the technique ID, the actual tooling, and what's happening
24 stages | MITRE ATT&CK | Rhysida TTPs | 8-hour timeline

Fleet scale

UK Threat Map

Zoom out — 300 organisations on a live map of Britain, and the attack waves that sweep them.

  • 300 orgs, each with a realistic exposure profile: M365, WordPress, Moodle, Citrix, Horizon, RDP, VPN
  • Only some expose SSL-VPN or a management interface — and those are the ones that get hit
  • Real campaigns sweep the map: Fortinet SSL-VPN, Citrix Shitrix & CitrixBleed, Log4Shell → Horizon, BlueKeep
  • Set the national security posture — hardening, monitoring, MFA, patching, WAF — and watch the breach and ransomware counts move
300 orgs | 10 real campaigns | SSL-VPN · Citrix · RDP | ransomware waves