Code Room
On-call · Medium
Question
Three employees report nearly identical emails: a 'shared document' link leading to a pixel-perfect clone of your SSO login page on a look-alike domain. Your IdP audit log shows two of them entered credentials AND approved an MFA push, and there are now active sessions for those two accounts from a datacenter IP range (not residential), accessing the internal wiki and a code repo. The attack landed 25 minutes ago. You're the on-call security engineer. Triage and contain.
What a strong answer looks like
Stop the bleeding first (mitigate), then form hypotheses from real signals. Separate root cause from symptom, communicate status as you go, and close with what prevents a repeat.
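The correlation step behind "stop the bleeding" for the scenario above, written as an added illustration (not part of the original question or rubric): it runs over constructed IdP audit events, flags accounts that logged in, approved an MFA push and hold a session from a datacenter range since the incident began, and lists the sessions to revoke first. The event field names, incident start time and datacenter range are assumptions.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed sample IdP audit events (not real log data); field names are
# assumptions to map onto your IdP's export schema.
AUDIT_EVENTS = [
    {"ts": "2024-05-01T08:30:00Z", "user": "dave", "event": "login.success", "ip": "192.0.2.5", "session": "s-0999"},
    {"ts": "2024-05-01T08:30:20Z", "user": "dave", "event": "mfa.push.approved", "ip": "192.0.2.5", "session": "s-0999"},
    {"ts": "2024-05-01T10:02:11Z", "user": "alice", "event": "login.success", "ip": "198.51.100.77", "session": "s-1001"},
    {"ts": "2024-05-01T10:02:40Z", "user": "alice", "event": "mfa.push.approved", "ip": "198.51.100.77", "session": "s-1001"},
    {"ts": "2024-05-01T10:04:50Z", "user": "bob", "event": "login.success", "ip": "198.51.100.78", "session": "s-1002"},
    {"ts": "2024-05-01T10:05:20Z", "user": "bob", "event": "mfa.push.approved", "ip": "198.51.100.78", "session": "s-1002"},
    {"ts": "2024-05-01T10:06:02Z", "user": "carol", "event": "login.failure", "ip": "198.51.100.79", "session": None},
    {"ts": "2024-05-01T10:07:30Z", "user": "erin", "event": "login.success", "ip": "192.0.2.9", "session": "s-1003"},
    {"ts": "2024-05-01T10:07:45Z", "user": "erin", "event": "mfa.push.approved", "ip": "192.0.2.9", "session": "s-1003"},
]
REPORTED_USERS = ["alice", "bob", "carol"]   # the three who reported the email
INCIDENT_START = "2024-05-01T10:00:00Z"      # constructed: roughly 25 minutes before triage
# Assumed hosting-provider block seen in the suspicious sessions (an RFC 5737 test range here).
DATACENTER_RANGES = [ipaddress.ip_network("198.51.100.0/24")]

def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def triage(events, reported_users, incident_start, datacenter_ranges):
    """Return {'contain': {user: [session ids]}, 'watch': [users]}.
    'contain': since incident start, credential login succeeded AND an MFA push was
    approved AND a session comes from a datacenter range (staff never log in from
    there). Reported users who do not meet that bar go to 'watch' for follow-up."""
    start = _ts(incident_start)
    seen = defaultdict(lambda: {"login": False, "mfa": False, "dc_sessions": set()})
    for ev in events:
        if _ts(ev["ts"]) < start:
            continue  # pre-incident activity is out of scope for this triage
        rec = seen[ev["user"]]
        rec["login"] |= ev["event"] == "login.success"
        rec["mfa"] |= ev["event"] == "mfa.push.approved"
        ip = ipaddress.ip_address(ev["ip"])
        if ev["session"] and any(ip in net for net in datacenter_ranges):
            rec["dc_sessions"].add(ev["session"])
    contain = {u: sorted(r["dc_sessions"]) for u, r in seen.items()
               if r["login"] and r["mfa"] and r["dc_sessions"]}
    watch = sorted(u for u in reported_users if u not in contain)
    return {"contain": contain, "watch": watch}

if __name__ == "__main__":
    plan = triage(AUDIT_EVENTS, REPORTED_USERS, INCIDENT_START, DATACENTER_RANGES)
    for user, sessions in plan["contain"].items():  # revoke first, then reset password and MFA
        print(f"REVOKE {','.join(sessions)}; reset password and re-enroll MFA for {user}")
```

The legitimate post-incident login (erin, office IP) and the pre-incident one (dave) are left alone, which is the check that keeps containment from turning into a company-wide lockout.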