Institution Profile

This information tailors the scenarios and AI-generated injects to your specific environment. It is not stored or transmitted.

Institution Details
Technology Stack — Select All That Apply
Microsoft 365 / Exchange: Email, Teams, SharePoint, OneDrive
Azure AD / Entra ID: Identity, SSO, Conditional Access
Canvas LMS (Instructure): Learning management system
Moodle LMS: Open-source learning platform
AWS / Cloud Infrastructure: S3, EC2, RDS, research workloads
Microsoft Copilot: AI assistant deployed to staff/students
ChatGPT / Shadow AI: No formal AI governance policy
Banner / SITS (Student Records): Student information system
Pure / Research Information System: Research outputs, grant management
Palo Alto / Fortinet (Firewall): Next-gen firewall / NGFW
Darktrace / SIEM: AI-powered threat detection
On-Premises Active Directory: Legacy AD, hybrid identity
Roles Present in the Room Today
Vice-Chancellor / President
CISO / Head of IT Security
Data Protection Officer
Registrar / COO
VP Research / PVC Research
Director of Communications
CFO / Director of Finance
University Solicitor / Legal
Lay Governor / Board Member

Choose Your Scenario

Select the scenario that best fits your exercise objectives. Each scenario is adapted to your technology stack.

Scenario 01 · Identity & Access
Operation Academic Phantom
Device code phishing via Microsoft 365 OAuth — compromised identity, lateral movement, data exfiltration
A sophisticated threat actor group (UNK_AcademicFlare) sends device code phishing emails impersonating UKRI grant notifications. A research administrator authenticates the code, granting the attacker persistent OAuth access to M365, SharePoint research data, and the connected Pure research information system. The attack escalates over 96 hours before detection — by which point 280GB of pre-publication research has been exfiltrated.
Recommended for M365 sites · HIGH SEVERITY · Azure AD / Entra ID · UKRI Notification · Research Data · OAuth Abuse
Scenario 02 · AI & Data Governance
The Copilot Disclosure
Microsoft Copilot queries student medical records stored in SharePoint — DSAR received, ICO complaint, media enquiry
A Wellbeing team member stores mental health case notes in a SharePoint folder with broad permissions. Microsoft Copilot — granted organisation-wide access — begins surfacing this data in response to staff queries about "student welfare". A student submits a DSAR. The DPO discovers Copilot has processed their medical data and the responses are stored in staff chat history. The ICO has received a complaint. The institution has no DPIA for Copilot. A journalist has made an enquiry.
AI governance scenario · ICO 72hr clock · Microsoft Copilot · GDPR Art.22 · DSAR · Reputational Risk
Scenario 03 · Ransomware & Business Continuity
ALPHV Targets the Academy
Ransomware via on-premises AD lateral movement — exam systems down, student record access lost, ransom demand
ALPHV/BlackCat gains initial access via a phishing email to an IT administrator. Using on-premises Active Directory lateral movement techniques — Pass-the-Hash, Kerberoasting, and GPO abuse — they achieve domain controller compromise within 48 hours. Ransomware is deployed across the network at 02:47 on the morning of final examinations. Banner student records are encrypted. Canvas is inaccessible. The exam timetable is lost. A £2.8M ransom is demanded. The Vice-Chancellor's office receives a call from the BBC.
BCP / DR scenario · CRITICAL SEVERITY · On-Prem AD · Banner / SITS · Exam Continuity · Ransom Decision
UCRF Tabletop Exercise — Confidential Report
Institution Name
Scenario: —
AjaCertX

Overall Resilience Band

Based on decisions made across all injects

Pillar Performance
Priority Gaps Identified
Recommended Next Steps — UCRF Action Plan
Turn This Into a Verified Gap-Closure Programme

AjaCertX delivers UCRF implementation support, ISO 27001 gap analysis, internal auditor training, and facilitated tabletop exercises with expert commentary. Scoped to your institution.

AjaCertX · contact@ajacertx.com · ajacertx.com · © 2026 AjaCertX. All rights reserved.
This report is generated from facilitator-recorded decisions during the tabletop exercise. It does not constitute a formal audit or legal opinion.
AI-Powered · World First · University Sector

The UCRF Tabletop Exercise Engine

The world's first AI-adaptive cyber tabletop built specifically for university leadership. Your tech stack. Your roles. Real scenarios. Live UCRF radar. Instant branded report.

AI-Adaptive Injects
Claude generates real-time injects based on your M365/Azure AD/Canvas environment. Not generic scenarios — your systems, your risks.
Live UCRF Radar
6-pillar resilience dashboard updates in real-time as your team makes decisions. The room watches your score build live.
Role-Specific Cards
VC sees governance pressure. CISO sees Azure AD logs. DPO sees ICO clock. Simultaneously. Just like a real incident.
Free for all institutions · No download · Runs in your browser