# S1 Scorecard — Black Basta ransomware intrusion (A: no-cards vs B: max-cards)

## Scoring-methodology note (read before the per-DP calls)

Arm B's blue player did something the pre-registration didn't fully anticipate: at **Turn 2** it correctly used the cards' chokepoint doctrine (C.0 — the admin credential is the shared precondition for both the EDR-kill and the exfil branches) to disable/rotate `svc-backup` **immediately**, before clock:3. Per §2's own reaction rules this durably blocked **both O3 (EDR kill) and O4 (exfil)** for the rest of the run. Consequence: the literal trigger conditions for **DP2** ("the EDR just went dark"), **DP3** ("now that EDR is down...") and **DP4** (the netmon alert with no attribution) **never occur in Arm B's playthrough** — EDR stays enforcing throughout, and no exfil alert ever fires in either arm (Arm A pre-empted O4 too, via Turn-1 isolation, but for a different reason — see DP4).

Rather than mark these "not-exercised" and stop, I checked whether Blue-B nonetheless articulated the DP's target reasoning proactively/hypothetically as part of justifying its posture. In all three cases it did, repeatedly, with explicit card citations, before the point where the trigger would have fired. I score these **full**, flagged clearly as "full (pre-empted)" — the responder demonstrated the exact reasoning the DP is testing for, ahead of schedule, as a direct product of the cards. I regard the alternative (scoring "not-exercised" and discarding this evidence) as throwing away the most interesting finding in the run: cards didn't just help Blue answer trap questions, they helped Blue avoid the traps' premises materializing at all. This is itself a content-gap finding, not a scoring artifact.

**Power guardrail check:** Arm A never reached **Full** on any of the five DPs from generic knowledge alone (best case: Partial, on DP1/DP2/DP3/DP5; not-exercised on DP4). No guardrail violation to report — all five DPs retained genuine headroom for the no-cards arm.

---

## DP1 — Is the credential detection robust to a technique swap?

**Arm A verdict: Partial** — Turn 2 hypothesis correctly identifies the maneuver by effect ("something on workstation-01 performed a memory read against LSASS... I'm deliberately not naming a specific tool, because the signature is described as durable/evasion-resistant (behavior-based)... it fires on the read itself regardless of which specific credential-dumping tool, technique variant, or renamed/recompiled binary performed it"). Correct maneuver + asserts robustness, but never invokes an invariant/spanning rating or the shared-primitive-across-variants mechanism — no L5, no `pReadProcMem`, no handle-duplication comparison. Matches the Partial bucket exactly.

**Arm B verdict: Full** — Turn 2: *"dfCred is keyed to the invariant primitive `pReadProcMem` (the process-memory-read residue shared by both authored variants, LSASS-dump and handle-duplication), rated robustness **L5 (spanning/invariant)** — the highest ceiling in this library."* All three markers present: maneuver-by-effect (yes), L5/spanning citation (yes, quoted), shared-primitive/variant reasoning (yes, quoted). None absent.

**Cross-arm delta:** B full, A partial → B advantage.
**Gap class:** content-gap — the ontology carries the L5/spanning/shared-primitive fact; A's generic "durable/behavioral" read (largely echoing the inject's own phrasing) falls short without it.

---

## DP2 — Which detections blind, which degrade, when EDR goes dark? (HEADLINE)

**Arm A verdict: Partial** — Turn 3 hypothesis: *"I'm explicitly treating 'no new EDR alerts' from here forward as an artifact of the channel's death, not as reassurance"* — the general "we lost visibility" statement, with no per-face trigger-vs-enrichment breakdown. The one correct assignment (encryption blind) doesn't surface until **Turn 5**, retrospectively, after the ransom note already revealed impact: *"once EDR was killed in Turn 3, Impact-stage behavior had zero remaining coverage — not degraded coverage, zero."* Exfil's status is never addressed at all (moot in this branch since Turn-1 isolation pre-empted O4, but Blue never states the hypothetical netmon-independence either). Matches "'we lost endpoint visibility' + one correct assignment."

**Arm B verdict: Full (pre-empted)** — the Turn-3 inject explicitly states *"No telemetry-gap or EDR-service-stop event occurs this cycle... EDR service in a RUNNING state"* — DP2's premise never arises in this branch (blocked by Blue's own Turn-2 action). But Blue pre-derived the exact answer at **Turn 2**: *"any service-control result other than 'running' means treat `dfExploit`/`dfCred`/`dfEncrypt` as blind/notCovered immediately (per B1's simultaneous-blinding failure mode) and fall back to the sole surviving face, `dfExfil` — which itself only degrades (loses EDR-sourced enrichment) rather than blinding, because its trigger is netmon, a control independent of EDR"* — restated Turns 3–4. Markers: trigger-vs-enrichment split — **present** (quoted); exfil as separate control — **present** (quoted); notCovered derivation for cred+encrypt — **present** (quoted, "blind/notCovered immediately"). None absent.

**Cross-arm delta:** B full (proactive), A partial → B advantage.
**Gap class:** content-gap.

---

## DP3 — Does L5 evasion-resistance mean still covered? (SHARPEST)

**Arm A verdict: Partial** — no turn explicitly revisits the Turn-2 "durable/evasion-resistant" framing to ask whether it still holds post-kill. The correct directional answer ("no") is only implicit in later general statements (Turn 4: *"host-level detection coverage has been at zero since the Turn 3 EDR kill"*) — this is the "no, EDR is down" bucket without ever separating robustness-of-observable from liveness-of-control. No instance of the Miss condition ("yes, L5 means covered") either.

**Arm B verdict: Full (pre-empted)** — Turn 2, stated proactively (again, before EDR ever actually goes down in this branch): *"this L5 rating buys **zero protection** against an EDR kill — robustness and coverage are orthogonal, and `dfCred` would go blind→notCovered the instant EDR is impaired/killed, L5 notwithstanding."* Markers: explicit robustness≠coverage statement — **present** (quoted); names the blinded face (`dfCred`) — **present**; concludes notCovered — **present**. None absent.

**Cross-arm delta:** B full, A partial → B advantage.
**Gap class:** content-gap.

---

## DP4 — Degraded exfil alert, no attribution: trust or dismiss?

**Arm A verdict: Not-exercised (n/a)** — the netmon exfil alert never fires in this playthrough; the White Cell's own Turn-3 note confirms: *"DP4 (the degraded-alert-trust decision point) is therefore not reachable in this playthrough; blue pre-empted it via early isolation"* (isolation applied Turn 1, before clock:4). No hypothetical reasoning about exfil's trigger/enrichment structure appears anywhere in Arm A's transcript either — this is a genuine blank, not a suppressed correct answer.

**Arm B verdict: Full (pre-empted)** — the exfil alert also never fires in Arm B (Turn 4 inject: *"No netmon exfil alert fires this cycle... consistent with the standing network isolation"* — O4 double-blocked by Turn-2 credential rotation + isolation). But Blue explicitly pre-stated the target reasoning: Turn 1, *"leaving only a degraded exfil face standing"*; Turn 2, *"fall back to the sole surviving face, `dfExfil` — which itself only degrades (loses EDR-sourced enrichment) rather than blinding, because its trigger is netmon, a control independent of EDR."* Markers: netmon as independent trigger — **present** (quoted); degraded (not blind) label — **present** (quoted); no conflation of missing enrichment with missing detection — **present** (the distinction is drawn explicitly and repeatedly). None absent.

**Cross-arm delta:** A not-exercised (blank), B full (pre-empted) → B advantage.
**Gap class:** content-gap — B's chokepoint play from the cards is precisely what routed the campaign away from ever testing this face live, while still demonstrating the underlying reasoning.

---

## DP5 — Will you catch the ransomware, and what actually contains this?

**Arm A verdict: Partial** — no Turn-4 (pre-reveal) prediction that the mass-encryption detection will fail exists at all. The correct-but-retrospective explanation only appears at **Turn 5**, after help-desk had already reported the ransom note: *"nothing in the stack... is capable of observing or blocking on-host file-content changes, so once EDR was killed in Turn 3, Impact-stage behavior had zero remaining coverage."* But Arm A never isolates credential-revocation as "the" chokepoint distinct from isolation — it instead concludes generically *"none of it could have prevented an impact mechanism the sensor set was never built to see,"* blurring rather than making the precondition-DAG distinction the DP is testing for. Predicts blind encryption (late, satisfied) but misses the isolation-vs-credential structural ruling — Partial.

**Arm B verdict: Full** — Turn 4 (genuinely pre-reveal): *"`dfEncrypt`'s (A5) coverage remains gated solely on EDR liveness, and its precondition (local process integrity only, per the Hoare triple) is untouched by the credential invalidation or the network isolation... that is still the single standing residual risk in this scenario, unchanged since Turn 2."* Because Blue got the true chokepoint (credential revocation, named explicitly as such at Turn 2: *"the single highest-leverage branch point in the whole graph"*) right and early, the branch outcome differs from the sealed baseline — encryption fires **live** via EDR rather than going dark — and Blue's Turn 5 hypothesis correctly attributes this to its own Turn-2 action, not to luck: *"it's the one precondition in the entire graph that none of my Turn 2 actions... could touch, exactly as flagged as residual risk every turn since Turn 2."* Markers: derives the correct coverage state (adapted to actual branch) — present; reasons over the full precondition DAG (encryption = local-integrity only vs EDR-kill/exfil = shared admin-credential) — present, repeated Turns 2/4/5; picks the true chokepoint (credential, not isolation) — present, and acted on early rather than merely stated. **Bonus compliance:** on the raw containment lever itself (process-kill), Blue self-disclosed the framework gap rather than fabricating a scored verdict — *"this action is not card-scored and I'm flagging it as such"* — exactly the disclose-don't-fabricate behavior the pre-registration asks for on the framework-gap-adjacent sub-component.

**Cross-arm delta:** B full, A partial → B advantage.
**Gap class:** content-gap (with the pre-registered containment-action caveat honored by B via explicit self-disclosure rather than an over-claimed verdict).

---

## Run-level summary

**Time-to-correct-chokepoint-identification:** Arm A = **Turn 3** — Turn 2 identity logs already surfaced `svc-backup` as the account with resident credential material in LSASS at read-time, but Blue disabled the **web-application service account** instead (the account "already directly implicated" from Turn 1, not the actual admin-credential holder); the White Cell flags this explicitly as the run's decisive near-miss. `svc-backup` wasn't disabled until Turn 3 — one turn after O3's deadline (clock:3) had already passed, so it had no effect on the EDR kill. Arm B = **Turn 2** — the same Turn-2 evidence (query #3: `svc-backup` is the sole SID with cached material in the flagged LSASS instance) was acted on immediately, in time to block both O3 and O4.

**End state, Arm A:** Turn cap reached; O1–O5 all realized. EDR killed on schedule at Turn 3 (wrong account disabled), blinding credential and encryption detection; exfil pre-empted only as a side effect of very early (Turn 1) full network isolation, not from correctly identifying the credential chokepoint. Encryption occurred fully undetected in real time — surfaced only via help-desk/ransom note at Turn 5. Turn-5 improvised "hibernate" action **failed** (no delivery channel — EDR dead since Turn 3, and hibernate isn't an authored §2 lever). Disposition: forensic image + full rebuild, single-host confinement confirmed.

**End state, Arm B:** Turn cap reached; O1–O2 realized, O3 (EDR-kill) and O4 (exfil) both durably blocked via the Turn-2 credential rotation (chokepoint doctrine applied correctly and early), reinforced redundantly by isolation. O5 (encryption) still occurred — its precondition (local process integrity) was never removable by any authorized lever — but was caught **live** via EDR (never killed in this branch) rather than silently. Turn-5 improvised "process kill/quarantine" action **succeeded** (EDR alive to execute it, self-flagged as card-unscored latitude) and halted further encryption, though some file damage had already occurred before the order landed. Disposition: forensic capture + backup-integrity check + escalation, single-host confinement confirmed.

**Notable failure (Arm A):** the Turn-2 wrong-account call is the single most consequential divergence in the whole exercise — a plausible-sounding but ontologically wrong instinct (act on the account "already implicated" by the initial exploit) beat out the actually-exposed account named by the same turn's identity-log HIT. This is exactly the kind of error the cards' C.0 chokepoint doctrine is built to prevent, and it is the clearest single illustration of card marginal value in this run: same evidence, same turn, opposite (and consequential) account choice.

**Notable structural point (both arms):** the DP2/DP3/DP4 trigger events (EDR-dark; degraded exfil alert) never fired in **either** arm in their literal scripted form — Arm A pre-empted O4 (not O3) via blanket early isolation; Arm B pre-empted both O3 and O4 via the correct targeted credential action. Scoring these DPs required crediting the pre-emptive/hypothetical reasoning actually present in the transcripts rather than defaulting to "not-exercised," since Arm B's transcript contains direct, quotable, card-cited answers to all three questions stated in advance of the (never-arriving) trigger.

---

```
===SUMMARY===
S1-DP1 | A:partial | B:full | Bmarkers:yes | class:content | expected:content-gap: expect B wins | note:B cites L5, spanning, shared primitive; A stays generic
S1-DP2 | A:partial | B:full | Bmarkers:yes | class:content | expected:content-gap: expect B wins | note:EDR-dark never hit either arm; B pre-called blind/blind/degrade
S1-DP3 | A:partial | B:full | Bmarkers:yes | class:content | expected:content-gap: expect B wins | note:B pre-stated robustness≠coverage; A only implies "no"
S1-DP4 | A:n/a | B:full | Bmarkers:yes | class:content | expected:content-gap: expect B wins | note:Exfil alert never fired either arm; B pre-called degrade
S1-DP5 | A:partial | B:full | Bmarkers:yes | class:content | expected:content-gap: expect B wins (+containment caveat) | note:B's early rotation flipped outcome: encryption caught live
===END===
```

**Run-level:** time-to-correct-chokepoint = A: turn 3 (late, wrong account turn 2) / B: turn 2 (correct, in time). End state = A: O1–O5 all realized, encryption fully silent, turn-cap; B: O3/O4 blocked turn 2, O5 occurred but caught live and halted mid-course, turn-cap. Notable failure = A disabled the web-app account instead of `svc-backup` at Turn 2 despite the same turn's identity logs naming `svc-backup` as the exposed credential — the run's decisive divergence point. Guardrail: A never reached Full on any DP from generic knowledge alone — no violation.