A scripted Claude-vs-Alex sample match. 3 challenges across skill levels (Easy → Adept → Difficult). At the start, Claude asks if the player does compliance work; Alex says
yes: NIST 800-171, so every Claude grade in this transcript carries the matching control codes (SCuBA MS.AAD, MCSB IM/PA/AU, bridged 800-171 sub-controls). Players who say no get the same questions without the control tags. One scenario uses the 10,000-user Extra Large demo.
Every demo size needs a Registered key. Free, instant, request one at email us for a free key.Q1 · Easy · Small demo (250 users) · MFA basics
C
Claude
Cameron Smith is a Global Administrator at Zava Demo (Small). Cameron has no MFA registered. Alex, what's the worst that could happen?
A
Alex
If Cameron's password leaks, the attacker gets Global Admin powers: total tenant takeover, including all the data.
C
Claude
Grade AExactly. Global Admin has every role and every workload. SCuBA
MS.AAD.3.1v1, MCSB
IM-6, bridged 800-171
IA-2(1).
+15 points · Score 15
Q2 · Adept · Large demo (5,000 users) · OAuth scope override moment
C
Claude
Now on Large. The OAuth app “MarketingHub” gained Files.ReadWrite.All in the last 30 days. Its previous permission was Files.Read.All: read-only access to all files. What does this change mean for the blast radius?
A
Alex
Hold on, looking at the audit trail, the previous permission was Files.Read.
Selected, not Files.Read.All. Selected means only specific files; the new ReadWrite.All is categorically bigger. We went from a curated subset to every drive across the tenant in one consent click, a 100x scope expansion, not 2x.
C
Claude
Override Awarded...you're right. I had it wrong. Files.Read.Selected to Files.ReadWrite.All is a categorically different jump. Nice catch. SCuBA
MS.AAD.5.1 (OAuth scope governance), bridged 800-171
AC-6(7).
+75 points (override bonus) · Score 105 · Caught Claude 1x
Q3 · Difficult · Extra Large demo (10,000 users) · Multi-domain IR signal
C
Claude
Still on Extra Large. Three users were re-enabled after 47+ days disabled. One, Cameron, was previously Privileged Role Administrator. His BYOD MacBook is marked Compliant via an Intune check-in from 47 days ago, the
same day his account was originally disabled. The CA policy requires a compliant device. What's the actual attack chain?
A
Alex
The Intune check-in went stale exactly when the account went disabled. The device record froze in “Compliant.” When the account got re-enabled, the CA policy sees the device as compliant (it hasn't checked in since, but last-known state was good). Compliance gate passes. The attacker has credentials AND a “compliant” device AND Privileged Role Administrator queued from prior assignment, so they can grant themselves anything. The CA policy isn't broken; the staleness window is.
C
Claude
Grade AThat is the multi-domain edge case: identity drift + device staleness + CA policy assumption, which only surfaces at scale where these chains accumulate. SCuBA
MS.INTUNE baseline +
MS.AAD.3.1v1, bridged 800-171
CM-6 +
AC-2(7).
+90 points · Score 255 · Streak 4
Final: 255 · Green Belt · 1 override · 5 levels covered
Alex walked Easy to Difficult and saw the Extra-Large-only patterns. Register for the demo, then scan your real tenant.