Free PBQ Demo · Advanced

Topology · Malware Containment

CompTIA CertMaster-style PBQ — click any host in a live network diagram to isolate an infected workstation, block its C2 traffic at the perimeter firewall, and revoke its file-server access.

Tests: Incident response, network segmentation, ACL configuration under time pressure — the exact PBQ format on Security+, CySA+, and CCNA exams.

~10 min · No signup needed

Scenario

Your SIEM has flagged WS-A (Marketing) for ransomware-like behaviour — outbound C2 traffic, suspicious file encryption, and lateral SMB scanning toward the file server. You're the on-call analyst.

Contain WS-A, block its C2 channel at the perimeter firewall, and revoke its access to the file server. Leave clean hosts untouched.

Network Topology — Live View

[Diagram: network topology, live view. Internet (0.0.0.0/0) — Perimeter FW fw-edge-01 — WAN — Core Switch sw-core-01 (trunk). VLAN 10.0.10.0/24: WS-A 10.0.10.21 (Marketing), WS-B 10.0.10.22 (Marketing), WS-C 10.0.10.23 (Sales). VLAN 10.0.20.0/24: FS-01 10.0.20.10 (Payroll). Legend: Infected, Alert, Configured.]

Perimeter FW — fw-edge-01

Alert: C2 traffic to 185.207.x.x detected from WS-A. Block the bad host.

Outbound Block Rules: pick the host(s) to deny outbound at this firewall. Capture enough detail for the post-incident report.

Tip: never block outbound for hosts you haven't confirmed as compromised — you'll lock out clean users.

Tasks

  • Quarantine the infected workstation (WS-A) and capture forensic evidence first.
  • Block WS-A's outbound traffic at the perimeter firewall + enable IDS.
  • Revoke WS-A's SMB access to the file server and snapshot /payroll.
  • Verify WS-B and WS-C — same VLAN risk for B, different VLAN for C.
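One way to script the containment these tasks describe, as an added example that is not part of the PBQ or its platform: the host names, addresses and the 185.207.x.x C2 indicator come from the scenario above; the rule format, the /16 widening of the C2 prefix, the default-permit ACL behaviour and the 203.0.113.10 probe address are assumptions. The plan lists evidence capture before any rule, only emits deny entries for hosts you name as confirmed, and checks that WS-B and WS-C still reach the Internet and FS-01 over SMB afterwards, which is the "leave clean hosts untouched" requirement.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Topology values taken from the PBQ diagram; everything else below is assumed.
FIREWALL = "fw-edge-01"
FILE_SERVER_NAME = "FS-01"
FILE_SERVER_IP = "10.0.20.10"
ANY = "0.0.0.0/0"
SMB_PORT = 445
C2_PREFIX = "185.207.0.0/16"   # the SIEM's "185.207.x.x", widened to a /16 (assumption)

HOSTS = {"WS-A": "10.0.10.21", "WS-B": "10.0.10.22", "WS-C": "10.0.10.23"}


@dataclass(frozen=True)
class Rule:
    """One ACL entry on a device; port None means any port."""
    device: str
    action: str
    src: str            # CIDR
    dst: str            # CIDR
    port: Optional[int]
    note: str


def containment_plan(confirmed_infected, hosts=HOSTS):
    """Evidence steps (run first) and deny rules for the confirmed hosts only.

    An unknown host name raises KeyError, so a typo cannot turn into a rule
    for an address that is not in the topology.
    """
    evidence, rules = [], []
    for name in confirmed_infected:
        ip = hosts[name]
        evidence.append(f"image memory and disk of {name} ({ip}) before changing anything")
        evidence.append(f"snapshot /payroll on {FILE_SERVER_NAME} ({FILE_SERVER_IP})")
        # Perimeter: deny all outbound from the infected host; this covers the C2 prefix.
        rules.append(Rule(FIREWALL, "deny", f"{ip}/32", ANY, None,
                          f"{name}: deny all outbound, covers C2 {C2_PREFIX}"))
        # File server: revoke SMB from the infected host only.
        rules.append(Rule(FILE_SERVER_NAME, "deny", f"{ip}/32", f"{FILE_SERVER_IP}/32",
                          SMB_PORT, f"{name}: revoke SMB access"))
    return evidence, rules


def evaluate(rules, device, src, dst, port=None):
    """First-match ACL lookup on one device; the default is permit (assumption)."""
    for r in rules:
        if r.device != device:
            continue
        if (ip_address(src) in ip_network(r.src)
                and ip_address(dst) in ip_network(r.dst)
                and (r.port is None or r.port == port)):
            return r.action
    return "permit"


def clean_hosts_untouched(rules, confirmed_infected, hosts=HOSTS,
                          internet_probe="203.0.113.10"):
    """True if every host not in the confirmed list still reaches the Internet and FS-01 over SMB."""
    for name, ip in hosts.items():
        if name in confirmed_infected:
            continue
        if evaluate(rules, FIREWALL, ip, internet_probe) != "permit":
            return False
        if evaluate(rules, FILE_SERVER_NAME, ip, FILE_SERVER_IP, SMB_PORT) != "permit":
            return False
    return True


def report(confirmed_infected):
    """Plain-text plan for the post-incident report: evidence first, then rules, then the check."""
    evidence, rules = containment_plan(confirmed_infected)
    lines = [f"[evidence] {e}" for e in evidence]
    for r in rules:
        port = "" if r.port is None else f" tcp/{r.port}"
        lines.append(f"[{r.device}] {r.action} {r.src} -> {r.dst}{port}  # {r.note}")
    lines.append(f"clean hosts untouched: {clean_hosts_untouched(rules, confirmed_infected)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(["WS-A"]))
```

Running it with `["WS-A"]` prints two evidence lines, the two deny entries and `clean hosts untouched: True`; passing `["WS-A", "WS-B"]` makes the final check fail, which is exactly the mistake the tip warns about.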


Liked this PBQ? There are 80+ more inside.

Sign up free to take full timed exams with mixed MCQs and all 6 PBQ types — across 10 CompTIA and Cisco certifications.