Teaching security concepts through play.
Mansfeld-Südharz, Germany - November 25, 2025
The first thing you notice inside Laboratory 3 of the Anhalt-Bitterfeld vocational school is the smell: a faint mixture of acetone and anticipation. The benches that once held titration stands now support a row of battered ThinkPads whose fans spin like distant cicadas. The lights are off, the blinds drawn, and the only illumination comes from a single red LED strip that pulses in Morse-like intervals. Somewhere in the ceiling a Raspberry Pi is broadcasting a Wi-Fi network called “DC-42_BREACH” and every time the LED flashes the network name flickers to “_DC-42_BREACH_93%”. That is the cue: the students have fifteen minutes to stop a fictitious chemical plant from venting toxic gas, and the only weapons they possess are a folder of scrambled log files, a bash terminal decorated with neon-green stickers, and the collective memory of yesterday’s lesson on regular expressions. No teacher speaks; the story speaks instead, and the story is written in packet captures.
The premise is deliberately cinematic: a disgruntled intern has hijacked the plant’s SCADA lane through an exposed engineering workstation and scheduled a valve purge at 14:30 sharp. The pupils’ task is to reconstruct the kill-chain, find the cron job that triggers the purge, and neutralise it without shutting down the legitimate heating loop that keeps the reaction vessel stable. What sounds like a Hollywood subplot is in reality a forty-five-minute capstone designed by the Cyber Resilience Alliance to compress an entire semester of security fundamentals into one adrenaline burst. The narrative wrapper is not cosmetic; it is pedagogical. By embedding DNS tunnelling, privilege escalation and time-based logic bombs inside a plot they already care about, the students internalise abstraction layers without noticing the abstraction. The chemical plant is fictional, the pressure is real, and the clock is merciless.
Building the set required less hardware than a typical science-fair project. A recycled Siemens PLC donated by a local margarine factory runs a stripped-down ladder programme that opens and closes a transparent acrylic valve filled with coloured water. The valve is monitored by a five-euro flow sensor wired to an ESP32 that publishes MQTT messages to a Mosquitto broker on the same Raspberry Pi hosting the malicious Wi-Fi. When the students finally grep the cron table and comment out the malicious line, the LED strip switches from red to green, the valve motor stops, and the water column freezes mid-air like a snapshot of victory. The entire apparatus fits into a flight case the size of a trumpet box, meaning the escape room can be loaded into a teacher’s trunk and reassembled in any classroom with two power sockets and a WLAN password. The bill of materials is published under Creative Commons; schools as far away as Vilnius have already forked the repository and translated the dialogue into Lithuanian.
The pedagogy is built on stealth repetition. Each puzzle appears to be a plot device but is in fact a variation of a canonical MITRE technique. The first riddle involves a base64-encoded payload hidden inside an innocent-looking HTTP 404 page; decoding it reveals the IP address of the SCADA gateway. Later, the students discover that the intern’s user account has been added to the docker group—an invitation to escalate privileges by mounting the host filesystem inside a container. They must recognise the anomaly, craft a counter-injection script and schedule it through the same cron mechanism they are trying to sabotage, thereby practising both offence and defence in a single breath. Nothing is explained in advance; the log lines are the curriculum, and failure is part of the syllabus. When a valve opens too early, the coloured water spills into a transparent catch tank labelled “Environmental Damage: 480 000 €” and the room falls silent. The number is not arbitrary; it is the actual penalty a regional chemical SME paid after a similar incident in 2019, extracted from public court records and anonymised. The shock of real cost cements the lesson more deeply than any slide deck could.
"We do not teach commands; we teach consequence—every spilled drop of coloured water is a contract that never gets signed."
Assessment happens invisibly. Every command the students type is mirrored to a GitLab instance that timestamps each action and compares it against a gold-standard trace. A Python diffing engine produces a competence matrix: regex usage, file-carving accuracy, privilege-boundary awareness, time-to-containment. The teacher receives a one-page PDF minutes after the session ends, but the students never see a grade; instead they get a QR code that links to a digital badge compatible with the European Cyber Skills Framework. The badge does not certify mastery; it certifies exposure, a subtle but important distinction that keeps the activity inside curricular time rather than extracurricular competition. The first cohort of 17-year-olds who completed the room in June scored 34 % higher on the state-wide IT security module three weeks later, a delta that academic partners are now studying for longitudinal significance, but we present the figure only as an observation, not a promise.
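One way such a trace comparison could work, as an added illustration that is not the Alliance's diffing engine or code from its repository: each command is mapped to a skill label, the label sequence is aligned against a gold-standard sequence, and the time to the containment step is measured. The rule table, the label names and both traces are constructed assumptions, and file-carving accuracy is left out.

```python
import difflib
import re
from datetime import datetime

# Hypothetical rule table: first matching pattern decides the skill label.
RULES = [
    ("contain", re.compile(r"crontab\s+-e")),
    ("cron_inspect", re.compile(r"crontab\s+-l")),
    ("priv_check", re.compile(r"getent\s+group|^(id|groups)\b")),
    ("decode", re.compile(r"base64\s+(-d|--decode)")),
    ("regex", re.compile(r"\b(grep|sed|awk)\b")),
]

# Constructed gold-standard order of skills for the scenario.
GOLD = ["decode", "regex", "priv_check", "cron_inspect", "contain"]

# Constructed student trace: (ISO timestamp, command as typed).
STUDENT = [
    ("2025-11-25T14:15:00", "ls logs/"),
    ("2025-11-25T14:16:10", "base64 -d logs/404.b64"),
    ("2025-11-25T14:18:30", "grep -E 'purge|valve' logs/scada.log"),
    ("2025-11-25T14:23:40", "crontab -l"),
    ("2025-11-25T14:26:00", "crontab -e"),
]

def label(cmd):
    """Return the skill label for one command, or 'other' if no rule matches."""
    for name, rx in RULES:
        if rx.search(cmd):
            return name
    return "other"

def competence(gold, trace):
    """Align the trace's labels with the gold sequence and score the session."""
    times = [datetime.fromisoformat(t) for t, _ in trace]
    labels = [label(c) for _, c in trace]
    sm = difflib.SequenceMatcher(a=gold, b=labels, autojunk=False)
    hit = set()
    for blk in sm.get_matching_blocks():  # gold steps performed in the expected order
        hit.update(gold[blk.a:blk.a + blk.size])
    done = next((t for t, l in zip(times, labels) if l == "contain"), None)
    return {
        "steps": {s: s in hit for s in gold},
        "order_similarity": round(sm.ratio(), 2),
        # None means the purge was never neutralised during the session.
        "time_to_containment_s": (done - times[0]).total_seconds() if done else None,
    }
```

For the constructed trace the student never checks group membership, so the privilege-boundary step is reported as missed even though containment succeeds.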
Perhaps the most surprising outcome is teacher confidence. Instructors who once feared the command line now volunteer to extend the storyline. One chemistry teacher, whose previous digital pinnacle was a smart-board timer, rewrote the PLC logic to introduce a fake pressure sensor that misleads students unless they calibrate the offset manually. Her patch was merged into the main branch and is now credited in the README under her GitHub handle, an act of open-source authorship that reverberates through staff meetings louder than any policy memo. The escape room has become a staff-development Trojan horse: educators think they are decorating a game, but they are actually learning version control, YAML syntax and the difference between TCP and UDP without noticing the vocabulary creep. By December the Alliance will publish a train-the-trainer kit that compresses the entire deployment workflow into a six-hour workshop, ensuring that the bicycle can keep rolling even when the original builders have moved on.
Scaling beyond the county border is already under way. The narrative is location-agnostic—chemical plants are everywhere in Europe’s rust belts—but the props are deliberately low-cost and the IP is unencumbered. The only hard requirement is a teacher willing to act as dungeon master for forty-five minutes, a role that demands no programming skill beyond reading a bash script aloud and no theatrical skill beyond dimming the lights at the right moment. The rest is copy-paste: flash the SD card, bolt the valve to the bench, hand out the log folder. The story does the teaching; the hardware only keeps the score. If we succeed, the phrase “escape room” will quietly shift from entertainment to curriculum, and the county that once taught Europe how to make synthetic rubber will teach it how to synthetic-proof its own digital pipelines.
The Cyber Resilience Alliance is a public-private partnership established in 2025, led by CypSec, Validato and the County of Mansfeld-Südharz. The Alliance operates a sovereign private-cloud security stack, a shared SOC and a cyber academy, aiming to make Mansfeld-Südharz the reference site for rural cyber resilience by 2030.
Media Contact: Daria Fediay, Chief Executive Officer at CypSec - daria.fediay@cypsec.de.