Section 1: The Problem — The Skills Gap Nobody Talks About
Most cybersecurity training teaches isolated tasks, and many professionals earn badges and certificates by completing narrowly defined labs. In a real SOC, however, everything happens at once: ransomware spreads across dozens of hosts, the CEO demands answers, Legal and PR press for guidance, and the team looks to you to lead. The gap isn’t knowledge of individual techniques like SQL injection detection; the gap is experience with the complete picture under pressure. That moment—deciding what to do first when everything is on fire—is where most practitioners freeze, not because they lack facts, but because they’ve never lived the integrated reality.
Section 2: The Solution — Welcome to ZombieCop.Run
ZombieCop.Run is a continuous, integrated combat simulation where you defend a real company—a 50‑person video game studio in San Francisco—against a sophisticated, AI‑driven attack. You operate inside a live, business‑context environment with real people, real systems, and real consequences. The mission begins quietly, and then the first alert fires. From that moment on, you are the security team, and every decision you make shapes the outcome.
Section 3: Complete Attack Lifecycle
Unlike platforms that break learning into disconnected episodes, ZombieCop.Run threads the entire kill chain into one continuous scenario. A phishing email leads to credential theft; lateral movement escalates to ransomware; a dark‑web leak triggers public scrutiny; crisis response unfolds across technical and business lanes. Everything is connected, simultaneous, and time‑sensitive. You won’t just learn what ransomware is; you’ll feel what it’s like when it threatens your company’s source code and the phone won’t stop ringing.
Section 4: AINA — The AI Adversary
AINA, the AI Network Adversary, does not follow scripts. It thinks like a real threat actor, adapts to your defenses in real time, pivots when you block an attack path, escalates when you look away, and continues until you stop it. Block a web exploit and AINA shifts to an exposed storage bucket; patch the server and it pivots to phishing; focus on one host and it spreads elsewhere. The result is a living opponent that forces you to think faster than the attacker.
Section 5: A Real Company With Real Stakes
ZombieCop.Run models a real organization instead of generic “victim” machines. You’ll work across 50 fully configured, containerized hosts mapped to employees and departments, with Linux workstations, WordPress, Tomcat, Jenkins, GitLab and GitHub, source code repositories, email, data stores, and segmented networks. Stopping ransomware on “Linux39” isn’t a checkmark; it’s saving HR from PII exposure and avoiding a GDPR incident.
Section 6: Security Meets the C‑Suite
Technical mastery alone isn’t enough. In ZombieCop.Run, you will justify isolation decisions to the CEO, coordinate breach notifications with Legal, handle media inquiries with PR, and brief the Board on options such as restoring from backups or negotiating a ransom. You will learn to translate technical reality into executive action while the clock is running.
Section 7: The Complete Picture in Context
ZombieCop.Run unifies offensive security, defensive operations, incident response, compliance, DevSecOps, and recovery. You experience how tactics interlock, why they matter, and when to use them. SQL injection is not an abstract lab; it is how the attackers got in. Lateral movement is not a tactic on a slide; it is the path to the file server that holds your game’s source code. GDPR is not paperwork; it is a legal deadline you must meet while restoring systems.
Section 8: Realistic Pressure
The simulation imposes true time pressure, including a 72‑hour ransomware countdown, a 72‑hour GDPR reporting window, and a product launch that cannot slip. Stakeholder pressure mounts as the CEO asks when work can resume, Legal demands a breach assessment, PR fields media calls, and the Board wants cost and impact clarified. Simultaneous threats unfold—encryption events, lateral movement on additional hosts, a leak site going live, social posts with stolen data, and a fresh phishing wave—forcing ruthless prioritization with incomplete information. Your actions carry consequences: delay isolation and the spread worsens; brief poorly and leadership makes the wrong call; miss the reporting window and liability increases; restore the wrong backup and data is lost.
Section 9: Built on Real Enterprise Technology
The range is instrumented with the tools defenders rely on in production. Wazuh serves as the XDR and SIEM layer for unified telemetry, real‑time detection, custom rules, and active response. Nessus Professional supports vulnerability assessment and prioritization. Jenkins and GitLab power DevSecOps with secure code scanning, image scanning, and secret detection, while every action maps to the MITRE ATT&CK framework to track coverage and gaps. Multi‑cloud visibility spans AWS, Azure, and GCP for IAM validation, misconfiguration discovery, and audit trail analysis. Malware operations leverage YARA and VirusTotal for detection and enrichment. Containers are first‑class citizens with Docker and Kubernetes security scenarios, and Zero Trust patterns include conditional access, MFA, device posture, and microsegmentation. You will use these tools under pressure to save a company.
Section 10: What You Will Master
Across more than one hundred connected exercises, you will practice reconnaissance and OSINT, application security and web exploitation, phishing and social engineering, lateral movement and Active Directory tradecraft, exfiltration and C2 detection, safe ransomware operations and recovery, dark‑web operations and evidence preservation, EDR and SIEM tuning, full‑spectrum forensics and incident response, container and Kubernetes hardening, CI/CD and supply chain security, cloud security and serverless analysis, DDoS resilience, Zero Trust and identity analytics, compliance mapping and reporting, and network, Wi‑Fi, and VoIP security. Every skill contributes to a single objective: save the company.
Section 11: Your Journey Through ZombieCop
The journey begins with foundation work in the Sphere, a sequence of 160 playbook‑based labs designed to build the precise skills you will need. This phase takes roughly 120 to 160 hours, progresses at your pace, and tracks mastery objectively. You then enter the ZombieCop.Run mission, a continuous 40‑ to 80‑hour scenario. In the first two weeks you conduct reconnaissance, launch and detect initial compromises, and see both red and blue perspectives. The third week focuses on lateral movement and containment under increasing pressure. The fourth week brings the ransomware crisis and public exposure. The fifth week is full incident response and recovery with forensics and legal obligations. The sixth week closes with after‑action reporting, hardening, and Zero Trust improvements. Success is measured by mission outcome, detection coverage, and response time.
Section 12: Certification
Upon completing Sphere and the ZombieCop mission, you earn the Rocheston Certified Cybersecurity Engineer Level 2 credential. This certification signifies demonstrated mastery of 160 techniques, hands‑on defense against AI‑driven attacks, effective ransomware response under pressure, and the ability to coordinate technical and executive workstreams. It is evidence that you can handle the real thing, not just pass a multiple‑choice exam.
Section 13: How ZombieCop Compares
Compared with fragmented lab platforms, ZombieCop.Run delivers a full breach lifecycle with a narrative mission, an adaptive AI adversary, a realistic company environment, business context, pressure testing, and an outcome measured by artifacts and readiness rather than quiz scores. Compared with traditional certifications, it emphasizes hands‑on integration, real‑time decision‑making, executive communication, and measurable improvements across the kill chain.
Section 14: Student Outcomes
Graduates consistently report that ZombieCop.Run bridges the gap between technical skills and incident command. Practitioners who previously excelled at isolated labs describe finally understanding how, when, and why to use each technique. Hiring managers value the ability to brief executives during a live incident and to substantiate decisions with evidence, timelines, and ATT&CK‑mapped detections.
Section 15: Pricing and Access
Contact your training provider for pricing. The individual certification track includes the full Sphere lab catalog, the complete ZombieCop mission, access to AINA, the integrated toolset, the Level 2 certification upon completion, digital verification, and twelve months of access.
Team Training Packages
Contact your training provider for pricing. Team packages for ten to fifty users include everything in the individual track plus team progress dashboards, optional custom scenarios, dedicated support, LMS integration, and volume options tailored to your organization.
Section 16: Call to Action
Your worst day is coming, whether it arrives next month or next year. You can face it for the first time at work, or you can practice it now in a safe but unforgiving simulation. Fail safely, learn quickly, and build the muscle memory to act decisively. When the real attack comes, you will have already been there and already saved a company.
Complete Lab Exercises — Overview
ZombieCop.run provides a reproducible, production‑grade range covering attacker lifecycle, blue‑team detection, forensics, and compliance validation. The environment models a 50‑person video game company with automated AINA orchestration, infection mapping, comprehensive telemetry ingestion, and objective scoring so progress is measurable and repeatable.
Complete Lab Exercises — Catalog
The catalog spans reconnaissance and asset discovery using automated and manual techniques; continuous vulnerability assessment and triage; web exploitation across WordPress, Tomcat, and modern APIs; SQL injection with data exfiltration; phishing and social engineering including spear‑phishing and credential capture; safe ransomware simulation with backup isolation, recovery, and crisis communications; dark‑web leak simulation with onion site publishing and monitoring; XDR and SIEM operations on Wazuh with rule tuning; endpoint testing and host hunting; container runtime and CI/CD security for images, runtime, and pipelines; malware scanning, YARA hunting, and eradication; incident response orchestration and runbooks; cloud and SaaS visibility across AWS, Azure, GCP, and GitHub; DevSecOps for secure builds and artifact provenance; compliance and controls mapping for PCI, NIST, GDPR, and HIPAA; Zero Trust access and policy enforcement using Pritunl‑style and modern identity providers; DDoS resilience and chaos engineering; network forensics and packet analysis; detection of data exfiltration and covert channels; memory forensics with Volatility and volatile artifact discovery; advanced C2 and beacon behavior with covert communications; the Monkey Island lateral movement and privilege escalation range; automated red‑blue tournament exercises with AINA; threat intelligence enrichment with automated responses; file integrity monitoring and osquery hunts; and secure incident documentation with legal‑ready evidence packages.
Lateral Movement and Privilege Escalation Range
The Monkey Island range validates automated pivot chains across mixed operating systems, teaches credential harvesting and reuse with the associated detection telemetry, demonstrates Kerberos abuse and Active Directory‑centric escalation, exhibits persistence techniques and their removal, and measures detection coverage, time to detect, and time to contain. Participants conclude by producing a complete incident timeline and a prioritized remediation plan.
Prerequisites and Assumptions
The lab runs in an isolated ZombieCop.run network that is either air‑gapped or strictly permissioned. It relies on prebuilt virtual machines and containers including an Active Directory domain controller, Windows endpoints, Linux servers, a jump host, a file and share server, and a CI server. AINA orchestration and Infection Monkey agents are available, and centralized logging is configured through Wazuh, osquery, and syslog or cloud equivalents. An operator with access to the lab control plane manages resets and snapshots.
Environment Snapshot
The scenario includes a Windows Server domain controller providing Active Directory, DNS, and Kerberos; Windows workstations with common enterprise applications; Linux development and application servers exposed over SSH; a multi‑interface jump host for pivoting; an SMB file share and network storage; a CI/CD server with service‑account credentials and artifacts; SIEM collectors with dashboards and alerting pipelines; and preseeded user accounts with varied password quality, including a privileged account for demonstration.
Lab Flow
The exercise begins with reconnaissance to enumerate hosts and services and to draft an initial attack graph and asset map. A controlled credential compromise follows, obtained through simulated phishing or capture, then augmented with in‑memory or at‑rest harvesting to escalate from low privilege to local administrator by exploiting safe misconfigurations. With elevated access, you pivot laterally using SMB, WinRM, PSExec, or SSH as appropriate, demonstrating automated pivot chains under AINA supervision. Kerberos abuse is introduced through Kerberoasting and, where allowed, Pass‑the‑Ticket or Overpass‑the‑Hash, with any directory‑level simulations gated behind strict rollback protections. Automated propagation is choreographed and recorded with Monkey Island, while persistence is planted using scheduled tasks, services, or cron entries and later removed during cleanup. A small, controlled exfiltration test validates egress controls and logging, and a final, gated step demonstrates a domain‑admin escalation with immediate rollback and full event capture.
Blue Team Work
Defenders create precise Wazuh detections for the tactics observed, hunt with osquery for anomalous users, services, tasks, and process trees, and correlate SIEM events to construct a defensible incident timeline. They isolate compromised hosts, remove persistence, rotate credentials, restore services, and gather memory and event logs for deeper forensic analysis before running verification scans to confirm eradication.
Detection Mapping
Detection focuses on suspicious process creation and parent‑child anomalies, Windows logon and privilege events, creation of scheduled tasks and services, unusual SMB administrative access, Kerberos irregularities such as elevated ticket volume or suspicious service tickets, unexpected lateral RDP and SSH sessions, file‑system changes in common staging locations, and DNS patterns consistent with tunneling or covert exfiltration. Each signal is mapped to relevant MITRE ATT&CK techniques to quantify coverage.
Expected Artifacts
Students collect memory images that reveal credential residues and injected processes, event logs with timestamps for logons, service and task creation, and privileged activity, packet captures that show lateral movement and command sequences, SIEM correlation and alert records mapped to ATT&CK identifiers, server and storage logs that corroborate exfiltration attempts, and Monkey Island infection maps with action logs and timelines.
Scoring and Metrics
Performance is measured by time to detect from first red‑team action to first actionable alert, time to contain from detection to isolation, coverage as the percentage of adversary actions that generated mapped detections, remediation effectiveness measured by successful removal of persistence and rotation of credentials, and forensic completeness based on the sufficiency of artifacts to reconstruct the timeline.
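The five metrics above are easy to state and easy to compute inconsistently. The following added example (not part of the lab materials or the platform's own scoring code) pins each one down as a function over three constructed records: the tagged adversary action log, the SIEM alert log, and the isolation times, plus a remediation checklist and an artifact inventory. An action counts as covered only if an alert with the same ATT&CK technique fires on the same host at or after the action, which is what keeps an unrelated alert from inflating coverage. All timestamps, hosts, technique tags and checklist contents are constructed sample values.

```python
from datetime import datetime


def _t(s):
    return datetime.fromisoformat(s)


# Constructed sample records for one short pivot-chain run (not real lab data).
# Each adversary action carries the ATT&CK technique the automation tagged it
# with; each alert carries the technique its detection rule maps to.
RED_ACTIONS = [
    {"ts": "2025-01-10T10:00:00", "technique": "T1566.001", "host": "WS-07"},    # lure opened
    {"ts": "2025-01-10T10:05:00", "technique": "T1003.001", "host": "WS-07"},    # credential dump
    {"ts": "2025-01-10T10:12:00", "technique": "T1021.002", "host": "SRV-FS1"},  # SMB pivot
    {"ts": "2025-01-10T10:20:00", "technique": "T1053.005", "host": "SRV-FS1"},  # task persistence
    {"ts": "2025-01-10T10:25:00", "technique": "T1558.003", "host": "DC01"},     # Kerberoasting
]
ALERTS = [
    {"ts": "2025-01-10T10:07:30", "technique": "T1003.001", "host": "WS-07"},
    {"ts": "2025-01-10T10:13:10", "technique": "T1021.002", "host": "SRV-FS1"},
    {"ts": "2025-01-10T10:26:00", "technique": "T1558.003", "host": "DC01"},
    {"ts": "2025-01-10T10:30:00", "technique": "T1059.001", "host": "WS-07"},    # matches no action
]
ISOLATIONS = {"WS-07": "2025-01-10T10:16:00", "SRV-FS1": "2025-01-10T10:40:00"}
REMEDIATION = {"persistence_removed": [True, True, False],  # three planted items, one missed
               "credentials_rotated": [True, True]}
REQUIRED_ARTIFACTS = {"memory_image", "event_logs", "pcap", "siem_alerts", "infection_map"}
COLLECTED_ARTIFACTS = {"memory_image", "event_logs", "pcap", "infection_map"}


def _matching_alert(action, alerts):
    """Earliest alert with the same technique and host at or after the action, else None."""
    cands = [a for a in alerts
             if a["technique"] == action["technique"] and a["host"] == action["host"]
             and _t(a["ts"]) >= _t(action["ts"])]
    return min(cands, key=lambda a: a["ts"]) if cands else None


def _first_actionable_alert(actions, alerts):
    """The earliest alert that corresponds to some adversary action (unmatched alerts ignored)."""
    matched = [m for m in (_matching_alert(a, alerts) for a in actions) if m is not None]
    return min(matched, key=lambda a: a["ts"]) if matched else None


def coverage(actions, alerts):
    """Fraction of adversary actions that produced a mapped detection, plus the misses."""
    covered = [_matching_alert(a, alerts) is not None for a in actions]
    uncovered = [a["technique"] for a, c in zip(actions, covered) if not c]
    return sum(covered) / len(actions), uncovered


def time_to_detect(actions, alerts):
    """Seconds from the first red-team action to the first actionable alert."""
    first = _first_actionable_alert(actions, alerts)
    if first is None:
        return None
    start = min(actions, key=lambda a: a["ts"])
    return (_t(first["ts"]) - _t(start["ts"])).total_seconds()


def time_to_contain(actions, alerts, isolations):
    """Seconds from the first actionable alert to isolation of the host it fired on."""
    first = _first_actionable_alert(actions, alerts)
    if first is None or first["host"] not in isolations:
        return None
    return (_t(isolations[first["host"]]) - _t(first["ts"])).total_seconds()


def remediation_effectiveness(checklist):
    """Share of checklist items (persistence removed, credentials rotated) verified done."""
    items = [done for group in checklist.values() for done in group]
    return sum(items) / len(items)


def forensic_completeness(required, collected):
    """Share of required artifact types actually present in the evidence package."""
    return len(required & collected) / len(required)


def score(actions, alerts, isolations, checklist, required, collected):
    cov, missed = coverage(actions, alerts)
    return {
        "time_to_detect_s": time_to_detect(actions, alerts),
        "time_to_contain_s": time_to_contain(actions, alerts, isolations),
        "coverage": cov,
        "uncovered_techniques": missed,
        "remediation_effectiveness": remediation_effectiveness(checklist),
        "forensic_completeness": forensic_completeness(required, collected),
    }


if __name__ == "__main__":
    for k, v in score(RED_ACTIONS, ALERTS, ISOLATIONS, REMEDIATION,
                      REQUIRED_ARTIFACTS, COLLECTED_ARTIFACTS).items():
        print(f"{k}: {v}")
```

Two design points worth noting: the unmatched PowerShell alert at 10:30 neither improves coverage nor counts as the "first actionable alert", so a noisy rule set cannot game time to detect; and the list of uncovered techniques is returned alongside the fraction because the number alone tells an instructor nothing about which rule to write next.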
Post‑Lab Remediation
After the exercise, compromised systems are snapshotted and isolated for study, all demo credentials and service accounts are rotated, persistence mechanisms are removed and verified, any altered infrastructure such as group policies or services is reverted, comprehensive hunts and scans confirm the absence of residual footholds, and detections and playbooks are updated with lessons learned.
Safety and Ethics
All work remains within an air‑gapped or explicitly permissioned environment with no connection to production systems or external networks. Real personal data is never used. Every destructive action is reversible, snapshots precede risky steps, an emergency stop can halt automation instantly, and written authorization defines scope before any live exercise is undertaken.
Optional Advanced Extensions
Advanced tracks may chain full Active Directory abuse from Kerberoasting to ticket forgery and DCSync within a tightly controlled rollback framework, orchestrate cross‑platform pivots from Windows to Linux using SSH proxies and reverse tunnels, schedule automated red‑blue tournaments where AINA executes campaigns against time‑boxed defenders to measure progress, and tune stealthy C2 beacons while blue teams adjust thresholds to detect low‑and‑slow behavior.
Lab Deliverables
Students submit a timestamped attack timeline with evidence mapped to ATT&CK techniques, a SIEM alert inventory aligned to each adversary action, a remediation checklist proving credential rotation and persistence removal with systems restored, a forensic evidence package containing memory images, logs, packet captures, and infection maps, and a blameless after‑action report with prioritized recommendations.
Estimated Durations
A full instructor‑guided run with detection and remediation typically takes between three and five hours, a focused single pivot‑chain exercise runs forty‑five to ninety minutes, and an automated stress or metrics run completes in thirty to sixty minutes.
Implementation Notes
Monkey Island infection maps serve as canonical visual outputs in lab reports. Step logs are exposed in the lab console for replay and instructor review. Instructors can switch between manual step‑through for teaching and fully automated timed runs for benchmarking. Every automated action is tagged with ATT&CK metadata for auto‑mapping in the SIEM, and instructor scripts provide exact parameters for repeatability.
Suggested Detection Rules
Ship the lab with rules that alert on credential dumping behavior and suspicious access to LSASS, creation of new services from non‑administrative contexts, scheduled tasks that execute from user profile paths, atypical SMB administrative share activity from endpoints, and spikes in Kerberos service ticket requests associated with service accounts.
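The Detection Mapping section and the suggested rules above describe the same five signals in prose. The following added example (written for this page; it is not the lab's shipped Wazuh rule set) implements each of them as a small detector over constructed, SIEM-normalised events and tags every alert with the ATT&CK technique it maps to, so the output can feed the coverage metric directly. Field names loosely follow Sysmon event 10 and Windows events 4698, 7045, 5140 and 4769; the `source_role` and `subject_is_admin` fields are assumed enrichment from an asset inventory and directory lookup rather than native event fields, and the LSASS allowlist, admin-share set and Kerberos threshold are assumed tuning values that a real deployment would baseline per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real lab output), loosely modelled on
# Sysmon 10 and Windows events 4698 / 7045 / 5140 / 4769 after normalisation.
# "source_role" and "subject_is_admin" are assumed enrichment fields.
SAMPLE_EVENTS = [
    {"ts": "2025-01-10T09:00:01", "host": "WS-07", "event_id": 10, "user": "alice",
     "source_image": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "target_image": r"C:\Windows\System32\lsass.exe"},                    # benign: AV
    {"ts": "2025-01-10T09:02:15", "host": "WS-07", "event_id": 10, "user": "alice",
     "source_image": r"C:\Users\alice\Downloads\update.exe",
     "target_image": r"C:\Windows\System32\lsass.exe"},                    # suspicious
    {"ts": "2025-01-10T09:03:00", "host": "WS-07", "event_id": 4698, "user": "SYSTEM",
     "task_name": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
     "task_command": r"C:\Windows\System32\defrag.exe"},                   # benign
    {"ts": "2025-01-10T09:03:40", "host": "WS-07", "event_id": 4698, "user": "alice",
     "task_name": r"\Updater", "task_command": r"C:\Users\alice\AppData\Roaming\svc.exe"},
    {"ts": "2025-01-10T09:04:10", "host": "SRV-FS1", "event_id": 7045, "user": "svc_backup",
     "service_name": "BackupAgent", "subject_is_admin": True},             # benign
    {"ts": "2025-01-10T09:05:30", "host": "WS-07", "event_id": 7045, "user": "alice",
     "service_name": "WinSvcHelper", "subject_is_admin": False},
    {"ts": "2025-01-10T09:06:00", "host": "SRV-FS1", "event_id": 5140, "user": "alice",
     "share_name": "projects", "source_host": "WS-07", "source_role": "workstation"},
    {"ts": "2025-01-10T09:06:05", "host": "SRV-FS1", "event_id": 5140, "user": "alice",
     "share_name": "ADMIN$", "source_host": "WS-07", "source_role": "workstation"},
] + [  # six service-ticket requests for distinct SPNs from one account in 25 seconds
    {"ts": f"2025-01-10T09:07:{5 * i:02d}", "host": "DC01", "event_id": 4769,
     "user": "svc_backup", "service_name": f"MSSQLSvc/db{i}.corp.local:1433"}
    for i in range(6)
] + [
    {"ts": "2025-01-10T09:08:00", "host": "DC01", "event_id": 4769, "user": "alice",
     "service_name": "cifs/SRV-FS1.corp.local"},                           # benign
]

# Assumed tuning values for this example; baseline them per environment in practice.
LSASS_ALLOWLIST = {r"c:\program files\windows defender\msmpeng.exe"}
ADMIN_SHARES = {"ADMIN$", "C$", "IPC$"}
USER_PROFILE_PREFIX = "c:\\users\\"
KERB_SPIKE_THRESHOLD = 5            # distinct SPNs requested by one account ...
KERB_WINDOW = timedelta(minutes=5)  # ... within this sliding window


def _ts(e):
    return datetime.fromisoformat(e["ts"])


def _alert(rule, technique, e, detail):
    return {"ts": e["ts"], "host": e["host"], "user": e["user"],
            "rule": rule, "technique": technique, "detail": detail}


def detect_lsass_access(events):
    """Sysmon 10: a process outside the allowlist opens a handle to lsass.exe."""
    for e in events:
        if (e["event_id"] == 10 and e["target_image"].lower().endswith(r"\lsass.exe")
                and e["source_image"].lower() not in LSASS_ALLOWLIST):
            yield _alert("suspicious_lsass_access", "T1003.001", e, e["source_image"])


def detect_user_profile_task(events):
    """4698: scheduled task whose action binary lives under a user profile."""
    for e in events:
        if e["event_id"] == 4698 and e["task_command"].lower().startswith(USER_PROFILE_PREFIX):
            yield _alert("scheduled_task_from_user_profile", "T1053.005", e, e["task_name"])


def detect_nonadmin_service_install(events):
    """7045: a new service installed by a subject that is not an administrator."""
    for e in events:
        if e["event_id"] == 7045 and not e["subject_is_admin"]:
            yield _alert("service_install_nonadmin_context", "T1543.003", e, e["service_name"])


def detect_admin_share_from_workstation(events):
    """5140: administrative share accessed from a workstation rather than an admin host."""
    for e in events:
        if (e["event_id"] == 5140 and e["share_name"] in ADMIN_SHARES
                and e["source_role"] == "workstation"):
            yield _alert("admin_share_access_from_workstation", "T1021.002", e,
                         f"{e['share_name']} from {e['source_host']}")


def detect_kerberos_spike(events):
    """4769: one account requests tickets for many distinct SPNs inside a short window."""
    recent = defaultdict(list)  # account -> [(ts, spn)] within KERB_WINDOW
    fired = set()               # alert once per account per run
    for e in sorted((x for x in events if x["event_id"] == 4769), key=_ts):
        acct, now = e["user"], _ts(e)
        recent[acct] = [(t, s) for t, s in recent[acct] if now - t <= KERB_WINDOW]
        recent[acct].append((now, e["service_name"]))
        distinct = {s for _, s in recent[acct]}
        if acct not in fired and len(distinct) >= KERB_SPIKE_THRESHOLD:
            fired.add(acct)
            yield _alert("kerberos_spn_request_spike", "T1558.003", e,
                         f"{len(distinct)} distinct SPNs within {KERB_WINDOW}")


DETECTORS = [detect_lsass_access, detect_user_profile_task, detect_nonadmin_service_install,
             detect_admin_share_from_workstation, detect_kerberos_spike]


def run_detections(events):
    """Run every detector and return the alerts in time order."""
    return sorted((a for d in DETECTORS for a in d(events)), key=lambda a: a["ts"])


if __name__ == "__main__":
    for a in run_detections(SAMPLE_EVENTS):
        print(a["ts"], a["host"], a["rule"], a["technique"], a["detail"])
```

Each detector is deliberately a plain predicate over one event type, which is the shape a Wazuh rule with a `field`/`match` condition takes; only the Kerberos check needs state, and that is the one that most needs per-environment baselining, because a legitimate service account that enumerates SPNs at startup looks identical on a single event. The benign twins in the sample (the AV engine touching LSASS, the Defrag task, the admin-installed service, the ordinary `projects` share) are there to show what each rule is expected not to fire on.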
Consistent Components Across Every Lab
Each exercise includes explicit learning objectives, prerequisites, and a clear environment snapshot; stepwise red‑team sequences with guarded rollback points; interleaved blue‑team tasks with exact hunting queries and example detectors; MITRE ATT&CK mappings; a required artifact list for student submissions; a scoring rubric with objective metrics; a thorough remediation checklist and snapshot procedure; safety, ethics, and legal constraints with an enforced emergency stop; instructor automation parameters and replayable logs; difficulty variants for beginner through advanced tracks; optional gated materials for vetted enterprise tracks; and built‑in reporting templates with exportable evidence suitable for audits and compliance.
Coverage Statement
ZombieCop.run delivers a complete, enterprise‑grade catalog that spans recon, web exploitation, lateral movement, ransomware, exfiltration, memory and network forensics, threat hunting, CI/CD and container security, cloud security, and compliance. Every exercise is instrumented, mapped to ATT&CK, and scored so teams can measure and improve what matters.
© 2025 Rocheston. All Rights Reserved.
Rocheston exclusively owns all copyrights and related intellectual property rights in the ZombieCop.Run platform and materials, including but not limited to all artwork, cinematic storylines, characters, mission designs, lab exercises, images, titles, concepts, AI orchestration logic, AINA and automated cyberattack AI frameworks, infection maps, scripts, dialogues, audiovisual elements, and other creative expressions as published.
Visual Identity and Trade Dress Protection: Rocheston's distinctive visual design for ZombieCop.Run, including but not limited to the specific combination and arrangement of vibrant color palettes (including pink #FF006E, yellow #FFD60A, purple #9B4DCA, cyan #00B4D8, green #06FFA5, and associated color schemes), 3D illustrated character designs and styles, color-blocked layout compositions, dark-mode interface aesthetics, rainbow progress indicators, typographic treatments, iconography, gamification elements, and overall "look and feel," constitutes protected trade dress under U.S. and international law. This distinctive visual identity has been extensively published and documented through 215+ screenshots and comprehensive marketing materials, establishing clear priority and secondary meaning in the marketplace. Any unauthorized use, imitation, or substantial similarity in visual design, color schemes, character illustration styles, interface layouts, or overall aesthetic presentation that creates a likelihood of confusion with Rocheston's established trade dress will be vigorously enforced as trade dress infringement and unfair competition.
Rocheston has extensively documented its visual design, character designs, interface layouts, and training methodology through public disclosure of 215+ screenshots, comprehensive lab manuals, video demonstrations, and marketing materials, establishing clear timestamp priority and market recognition. Any training platform, cyber range, or educational product that adopts substantially similar visual design elements, color schemes, character illustration styles, gamification approaches, or overall aesthetic presentation may face immediate legal action for trade dress infringement, copyright violation, and unfair competition, regardless of whether the underlying technical functionality differs. The distinctiveness of Rocheston's visual presentation has acquired secondary meaning in the cybersecurity training marketplace. Use of confusingly similar visual elements, even with different underlying content, may constitute actionable trade dress infringement.
Any form of copying, reproduction, imitation, derivative work, adaptation, re-skinning, transformation, modification, or re-creation of these materials — including but not limited to the use of alternate industries, institutions, or storylines (such as hospital, banking, military, or corporate breach scenarios) that replicate or emulate Rocheston’s original creative structure, sequence of events, or AI-powered cyberattack framework — constitutes an infringement of Rocheston’s intellectual property rights.
No portion of the ZombieCop.Run concept, narrative, AI orchestration logic, mission design, or training methodology may be reused, restyled, repurposed, or re-presented under any other brand, product, or identity, in any form, medium, or technology, without Rocheston’s prior written authorization.
Violations will be treated as deliberate intellectual property theft and may result in immediate civil, criminal, and injunctive action under international copyright, trademark, and unfair competition laws.
“Cybersecurity Engineer” and “RCCE” are registered trademarks of Rocheston. Unauthorized use of these marks in any form, context, or representation is strictly prohibited and will be subject to trademark enforcement under applicable law.
DMCA Agent for Notice of Claimed Infringement:
https://www.rocheston.com/contactus
Please include the full URL of the infringing material, a clear description of the work claimed to be infringed, your contact details, and an electronic signature.
Rocheston reserves all rights and remedies available under United States and international copyright, intellectual property, and trade secret law.