The Cyber Trail v4.0 VESSEL is a three-mode cybersecurity education platform built entirely in vanilla HTML, CSS, and JavaScript — no frameworks, no npm, no build tools. It runs directly in any modern browser from a single folder of static files, making it trivially deployable to Cloudflare Pages.
🖥️
PROFESSIONAL MODE
// SOC ANALYST · RED TEAMER · THREAT HUNTER
Dark terminal interface. MITRE ATT&CK-mapped missions across 10 threat zones. 35 missions, 9 operative classes, live NVD CVE feed, XP progression, skill tree. Designed for current or aspiring cybersecurity professionals.
11 Zones
35 Missions
9 Classes
MITRE ATT&CK
Live CVE Feed
8-Question Quiz
🏠
BUSINESS AWARENESS
// EVERYDAY USERS · STAFF TRAINING · HOME USERS
Clean modern interface. Real-world security skills for everyday life and business environments. 6 themed zones, 12 missions covering passwords, phishing, social media, home network security, mobile safety, and online shopping.
6 Zones
12 Missions
36 Questions
Practical Skills
Action Steps
🛡️
SCAM GUARD
// ELDER FRAUD PROTECTION · WCAG AA+
Large-text accessible design (20px Verdana, 58px touch targets, 7:1 contrast). 8 scam scenarios with real verbatim scammer scripts. 10-item security checklist. 8-question quiz. Full fraud hotline directory for US and Canada.
8 Scam Scenarios
10 Checklist Items
8 Quiz Questions
WCAG AA+
Fraud Hotlines
👥 21-GAMER PROFILE SYSTEM
When the game section loads, you see the Profile Selector — up to 21 operative profiles can be created. Each profile stores independent progress for all three game modes (Professional, Business Awareness, Scam Guard). Profiles persist across browser sessions via localStorage under key ct_profiles_v31. Create a profile → choose a mode → play. Switch profiles anytime from the mode select screen.
Profile data stored per profile: name · avatar emoji · Professional mode full save (class, level, XP, zones, missions, skills, tools, achievements) · Business Awareness save (XP, completed missions/zones) · Scam Guard save (completed scams, checklist, quiz scores, protection points).
HOW THE MODE SELECTOR WORKS
When the game section of the portfolio page loads, it shows the three mode selector cards inline. Clicking any card calls ModeSelector.launch(mode), which hides the selector, sets document.body.dataset.mode to the chosen mode, and launches the corresponding game engine. The game appears as a position:fixed fullscreen overlay (z-index 9000) above the portfolio. The ← Back button collapses the overlay and restores the selector view.
The game is split across three files. cyber-trail-data.js is a pure data module. cyber-trail-engine.js contains all game logic. cyber-trail.css contains all visual styles for all three modes.
/* FILE STRUCTURE */
css/
└─ cyber-trail.css // All three themes + v2.1 CRT terminal styles
js/
├─ cyber-trail-data.js // Pure data — const CT = { ... }
└─ cyber-trail-engine.js // All game logic
index.html // Portfolio + game HTML shells
_headers // Cloudflare security headers (CSP, HSTS, etc.)
game-guide.html // This file
/* DATA OBJECT STRUCTURE */
const CT = {
  VERSION: "3.1.0",
  RANKS: [ ...8 rank tiers ],
  XP_TABLE: [ ...30 XP thresholds ],
  PRO: { // Professional mode data
    CLASSES: [ ...9 operative classes ],
    TIERS: [ ...4 tier definitions ],
    ZONES: [ ...11 zone objects ],
    MISSIONS: { net1_m1: {...}, web1_m1: {...}, ... }, // 30 total
    TOOLS: [ ...12 tools ],
    ACHIEVEMENTS: [ ...18 achievements ],
    CVE_FALLBACK: [ ...8 critical CVEs ],
    QUIZ: [ ...8 questions ],
  },
  ELDER: { // Scam Guard mode data
    STATS: { ic3Complaints, ic3Losses, ... },
    SCAMS: [ ...8 scam scenario objects ],
    CHECKLIST: [ ...10 security checklist items ],
    RESOURCES: { hotlines, neverCallYou, youtube },
    QUIZ: [ ...8 questions ],
  },
  AWARE: { // Business Awareness mode data
    ZONES: [ ...6 zone objects ],
    MISSIONS: { pw_m1: {...}, ph_m1: {...}, ... }, // 12 total
  }
};
/* ENGINE OBJECT STRUCTURE */
ModeSelector // init(), launch(mode) — handles overlay activation
ProGame { // Professional mode engine
  state: { name, classId, level, xp, completedMissions[], ... }
  init()            // Load save or show char create
  showCharCreate()  // Render class selection grid
  showMap()         // Render HUD + zone SVG map + CVE feed
  renderHUD()       // Update 8 HUD elements (name, rank, XP bar, etc.)
  renderZoneMap()   // Draw SVG nodes + connector lines
  openZone(z)       // Show mission list panel
  startMission(id)  // Launch mission overlay + timer
  awardXP()         // XP award + level-up check + zone completion check
  loadCVEFeed()     // Fetch NVD API (fallback to static data)
  showQuiz()        // 8-question knowledge test overlay
}
ElderGame { // Scam Guard mode engine
  state: { completedScams[], checklistDone[], quizScores[], totalPoints }
  init()            // Load/init state, bind nav, show menu tab
  showTab(t)        // Switch between: menu / scenarios / checklist / quiz / resources
  renderMenu()      // Home screen with stats + fast fact
  renderScenarios() // 8-card grid of scam scenarios
  openScam(id)      // Show scam detail: script + red flags + verify + choices
  renderChecklist() // Accordion checklist with progress bar
  renderResources() // Hotlines + never-call-you facts + YouTube
  renderQuiz()      // 8-question sequential quiz
}
AwareGame { // Business Awareness mode engine
  state: { completedMissions[], completedZones[], totalXP }
  init()            // Load/init state, render hub
  renderHub()       // 6-zone card grid overview
  openZone(id)      // Zone mission list
  startMission(id)  // Sequential question-answer flow
}
PROFESSIONAL MODE FLOW
- Mode selected → ProGame.init()
- No save found → showCharCreate()
- Class selected → startGame() → showMap()
- Zone clicked (if unlocked) → openZone()
- Mission clicked → startMission()
- Choice made → awardXP() → check level/zone
- Continue → close overlay → renderHUD() + renderZoneMap()
SAVE / STATE SYSTEM
- Each mode uses its own localStorage key:
ct_pro_v31 — Professional mode save
ct_elder_v31 — Scam Guard save
ct_aware_v31 — Awareness save
- Saved as JSON on every state change
- Corrupt save silently falls back to default state
- Reset clears key + reloads page (Pro mode)
LIVE CVE FEED (PROFESSIONAL MODE)
On map load, ProGame.loadCVEFeed() fetches https://services.nvd.nist.gov/rest/json/cves/2.0?cvssV3Severity=CRITICAL&resultsPerPage=5 with a 6-second timeout. On success, the 5 most recent critical CVEs are displayed in the right panel. On failure (network error, timeout, or API unavailability), it silently falls back to 8 hardcoded static CVEs including CVE-2024-3400 (PAN-OS CVSS 10.0), CVE-2024-12356 (BeyondTrust), and CVE-2023-22527 (Confluence). The _headers file includes connect-src https://services.nvd.nist.gov in the CSP to allow this request.
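The fetch, timeout and fallback behaviour described above, as an added example that is not the code in cyber-trail-engine.js. The function names, the `fetchImpl` parameter and the shape of the fallback entries are assumptions; the NVD response is treated as untrusted input and reduced to validated fields before anything is rendered.

```javascript
// Added example, not the code in cyber-trail-engine.js.
const NVD_URL =
  "https://services.nvd.nist.gov/rest/json/cves/2.0?cvssV3Severity=CRITICAL&resultsPerPage=5";

// Stand-in for CT.PRO.CVE_FALLBACK (two of the eight entries, field names assumed).
const CVE_FALLBACK = [
  { id: "CVE-2024-3400", score: 10.0, summary: "PAN-OS" },
  { id: "CVE-2023-22527", score: 10.0, summary: "Confluence" },
];

const CVE_ID = /^CVE-\d{4}-\d{4,}$/;

// Reduce an NVD 2.0 response body to the fields the panel shows. Entries that
// do not match the expected shape are dropped rather than displayed.
function parseNvdResponse(body, limit = 5) {
  if (!body || !Array.isArray(body.vulnerabilities)) return [];
  const items = [];
  for (const entry of body.vulnerabilities) {
    const cve = entry?.cve;
    if (typeof cve?.id !== "string" || !CVE_ID.test(cve.id)) continue;
    const metric = cve.metrics?.cvssMetricV31?.[0] ?? cve.metrics?.cvssMetricV30?.[0];
    const score = metric?.cvssData?.baseScore;
    if (!Number.isFinite(score) || score < 0 || score > 10) continue;
    const text = Array.isArray(cve.descriptions)
      ? cve.descriptions.find((d) => d?.lang === "en")?.value
      : undefined;
    items.push({ id: cve.id, score, summary: typeof text === "string" ? text.slice(0, 200) : "" });
    if (items.length === limit) break;
  }
  return items;
}

// Resolves to { live, items }. Network error, timeout, HTTP error, invalid JSON
// and an empty result all end in the static list instead of an exception.
async function loadCveFeed(fetchImpl = fetch, timeoutMs = 6000) {
  try {
    const res = await fetchImpl(NVD_URL, { signal: AbortSignal.timeout(timeoutMs) });
    if (!res.ok) throw new Error(`HTTP ${res.status}`);
    const items = parseNvdResponse(await res.json());
    if (items.length === 0) throw new Error("no usable entries");
    return { live: true, items };
  } catch {
    return { live: false, items: CVE_FALLBACK };
  }
}

// Browser-only: build the list with textContent so feed text is never parsed as HTML.
function renderCveList(container, items) {
  container.replaceChildren(
    ...items.map((cve) => {
      const li = document.createElement("li");
      li.textContent = `${cve.id} (CVSS ${cve.score.toFixed(1)}) ${cve.summary}`;
      return li;
    })
  );
}

// Constructed sample body: one valid entry, two malformed on purpose.
const SAMPLE_BODY = {
  vulnerabilities: [
    { cve: { id: "CVE-2024-3400", descriptions: [{ lang: "en", value: "Sample text" }],
             metrics: { cvssMetricV31: [{ cvssData: { baseScore: 10.0 } }] } } },
    { cve: { id: "<b>not-a-cve</b>", metrics: { cvssMetricV31: [{ cvssData: { baseScore: 9.8 } }] } } },
    { cve: { id: "CVE-2024-12356", metrics: { cvssMetricV31: [{ cvssData: { baseScore: "99" } }] } } },
  ],
};
```

`parseNvdResponse(SAMPLE_BODY)` keeps only the first entry; the other two fail the ID and score checks.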
Professional mode is built for cybersecurity practitioners. Every mission maps to a MITRE ATT&CK technique, a NICE Workforce Framework role, and one or more certification exam objectives. Missions are locked behind zone tiers — you must complete 3 zones in each tier to unlock the next.
● detection
● offensive
● defense
● forensics
● intel
● network
TIER UNLOCK SYSTEM
Tier 1 (Foundations) — Available from Level 1. Zones: Packet Alley, Injection Junction, Malware Morgue.
2025 stat: T1055 Process Injection = 31% of all malware actions observed (Picus Red Report 2025).
Tier 2 (Intermediate) — Unlock after completing 3 zones. Zones: Cipher District, Incident Row, Cloud District.
Tier 3 (Advanced) — Unlock after completing 6 zones. Zones: Industrial Sectors, Threat Intel Hub, Red Zone, ⚗️ Exploit Lab (NEW).
Tier 4 (Boss) — Unlock after completing 9 zones. Zone: The Architect's Lair (3 boss missions).
| ID | Mission | Type | XP | MITRE Technique | Time |
|---|---|---|---|---|---|
| net1_m1 | Packet Intercept: Identify anomalous C2 beacon in guest VLAN pcap using Wireshark | detection | 120 XP | T1043 — Commonly Used Port | 90s |
| net1_m2 | ARP Poisoning Storm: Identify ARP spoofing source, enable Dynamic ARP Inspection | network | 150 XP | T1557.002 — ARP Cache Poisoning | 120s |
| net1_m3 | DNS Tunneling Detected: Confirm DNS exfiltration, block external resolvers | intel | 180 XP | T1071.004 — DNS Application Layer | 150s |

| ID | Mission | Type | XP | MITRE Technique | Time |
|---|---|---|---|---|---|
| web1_m1 | SQL Injection Hunt: Confirm SQLi in login form, implement parameterised queries | offensive | 140 XP | T1190 — Exploit Public-Facing App | 90s |
| web1_m2 | XSS Payload Lab: Validate reflected XSS, implement CSP + output encoding | offensive | 160 XP | T1059.007 — JavaScript Scripting | 120s |
| web1_m3 | IDOR Exploitation: Demonstrate predictable integer ID access control flaw | offensive | 200 XP | T1530 — Data from Cloud Storage | 150s |

| ID | Mission | Type | XP | MITRE Technique | Time |
|---|---|---|---|---|---|
| mal1_m1 | Ransomware Triage: Identify ransomware family, isolate systems, restore from backup | forensics | 160 XP | T1486 — Data Encrypted for Impact | 120s |
| mal1_m2 | Process Injection: Analyse svchost memory injection (T1055 — #1 ATT&CK technique 2025-26) | forensics | 190 XP | T1055 — Process Injection (31% of attacks) | 180s |
| mal1_m3 | AI Phishing Analysis: Detect AI-generated spear phish (83% of 2025 phishing emails are AI) | detection | 170 XP | T1566.001 — Spear Phishing Attachment | 90s |

| ID | Mission | Type | XP | MITRE Technique | Time |
|---|---|---|---|---|---|
| cr1_m1 | Broken Encryption Audit: Identify MD5/DES usage, replace with bcrypt/AES-256-GCM/TLS 1.3 | defense | 150 XP | T1600 — Weaken Encryption | 90s |
| cr1_m2 | Certificate Spoofing: Investigate rogue CA via Certificate Transparency logs (crt.sh) | detection | 180 XP | T1539 — Steal Web Session Cookie | 120s |
| cr1_m3 | Ransomware Key Analysis: Identify weak RNG, attempt decryption via NoMoreRansom.org | forensics | 200 XP | T1486 — Data Encrypted for Impact | 150s |

| ID | Mission | Type | XP | MITRE Technique | Time |
|---|---|---|---|---|---|
| ir1_m1 | Breach Containment: Execute full PICERL cycle for 40GB data exfiltration incident | forensics | 180 XP | TA0010 — Exfiltration | 180s |
| ir1_m2 | Log Analysis Sprint: Triage 47,000 SIEM alerts to find 3 true positives | detection | 160 XP | T1562.006 — Indicator Blocking | 120s |
| ir1_m3 | Persistence Hunt: Find all attacker persistence (scheduled tasks, registry, WMI) after 16-day dwell | detection | 200 XP | T1053.005 — Scheduled Task | 150s |

| ID | Mission | Type | XP | MITRE Technique | Time |
|---|---|---|---|---|---|
| cloud1_m1 | S3 Bucket Exposure: Assess public S3 bucket, enable Block Public Access + Macie | defense | 150 XP | T1530 — Data from Cloud Storage | 90s |
| cloud1_m2 | IAM Privilege Escalation: Map iam:PassRole attack paths using Pacu + BloodHound equivalent | offensive | 180 XP | T1098 — Account Manipulation | 120s |
| cloud1_m3 | Container Escape: Demonstrate --privileged container escape via cgroup v1 | offensive | 210 XP | T1611 — Escape to Host | 180s |

| ID | Mission | Type | XP | MITRE Technique | Time |
|---|---|---|---|---|---|
| ot1_m1 | PLC Recon: Identify Shodan-exposed Modbus/DNP3 interfaces, implement air-gap | intel | 190 XP | T1046 — Network Service Scanning | 150s |
| ot1_m2 | TRITON Simulation: Detect attack on Safety Instrumented Systems, switch to manual override | forensics | 220 XP | T1489 — Service Stop | 180s |
| ot1_m3 | Supply Chain Compromise: Emergency response to CVE-2024-3400 (PAN-OS CVSS 10.0) exploitation | intel | 200 XP | T1195 — Supply Chain Compromise | 150s |

| ID | Mission | Type | XP | MITRE Technique | Time |
|---|---|---|---|---|---|
| ti1_m1 | IOC Correlation: Ingest 200 ISAC IOCs via STIX/TAXII into MISP, correlate in SIEM | intel | 170 XP | TA0009 — Collection | 120s |
| ti1_m2 | Threat Actor Profiling: Build ATT&CK heatmap for APT41 (BARIUM), update SIEM detection rules | intel | 190 XP | TA0043 — Reconnaissance | 150s |
| ti1_m3 | Dark Web Monitoring: Employee credentials found on dark web — force reset + MFA + audit | intel | 210 XP | T1589.001 — Gather Victim Credentials | 150s |

| ID | Mission | Type | XP | MITRE Technique | Time |
|---|---|---|---|---|---|
| red1_m1 | Initial Access: OSINT + spear phishing + NetNTLM capture in authorised red team engagement | offensive | 200 XP | T1598 — Phishing for Information | 180s |
| red1_m2 | Lateral Movement: Mimikatz → Pass-the-Hash → BloodHound AD path → Domain Controller | offensive | 220 XP | T1550.002 — Pass the Hash | 180s |
| red1_m3 | C2 Evasion: Malleable C2 profile via domain fronting through CDN to evade EDR | offensive | 230 XP | T1071.001 — Web Protocols | 200s |

| ID | Mission | Type | XP | MITRE Technique | Time |
|---|---|---|---|---|---|
| boss1_m1 | APT Unmasking: Full enterprise threat hunt with Velociraptor, map nation-state APT kill chain | forensics | 280 XP | TA0011 — Command & Control | 240s |
| boss1_m2 | Zero-Day Response: Virtual patch CVE-2023-22527 (CVSS 10.0) with IPS rules + source IP restriction | defense | 300 XP | T1190 — Exploit Public-Facing App | 240s |
| boss1_m3 | The Final Confrontation: RansomHub enterprise breach — BC/DR activation, restore from offline backup, FBI/CISA reporting, NIST CSF 2.0 | forensics | 350 XP | T1486 — Data Encrypted for Impact | 300s |

OPERATIVE CLASSES (9 TOTAL)
Each class provides a unique passive bonus and starting tool loadout. Classes:
SOC Analyst (+10 CIA score on detection),
Penetration Tester (+15% XP on offensive),
Digital Forensics (reveal hidden clues),
Security Architect (+20% XP on defense),
Threat Hunter (+25% XP on intel),
Security Engineer (+15% XP on network),
Incident Responder (+30s on all timed missions),
Red Team Operator (2× XP on red missions),
CTI Analyst (unlocks threat actor profiles).
The cutting edge of offensive security. Master real 2024–2025 attack techniques. Unlock at Level 12.
| ID | Mission | Type | XP | MITRE Technique | Skill Req |
|---|---|---|---|---|---|
| ex1 | ROP Chain Basics: Build a return-oriented programming chain to bypass DEP/NX. Real CVE-2025-0282 (Ivanti, CVSS 9.0) class technique. Tools: ROPgadget, pwntools. | EXPLOIT | 220 | T1203 | Skill 12 |
| ex2 | Use-After-Free Browser Escape: Analyse a UAF memory corruption primitive in a Chrome-class engine. CVE-2024-1084 / CVE-2025-0999 pattern. Tools: Ghidra, GDB, pwndbg. | FORENSICS | 240 | T1203 | Skill 14 |
| ex3 | Blind SQL Injection — Time-Based Exfil: Extract an admin password hash using time-based blind SQLi (WAITFOR DELAY). MOVEit CVE-2023-34362 class. Tools: sqlmap --technique=T, Burp Suite. | EXPLOIT | 200 | T1190 | Skill 13 |
| ex4 | Supply Chain Backdoor — XZ Utils: CVE-2024-3094 (CVSS 10.0). Implement SBOM, Sigstore, SHA-pinned deps, reproducible builds to harden the software pipeline against Jia Tan-class attacks. | EXPLOIT | 280 | T1195.002 | Skill 16 |
| ex5 | Living off the Land — LOLBins Hunt: Detect Volt Typhoon-style LOLBin abuse (certutil, mshta, regsvr32). Write Sysmon + Splunk rules. Deploy WDAC application allowlisting. | DETECTION | 220 | T1218 | Skill 14 |
| ex6 | Process Injection — Hollow the Guardian: Detect and respond to Emotet-style process hollowing (T1055.012). Memory forensics with Volatility3, HVCI hardening. Highest-XP mission in the game. | EXPLOIT | 300 | T1055.012 | Skill 18 |

⚗️ EXPLOIT LAB — STUDY TOPICS
Use the LEARN command in the terminal to access deep-dive study notes: LEARN rop · LEARN uaf · LEARN lotl · LEARN supplychain · LEARN processinject · LEARN sql
Business Awareness mode uses a clean, modern card interface. Players progress through 6 themed zones, each containing 2 missions with 3 multiple-choice questions each. Every mission ends with a real-world Take Action step the player can do immediately.
HOW IT WORKS
- Select a zone from the hub grid
- Select a mission from the zone view
- Answer 3 multiple-choice questions
- Each correct answer reveals an explanation
- Final screen shows score + earned XP + Action Step
- Completed missions show ✅ and can be replayed
ZONES AT A GLANCE
- 🔑 Password Valley — Strong passwords & 2FA
- 🎣 Phishing Flats — Email & SMS/phone scams
- 📱 Social Media Swamp — Privacy & fake profiles
- 📡 Network Nook — WiFi & VPN safety
- 📲 Mobile Mountain — Smartphone security
- 🛒 Shopping Square — Online shopping safety
pw_m1 — Password Strength Test (+50 XP)
Strong vs weak passwords, passphrase superiority, NIST password policy (change only on breach), password manager recommendation (Bitwarden). Action: Check HaveIBeenPwned.com for your email address.
pw_m2 — 2-Factor Authentication (+60 XP)
What 2FA is, which accounts to enable first (email > banking), why you must never share a 2FA code with anyone who calls you. Action: Enable 2FA on Google, Apple, or Microsoft account.
ph_m1 — Email Phishing Spotter (+55 XP)
Check sender email address vs display name, Canada Post package fee scam recognition, identifying legitimate vs phishing emails (no urgency, correct URL). Action: Hover over 3 email links this week without clicking.
ph_m2 — Smishing & Vishing (+65 XP)
SMS spoofing (td-banking-secure.com ≠ TD Bank), caller ID spoofing, correct response to government impersonation calls. Action: Register on Canada's National Do Not Call Registry.
sm_m1 — What Can Strangers See? (+50 XP)
Grandchild scam enabled by public social media (posting grandchild's name), friend list privacy settings, vacation post timing risks. Action: Set Facebook friend list to "Only Me".
sm_m2 — Fake Profiles & Scammers (+60 XP)
Spotting fake romance/scam profiles (recently created, exotic job, no video calls), correct response to online money requests, what to do if you realise you've been scammed. Action: Reverse image search a suspicious profile photo.
net_m1 — Home Network Security (+55 XP)
Default router password risks, guest network isolation (smart devices vs computers), safe public WiFi practices (banking on mobile data vs coffee shop WiFi). Action: Change router admin password from default.
net_m2 — VPN & Safe Browsing (+60 XP)
What a VPN does (encrypts connection, doesn't guarantee safety), padlock ≠ trustworthy site (HTTPS means encrypted, not legitimate), browser pop-ups showing phone numbers = always scam. Action: Install uBlock Origin ad blocker.
mob_m1 — Smartphone Security (+50 XP)
Screen lock importance, over-permissioned apps (flashlight app needing contacts/location), Canada Post delivery SMS phishing recognition. Action: Audit app permissions in Settings > Apps.
mob_m2 — App Safety & Updates (+55 XP)
Official app stores only (sideloading risks), why security updates matter (Pegasus spyware exploited unpatched iPhones), fake "virus count" notification scams. Action: Enable automatic app updates in phone settings.
shop_m1 — Safe Online Shopping (+55 XP)
Verifying unfamiliar stores (Google/Trustpilot reviews), credit card vs debit vs wire vs gift card protection, 70% discount = almost certainly counterfeit or non-delivery. Action: Before next purchase from unfamiliar site, search "[store name] reviews scam".
shop_m2 — Spotting Fake Websites (+65 XP)
Real URL identification (paypal.com vs paypa1.com vs paypal-secure.com), HTTPS ≠ trustworthy (scam sites have valid certs), domain age check via WHOIS to catch new scam sites. Action: Check a suspicious website at whois.domaintools.com.
Scam Guard is designed for seniors and their families. Everything uses 20px Verdana, 58px minimum touch targets, and 7:1 contrast ratio (WCAG AAA). All scam scripts are verbatim from documented real-world incidents.
REAL-WORLD FRAUD STATISTICS (2024)
FBI IC3 2024: 147,127 elder fraud complaints · $4.885 billion lost (43% increase YoY). FTC: $2.4B reported (actual losses estimated up to $82B). Canada CAFC: $644M CAD · seniors 60+ = 40% of all dollar losses. Median loss by channel: phone calls = $2,210 · social media = $561M aggregate. Only 4.2% of fraud victims actually report it — real losses estimated at $10–81.5B.
8 SCAM SCENARIOS
Caller claims to be from "Microsoft Security Department." Says your computer has a virus. Creates urgency ("2 hours"). Asks you to download TeamViewer for remote access.
Correct action: Hang up and call Microsoft at 1-800-642-7676.
KEY RULE: Microsoft, Apple, and Google will NEVER call you unsolicited.
Voicemail says "IRS is filing a lawsuit on your name." Demands $2,847 immediately in Google Play gift cards to avoid arrest.
Correct action: Hang up and call IRS at 1-800-829-1040.
KEY RULE: The IRS has NEVER accepted gift cards. Mail comes before calls.
Caller says "Hi Grandma, it's me!" — waits for you to say the name. Claims car accident, needs $3,000 bail. "Don't tell Mom and Dad." AI voice cloning now makes this nearly indistinguishable.
Correct action: Ask the family code word. If refused, hang up and call grandchild's known number.
KEY RULE: Set up a family code word today.
Online relationship, very quick. Always refuses or has excuses for video calls. Claims to be on oil rig/military/abroad. After weeks of trust-building, emergency: needs $4,000.
Correct action: Request an immediate video call — if refused, block all contact.
KEY RULE: Real people who love you will video call. Refusal = scammer.
Caller claims Medicare is sending new cards, needs to "confirm" Medicare number + SSN + DOB. Creates 24-hour urgency ("your coverage may be interrupted").
Correct action: Hang up and call Medicare at 1-800-633-4227.
KEY RULE: Medicare already has your number — they'll never call to ask for it.
Letter says you won $847,500 in the "Canadian National Lottery." Must pay $1,200 "processing fee" within 7 days. May include a fake cheque that bounces in 2–3 weeks.
Correct action: Discard letter, report to Canadian Anti-Fraud Centre at 1-888-495-8501.
KEY RULE: You cannot win a lottery you didn't enter. Fees = always a scam.
Text from "TD Bank" about suspicious $847 charge. Calls the number in the text. "Agent" asks for card number, PIN, and to read back a one-time verification code.
Correct action: Call the number on the back of your physical bank card — never the number in a text.
KEY RULE: Your bank will NEVER ask for your PIN or ask you to read back a one-time code.
Caller from "Canada Revenue Agency." Owes $3,840 in back taxes. Must go to Walmart right now, buy iTunes/Google Play gift cards, and read the numbers back.
Correct action (2 accepted): Hang up and call CRA at 1-800-959-8281 — OR — tell the cashier someone asked you to buy these cards (retailers are trained to stop this).
KEY RULE: Gift card payment demands are ALWAYS scams. Zero exceptions.
10-ITEM SECURITY CHECKLIST
Each item is an expandable accordion card. Completing an item marks it done and awards points.
- 📱 2-Step Verification: 120 pts
- 🔄 Keep Devices Updated: 80 pts
- ☁️ Back Up Photos & Files: 90 pts
- 📡 Secure Home Router: 70 pts
- 🎣 Spot Phishing Emails: 110 pts
- 🔒 Check Privacy Settings: 80 pts
- 🔐 Lock Phone & Computer: 60 pts
- 🛡️ Browse Safely Online: 70 pts
- 🗣️ Set Up Family Code Word: 150 pts
EMERGENCY HOTLINES (RESOURCES TAB)
USA HOTLINES
- National Elder Fraud: 1-833-372-8311
- AARP Fraud Helpline: 1-877-908-3360
- FTC: 1-877-382-4357 | ReportFraud.ftc.gov
- IRS: 1-800-829-1040
- SSA OIG: 1-800-269-0271
- Medicare: 1-800-633-4227
- FBI IC3: ic3.gov
CANADA HOTLINES
- Anti-Fraud Centre: 1-888-495-8501
- CRA (verify): 1-800-959-8281
- FCAC: 1-866-461-3222
- Local Police Non-Emergency
- cafc.ca — Canadian fraud reporting
/* localStorage KEYS */
ct_pro_v31 → JSON.stringify({
  name: "Operative",
  classId: "analyst",
  level: 1,
  xp: 0,
  completedMissions: [], // up to 35 mission IDs
  completedZones: [], // up to 11 zone IDs
  unlockedTools: ["wireshark","nmap"],
  achievements: [],
  perfectRuns: 0,
  noHintMissions: 0,
  currentZone: null
})
ct_elder_v31 → JSON.stringify({
  completedScams: [], // up to 8 scam IDs
  checklistDone: [], // up to 10 checklist item IDs
  quizScores: [], // history of quiz scores
  totalPoints: 0
})
ct_aware_v31 → JSON.stringify({
  completedMissions: [], // up to 12 mission IDs
  completedZones: [], // up to 6 zone IDs
  totalXP: 0
})
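localStorage is writable by whoever controls the browser, so a save has to be validated on load, not only checked for JSON syntax. The following is an added example (not the game's own save code) that rebuilds a ct_pro_v31 state field by field and falls back to defaults for anything malformed; the allow-lists are a small sample, and the zone IDs, achievement ID format and 24-character name limit are assumptions.

```javascript
// Added example, not the game's own save code. Field names follow the
// ct_pro_v31 layout in this guide; the allow-lists below are a small sample.
const KNOWN = {
  classes: new Set(["analyst"]),
  missions: new Set(["net1_m1", "net1_m2", "net1_m3", "web1_m1"]),
  zones: new Set(["net1", "web1"]), // hypothetical zone IDs
  tools: new Set(["wireshark", "nmap"]),
  xpTable: [0, 100, 220, 370, 550, 770, 1040], // first thresholds of CT.XP_TABLE
};
const ACHIEVEMENT_ID = /^[a-z0-9_]{1,32}$/; // assumed ID format

function defaultProState() {
  return {
    name: "Operative", classId: "analyst", level: 1, xp: 0,
    completedMissions: [], completedZones: [],
    unlockedTools: ["wireshark", "nmap"], achievements: [],
    perfectRuns: 0, noHintMissions: 0, currentZone: null,
  };
}

// Keep only unique string IDs that pass the check.
const idList = (value, ok) =>
  Array.isArray(value) ? [...new Set(value.filter((v) => typeof v === "string" && ok(v)))] : [];

const counter = (value) => (Number.isSafeInteger(value) && value >= 0 ? value : 0);

function loadProSave(raw, known = KNOWN) {
  let saved;
  try {
    saved = JSON.parse(raw);
  } catch {
    return defaultProState(); // corrupt save: silent fallback, as the guide describes
  }
  if (saved === null || typeof saved !== "object" || Array.isArray(saved)) return defaultProState();

  const state = defaultProState();
  // Copy field by field; unknown keys (including "__proto__") are never carried over.
  if (typeof saved.name === "string" && saved.name.trim()) state.name = saved.name.trim().slice(0, 24);
  if (known.classes.has(saved.classId)) state.classId = saved.classId;
  state.xp = counter(saved.xp);
  // Derive the level from XP instead of trusting the stored number.
  state.level = known.xpTable.filter((threshold) => threshold <= state.xp).length;
  state.completedMissions = idList(saved.completedMissions, (v) => known.missions.has(v));
  state.completedZones = idList(saved.completedZones, (v) => known.zones.has(v));
  const tools = idList(saved.unlockedTools, (v) => known.tools.has(v));
  if (tools.length) state.unlockedTools = tools;
  state.achievements = idList(saved.achievements, (v) => ACHIEVEMENT_ID.test(v)).slice(0, 18);
  state.perfectRuns = counter(saved.perfectRuns);
  state.noHintMissions = counter(saved.noHintMissions);
  if (known.zones.has(saved.currentZone)) state.currentZone = saved.currentZone;
  return state;
}

// Constructed sample of an edited save (valid JSON, invalid contents).
const TAMPERED = JSON.stringify({
  name: "  Neo  ", classId: "root", level: 30, xp: 250,
  completedMissions: ["net1_m1", "net1_m1", "boss_all", 42],
  unlockedTools: "all", perfectRuns: -5, isAdmin: true,
});
```

In the browser the call would be `loadProSave(localStorage.getItem("ct_pro_v31"))`; the player name still has to be written to the page with textContent, since a string check does not make it safe as HTML.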
/* XP & LEVELLING (Pro mode) */
xpForLevel(n) = CT.XP_TABLE[n]
// Table: [0, 100, 220, 370, 550, 770, 1040 ... up to Level 30]
Level up when: state.xp >= CT.XP_TABLE[state.level]
Zone unlock: completedZones.length >= tier.reqZones AND level >= zone.reqLevel
/* CVE FEED CACHING */
No local caching in v4.0 VESSEL — fetches live on each map load.
Fallback: CT.PRO.CVE_FALLBACK (8 static critical CVEs, 2024-2026)
The game ships as a 5-file static bundle deployable to Cloudflare Pages in under 60 seconds.
DEPLOYMENT FOLDER STRUCTURE
index.html — portfolio + game HTML shells (root)
_headers — Cloudflare security headers (root, no extension)
js/cyber-trail-data.js — game data module
js/cyber-trail-engine.js — game engine
css/cyber-trail.css — all visual styles
game-guide.html — this guide (optional, for reference)
1. Go to Cloudflare Pages → Create application → Pages → Direct upload
2. Upload the folder containing all 5 files, maintaining the js/ and css/ subdirectory structure
3. Cloudflare automatically reads _headers and applies the security headers to all responses
4. Attach custom domain cnxsec.net in Pages → Custom domains
5. Verify at securityheaders.com — you should score A or A+
6. Test the NVD CVE feed by opening Pro mode — if it shows "LIVE THREAT FEED", CSP is correct
SECURITY HEADERS — KEY POINTS
CSP connect-src now includes https://services.nvd.nist.gov (NVD API primary), https://raw.githubusercontent.com (CISA KEV fallback), and https://www.cisa.gov. The previous connect-src: none blocked all live feeds — this is now corrected.
COEP: unsafe-none is intentional — Google Fonts (Orbitron, IBM Plex Mono) do not send CORP headers, so require-corp would break the fonts silently. Upgrade path: self-host fonts → set require-corp.
frame-src: none and X-Frame-Options: DENY prevent the site from being embedded in iframes (anti-clickjacking).
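An offline check for the header points above, as an added example that is not part of the project: it parses a Cloudflare Pages _headers file and reports the connect-src, framing and COEP problems this section describes. The two sample files are constructed and are not the site's actual _headers; the function names are assumptions.

```javascript
// Added example, not the project's _headers file or tooling.
const REQUIRED_CONNECT = [
  "https://services.nvd.nist.gov",
  "https://raw.githubusercontent.com",
  "https://www.cisa.gov",
];

// _headers format: an unindented URL pattern, then indented "Name: value" lines.
function parseHeadersFile(text) {
  const rules = new Map();
  let current = null;
  for (const line of text.split(/\r?\n/)) {
    if (!line.trim() || line.trim().startsWith("#")) continue;
    if (!/^\s/.test(line)) {
      current = new Map();
      rules.set(line.trim(), current);
    } else if (current) {
      const colon = line.indexOf(":");
      if (colon > 0) current.set(line.slice(0, colon).trim().toLowerCase(), line.slice(colon + 1).trim());
    }
  }
  return rules;
}

// CSP value -> Map(directive -> sources). A repeated directive is ignored, as browsers do.
function parseCsp(value = "") {
  const policy = new Map();
  for (const part of value.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name && !policy.has(name.toLowerCase())) policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

function auditHeaders(text, path = "/*") {
  const headers = parseHeadersFile(text).get(path) ?? new Map();
  const findings = [];
  if (!headers.has("content-security-policy")) return ["no Content-Security-Policy header"];
  const csp = parseCsp(headers.get("content-security-policy"));

  const connect = csp.get("connect-src") ?? csp.get("default-src") ?? [];
  if (connect.includes("'none'")) findings.push("connect-src 'none' blocks every live feed request");
  for (const origin of REQUIRED_CONNECT) {
    if (!connect.includes(origin)) findings.push(`connect-src is missing ${origin}`);
  }

  // frame-src limits what this page may embed. Being embedded by other sites is
  // governed by X-Frame-Options or the CSP frame-ancestors directive.
  const xfo = (headers.get("x-frame-options") ?? "").toUpperCase();
  if (xfo !== "DENY" && !(csp.get("frame-ancestors") ?? []).includes("'none'")) {
    findings.push("no anti-framing header (X-Frame-Options: DENY or frame-ancestors 'none')");
  }

  // require-corp breaks cross-origin fonts that are served without CORP headers.
  const remoteFonts = (csp.get("font-src") ?? []).some((s) => s.startsWith("https://"));
  if (headers.get("cross-origin-embedder-policy") === "require-corp" && remoteFonts) {
    findings.push("COEP require-corp set while fonts load from a third-party origin");
  }
  return findings;
}

// Constructed samples: a weak policy of the kind described above and a corrected one.
const WEAK = `/*
  Content-Security-Policy: default-src 'self'; connect-src 'none'; font-src 'self' https://fonts.gstatic.com; frame-src 'none'
  Cross-Origin-Embedder-Policy: require-corp
`;
const FIXED = `/*
  Content-Security-Policy: default-src 'self'; connect-src 'self' https://services.nvd.nist.gov https://raw.githubusercontent.com https://www.cisa.gov; font-src 'self' https://fonts.gstatic.com; frame-src 'none'
  X-Frame-Options: DENY
  Cross-Origin-Embedder-Policy: unsafe-none
`;
```

`auditHeaders(WEAK)` returns six findings and `auditHeaders(FIXED)` returns none, which makes the function usable as a pre-deploy check before the securityheaders.com step.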
ADDING A NEW PRO MISSION
- Open js/cyber-trail-data.js
- Add entry to CT.PRO.MISSIONS
- Required fields: id, zone, name, type, xp, timeLimit, difficulty, story, objective, steps[], tools[], choices[], attackTech, mitreUrl, ciaImpact, lesson
- Add mission ID to the zone's missions: [] array in CT.PRO.ZONES
- No engine changes needed
ADDING A NEW SCAM SCENARIO
- Open js/cyber-trail-data.js
- Add entry to CT.ELDER.SCAMS
- Required fields: id, title, icon, intro, script[], redFlags[], verifyQuestions[], choices[], lesson, reportTo
- Each choice needs: text, outcome, points, correct
- No engine or HTML changes needed
ADDING A NEW AWARENESS MISSION
- Open js/cyber-trail-data.js
- Add entry to CT.AWARE.MISSIONS
- Required fields: id, zone, name, xp, desc, questions[], action
- Each question: q, a[], correct, exp
- Add mission ID to zone's missions: [] in CT.AWARE.ZONES
EDITING PERSONAL INFO (PORTFOLIO)
- Open index.html and search for const CONFIG = {
- Edit: name, handle, role, location, email, github, linkedin
- Hero section text, skills, projects, and roadmap are all in the CONFIG block and the HTML sections above the game scripts
/* MISSION CHOICE SCORING */
choice.correct = true → Full XP awarded + mission marked complete
choice.correct = false → Partial XP (as set in data) + lesson shown, mission NOT marked complete
Timer expires → 0 XP + time expired message (mission NOT marked complete)
/* ZONE UNLOCK CONDITIONS */
zone.reqLevel must be <= state.level
CT.PRO.TIERS[tier-1].reqZones must be <= completedZones.length
/* CIA IMPACT SCALE */
1 = minimal impact
5 = critical/catastrophic impact
Displayed as: C: █████ I: ███░░ A: ████░
/* SUPPORTED BROWSERS */
Chrome 90+, Firefox 88+, Safari 14+, Edge 90+
Requires: localStorage, ES2020 (optional chaining, nullish coalescing), fetch, AbortSignal.timeout