FORTRESS is an interactive web-based platform designed to help security professionals understand and implement defense-in-depth strategies using NIST SP 800-53 security controls. The platform provides hands-on learning through simulations, scenario-based training, and practical exercises to build a robust security architecture.
| Module | Focus | Description |
|---|---|---|
| 01 — Control Matrix | Taxonomy | Interactive matrix of 6 control types × 3 implementation functions |
| 02 — Attack Simulation | Practical Testing | Toggle controls on/off and see how defense-in-depth stops real attacks |
| 03 — Scenario Lab | Decision Training | 8 realistic scenarios to test your control selection knowledge |
| 04 — Encyclopedia | Reference | 50+ security controls with descriptions, examples, and tags |
| 05 — Defense Builder | Architecture | Build your defense stack and see real-time coverage scores |
| 06 — Knowledge Quiz | Assessment | 12-question quiz with detailed explanations |
| Control Type | Color | Description | Example |
|---|---|---|---|
| Preventive | 🟦#00d4ff |
Stop threats BEFORE they occur | Firewalls, MFA, Encryption |
| Detective | 🟨#ffb300 |
Identify threats that ARE occurring | SIEM, IDS, UEBA, Log Monitoring |
| Corrective | 🟩#00e676 |
Reduce impact of threats that HAVE occurred | IR Plans, System Reimaging, Account Lockout |
| Deterrent | 🟪#e040fb |
Discourage attackers from ATTEMPTING | Warning Banners, Visible Cameras, Security Signs |
| Recovery | 🟦#1de9b6 |
Restore systems AFTER successful attack | Backups, DR Plans, High Availability |
| Compensating | 🔵#448aff |
Alternative when primary controls can't be implemented | Legacy system isolation, Manual approvals |
- Technical — Implemented through hardware and software
- Administrative — Implemented through policies and human processes
- Physical — Implemented through tangible security measures
- Interactive cells — Click any cell to see all controls in that category
- Control chips — 3 sample controls shown per cell
- Count indicators — Number of controls in each category
- Expandable detail — Full control descriptions with examples
| Scenario | Type | Difficulty | Attack Vector |
|---|---|---|---|
| Email-Delivered Ransomware | Phishing / Ransomware | 🔴 HIGH | Malicious Excel attachment → SMB lateral movement |
| Malicious Employee Data Theft | Insider Threat | 🟡 MEDIUM | Departing admin exfiltrating 50K customer records |
| SQL Injection → Data Breach | Web Application Attack | 🟡 MEDIUM | SQLi dumping user credentials database |
Each scenario shows a 5-step attack progression:
- Initial Recon / Phishing Email / Notice Given
- User Clicks / Data Access / SQLi Exploit
- Malware Dropper / Mass Download / DB Dumped
- Lateral Movement / Cloud Upload / Creds Cracked
- Ransomware Encrypts / Data Exfiltrated / Full Access
- Toggle controls ON/OFF — See which layers stop the attack
- Real-time status — STANDBY → UNDER ATTACK → BLOCKING / BREACHED
- Step-by-step animation — Watch the attack progress through layers
- Detailed results — "ATTACK STOPPED — Email security gateway blocked the phishing email" or "BREACH — 50,000 records exfiltrated"
Each scenario includes 4 defense layers with 8-12 total controls:
- Email & Endpoint Controls — Email gateway, EDR, MFA, Awareness
- Detection & Monitoring — SIEM, EDR behavioral, Network monitoring
- Network Segmentation — Segmentation, Least privilege
- Recovery Controls — Immutable backups, IR Plan
| # | Scenario Title | Control Type Focus |
|---|---|---|
| 01 | Preventing Brute Force | ✅ Preventive |
| 02 | Ransomware Response | ✅ Recovery |
| 03 | Detecting the Insider | ✅ Detective |
| 04 | Legacy System Vulnerability | ✅ Compensating |
| 05 | Post-Breach Notification | ✅ Corrective |
| 06 | Discouraging Opportunists | ✅ Deterrent |
| 07 | Account Compromise Recovery | Multiple (Corrective → Detective → Preventive) |
| 08 | Critical Infrastructure Protection | ✅ Recovery |
- Realistic incident briefs with context and evidence
- Multiple-choice decisions (A/B/C/D)
- Immediate feedback explaining WHY each choice is correct/incorrect
- Score tracking (X/8 correct)
- Scenario status indicators (○ Not started / ✓ Correct / ✗ Incorrect)
SCENARIO 01 — Preventing Brute Force
An attacker is running an automated password spraying attack against your
organization's Office 365 login page, trying common passwords across thousands of accounts.
Which control type DIRECTLY prevents this type of attack from succeeding?
[A] Preventive — implement account lockout policy and MFA
[B] Detective — set up SIEM alerting
[C] Corrective — reset all compromised passwords after the attack
[D] Recovery — restore from backup once accounts are compromised
✓ CORRECT — Preventive controls are the first choice. Account lockout stops
brute force by disabling accounts after failed attempts, while MFA makes the
attack completely ineffective even if the password is guessed.
| Category | Count | Examples |
|---|---|---|
| Preventive | 20 | Firewall, MFA, Encryption, Patch Management, DLP |
| Detective | 10 | SIEM, IDS/IPS, UEBA, Vulnerability Scanner, Honeypot |
| Corrective | 5 | System Reimaging, Account Lockout, Quarantine |
| Deterrent | 4 | Warning Banners, Visible Cameras, Security Signage |
| Recovery | 4 | Backups (3-2-1), Disaster Recovery Plan, High Availability |
| Compensating | 5 | Network Segmentation, Manual Approval, Cyber Insurance |
- Filter by type — Preventive, Detective, Corrective, Deterrent, Recovery, Compensating
- Filter by function — Technical, Administrative, Physical
- Search — By control name or description
- Color-coded types — Each control type has distinct visual theme
- Example column — Real-world implementations
| Column | Content |
|---|---|
| Control Name | Firewall |
| Type | Preventive |
| Function | Technical |
| Description | Filters network traffic based on rules, blocking unauthorized connections. |
| Example | pfSense, Palo Alto, AWS Security Groups |
| Layer | Type | Color | Controls |
|---|---|---|---|
| Perimeter Defense | Preventive | 🟦#00d4ff |
Firewall, IDS/IPS, WAF |
| Identity & Access | Preventive | 🟦#00d4ff |
MFA, PAM, Least Privilege |
| Endpoint Protection | Preventive | 🟨#ffb300 |
EDR, App Whitelisting, Patch Management |
| Detection & Monitoring | Detective | 🟨#ffb300 |
SIEM, UEBA, FIM |
| Data Protection | Preventive | 🟦#00d4ff |
DLP, Encryption (at rest), Encryption (transit) |
| Recovery & Continuity | Recovery | 🟩#1de9b6 |
Backups (3-2-1), DR Plan, IR Plan |
- 18 draggable controls organized by layer
- Score values (+7 to +12 per control)
- Click to place/remove from defense architecture
| Threat Category | Coverage | Controls |
|---|---|---|
| Ransomware | 0-100% | EDR, Backups, MFA, App Whitelisting, SIEM |
| Insider Threat | 0-100% | UEBA, DLP, PAM, Least Privilege, SIEM |
| Credential Theft | 0-100% | MFA, PAM, SIEM, UEBA |
| Data Exfiltration | 0-100% | DLP, Encryption, IDS, SIEM |
| Malware | 0-100% | EDR, App Whitelisting, Firewall, Patch Management |
| Availability Loss | 0-100% | Backups, DR Plan, IR Plan |
- Real-time security score (0-100%)
- Grade indicators — NO CONTROLS → WEAK → MODERATE → STRONG → FORTRESS
- Coverage bars with color alerts:
- 🔴 DANGER (<40%)
- 🟡 WARN (40-69%)
- 🟢 GOOD (70%+)
- Gap analysis — Shows which threat categories need attention
| # | Topic |
|---|---|
| 01 | Detective vs Deterrent — Camera example |
| 02 | Administrative Controls — Policies, procedures, training |
| 03 | Compensating Controls — Legacy systems |
| 04 | Corrective Controls — System reimaging |
| 05 | Deterrent Controls — Warning signage |
| 06 | MFA & CIA Triad — Confidentiality |
| 07 | Separation of Duties — Preventive + Administrative |
| 08 | 3-2-1 Backup Rule — Recovery |
| 09 | IDS vs IPS — Detective vs Preventive |
| 10 | SIEM — Detective control |
| 11 | Security Awareness Training — Preventive + Administrative |
| 12 | Defense in Depth — Layered controls |
- Progress tracking with animated bar
- Score display (X/12)
- Immediate feedback with detailed explanations
- Color-coded results (✅ correct / ❌ incorrect)
- Letter-based selection (A/B/C/D)
- Dark blue background (
#050d1a) — SOC standard - Cyan primary (
#00d4ff) for technical controls - Amber highlights (
#ffb300) for detective controls - Green success (
#00e676) for corrective/recovery controls - Red alerts (
#ff1744) for critical threats - Hexagon logo with glowing effect
- Rajdhani — Bold headers, control types, risk scores
- Inconsolata — Monospace for technical data, timestamps
- Barlow Condensed — Body text, descriptions
- Grid backgrounds with cyan overlay
- Gradient accents for depth
- Color-coded control chips by type
- Progress bars with threat-level coloring
- Attack path visualization with step icons
- Defense layer cards with toggle controls
┌─────────────────────────────────────┐
│ FORTRESS Platform │
├─────────────────────────────────────┤
│ │
│ ┌─────────────────────────────┐ │
│ │ Module 1: Control Matrix │ │
│ │ • 6 types × 3 functions │ │
│ │ • 50+ controls │ │
│ │ • Expandable detail views │ │
│ └─────────────────────────────┘ │
│ │
│ ┌─────────────────────────────┐ │
│ │ Module 2: Attack Sim │ │
│ │ • 3 scenarios │ │
│ │ • 12 defense layers │ │
│ │ • Toggle controls │ │
│ │ • Animated attack path │ │
│ └─────────────────────────────┘ │
│ │
│ ┌─────────────────────────────┐ │
│ │ Module 3: Scenario Lab │ │
│ │ • 8 scenarios │ │
│ │ • 4 choices each │ │
│ │ • Score tracking │ │
│ │ • Detailed feedback │ │
│ └─────────────────────────────┘ │
│ │
│ ┌─────────────────────────────┐ │
│ │ Module 4: Encyclopedia │ │
│ │ • 50+ controls │ │
│ │ • 4 category filters │ │
│ │ • Search function │ │
│ │ • Color coding │ │
│ └─────────────────────────────┘ │
│ │
│ ┌─────────────────────────────┐ │
│ │ Module 5: Defense Builder │ │
│ │ • 6 defense layers │ │
│ │ • 18 controls │ │
│ │ • Real-time scoring │ │
│ │ • Threat coverage │ │
│ │ • Gap analysis │ │
│ └─────────────────────────────┘ │
│ │
│ ┌─────────────────────────────┐ │
│ │ Module 6: Quiz │ │
│ │ • 12 questions │ │
│ │ • Progress bar │ │
│ │ • Detailed explanations │ │
│ └─────────────────────────────┘ │
└─────────────────────────────────────┘
// Module 1: Control Matrix
buildMatrix() // Render interactive control matrix
showMatrixDetail(type, func) // Show controls in selected category
// Module 2: Attack Simulation
loadAtkScenario(idx) // Load attack scenario
renderAtkViz(sc) // Render attack visualization
toggleAtkControl(controlId) // Toggle control ON/OFF
runAtkSim(scId) // Run attack simulation
// Module 3: Scenario Lab
loadScenario(idx) // Load scenario into workspace
selectScOpt(idx, optIdx) // Select answer choice
checkScAnswer(idx) // Validate and provide feedback
updateScScore() // Update score display
// Module 4: Encyclopedia
filterEncy(filter, btn) // Filter controls by type/function
renderEncy() // Render filtered controls
// Module 5: Defense Builder
placeControl(controlId) // Place/remove control from layer
updateBuilderCanvas() // Update all builder displays
resetBuilder() // Reset builder to empty state
// Module 6: Quiz
selQzOpt(qi, oi) // Select quiz answer
checkQz(qi) // Validate and provide feedback| Module | Items | Interactions | Learning Outcomes |
|---|---|---|---|
| Control Matrix | 6 types × 3 functions = 18 cells, 50+ controls | Cell clicks, detail expansion | Understand control taxonomy and classification |
| Attack Simulation | 3 scenarios × 4 layers × 8-12 controls = 30+ control toggles | Toggle controls, run simulation | See defense-in-depth in action |
| Scenario Lab | 8 scenarios × 4 choices = 32 decisions | Decision selection, feedback review | Apply control selection to real cases |
| Encyclopedia | 50+ controls × 4 attributes | Category filtering, search | Comprehensive control reference |
| Defense Builder | 6 layers × 18 controls × 6 threat categories | Control placement, coverage analysis | Architect defense stacks, identify gaps |
| Knowledge Quiz | 12 questions × 4 choices = 48 options | Answer selection, submission | Assess and reinforce knowledge |
| Time | Scene | Action |
|---|---|---|
| 0:00 | Matrix | Click Preventive/Technical cell → Show 20 controls |
| 0:05 | Attack | Load "Email-Delivered Ransomware" scenario |
| 0:10 | Attack | Toggle 3 controls OFF → Run simulation → Show breach |
| 0:15 | Attack | Reset, toggle all ON → Run → Show "ATTACK STOPPED" |
| 0:20 | Scenarios | Load "Preventing Brute Force" → Select correct answer |
| 0:25 | Scenarios | Show feedback with explanation |
| 0:30 | Encyclopedia | Filter by "Recovery" → Show 4 controls |
| 0:35 | Builder | Place controls across 3 layers → Score updates to 65% |
| 0:40 | Builder | Show threat coverage bars (Ransomware 80%, Insider 40%) |
| 0:45 | Builder | Gap analysis shows "Insider Threat coverage below 50%" |
| 0:50 | Quiz | Answer 2 questions → Progress bar updates |
| 0:55 | Close | Return to matrix |
- Load Time: < 2.5 seconds (zero external dependencies)
- Memory Usage: < 50 MB
- CPU Usage: Minimal (event-driven)
- Network: Zero requests after initial load
FORTRESS is a completely safe educational platform:
- ✅ No actual attacks performed
- ✅ All simulations run in browser memory
- ✅ No data collection or tracking
- ✅ No external dependencies
- ✅ Pure HTML/CSS/JavaScript
- ✅ Educational purposes only — learn security controls safely
MIT License — see LICENSE file for details.
- NIST SP 800-53 — Security and Privacy Controls for Information Systems
- ISO/IEC 27001 — Information Security Management
- NIST Cybersecurity Framework — Control categories
- SANS Institute — Security control training methodology
- MITRE ATT&CK — Attack mapping and techniques
- GitHub Issues: Create an issue
- Website: https://willie-conway.github.io/FORTRESS/
- Add more attack scenarios (5+ total)
- Include compliance mapping (PCI-DSS, HIPAA, GDPR)
- Export defense architecture as diagram
- Compare multiple defense strategies
- Risk scoring based on control gaps
- Budget constraints for control selection
- Multi-tenant organization profiles
- Historical score tracking
- Benchmark comparisons
- NIST CSF maturity levels integration
🏰 FORTRESS — Master Security Controls Through Simulation 🏰
Last updated: March 2025