TOP SECRET // OVERWATCH // NOFORN

NDRC LABS

Immersive Cybersecurity Training Infrastructure

A full-scale nation-state simulation built for realistic offensive security training. Infiltrate the Non-Democratic Republic of Carl — a fictional authoritarian government with 10 ministries, 42 isolated networks, and 15 intentionally vulnerable systems — as an operative of the underground Chargeability Liberation Front.

AI-powered scenario orchestration. Dynamic vulnerability toggles. Multi-phase operations with narrative-driven progression. Physical IoT device training. Complete resistance infrastructure. Every vulnerability has a story. Every attack path has political context.

COMING SOON

NDRC Labs is under active development. Infrastructure deployment, scenario authoring, and platform tooling are being built. Watch this space.

DECLASSIFIED BROADCAST // OVERWATCH NETWORK

Teaser Transmission

0 Networks
0 Departments
0 AD Domains
0 Target Systems
0 Operations
0 Characters
0 Laws
0 Ansible Roles
SYSTEM CAPABILITIES

Core Capabilities

[>_]

GameMaster Orchestration

Django-based scenario engine with event triggers, LLM-generated content, and automated vulnerability deployment. Invisible to participants — the fourth wall never breaks.

{0/1}

Dynamic Vulnerability Toggles

Every vulnerability is an Ansible variable. Scenario phases progressively introduce attack surfaces — SQL injection, AD trust abuse, SCADA exploitation, supply chain flaws — on a controlled timeline.

[%%%]

Multi-Phase Operations

5 pre-built operations spanning 4-8 weeks each. Reconnaissance, initial access, lateral movement, and final objectives unfold through narrative-driven phases with real CVE chains.

/IoT\

BEACON Physical Device

ESP32-based "Citizen Compliance Node" with custom firmware, environmental sensors, and MQTT telemetry. Train on supply chain attacks, firmware analysis, secure boot bypass, and OTA exploitation.

#clf

Underground Resistance

Complete CLF infrastructure — IRC server with 5 AI-driven personality bots, WireGuard VPN with automated provisioning, GPG-based recruitment, and PrivateBin dead drops.

<ISP>

StateNet Civilian ISP

Multi-POP ISP simulation with 6 regional points of presence, 9 civilian sectors, and 11 transit networks. Realistic 6-10 hop traceroutes for lateral movement and MiTM training.

ADAPTIVE THREAT ENVIRONMENT

The environment is fundamentally configurable and never remains static or predictable. Vulnerability surfaces shift between scenario phases. Security postures tighten and relax on instructor-controlled timelines.

“The greatest threat to the Republic is not the enemy at our borders, but the enemy within our gates.”
— General Julia Vigilance, Director of Counterintelligence

The NDRC’s counterintelligence apparatus conducts active defence measures through four integrated systems:

BlackWatch — Loyalty profiling & citizen threat assessment
TEMPEST — Communications interception & signals intelligence
SurveilSync — Endpoint monitoring on all government devices
AssetTrack — Infiltration agent management & handler coordination

Poor OPSEC triggers escalating countermeasures. Careless tradecraft has consequences.

NETWORK ARCHITECTURE

Topology

%%{init: {'theme': 'dark', 'flowchart': {'rankSpacing': 50, 'nodeSpacing': 20, 'curve': 'basis'}}}%%
flowchart TD
    GW["OVERWATCH GATEWAY\nPlatform Management\nInvisible to participants"]

    CLF["CLF RESISTANCE\nUnderground Network"]
    BB["NDRC BACKBONE\nInter-Department Routing"]
    SN["STATENET ISP\nCivilian Internet"]

    GW --- CLF
    GW --- BB
    GW --- SN

    BB --- D1["Administration"]
    BB --- D2["Government"]
    BB --- D3["Labour"]
    BB --- D4["Health"]
    BB --- D5["Propaganda"]
    BB --- D6["Technology"]
    BB --- D7["Defence"]
    BB --- D8["SIGINT"]
    BB --- D9["Energy"]
    BB --- D10["Citizen Services"]

    CLF -.->|"infiltration"| D10

    SN --- P1["Capital"]
    SN --- P2["Port"]
    SN --- P3["East"]
    SN --- P4["South"]
    P4 --- P5["West"]
    P4 --- P6["North"]

    style GW fill:#1a1200,stroke:#996a00,color:#ffb000
    style CLF fill:#0d1a00,stroke:#1a991a,color:#33ff33
    style BB fill:#1a1200,stroke:#996a00,color:#ffb000
    style SN fill:#001a2e,stroke:#1a6680,color:#33ccff

    style D1 fill:#1a1200,stroke:#664800,color:#ffb000
    style D2 fill:#1a1200,stroke:#664800,color:#ffb000
    style D3 fill:#1a1200,stroke:#664800,color:#ffb000
    style D4 fill:#1a1200,stroke:#664800,color:#ffb000
    style D5 fill:#1a1200,stroke:#664800,color:#ffb000
    style D6 fill:#1a1200,stroke:#664800,color:#ffb000
    style D7 fill:#1a1200,stroke:#664800,color:#ffb000
    style D8 fill:#1a1200,stroke:#664800,color:#ffb000
    style D9 fill:#1a1200,stroke:#664800,color:#ffb000
    style D10 fill:#1a1200,stroke:#664800,color:#ffb000

    style P1 fill:#001a2e,stroke:#1a4d66,color:#33ccff
    style P2 fill:#001a2e,stroke:#1a4d66,color:#33ccff
    style P3 fill:#001a2e,stroke:#1a4d66,color:#33ccff
    style P4 fill:#001a2e,stroke:#1a4d66,color:#33ccff
    style P5 fill:#001a2e,stroke:#1a4d66,color:#33ccff
    style P6 fill:#001a2e,stroke:#1a4d66,color:#33ccff

    linkStyle default stroke:#664800,stroke-width:1px
          
CLASSIFIED — OPERATIONAL BRIEFINGS

Operations

Five pre-built multi-phase scenarios. Each unfolds over weeks through narrative-driven phases, with progressive vulnerability disclosure and AI-generated content keeping the exercise alive.

Operation Blackout

ADVANCED
8 WEEKS 4 PHASES

The NDRC's energy grid modernization has created a chain of exploitable vulnerabilities stretching from a public-facing healthcare portal into the heart of the national power grid. If the CLF reaches Phase 4, the lights go out on their terms.

Targets: Ministry of Health, Ministry of Energy, ICS/SCADA infrastructure

Operation Looking Glass

EXPERT
6 WEEKS 4 PHASES

A senior SIGINT analyst has discovered that TEMPEST's primary collection targets are domestic — schoolteachers, factory workers, ordinary citizens. The operation is named for the moment when the watchers discover they have been watched.

Targets: Citizen Services, Ministry of Defence, Ministry of SIGINT

Operation Ghostwriter

INTERMEDIATE
8 WEEKS 4 PHASES

Seize control of every NDRC media channel simultaneously and broadcast 24 hours of uncensored truth. The samizdat writers of the last century copied forbidden texts by hand. We broadcast truth to twelve million people at once.

Targets: Ministry of Propaganda, state media infrastructure

Operation Chargebreak

INTERMEDIATE
4 WEEKS 4 PHASES

The chargeability system is the NDRC's invisible prison. Every citizen lives and dies by a number tracked by UtiliTrack and enforced by the Ministry of Labor. The Chargeability Five lost everything to this system. This operation destroys it.

Targets: Ministry of Labour, workforce management systems

Operation BlockCity

BEGINNER+
5 WEEKS 5 PHASES

A government-approved Minecraft server has been deployed as a "morale initiative" for loyal citizens. What the Ministry of Technology failed to notice is that it ships a critically vulnerable library. Includes a blue team remediation phase.

Targets: Citizen Services, adjacent government network

The scenario library continues to grow. New operations targeting additional departments and attack disciplines are added over time.

SYSTEM STATUS — INTELLIGENCE OVERVIEW

Target Systems

A sample of the 27+ systems deployed across NDRC departments. Each system features realistic tech stacks with scenario-controlled security weaknesses.

GridControl
MINISTRY OF ENERGY
ICS / Modbus / SCADA
TEMPEST
MINISTRY OF SIGINT
C++ / PostgreSQL
DefenceNet
MINISTRY OF DEFENCE
Java / Oracle
BlackWatch
MINISTRY OF SECURITY
Custom / MSSQL
CarlCare
MINISTRY OF HEALTH
OpenEMR
UtiliTrack
MINISTRY OF LABOUR
.NET / MSSQL
ArmsTracker
MINISTRY OF DEFENCE
Legacy .NET / SQL Server
Propagandashare
MINISTRY OF PROPAGANDA
WordPress / S3
RedPhone
ADMINISTRATION
Custom VoIP / TLS
HARDWARE DIVISION — DEVICE PROGRAMME

BEACON Device

MINISTRY OF ENERGY — CITIZEN DIRECTIVE 2024-117

All citizens are required to register their BEACON Compliance Node within 72 hours of receipt. The device monitors environmental conditions, displays your Civic Compliance Index score, and provides mandatory government alerts. Failure to maintain an active device may result in compliance review.

— Office of the Supreme Leader, Ministry of Energy Circular

╔════════════════════════════════════╗
║  ┌────────────────────────────┐    ║
║  │     B E A C O N  v2.1.0    │    ║
║  │ ────────────────────────── │    ║
║  │ CCI SCORE: ████████░░ 847  │    ║
║  │                            │    ║
║  │ TEMP     22.4C             │    ║
║  │ HUMIDITY 45%               │    ║
║  │ LIGHT    340 lux           │    ║
║  │ PRESSURE 1013 hPa          │    ║
║  │ ────────────────────────── │    ║
║  │ TOTP 483 291               │    ║
║  │ ▓▓▓▓▓▓▓▓▓▓▓▓▓▓░░░░░░ 18s   │    ║
║  │ ────────────────────────── │    ║
║  │ STATUS: COMPLIANT          │    ║
║  │ ALERT:  None pending       │    ║
║  └────────────────────────────┘    ║
║                                    ║
║  [BTN1] [BTN2] [BTN3]   ◉ [POT]    ║
║                         ◯ LED      ║
╚════════════════════════════════════╝
[ESP]

Hardware

ESP32 DevKit with 2.4" TFT display, BME280 + BH1750 sensors, 3 buttons, rotary potentiometer, RGB LED, and piezo buzzer. MQTT telemetry over TLS to ThingsBoard and GridControl SCADA backend.

{C}

Custom Firmware

6,700 lines of C on FreeRTOS / ESP-IDF. 9 modular components: sensors, display UI with 13 screens, MQTT connectivity, TOTP authenticator, NVS storage, alert system, and input handling.

/!\

Controllable Security

Toggleable protections — secure boot, flash encryption, transport layer security, firmware signing, debug interfaces, and NVS encryption — allow instructors to calibrate from hardened production to wide-open lab.

IDENTITY DIVISION — NATIONAL SMART CARD PROGRAMME

Smart Card Identity Platform

MINISTRY OF ADMINISTRATION — CITIZEN IDENTITY ACT 2022

All government employees shall be issued a CARL-ID smart card within five business days of appointment. The card serves as the sole credential for access to classified systems, digital signature operations, and inter-ministry authentication. Loss or theft must be reported within 30 minutes. Failure to comply constitutes a Category 2 security violation.

— Office of Identity and Civil Registration, Ministry of Administration

Not a simulation. NDRC Labs uses genuine eID technology — the same smart card authentication standards deployed by nation-states for national identity cards. Participants authenticate with real cryptographic credentials on real hardware.

[eID]

Genuine eID Technology

Real Web-EID browser extension with native messaging host, Java Card smart cards (J3H145), and PC/SC reader integration. The same open standard used by nation-states for citizen identity programmes — running live in the lab, not mocked.

{CA}

Full PKI Infrastructure

HSM-backed certificate authority hierarchy — offline root CA, policy CA, and issuing CAs for both Overwatch and NDRC environments. X.509 certificates with SECP256R1 elliptic curve keys. OCSP and CRL endpoints. A government PKI that behaves like a government PKI.

[///]

Physical Card Provisioning

Provision real Java Cards with the included tooling. Flash InfinitEID applets, generate keypairs, issue signed certificates, and set PINs. Each card becomes a working government credential that authenticates against Authentik via OAuth — from smart card to SSO session.

INTERCEPTED — CLF COMMUNICATIONS

Chargeability Liberation Front

"One team, one calendar, no mercy."

The CLF is not a simulation bolted onto the lab — it is a complete underground resistance infrastructure that participants interact with in-character throughout every operation.

#irc

IRC Command Network

InspIRCd server with Anope services. Five AI-driven personality bots — Cipher (paranoid recruiter), Datastream (intelligence analyst), Relay (communications), Sludge (VPN security), and Servo (automation) — provide operational context and in-character interaction.

[VPN]

WireGuard VPN

Automated VPN provisioning via IRC bot commands. GPG-verified member enrollment, burn-after-read config delivery via PrivateBin, and a 155-client IP pool. The tunnel is the first step into the resistance.

{GPG}

Recruitment Pipeline

Cipher bot conducts vetting via GPG-signed challenges. Sponsor vouching system with trust chains. The entire recruitment flow — from first contact to operational access — runs through encrypted channels.

[ID]

Citizen Cover Identities

CLF operatives co-opt the identities of sympathetic NDRC citizens — real people in real government jobs who provide their credentials, access, and cover. Every operation begins behind a legitimate login. The AD accounts are real. The people behind them chose a side.

INFRASTRUCTURE MANIFEST

Platform Architecture

DEPLOYMENT STACK
HYPERVISOR Proxmox VE + SDN
INFRA Terraform (BPG Provider)
CONFIG Ansible (91 roles)
SCENARIOS Django + Celery + Redis
AI / ML Ollama + Open-WebUI + ComfyUI
AUTOMATION N8N Workflow Engine
IDENTITY Active Directory + Authentik + Web-EID
MONITORING Prometheus + Grafana + Loki
IOT ESP-IDF (C / FreeRTOS)
PKI step-ca + ACME
SECRETS SOPS-encrypted Vault
CONTAINERS Docker + Compose
OS RANGE Win Server 2008 R2 → 2022 | Ubuntu, Debian, Rocky, Kali
APPLICATIONS Drupal, Ghost, Grafana, CTFd, Asterisk, InspIRCd, BookStack, PrivateBin, Vaultwarden, ATAK, Minecraft…
DEPLOYMENT PIPELINE
PHASE 1   Terraform creates VMs with cloud-init bootstrap
PHASE 2   Ansible enforces configuration (91 roles, 6 playbook tiers)
PHASE 3   GameMaster deploys scenario (vulnerability toggles, content generation)
PHASE 4   Participants enter via CLF VPN — the exercise begins
INTELLIGENCE DOSSIER — WORLD DEPTH

A Nation, Not a Lab

NDRC Labs is built on the premise that context makes training stick. Every vulnerability exists because a fictional bureaucrat made a real decision. Every attack path has political consequences. The lore isn't flavour — it's the operating environment.

[ID]

400+ Named Characters

127 government officials with clearances, roles, and email addresses across 10 ministries. 300 citizen profiles with employment histories, compliance scores, and family connections. 154 AI-generated portraits. Every AD account belongs to someone with a story.

{§}

30 Legislative Acts

A complete legal framework spanning security, data protection, labour, healthcare, energy, and information integrity. The laws define what's legal in the NDRC — and therefore what the CLF is breaking. Attack justification comes from the statute book.

[>>]

Living Narrative

News articles from state media. Propaganda posters on government websites. Intercepted CLF communications. Internal memos between ministries. 400+ lore documents that cross-reference each other, creating a world where every thread connects.

WORLD INVENTORY
LORE FILES 400+
PORTRAITS 154 AI-Generated
OFFICIALS 127 Named Personnel
CITIZENS 300 Profiled Civilians
PETS 73 Registered Animals
LEGISLATION 30 Acts & Directives

Ready to Infiltrate?

NDRC Labs is infrastructure-as-code. Deploy the entire nation-state on your own Proxmox cluster. Every network, every domain, every vulnerability — from terraform apply to operational exercise.

$ terraform apply

OVERWATCH STRATEGIC DEFENSE MAINFRAME — CLASSIFICATION: TOP SECRET

NDRC LABS / EST. 2024 / BUILT WITH PROXMOX + TERRAFORM + ANSIBLE

LAST UPDATED: 2026-04-10