⛨ PS_CAFE_THREAT_SIMULATOR
Interactive educational dashboard — see how common attacks work. Understanding the attack is the first move in defense.
🔒 Sandboxed demo — nothing here connects to any real system. All inputs stay in your browser.
01BRUTE FORCE / CREDENTIAL STUFFINGpasswords
🔐 P.S. Cafe — Staff Portal
// wordlist + breached-password lists loaded. Press INITIATE.
Defense: length beats complexity, and a unique passphrase never appears on breached-password lists. MFA blocks the login even when the password is correct.
02SQL INJECTION VISUALIZERapp security
🍽️ Reservation Admin — Login
Defense: built properly, the app uses parameterised queries so input is treated as data, never code. This is the 98% you own — secure-by-design booking & POS systems, not the tool itself.
03PHISHING CLONE + DOMAIN ANALYSISsocial engineering
P.S. Cafe 365
Sign in to continue to your mailbox
ATTACK_ANALYSIS // read the URL right-to-left
https:// pscafe-staff.m365-mailcheck.net /login
▸ .net — top-level domain
▸ m365-mailcheck — the real owner. This is NOT Microsoft or P.S. Cafe.
▸ pscafe-staff. — just a subdomain the attacker chose to look trustworthy.
▸ m365-mailcheck — the real owner. This is NOT Microsoft or P.S. Cafe.
▸ pscafe-staff. — just a subdomain the attacker chose to look trustworthy.
Anything left of the real domain is bait. Brand names in the subdomain mean nothing.
Defense: this is the same skill from the inbox trainer. Type the address yourself, or check it on urlscan.io / virustotal.com. A real Microsoft login is always on login.microsoftonline.com.
