Mar 25, 2026
Defend Your CI/CD Pipeline Against Lazarus Group Tradecraft, Now on Immersive One
Last month, we released our Orchid Corp: Mustang Panda exercise to help teams identify Chinese state-sponsored lateral movement using Immersive One’s Dynamic Threat Range capability. Today, we’re expanding that capability by introducing Orchid Emporium, a new e-commerce-focused range built to reflect the internal development environments, systems, and pressures that shape modern retail attacks. This release includes two new simulations, each tailored to a specific SOC specialization (Incident Response and Threat Hunting), enabling teams to validate their skills against specific threats, within their own environments, through exercising.
In e-commerce, the CI/CD pipeline is often the shortest route to customer data. Security teams rely on third-party Node.js packages, private registries, and Jenkins servers to keep digital storefronts operational, but because these systems are so trusted, they are also prime targets, and threat actors like Lazarus Group are already capitalizing on that trust. Rather than relying on obvious malware, they hide inside developer workflows, impersonate legitimate users, and move through the software supply chain without triggering immediate suspicion.
Defending against that kind of intrusion requires more than spotting isolated indicators. Teams must connect early signs of compromise to downstream activity before meaningful damage is done. Orchid Emporium: Lazarus Group simulations force that shift. By practicing against realistic adversary behavior, SOC teams strengthen detection and response skills while benchmarking readiness against the tradecraft seen in major global supply chain compromises.
Validate Defense Against Lazarus Tradecraft
These new Dynamic Threat Range simulations recreate a DPRK-linked breach designed to test how security teams operate under real conditions. It isn’t about following a predefined attack path; it’s about challenging analysts to identify adversarial behavior across your actual security stack, where legitimate developer activity and malicious intent are often indistinguishable.
- Correlate Signals Across Siloed Environments: Modern attacks don’t unfold neatly within one system, yet analysts often investigate them in isolation. Here, they must connect activity across environments that are often monitored in isolation, strengthening their ability to recognize when scattered signals point to a larger compromise. This ensures faster recognition of meaningful risk before it reaches customer-facing systems.
- Detect Memory-Only Evasion: Not every attack leaves footprints. Scenarios help analysts strengthen their ability to detect suspicious behavior that may evade traditional approaches, giving teams a more realistic view of how well their defenses hold up against modern techniques.
- Audit Developer Environment Visibility: Some of the most important gaps sit closest to the developer. The new simulations reveal where visibility weakens across endpoint, application, and cloud layers, helping teams pinpoint where an attacker could move unnoticed and where stronger monitoring is needed before a real breach occurs.
- Benchmark Forensic Reconstruction: Effective response depends on more than speed. Analysts also need to accurately reconstruct events as they unfold. Practicing how to investigate a complex attack under pressure creates a more credible benchmark for readiness, one based on how the team actually performs in a live environment. This ensures they can map a kill chain and stop data destruction before it begins.
Validate Your Technical Readiness
The question isn’t whether your tools alert; it’s whether your team can recognize what matters in time. Supply chain compromises accounted for 35.5% of breaches in 2024, underscoring the importance of readiness as a board-level metric. Protecting the modern enterprise requires a SOC that has practiced against live-fire APT tradecraft and can prove it can respond quickly and effectively.
By integrating the Orchid Emporium range with your own SIEM, you gain a data-driven view of your Incident Response and Threat Hunting teams' ability to defend the CI/CD pipeline and protect your core intellectual property. This transforms your security posture from a set of assumptions into proven, audit-ready resilience.
Get Started
- Immersive One customer? Start leveraging the new Orchid Emporium exercises by navigating to the Exercise tab on the platform.
- Exploring Immersive One? Book a demo to see how you can benchmark your team’s supply chain attack readiness before a threat infiltrates your system.