BREACH.MMO v0.4.0 — Consequences, Planning, and Social Engineering

Getting caught used to just play a sound effect. In v0.4.0, getting caught means something. You go to jail. Your teammates can bail you out or organize a jailbreak from the Visitor Center. You can attempt a library escape mini-challenge. And when the sentence panel appears, it tells you exactly which exploit triggered your arrest, which detection rule fired, and what that means in the real world — the CEH module, the Security+ objective, the OPSEC lesson.

The criminal justice loop is live

The backend for arrests, sentencing, and JailScene has existed since v0.2.0. v0.4.0 wires the client side: the scene transition fires on arrest notification, the sentence panel shows educational context, and bail/jailbreak coordination works through WebSocket messaging between teammates. The library escape mini-challenge now validates against the server — it was local-only before, which meant it didn't count.

Matches now have a planning phase

For the first time, matches don't start the moment the lobby fills. There's a 60-second planning phase: attackers pick roles, allocate resources, set initial targets. Defenders configure their first detection rules. Bots handle planning via the Autopilot tier (no LLM calls, no Compute Unit cost) — they pre-assign roles and targets based on team composition and then go active when the timer expires.

Your reputation follows you between matches

BREACH is supposed to feel like an MMO, not a series of isolated sessions. v0.4.0 adds cross-match persistence: every player now has an attacker ELO and a defender ELO that update after each match based on performance — exploits landed, arrests made, arrests survived. Criminal records track arrest count and conviction rate. Faction affinities update based on which side you play. The leaderboard (L key) surfaces the top 20 by both ELO tracks.

Three social engineering exploits (CEH Domain 4-5)

The exploit library expands with the social engineering and privilege escalation curriculum:

• Phishing email simulation (P key) — craft a targeted phishing email at an NPC; if they click, you gain credential access to one service. Educational overlay: spear phishing methodology, CEH Domain 4, Security+ SY0-701 §1.1. Blue team can catch you via email security logs.
• Password spraying (W key) — spray common passwords across discovered accounts; the blue team's password policy determines success rate; rate limiting and lockout are visualized in real time. CEH Domain 3 password attack coverage.
• Privilege escalation chain (V key) — once inside a service, hunt for SUID binaries and sudo misconfigurations in a staged mini-challenge. CEH Domain 5. Getting this wrong increases your arrest risk.

Play at play.multiversestudios.xyz/breach/ — no account required.