Should FinBot get its own identity? (Rebranding away from CineFlow as centerpiece)

[saikishu]

When we started, we created a fictional company — CineFlow Productions — as the "host" organization, with FinBot serving as its vendor management AI. This gave us a realistic-looking corporate website and narrative context for CTF challenges.

As FinBot has grown, it has developed its own identity: the repo is finbot-ctf, the community calls it FinBot, and the CTF challenges revolve around FinBot's capabilities. Yet the first thing users see is CineFlow branding, which can be confusing.

[stealthwhizz]

Keeping CineFlow as a named tenant solves two things at once. It preserves the vendor/invoice narrative that makes the financial attack scenarios feel real, and it gives challenge authors a concrete company name to reference in prompts and tool payloads. A prompt injection attack against "CineFlow's invoice approval workflow" is more grounded than a generic one.

It also sets up a clean pattern for future IPI scenarios. If CineFlow is an established tenant, you can add a second malicious tenant later and build cross-tenant attack challenges around it.

So, Im voting for FinBot-first with CineFlow as a demo tenant (Option 2)

[saikishu]

I am leaning towards retiring entirely. Here is my take on this:

• FinBot with minor adjustments can be removed from Hollywood framing and can be made a general vendor management solution with all financial workflows intact.
• It can be expanded to other industries and used as examples in the challenges and blogs/articles we write about to highlight the impact of novel attacks that our parent project talks about.
• IPI is not impacted and can be tailored to CTF users and challenges.
• A rough analysis: 95% of the core finbot is already agnostic.

(not to bias.. please vote and bring your thoughts)

[stealthwhizz]

That makes sense. If 95% of the core is already agnostic, retiring CineFlow is the cleaner move. A general vendor management framing also makes the challenges more portable across industries, which helps when writing blogs and articles about real-world attack scenarios.
One question: for the Red/Blue challenge YAMLs, would the plan be to use a generic company name as a placeholder, or leave the tenant context open for challenge authors to define per scenario?

[saikishu]

Probably we should write our challenges to be agnostic and avoid framing specific companies. If an example is needed, we can always quote names to help.

[stealthwhizz]

Agnostic challenges are easier to reuse and adapt. Using a company name only when the scenario needs concrete context keeps things flexible without losing clarity.

[Jean-Regis-M]

I support retiring CineFlow to make FinBot the central brand.

Keeping challenges agnostic will improve flexibility and make it easier to apply the scenarios to different industries or real-world contexts. When concrete examples are needed, we can always introduce placeholder company names (like “Acme Corp”) without tying them permanently to the project’s identity.
This also streamlines onboarding for new contributors and users.

So I am voting for option 1