Walk through a full SOC analyst workflow — triage alerts, analyze evidence, reconstruct timelines, and make containment decisions.
Feb 24, 2026, Eric
Select an investigation scenario to begin.
Each scenario simulates a real-world security incident across 5 phases.
A user reported a suspicious email. SIEM correlated a credential-based login from an unusual location shortly after. Investigate whether credentials were compromised.
An attacker gained initial access through a compromised service account and is moving laterally through the network using stolen credentials and RDP sessions.
A departing employee is suspected of exfiltrating sensitive data via cloud storage and USB before their last day. Investigate the scope and confirm the insider threat.
Multiple servers are exhibiting file encryption activity. A ransomware binary was deployed via compromised group policy. Investigate the attack chain and determine the blast radius.
A sophisticated threat actor has established persistent access through a supply chain compromise. Unusual DNS patterns, scheduled tasks, and encrypted C2 channels have been detected over several weeks. Investigate the full scope of the intrusion.