01 Incident Response
A finance executive receives a convincing phishing email. Their credentials are captured via an adversary-in-the-middle (AiTM) proxy that also relays the MFA challenge and harvests the resulting session cookie. The attacker replays that session token, so MFA is never prompted again, and begins lateral movement toward the domain controller. Your job: detect, contain, document.
Tools: SIEM, EDR, Identity, SOAR
02 Log Analysis
You receive a batch of raw logs: authentication events, web requests, and endpoint telemetry from a 72-hour window. Something happened. Your job is to find it: build a timeline from the noise, identify the initial access vector, and trace the attacker's path through the environment.
Tools: SIEM
03 Threat Lab
A suspicious process drops an unknown binary on a finance workstation. You have the EDR telemetry, a handful of IOCs, and access to the threat intelligence platform. Identify the malware family, map it to a known actor, pivot on the associated infrastructure, and brief the incident team.
Tools: TIP, EDR, SIEM
04 Vulnerability Management
Your quarterly scan just completed and dropped 340 findings across 47 assets. Leadership wants to know: what's on fire, what can wait, and what's your 30-day remediation plan? Prioritize using CVSS, EPSS, and asset criticality, then build the remediation ticket queue.
Tools: Vuln Mgmt, Queue, SOAR
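The prioritisation step in this lab, as an added example and not the lab's own scoring model: each finding gets a 0..100 score from its CVSS base score, its EPSS exploitation probability and the criticality tier of the asset it sits on, the ranked list is bucketed into SLA tiers, and the buckets become a dated ticket queue. The weighting formula, the P1/P2/P3 cut-offs and their SLAs, and the five sample findings (placeholder ids and hostnames, not real CVEs) are all assumptions chosen to show why a low-EPSS critical on a test box should rank below a high-EPSS high on a domain controller.

```python
"""Risk-based prioritisation of vulnerability-scan findings (added example)."""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Finding:
    finding_id: str    # placeholder id; a real scanner export carries the CVE id here
    asset: str         # hostname (hypothetical)
    cvss: float        # CVSS v3.x base score, 0.0 .. 10.0
    epss: float        # EPSS probability of exploitation within 30 days, 0.0 .. 1.0
    criticality: int   # asset criticality tier, 1 (low) .. 4 (crown jewel)

    def __post_init__(self) -> None:
        # Reject out-of-range inputs early: a mis-parsed EPSS column (a percentage
        # instead of a probability) would otherwise silently dominate the ranking.
        if not 0.0 <= self.cvss <= 10.0:
            raise ValueError(f"{self.finding_id}: CVSS out of range: {self.cvss}")
        if not 0.0 <= self.epss <= 1.0:
            raise ValueError(f"{self.finding_id}: EPSS out of range: {self.epss}")
        if self.criticality not in (1, 2, 3, 4):
            raise ValueError(f"{self.finding_id}: criticality tier must be 1..4")


def risk_score(f: Finding) -> float:
    """0..100. EPSS gets a floor of 0.2 so a high-CVSS finding with no exploitation
    signal still outranks trivia; asset criticality scales the whole product so the
    same bug on a crown-jewel host outranks it on a lab box. Weights are assumed."""
    likelihood = 0.2 + 0.8 * f.epss
    return round((f.cvss / 10.0) * likelihood * (f.criticality / 4.0) * 100, 1)


# Assumed SLA tiers: P1 is on fire, P2 fits the 30-day plan, P3 is backlog.
SLA_DAYS = {"P1": 7, "P2": 30, "P3": 90}


def priority(score: float) -> str:
    if score >= 50.0:
        return "P1"
    if score >= 10.0:
        return "P2"
    return "P3"


def build_ticket_queue(findings: list[Finding], start: date) -> list[dict]:
    """Rank findings highest risk first and emit one ticket per finding with a due date."""
    ranked = sorted(findings, key=risk_score, reverse=True)
    queue = []
    for f in ranked:
        score = risk_score(f)
        p = priority(score)
        queue.append({
            "finding": f.finding_id,
            "asset": f.asset,
            "score": score,
            "priority": p,
            "due": (start + timedelta(days=SLA_DAYS[p])).isoformat(),
        })
    return queue


# Constructed sample findings: placeholder ids, hypothetical hosts and scores.
SAMPLE_FINDINGS = [
    Finding("F-1", "fin-db-01",   cvss=9.8, epss=0.92,  criticality=4),
    Finding("F-2", "dev-test-07", cvss=9.8, epss=0.005, criticality=1),
    Finding("F-3", "ad-dc-02",    cvss=7.5, epss=0.90,  criticality=4),
    Finding("F-4", "hr-web-03",   cvss=5.3, epss=0.30,  criticality=2),
    Finding("F-5", "erp-app-01",  cvss=8.1, epss=0.02,  criticality=3),
]

if __name__ == "__main__":
    for t in build_ticket_queue(SAMPLE_FINDINGS, date(2024, 1, 1)):
        print(f"{t['priority']} {t['score']:5.1f} {t['finding']} on {t['asset']} due {t['due']}")
```

Note what the ranking does with the two CVSS 9.8 findings: F-1 (crown-jewel database, EPSS 0.92) tops the queue, while F-2 (the same severity on a test host nobody is exploiting) lands in the backlog. That gap is the argument you make to leadership, and the input validation is what stops a bad scanner export from inverting it.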
05 Networking
Unusual outbound traffic is flagged on the perimeter firewall: high-volume connections to an external IP, off-hours, from an internal host that shouldn't be reaching out. Trace the flow, identify the exfiltration vector, and determine what data left the network.
Tools: NGFW, SIEM, TIP
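The triage behind this lab's alert, as an added example and not the lab's own tooling: constructed firewall flow records are aggregated per internal source and external destination, and each pair is scored against the indicators the scenario names (external destination, off-hours, high volume, a host with no business reason to egress) plus the upload-to-download ratio that distinguishes exfiltration from ordinary browsing. The flow lines, thresholds, business-hours window, the "no expected egress" host list and the use of RFC 1918 ranges as the definition of internal are all assumptions for illustration.

```python
"""Scoring outbound flows for exfiltration indicators (added example)."""
import csv
import io
import ipaddress
from collections import defaultdict
from datetime import datetime, timezone

# Constructed flow export: ts,src,dst,dport,bytes_out,bytes_in. External addresses use
# documentation ranges (203.0.113.0/24, 198.51.100.0/24); nothing here is real traffic.
SAMPLE_FLOWS = """\
ts,src,dst,dport,bytes_out,bytes_in
2024-03-04T02:13:07Z,10.20.5.17,203.0.113.45,443,18000000,12000
2024-03-04T02:41:22Z,10.20.5.17,203.0.113.45,443,22000000,15000
2024-03-04T03:05:09Z,10.20.5.17,203.0.113.45,443,19000000,11000
2024-03-04T12:30:00Z,10.20.7.42,198.51.100.10,443,120000,2400000
2024-03-04T12:35:00Z,10.20.7.42,10.20.1.5,445,5000000,3000000
2024-03-04T02:20:00Z,10.20.7.42,198.51.100.20,443,40000,900000
"""

# Assumed policy inputs.
NO_EGRESS_HOSTS = {"10.20.5.17"}      # e.g. a database server that never talks outbound
BUSINESS_HOURS = range(7, 20)         # 07:00-19:59 UTC counts as working hours
HIGH_VOLUME_BYTES = 50_000_000        # 50 MB out to one destination in the window
UPLOAD_RATIO = 10.0                   # bytes_out / bytes_in above this looks like an upload
MIN_REASONS = 2                       # off-hours alone should not page anyone

# Explicit RFC 1918 list: the stdlib's is_global/is_private would also classify the
# documentation ranges used above as non-global, which is not what we want here.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_external(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def parse_flows(text: str) -> list[dict]:
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "ts": datetime.strptime(r["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "src": r["src"], "dst": r["dst"], "dport": int(r["dport"]),
            "bytes_out": int(r["bytes_out"]), "bytes_in": int(r["bytes_in"]),
        })
    return rows


def score_egress(flows: list[dict]) -> list[dict]:
    """Aggregate per (src, dst) pair with an external dst and attach the indicators that fire."""
    agg = defaultdict(lambda: {"flows": 0, "bytes_out": 0, "bytes_in": 0, "off_hours": 0})
    for f in flows:
        if not is_external(f["dst"]):
            continue                      # internal-to-internal traffic is out of scope here
        a = agg[(f["src"], f["dst"])]
        a["flows"] += 1
        a["bytes_out"] += f["bytes_out"]
        a["bytes_in"] += f["bytes_in"]
        if f["ts"].hour not in BUSINESS_HOURS:
            a["off_hours"] += 1

    results = []
    for (src, dst), a in agg.items():
        reasons = []
        if src in NO_EGRESS_HOSTS:
            reasons.append("unexpected_egress")
        if a["off_hours"] == a["flows"]:
            reasons.append("off_hours")
        if a["bytes_out"] >= HIGH_VOLUME_BYTES:
            reasons.append("high_volume")
        if a["bytes_out"] / max(a["bytes_in"], 1) >= UPLOAD_RATIO:
            reasons.append("upload_heavy")
        results.append({"src": src, "dst": dst, **a, "reasons": reasons})
    return sorted(results, key=lambda r: len(r["reasons"]), reverse=True)


def flagged(flows: list[dict]) -> list[dict]:
    """Pairs with enough independent indicators to be worth an analyst's time."""
    return [r for r in score_egress(flows) if len(r["reasons"]) >= MIN_REASONS]


if __name__ == "__main__":
    for r in flagged(parse_flows(SAMPLE_FLOWS)):
        print(f"{r['src']} -> {r['dst']}: {r['bytes_out']:,} bytes out over "
              f"{r['flows']} flows; {', '.join(r['reasons'])}")
```

Requiring two or more indicators is what keeps the workstation's small night-time connection out of the queue while the database server's 59 MB of off-hours uploads to one address rises to the top. The bytes themselves only tell you how much left; identifying what left still needs the session content or the host's file access telemetry, which is the lab's next step.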
06 Threat Hunting
A proactive hunt across three weeks of endpoint telemetry to uncover persistent threats that slipped past initial detection. No alerts to start from, just data and instinct.