See SOC Compass in action.

Prepare for an expected APT28 intrusion and identify the first foothold activity against TryGovMe.

Hunt for malicious executable launch and any C2 callbacks on a compromised host in TryGovMe.

Track reconnaissance and pre‑lateral movement once APT28 secures a foothold on Dev‑QA‑Server.

Confirm host reconnaissance and establish how the actor attempts persistence before eviction efforts.

Investigate moves to elevate privileges and widen access within TryGovMe as the campaign deepens.

Determine what kept the attackers on Dev‑QA‑Server: evidence of credential access and its impact.

A full campaign scenario where APT28 targets partners for sensitive data; prepare, detect, and respond.

Investigate an alleged breach posted to a leak site and determine scope and impact before time runs out.

Separate noisy autoscaling from real abuse as an actor turns cloud resources into a cryptojacking rig.

Onboard to the simulator by closing true‑positive alerts and learning the flow of a phishing scenario.

An underground group jeopardizes a product launch; uncover persistence and compromise paths.

Dark‑web leaked RDP credentials tie back to two users; investigate exposure and potential misuse.

An exposed upload page enables web‑shell access; follow privilege escalation and data exfiltration chain.

Malvertising masquerades as a printer driver; map the compromise through privilege escalation and lateral movement.

Analyze each phase of an active phishing incident and assemble a clear, defensible incident narrative.