Scenario catalog
Every lab scenario pairs generated telemetry with a known correct answer — the ground truth used for auto-grading. This is the living list of what you can assign today, and where it's headed.
Scenarios are published into your environment when you seed the catalog from the instructor view. If a scenario below isn't showing in Training → Labs, seed the catalog first — see Running a cohort.
How a scenario works
Each scenario is a self-contained lab. Starting it generates real telemetry in the student's private sandbox; a detection rule fires an incident; the student investigates and submits a disposition. Because every scenario ships with a known correct answer, the platform can grade the disposition automatically — 70 points for matching ground truth, 30 for a specific rationale. The student also sees the AI analyst's independent verdict alongside their own.
Available scenarios
| Scenario | Difficulty | Technique | Ground truth | Focus / objectives |
|---|---|---|---|---|
| SSH brute-force | Beginner | MITRE ATT&CK T1110 · Brute Force | True positive | Recognise an automated credential-guessing attack from authentication telemetry — 25 failed root logins from a single source IP (203.0.113.66) inside a 5-minute window, over a detection threshold of 20. Teaches the what / from where / how much / how fast evidence method and how to write an evidence-bearing rationale. |
The catalog is growing
This list is the starting point, not the limit. Additional scenarios are on the roadmap — and importantly, that includes false-positive and benign cases, so students practise not crying wolf. A program that only ever serves true positives teaches students to reflexively confirm; a balanced catalog teaches judgement. Expect harder techniques and ambiguous calls as the catalog matures.
Need a scenario tailored to your curriculum? New scenarios can be authored on request. Reach out with the technique, difficulty, and the ground-truth call you want students to reach, and it can be added to the catalog.
Ready to teach the brute-force lab? Use the facilitation guide for a ready-to-run lesson plan, then Running a cohort to provision your class.