Product Launch · May 6, 2026

Launch Labs

59 Labs launched with Defend the Org on May 6, 2026.

Lab · DE · Hard · +50 XP

Detect Lateral Movement via WMI Remote Execution

Identify lateral movement activity where an attacker uses Windows Management Instrumentation (WMI) to execute commands on remote hosts across the network.…

April 17, 2026
Lab · DE · Medium · +30 XP

Detect Suspicious Service Account Activity

Identify Windows service accounts performing interactive or remote desktop logons, which violates normal service account behavior and may indicate credential…

April 17, 2026
Lab · DE · Easy · +20 XP

Detect Data Exfiltration to External Storage

Identify outbound web traffic to known cloud storage and file-sharing services where the upload volume is anomalously large, suggesting data exfiltration by an…

April 17, 2026
Lab · DE · Easy · +20 XP

Detect Outbound Traffic on Non-Standard Ports

Identify outbound network connections on ports not commonly used by legitimate services. Attackers frequently use non-standard ports like 4444, 8888, or random…

April 17, 2026
Lab · TH · Easy · +20 XP

Anomalous Outbound Connection Hunt

The network operations team reported that a workstation in the engineering department has been generating an unusual amount of outbound HTTPS traffic during…

March 24, 2026
Lab · TH · Easy · +20 XP

Rogue Service Installation Hunt

The endpoint detection team noticed that a workstation in the finance department triggered a low-confidence alert for unusual process activity. Rather than…

March 24, 2026
Lab · TH · Easy · +20 XP

Suspicious Login Pattern Hunt

Your organization's threat intelligence team flagged a credential dump on a dark web forum that may include employee credentials. You have been asked to…

March 24, 2026
Lab · SecOps · Easy · +20 XP

Scheduled Admin Tool Usage During Maintenance Window

An EDR alert fired for "Remote Administration Tool Execution" after detecting PsExec usage on a domain controller. PsExec is a legitimate Microsoft…

March 21, 2026
Lab · SecOps · Easy · +20 XP

EDR Alert for Developer Test Binary

An EDR alert fired for "Unsigned Binary Execution with Network Connection" on a developer workstation. The process build-test-runner.exe was flagged because it…

March 21, 2026
Lab · SecOps · Easy · +20 XP

Multiple Failed Okta Logins Followed by Success

An Okta identity alert fired after detecting 8 failed login attempts against a single user account from multiple IP addresses within a 10-minute window,…

March 21, 2026
Lab · DE · Easy · +20 XP

Detect VPN Login from New Country Without MFA

After confirming that an attacker used stolen VPN credentials to log in from a country the employee had never connected from — without triggering MFA — your…

March 17, 2026
Lab · DE · Easy · +20 XP

Detect DNS Queries to Known Malicious Domains

The threat intelligence team has identified three domains associated with active command-and-control infrastructure and handed them off for detection…

March 13, 2026
Lab · DE · Easy · +20 XP

Detect Suspicious Process Execution

An endpoint detection agent has flagged unusual activity on several workstations. Your task is to write a detection query that identifies the execution of…

March 13, 2026
Lab · DE · Medium · +30 XP

VPN Credential Brute Force with Successful Login

Detect repeated VPN authentication failures from a single source IP followed by a successful login, indicating a potential credential brute force attack.…

March 11, 2026
Lab · DE · Medium · +30 XP

Detect Suspicious S3 Bucket Enumeration and Data Access

A compromised IAM role session is being used to enumerate S3 buckets and bulk-download sensitive objects. Identify the anomalous principal performing…

March 6, 2026
Lab · SecOps · Expert · +100 XP

Anomalous Service Account Activity

CloudTrail monitoring detected the svc-backup-prod service account accessing a large number of S3 buckets in a short time window, including buckets outside its…

March 6, 2026
Lab · SecOps · Hard · +50 XP

Potential Data Exfiltration via DNS

The network monitoring system detected an unusually high volume of DNS queries to a suspicious top-level domain from a single internal host. DNS tunneling is a…

March 6, 2026
Lab · SecOps · Medium · +30 XP

Encoded PowerShell Execution Detected

The EDR platform flagged a PowerShell process executing with the -EncodedCommand parameter on a corporate workstation. Encoded PowerShell is commonly used by…

March 6, 2026
Lab · SecOps · Easy · +20 XP

Suspicious VPN Login from Unusual Location

The VPN gateway generated an alert after detecting multiple failed authentication attempts followed by a successful login from an IP address geolocated to…

March 6, 2026
Lab · DE · Hard · +50 XP

Build a Phishing Email Detection Rule

Create a comprehensive detection rule for identifying phishing emails using email gateway logs. You must consider sender authentication failures, suspicious…

March 6, 2026
Lab · DE · Easy · +20 XP

Detect Brute Force Login Attempts

Identify accounts experiencing multiple failed login attempts from the same source IP, which may indicate a brute force attack against the Okta authentication…

March 6, 2026
Lab · DE · Hard · +50 XP

Detect C2 Beaconing via DNS and Network Correlation

Identify command-and-control beaconing patterns by correlating DNS query logs with firewall connection logs. Detect periodic communications to suspicious…

March 6, 2026
Lab · DE · Medium · +30 XP

Detect Encoded PowerShell Execution

Identify PowerShell processes launched with encoded commands, execution policy bypasses, or download cradle patterns that are commonly used by attackers to…

March 6, 2026
Lab · DE · Medium · +30 XP

Detect Living-off-the-Land Binary Usage

Identify suspicious use of Windows built-in binaries (LOLBins) that attackers commonly abuse for execution, such as certutil, mshta, rundll32 with unusual…

March 6, 2026
Lab · DE · Expert · +100 XP

Hunt Multi-Stage Intrusion Campaign

Investigate a suspected multi-stage intrusion across endpoint, DNS, and web proxy logs. Identify the attack kill chain from initial access through data…

March 6, 2026
Lab · SecOps · Hard · +50 XP

Anomalous Application Access from Marketing User

Okta logs show a marketing manager accessing sensitive applications — the HR portal, finance dashboard, and code repository admin panel — that they have never…

Lab · MITRE · Expert · +100 XP

APT Campaign: Operation Silent Horizon

A nation-state APT conducted a multi-phase intrusion against a defense contractor. Reconstruct the complete attack chain with exact MITRE ATT&CK mappings.…

Lab · MITRE · Easy · +20 XP

Broken Lock

A brute-force credential attack against a corporate VPN leads to persistent access via a scheduled reverse shell.

Lab · MITRE · Medium · +30 XP

Compromised Web Server

An internet-facing web application was exploited to gain a foothold. Identify the tactics and specific techniques used.

Lab · IR · Easy · +50 XP

Contain the Meridian Financial Breach

You are the incident response lead at Meridian Financial Services. A confirmed breach has been detected: an attacker used stolen VPN credentials to access the…

Lab · TH · Easy · +20 XP

Credential Stuffing on Okta SSO

Investigate authentication logs to find evidence of a credential stuffing attack against corporate Okta SSO. Identify the compromised account and trace the…

Lab · TH · Medium · +30 XP

Hunt for Data Staging via Compromised Service Account

The DLP team flagged an unusual pattern from a service account that normally runs automated backup jobs. Storage monitoring shows a spike in local disk writes…

Lab · TH · Easy · +20 XP

Hunt for Lateral Movement via RDP

After confirming that an attacker used stolen VPN credentials to access the Meridian Financial network, your threat hunting team needs to determine what the…

Lab · TH · Medium · +30 XP

Hunt for Living-off-the-Land Persistence via Scheduled Tasks

Endpoint telemetry shows a developer workstation generating unusual outbound connections to an uncategorized external domain every 4 hours. The regular pattern…

Lab · TH · Medium · +30 XP

Hunt for Suspicious VPN Access and Internal Reconnaissance

HR confirmed that an employee is on approved leave with no business need to access corporate systems, yet their VPN account has been actively connecting from a…

Lab · TH · Expert · +100 XP

Hunt for Unauthorized Cloud Resource Abuse

An unstructured hunt triggered by a massive cloud cost anomaly. Finance flagged a 340% AWS bill increase in a region with no approved workloads.…

Lab · TH · Hard · +50 XP

Hunt: Unauthorized Cloud Access via Stolen Developer Credentials

A developer's credentials were compromised after a session token was inadvertently committed to a public repository. The attacker used these credentials to…

Lab · SecOps · Easy · +20 XP

Internal Network Scan from Unauthorized Host

The perimeter firewall detected a burst of ICMP echo requests and TCP SYN packets from a single internal IP address targeting multiple hosts across a /24…

Lab · MITRE · Medium · +30 XP

Kerberoast in the Helpdesk

A help-desk technician's workstation gets popped via a malicious resume attachment. Three days later, the SOC sees LDAP enumeration, a burst of RC4-encrypted…

Lab · SecOps · Medium · +30 XP

Large Outbound Data Transfer to Uncategorized Domain

The web proxy flagged a series of large outbound POST requests from an internal workstation to an uncategorized cloud domain. The user uploaded over 45 MB of…

Lab · IR · Medium · +100 XP

Lateral Movement via Compromised Service Account

A routine alert about failed authentication attempts from a payment processing service account reveals a much larger problem. An attacker has compromised the…

Lab · MITRE · Easy · +20 XP

Map the Meridian Financial Campaign

Review the full timeline of the Meridian Financial breach — from the initial phishing email that stole Sarah Chen's credentials through the final data…

Lab · MITRE · Easy · +20 XP

Midnight Download

A trusted database administrator abuses legitimate access to bulk-export and exfiltrate sensitive patient records after hours.

Lab · SecOps · Medium · +30 XP

New Local Admin Account Created on Domain Controller

Windows Security logs show a new local administrator account was created on a domain controller, followed by multiple RDP sessions from that account to…

Lab · MITRE · Hard · +50 XP

Operation Crimson Veil

A logistics firm endures a seven-day ransomware operation: macro-laden phishing → encoded PowerShell beacon → LSASS credential dump → SMB lateral movement to…

Lab · IR · Easy · +50 XP

Phishing Email Leads to Credential Theft

A suspicious email alert triggers an investigation into a credential harvesting attack targeting a single employee. Walk through the full IR lifecycle from the…

Lab · IR · Easy · +50 XP

Ransomware on a Single Workstation

A help desk ticket reports that an employee cannot access their files. Investigation reveals ransomware has encrypted a single workstation. Walk through…

Lab · MITRE · Hard · +50 XP

Supply Chain Compromise via CI/CD Pipeline

A sophisticated attack targeting your organization through a compromised third-party dependency and CI/CD pipeline manipulation. Map each phase of the attack…

Lab · IR · Hard · +200 XP

Supply Chain Compromise via Malicious NPM Package Update

A routine dependency update to a popular internal NPM package introduces a backdoor into your CI/CD pipeline. The compromised package exfiltrates environment…

Lab · SecOps · Easy · +20 XP

Suspicious After-Hours VPN Login

A VPN authentication alert has fired for a senior accountant logging in at 2:14 AM from Bucharest, Romania. The employee is based in Chicago and has never…

Lab · MITRE · Easy · +20 XP

Suspicious Email Attachment

A user reports a suspicious email with a macro-enabled Word document. Identify the high-level attack tactics involved.

Lab · SecOps · Hard · +50 XP

Suspicious Outbound Callbacks After Open-Source Tool Download

The web proxy detected periodic outbound HTTPS connections from a developer workstation to an external domain shortly after the user downloaded an open-source…

Lab · TH · Easy · +20 XP

Suspicious Outbound DNS Tunneling

A network monitoring alert flagged unusually high DNS query volumes from a single workstation. Investigate the DNS logs to determine if data is being…

Lab · MITRE · Easy · +20 XP

The Beacon in the Noise

A compromised workstation maintains persistent C2 communication disguised as normal HTTPS traffic while downloading and executing remote payloads.

Lab · MITRE · Medium · +30 XP

The DocuSign That Wasn't

An A/P clerk consents to a malicious OAuth app posing as DocuSign. The attacker reads the mailbox via Microsoft Graph, plants an inbox rule that hides any…

Lab · MITRE · Easy · +20 XP

The Stolen Badge

A physical social engineering scenario where an attacker uses a lost corporate access badge to gain entry and browse internal systems.

Lab · MITRE · Easy · +20 XP

The Unlocked Cloud

An exposed cloud storage bucket leads to source code theft and production API enumeration.

Lab · SecOps · Medium · +30 XP

Unusual After-Hours Outbound Connections from Internal Server

The perimeter firewall flagged a pattern of outbound connections originating from an internal server during non-business hours. The server is initiating…

Lab · SecOps · Medium · +30 XP

Vendor Invoice Email with Suspicious Link

The email gateway flagged an inbound message to a finance team member containing a link to an external invoice portal. The email claims to be from a known…