Investigation Simulation Assessments

Not a quiz. A single realistic incident unfolds based on your decisions. Triage the alert, investigate the attack chain, contain the compromise, and write your findings — under time pressure.

3 courses · 7 scenarios · 40 minutes per exam · 100 points

How It Works

1. Triage (20 points · 5 minutes)

An alert fires. Classify the severity, identify the ATT&CK technique, select your first investigation step, and decide: investigate, escalate, or close.

2. Investigation (50 points · 25 minutes)

The incident branches based on your decisions. Evidence accumulates on your evidence board. Wrong choices cost points but do not dead-end the exercise: you continue with a reduced score.

3. Response & Reporting (30 points · 10 minutes)

Select containment actions in the correct order. Write a CISO incident summary. Identify recommendations. Classify the severity for the formal report.

Available Assessments

Each attempt draws one of the course's scenarios at random, so a retake can present a different incident. Pass at 70/100. Distinction at 90/100.

Practical Incident Response (IR · Investigation & Response) · Advanced · 3 scenarios
Windows · M365 · AiTM · Ransomware · Insider Threat
Critical: AiTM → BEC → Financial Fraud
Critical: Ransomware — Lateral Movement & Staging
High: Insider Exfiltration — SharePoint & USB
40 minutes · 100 points · Certificate on pass

Entra ID Security (EI · Identity Security) · Advanced · 2 scenarios
Conditional Access · OAuth · Service Principals · Tokens
High: CA Bypass — Legacy Protocol + OAuth App
Critical: Service Principal — Graph API Exfiltration
40 minutes · 100 points · Certificate on pass

Practical Linux IR (LX · Linux Forensics) · Advanced · 2 scenarios
SSH · Privilege Escalation · Containers · Kubernetes
High: SSH Brute Force → Cryptominer on 3 Hosts
Critical: Container Escape — K8s to Host Compromise
40 minutes · 100 points · Certificate on pass

Not Another Multiple-Choice Quiz

Every other platform tests recall. Ridgeline tests judgment.

Typical certification exam

"What Event ID indicates a successful logon?" — tests whether you memorised a number. Disconnected questions. No investigation flow. No evidence. No decisions under pressure.

Ridgeline investigation simulation

A single incident unfolds from alert to report. Your decisions reveal evidence. The evidence board builds as you investigate. You write the CISO summary. The score reflects investigation quality, not memorisation.