Sign In

Can You Investigate an Incident You Haven't Seen Before?

That's the test that matters. Not whether you can follow a walkthrough — whether you can scope, investigate, and contain when you don't know the answer yet. These scenarios give you an incident brief, sample data, and investigation questions. You work through it independently. Then you check your reasoning against a detailed solution walkthrough.

7
Challenges
3
Course tracks
2–4 hrs
Each challenge
M365 Security Operations

M365 Investigation Scenarios

After these challenges, you've investigated a consent phishing campaign across four users, conducted a covert insider threat investigation without tipping off the subject, and traced a BEC attack from initial sign-in to mailbox forwarding rule. These are the incidents you'll see at work — now you've already worked them.

Intermediate
2–3 hrs
The Midnight OAuth
Consent phishing · OAuth abuse · Token analysis
M365 Sec Ops · Modules 6, 9, 10, 15
  • Four users consented at 02:00
  • Scope the campaign, assess exposure, contain
  • Full solution walkthrough included
Open Challenge →
Intermediate
3–4 hrs
The Departing Engineer
Insider threat · UEBA · Covert investigation
M365 Sec Ops · Modules 2, 6, 11, 16
  • Senior engineer resigned to a competitor
  • Investigate without alerting subject
  • Full solution walkthrough included
Open Challenge →
Intermediate
2 hrs
The Forwarding Rule
BEC · Mailbox audit · Sign-in correlation
M365 Sec Ops · Modules 1, 6, 9, 13
  • CFO mailbox: inbox forwarding from unusual IP
  • Prove BEC or legitimate travel with evidence
  • Full solution walkthrough included
Open Challenge →
SOC Operations

SOC Investigation Scenarios

After these challenges, you've traced an AiTM token replay across multiple accounts under time pressure, and contained a ransomware event before encryption completed. The scenarios where your SOC playbooks either work or they don't — tested here instead of at 2AM on a Tuesday.

Intermediate
2–3 hrs
The Credential Harvest
AiTM · Token replay · Multi-account compromise
SOC Ops · Modules 3, 4, 7, 8
  • User reports unexpected MFA prompts
  • Trace token replay, inbox forwarding, 2nd account
  • Full solution walkthrough included
Open Challenge →
Advanced
2–3 hrs
The Ransomware Race
VSS deletion · Time pressure · Containment
SOC Ops · Modules 5, 7, 9
  • DET-SOC-019 at 02:14 — VSS deletion on 3 servers
  • Minutes before encryption begins
  • Full solution walkthrough included
Open Challenge →
Claude for Security Professionals

AI-Assisted Investigation Scenarios

After these challenges, you've used AI to trace a BEC campaign and produce a court-defensible IR report in hours instead of days, and built three detection rules from a post-incident review that closes the gaps the attacker exploited. AI as an accelerator for work you already know how to do — tested against scenarios where bad AI judgment would make things worse.

Intermediate
2–3 hrs
The Vendor Invoice
BEC · AI-assisted analysis · IR reporting
Claude for Security · Modules C4, C6, C7
  • Finance team reports suspicious payment request
  • Trace BEC, scope account compromise, IR report
  • Full solution walkthrough included
Open Challenge →
Advanced
2–3 hrs
The Detection Gap
PIR analysis · Detection rule authoring · Action plan
Claude for Security · Modules C5, C6, C8
  • Adversary operated 8 days before detection
  • Build 3 detection rules + PIR action plan
  • Full solution walkthrough included
Open Challenge →

The next incident won't come with a walkthrough.

These challenges build the muscle memory so that when the real alert fires, you've already worked something similar. Start with the course to learn the methodology, then prove you own it here.

Browse Courses Labs & Practice