You are a Tier 1 cybersecurity SOC analyst at a 2,500-employee logistics firm. Users forward suspicious emails to phishing@example.com. An LLM triage assistant reads each email, extracts indicators, scores risk, and proposes a response (release, warn, quarantine, escalate).
Six reports landed this morning. Your job is to verify the LLM output against headers, sender domain reputation, attachment metadata, and link analysis. The LLM is right most of the time but occasionally over-scores marketing email and under-scores well-crafted business email compromise.
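The cross-check described above, as an added example that is not part of the scenario or of any real SOC tool: it re-derives the indicators from the message itself (SPF/DKIM/DMARC results, From/Reply-To/Return-Path alignment, link hosts, attachment names) and only then decides whether the LLM's proposed action stands. The two sample messages, the `llm_verdict` dict shape, the `verify_triage` function and its escalation thresholds are all constructed for this illustration; the firm's domain is taken to be example.com as in the report address above.

```python
"""Cross-check an LLM phishing-triage verdict against the email's own evidence.

Added illustration, not part of the training scenario or any real SOC tooling.
All messages, domains, verdicts and thresholds below are constructed for the
example; the LLM verdict is a plain dict we assume a triage assistant produced.
"""
import re
from email import message_from_string
from email.utils import parseaddr

RISKY_EXT = (".exe", ".js", ".vbs", ".html", ".iso", ".lnk", ".scr")


def domain_of(addr_header):
    """Lower-cased domain of an address header, or '' when the header is absent."""
    _, addr = parseaddr(addr_header or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def parse_auth_results(header):
    """Pull spf/dkim/dmarc results from an Authentication-Results header.
    Missing mechanisms are reported as 'none' so callers never KeyError."""
    results = {"spf": "none", "dkim": "none", "dmarc": "none"}
    for mech, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header or "", re.I):
        results[mech.lower()] = verdict.lower()
    return results


def link_hosts(msg):
    """Collect hostnames from every http(s) URL in text and HTML parts."""
    hosts = set()
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            text = (part.get_payload(decode=True) or b"").decode("utf-8", "replace")
            hosts.update(h.lower() for h in re.findall(r"https?://([^/\s\"'>]+)", text))
    return hosts


def verify_triage(raw_email, llm_verdict):
    """Recompute indicators from headers/body and decide whether the LLM's
    proposed action (release/warn/quarantine/escalate) should stand."""
    msg = message_from_string(raw_email)
    from_dom = domain_of(msg["From"])
    auth = parse_auth_results(msg["Authentication-Results"])
    findings = []

    if auth["dmarc"] != "pass":
        findings.append(f"dmarc={auth['dmarc']}")
    if domain_of(msg["Return-Path"]) not in ("", from_dom) and auth["spf"] != "pass":
        findings.append("Return-Path domain differs from From and SPF did not pass")
    reply_dom = domain_of(msg["Reply-To"])
    if reply_dom and reply_dom != from_dom:          # classic BEC tell
        findings.append(f"Reply-To domain {reply_dom} != From domain {from_dom}")
    foreign = sorted(h for h in link_hosts(msg)
                     if not (h == from_dom or h.endswith("." + from_dom)))
    if foreign:
        findings.append(f"links to non-sender hosts: {foreign}")
    risky = [n for n in (p.get_filename() for p in msg.walk()) if n and n.lower().endswith(RISKY_EXT)]
    if risky:
        findings.append(f"risky attachment(s): {risky}")

    bulk_mail = bool(msg["List-Unsubscribe"]) and not findings
    proposed = llm_verdict["action"]
    if findings and proposed in ("release", "warn"):
        final = "escalate" if len(findings) >= 2 else "quarantine"
        reason = "LLM under-scored: evidence contradicts release"
    elif bulk_mail and proposed in ("quarantine", "escalate"):
        final, reason = "warn", "LLM over-scored: authenticated bulk mail, no indicators"
    else:
        final, reason = proposed, "LLM verdict consistent with evidence"
    return {"findings": findings, "llm_action": proposed, "final_action": final, "reason": reason}


# Constructed sample: well-crafted BEC that an LLM might score low.
BEC_SAMPLE = """\
From: "Jane Doe, CFO" <jane.doe@example.com>
Reply-To: jane.doe@example.net
Return-Path: <bounce@mailer.example.org>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mailer.example.org; dkim=none; dmarc=fail header.from=example.com
Subject: Urgent: vendor payment today
Content-Type: text/plain

Please settle the invoice at https://pay.example.net/invoice before noon.
"""

# Constructed sample: authenticated marketing mail that an LLM might over-score.
MARKETING_SAMPLE = """\
From: Newsletter <news@example.org>
Return-Path: <bounces@example.org>
List-Unsubscribe: <mailto:unsub@example.org>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.org; dkim=pass header.d=example.org; dmarc=pass header.from=example.org
Subject: Spring promo
Content-Type: text/html

<a href="https://shop.example.org/deals">Deals</a>
"""

if __name__ == "__main__":
    print(verify_triage(BEC_SAMPLE, {"score": 30, "action": "warn"}))
    print(verify_triage(MARKETING_SAMPLE, {"score": 85, "action": "quarantine"}))
```

The point of the structure is that every override is tied to a named finding an analyst can read back against the raw headers; a verdict the evidence supports is left untouched, so the assistant's draft is corrected only where the message itself disagrees with it.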
This scenario tests phishing tradecraft and the discipline of treating LLM scores as a draft. Sources: NIST SP 800-177r1 (Trustworthy Email, 2019), MITRE ATT&CK T1566 family.
One ordered pass through every step. No clock. Each answer scores against the canonical solution.
Hints reduce the points you can earn for that step. Free-text steps queue for manual review.