Range Scenario · crucible · 30 min
AI-Augmented SOC Triage: Twelve Morning Alerts
This cybersecurity training scenario simulates a working incident. Your shift opens with twelve overnight cybersecurity alerts and an LLM copilot. The copilot writes summaries, drafts priorities, and proposes next steps. Verify every output. Catch the hallucinations before they reach your queue manager.
Scenario briefing
You are a Tier 1 cybersecurity SOC analyst. Your team rolled out an LLM-based copilot last quarter. The copilot reads alert payloads, drafts a one-paragraph summary, and recommends a priority. Your job is to verify the copilot output before it lands in the queue manager's view.
Twelve alerts hit overnight. The copilot has already drafted summaries for all of them. You have 30 minutes to triage. The trap: the copilot occasionally invents indicators (hallucinated hostnames, fabricated MITRE technique IDs), and it tends to over-prioritize benign automation.
This scenario tests prompt construction, output verification, and the discipline of treating LLM output as a draft, not a verdict.
What you will practice
- Construct an alert-summarization prompt that names the copilot's job
- Verify LLM output against raw evidence before acting
- Recognize hallucinated indicators and fabricated technique IDs
- Prioritize alerts using LLM assistance without abdicating judgment
How this scenario is scored
The scenario has 6 ordered steps. Most steps are exact-match (a MITRE ATT&CK technique ID, a tool name, or a yes/no decision) or multiple choice. Free-text steps queue for manual review and do not affect the auto-final-score in the MVP.
Each step has a max score of 100 points. Hints deduct points up front, listed before you reveal them. Your final score is the sum across steps. Range Elo updates on completion based on scenario difficulty (Beginner) and your final score percentage.
Frequently asked questions
How is using an LLM copilot different from using SOAR automation?
SOAR runs deterministic rules: if alert matches signature X, do action Y. An LLM copilot reads natural-language context and drafts narrative summaries. SOAR fails predictably. LLMs fail unpredictably with confident-sounding hallucinations, so verification discipline is the analyst's primary skill.
What does a good alert-summarization prompt look like?
A good prompt names the role, the input format, the output format, the constraints, and the failure mode. Example: 'You are summarizing one EDR alert. Use only fields present in the JSON. If a field is missing, write UNKNOWN. Do not infer technique IDs. Output: severity, summary, suggested next step.'
What are the most common LLM hallucinations in SOC work?
Fabricated hostnames or IPs that look plausible but were not in the input, invented MITRE technique IDs (often with plausible but wrong sub-technique digits), and confident attributions to threat actors based on weak signals. Counter by demanding source citations and refusing summaries that introduce facts not present in the raw alert.
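A grounding check of the kind this answer calls for, as an added example that is not part of the original scenario: it extracts every IP, hostname and technique ID the copilot draft cites and rejects the draft if any of them is absent from the raw alert. The alert payload, the draft text and the hostname heuristic are constructed for illustration.

```python
import re

# Constructed sample EDR alert; every host, IP and ID here is made up for this example.
RAW_ALERT = {
    "host": "ws-finance-07",
    "user": "j.doe",
    "process": "powershell.exe",
    "src_ip": "10.20.30.41",
    "dst_ip": "203.0.113.9",
    "technique_id": "T1059.001",
}

# Constructed copilot draft that smuggles in one IP, one host and one technique ID
# that appear nowhere in the alert above.
COPILOT_DRAFT = (
    "PowerShell launched by j.doe on ws-finance-07 beaconed to 203.0.113.9 and "
    "198.51.100.5, then pivoted to dc-01; maps to T1059.001 and T1566.004."
)

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
TECH_RE = re.compile(r"\bT\d{4}(?:\.\d{3})?\b")
# Heuristic (assumption): dashed names such as dc-01 are treated as hostnames.
HOST_RE = re.compile(r"\b[a-z][a-z0-9]*(?:-[a-z0-9]+)+\b", re.I)


def _flatten(value):
    """Yield every scalar in a nested alert payload as a lowercase string."""
    if isinstance(value, dict):
        for v in value.values():
            yield from _flatten(v)
    elif isinstance(value, list):
        for v in value:
            yield from _flatten(v)
    else:
        yield str(value).lower()


def find_unsupported(raw_alert, draft):
    """Return indicators the draft cites that appear nowhere in the raw alert."""
    evidence = set(_flatten(raw_alert))
    checks = {"ips": IPV4_RE, "technique_ids": TECH_RE, "hosts": HOST_RE}
    return {
        kind: sorted({m for m in rx.findall(draft) if m.lower() not in evidence})
        for kind, rx in checks.items()
    }


def verify_draft(raw_alert, draft):
    """Accept the draft only if every indicator it names is grounded in the alert."""
    unsupported = find_unsupported(raw_alert, draft)
    return all(not v for v in unsupported.values()), unsupported


if __name__ == "__main__":
    accepted, gaps = verify_draft(RAW_ALERT, COPILOT_DRAFT)
    print("accept" if accepted else f"reject, unsupported indicators: {gaps}")
```

A rejected draft goes back to the analyst with the unsupported indicators listed, so the summary that reaches the queue manager never carries facts the raw alert does not contain.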