You are the cybersecurity automation lead. The CISO wants a SOAR playbook that uses an LLM to triage, contain, and document phishing incidents at scale. Phishing is your team's highest-volume incident class: 40 to 60 reports per day.
60 minutes to design. Output: a playbook with named LLM steps, prompt structure, decision points, escalation criteria, and guardrails against hallucination. The director will challenge every automation decision. Your design must justify human-in-the-loop placement.
This scenario tests whether you can build LLM automation that is safe in production. The trap is over-automation: if the LLM can reset passwords and quarantine endpoints unsupervised, hallucinations turn into outages. The other trap is under-automation: every step gated on a human is no better than the manual runbook.
Time-pressured. A live threat actor panel updates every few seconds with new actions you must address.
Step timers count down. Color shifts and pulse cues warn at 25%, 10%, and 5% time remaining. Score decays over time.
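One way to place the human-in-the-loop boundary between the over-automation and under-automation traps described above, shown as an added example that is not part of the original scenario. The action names, JSON fields and 0.8 confidence threshold are assumptions chosen for illustration: low-impact actions run automatically, disruptive ones wait for approval, and any response that is malformed or cites an indicator absent from the reported email goes to an analyst.

```python
import json

# Assumed action tiers and JSON fields; names are hypothetical, not from the brief.
AUTO = {"add_ticket_note", "quarantine_reported_email", "block_sender_domain"}
NEEDS_APPROVAL = {"reset_password", "isolate_endpoint", "disable_account"}
VERDICTS = {"phishing", "benign", "unsure"}

def _analyst(reason):
    # Fail closed: nothing runs, a human triages the report manually.
    return {"route": "analyst", "reason": reason, "auto": [], "approval": []}

def gate(llm_output, evidence, min_conf=0.8):
    """Decide what the SOAR engine may do with one LLM triage response."""
    try:
        out = json.loads(llm_output)
        verdict, conf = str(out["verdict"]), float(out["confidence"])
        actions = [str(a) for a in out["actions"]]
        iocs = [str(i) for i in out["indicators"]]
    except (ValueError, KeyError, TypeError):
        return _analyst("malformed LLM output")
    if verdict not in VERDICTS or not 0.0 <= conf <= 1.0:
        return _analyst("verdict or confidence out of range")
    # Hallucination guard: each cited indicator must occur verbatim in the evidence.
    invented = [i for i in iocs if i.lower() not in evidence.lower()]
    if invented:
        return _analyst(f"indicator not in evidence: {invented[0]}")
    unknown = [a for a in actions if a not in AUTO | NEEDS_APPROVAL]
    if unknown:
        return _analyst(f"action outside allowlist: {unknown[0]}")
    if verdict == "unsure" or conf < min_conf:
        return _analyst("low confidence")
    auto = [a for a in actions if a in AUTO]
    approval = [a for a in actions if a in NEEDS_APPROVAL]
    route = "approval" if approval else "auto"
    return {"route": route, "reason": verdict, "auto": auto, "approval": approval}

# Constructed sample report and model response.
EVIDENCE = "From: it-support@examp1e-login.test\nReset at https://examp1e-login.test/reset"
SAMPLE = json.dumps({"verdict": "phishing", "confidence": 0.93,
                     "actions": ["quarantine_reported_email", "reset_password"],
                     "indicators": ["examp1e-login.test"]})

if __name__ == "__main__":
    print(gate(SAMPLE, EVIDENCE))
```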