You work in a 5,000-person SOC. The EDR raised a Discovery-tactic alert on FIN-WS-031: net.exe, whoami.exe, ipconfig.exe, and nltest.exe ran in sequence within 12 seconds. An LLM summarizer reads the process tree and drafts a one-paragraph verdict.
The raw telemetry shows the user logged in 90 seconds before the discovery activity. The user is a financial analyst with no scripting history. The LLM proposes: 'Likely benign troubleshooting.' You disagree.
This scenario tests Discovery-tactic recognition, the use of LLM summaries as a drafting tool, and the analyst's job to reject summaries that contradict raw evidence. Sources: MITRE ATT&CK TA0007 Discovery, NIST SP 800-61r2 (2012).
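A detection routine for the pattern in this scenario, added here as an example (it is not part of the exercise or its cited sources): it finds bursts of distinct discovery tools per host and user, measures the gap from the preceding logon, and checks whether an LLM-drafted "benign troubleshooting" verdict survives the raw evidence. The telemetry, user name, and thresholds are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Discovery tools named in the FIN-WS-031 alert (MITRE ATT&CK TA0007).
DISCOVERY_TOOLS = {"net.exe", "whoami.exe", "ipconfig.exe", "nltest.exe"}

# Constructed sample telemetry: (ISO timestamp, host, user, event type, image).
EVENTS = [
    ("2024-03-01T09:00:00", "FIN-WS-031", "jdoe", "logon", None),
    ("2024-03-01T09:01:30", "FIN-WS-031", "jdoe", "process", "net.exe"),
    ("2024-03-01T09:01:33", "FIN-WS-031", "jdoe", "process", "whoami.exe"),
    ("2024-03-01T09:01:37", "FIN-WS-031", "jdoe", "process", "ipconfig.exe"),
    ("2024-03-01T09:01:42", "FIN-WS-031", "jdoe", "process", "nltest.exe"),
    ("2024-03-01T09:40:00", "FIN-WS-031", "jdoe", "process", "excel.exe"),
]

def find_discovery_bursts(events, min_distinct=3, window_s=60):
    """Yield one record per (host, user) where >= min_distinct distinct discovery
    tools ran inside window_s seconds, with seconds since the user's last logon."""
    by_key = defaultdict(list)
    for ts, host, user, kind, image in sorted(events, key=lambda e: e[0]):
        by_key[(host, user)].append((datetime.fromisoformat(ts), kind, image))
    for (host, user), evs in by_key.items():
        procs = [(t, img) for t, k, img in evs if k == "process" and img in DISCOVERY_TOOLS]
        for i, (start, _) in enumerate(procs):
            window = [(t, img) for t, img in procs[i:] if (t - start).total_seconds() <= window_s]
            tools = {img for _, img in window}
            if len(tools) >= min_distinct:
                end = window[-1][0]
                logons = [t for t, k, _ in evs if k == "logon" and t <= start]
                gap = (start - max(logons)).total_seconds() if logons else None
                yield {"host": host, "user": user, "tools": tools,
                       "span_s": (end - start).total_seconds(), "since_logon_s": gap}
                break  # report one burst per (host, user)

def triage(burst, user_has_scripting_history):
    """Weigh the raw evidence against a 'benign troubleshooting' draft.
    Returns (verdict, reasons); two or more reasons escalate the alert."""
    reasons = []
    if burst["since_logon_s"] is not None and burst["since_logon_s"] <= 300:
        reasons.append(f"discovery began {burst['since_logon_s']:.0f}s after logon")
    if not user_has_scripting_history:
        reasons.append("user has no history of command-line or scripting use")
    if burst["span_s"] <= 30 and len(burst["tools"]) >= 4:
        reasons.append(f"{len(burst['tools'])} distinct discovery tools in {burst['span_s']:.0f}s")
    verdict = "escalate" if len(reasons) >= 2 else "monitor"
    return verdict, reasons
```

Run against the constructed events, the burst spans 12 s, starts 90 s after logon, and the analyst verdict comes back as "escalate" with three reasons, contradicting the summarizer's draft.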
One ordered pass through every step. No clock. Each answer scores against the canonical solution.
Hints reduce the points you can earn for that step. Free-text steps queue for manual review.