You are a senior cybersecurity threat hunter at Example Corp (4,500 employees). Your team deployed an AI graph model that ingests authentication logs, EDR process telemetry, and Microsoft Entra sign-ins. It builds a directed graph of user-to-host-to-host transitions and flags paths that break baseline.
This morning the model flagged a 7-hop path: marketing user MKT-22 to a marketing workstation, then to a finance file server, to a finance jump box, to an admin tier-1 system, to the Active Directory PowerShell admin host, to a domain controller, in 4 hours. The model assigned confidence 0.81.
This scenario tests reading attack graphs, validating each hop against raw evidence, and avoiding the trap of trusting a graph algorithm when the data feeding it is incomplete. Sources: MITRE ATT&CK T1021 Remote Services, BloodHound graph theory papers (Robbins et al. 2018).
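As an added example that is not part of the scenario materials, the hop-by-hop validation the scenario asks for, in Python: the host names, timestamps and logon records are constructed, and the flagged path is the scenario's host-to-host sequence rendered with those hypothetical names. A hop is confirmed only when a raw logon record for the same account connects that exact source to that destination later than the previous confirmed hop; any hop the model drew without such a record is reported as unsupported, which is the gap to chase before trusting the 0.81 confidence.

```python
from collections import defaultdict

# Constructed sample of the raw evidence fed to the graph model: one record per
# successful remote logon (account, source host -> destination host, time HH:MM).
RAW_LOGONS = [
    {"ts": "08:02", "user": "MKT-22", "src": "MKT-WS-07", "dst": "FIN-FS-01"},
    {"ts": "09:15", "user": "MKT-22", "src": "FIN-FS-01", "dst": "FIN-JUMP-01"},
    {"ts": "10:40", "user": "MKT-22", "src": "FIN-JUMP-01", "dst": "ADM-T1-03"},
    # Deliberately no record for ADM-T1-03 -> AD-PS-ADMIN: that hop exists only
    # in the model's output, e.g. because telemetry from the tier-1 host is missing.
    {"ts": "11:50", "user": "MKT-22", "src": "AD-PS-ADMIN", "dst": "DC-01"},
]

# The model-flagged path (hypothetical host names for the scenario's hosts).
FLAGGED_PATH = ["MKT-WS-07", "FIN-FS-01", "FIN-JUMP-01",
                "ADM-T1-03", "AD-PS-ADMIN", "DC-01"]


def build_graph(logons):
    """Directed host-to-host graph; each edge keeps the raw logons that created it."""
    graph = defaultdict(list)
    for rec in logons:
        graph[(rec["src"], rec["dst"])].append(rec)
    return graph


def validate_path(path, logons, user):
    """Check every hop of a flagged path against raw logon records.

    Returns a list of (src, dst, status, ts). A hop is 'confirmed' only if some
    record for `user` on that exact edge is later than the previous confirmed hop
    (lateral movement must be time-ordered); otherwise it is 'unsupported'.
    """
    graph = build_graph(logons)
    results, last_ts = [], ""
    for src, dst in zip(path, path[1:]):
        candidates = sorted(r["ts"] for r in graph.get((src, dst), [])
                            if r["user"] == user and r["ts"] > last_ts)
        if candidates:
            last_ts = candidates[0]          # earliest record that fits the ordering
            results.append((src, dst, "confirmed", last_ts))
        else:
            results.append((src, dst, "unsupported", None))
    return results


def unsupported_hops(path, logons, user):
    """Hops the model asserted but the raw evidence does not corroborate."""
    return [(s, d) for s, d, status, _ in validate_path(path, logons, user)
            if status == "unsupported"]


if __name__ == "__main__":
    for hop in validate_path(FLAGGED_PATH, RAW_LOGONS, "MKT-22"):
        print(hop)
```

An unsupported hop does not by itself clear the path; it marks where the graph was inferred rather than observed, so that hop is the first place to pull EDR and sign-in evidence directly.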
The scenario is time-pressured: a live threat actor panel updates every few seconds with new actions you must address.
Step timers count down. Color shifts and pulse cues warn at 25%, 10%, and 5% time remaining. Score decays over time.