Range Scenario · gauntlet · 45 min
LLM-Assisted Incident Investigation: Multi-Stage Intrusion
This cybersecurity training scenario simulates a live incident: a multi-stage intrusion that has to be reconstructed fast. You have an LLM analyst tool that reads logs and a 45-minute clock. Direct the LLM, cross-check its conclusions against raw evidence, and deliver a clean timeline.
Scenario briefing
You are an IR analyst on the cybersecurity team of a 6,000-employee retailer. A confirmed intrusion spans seven days. You have access to web server logs, identity logs, EDR telemetry, and an LLM analyst tool that ingests log fragments and drafts narrative timelines.
The clock is 45 minutes. Output: a five-bullet timeline backed by raw-evidence pointers, the technique chain mapped to MITRE ATT&CK, and a one-paragraph executive summary for the CISO. The LLM is fast but lies under pressure. Verify before quoting.
This scenario tests prompt engineering for log analysis, structured cross-checking against raw evidence, and resistance to confident-sounding LLM conclusions that do not match the data.
What you will practice
- Direct an LLM to extract structured timelines from unstructured logs
- Cross-check LLM conclusions against raw evidence before quoting
- Map a multi-stage intrusion to MITRE ATT&CK technique chains
- Write a CISO-grade executive summary in under 5 sentences
How this scenario is scored
The scenario has 7 ordered steps. Most steps are exact-match (a MITRE ATT&CK technique ID, a tool name, or a yes/no decision) or multiple choice. Free-text steps are queued for manual review and do not affect the automatically computed final score in the current (MVP) release.
Each step has a maximum score of 100 points. Each hint carries a point deduction that is shown before you reveal it. Your final score is the sum across steps. Your Range Elo is updated on completion based on the scenario difficulty (Intermediate) and your final score percentage.
Frequently asked questions
Why use an LLM for log analysis instead of SIEM queries?
SIEM queries are precise but rigid. They find what you ask for. LLMs read narrative context and surface patterns across formats, including the awkward middle ground between structured logs and free-text comments. The trade-off is verification overhead. LLM output is a starting hypothesis, not an answer.
What is the right prompt structure for log timeline extraction?
Name the role, name the output schema, name the source-of-truth rule. Example: 'Extract a timeline from these logs. Output JSON with fields timestamp, source_log, event, evidence_pointer. If you cannot find a timestamp, write UNKNOWN. Do not invent events. Cite the line number for every event.'
How do I cross-check LLM output efficiently?
Demand line-number citations for every claim. Spot-check three random claims against the raw log. If any check fails, treat the entire output as untrusted and re-prompt with stricter constraints. Mature teams build this verification loop into their tooling rather than relying on individual analysts' habits.
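The prompt schema above (timestamp, source_log, event, evidence_pointer, UNKNOWN for missing timestamps) and the cross-check rule can be turned into exactly the kind of tooling loop the answer describes. The following is an added example, not code from the scenario or from DecipherU; the log lines and the LLM answer are constructed, and the grounding heuristic (half of the event's substantive terms must appear on the cited line) is an assumption you would tune to your own log formats.

```python
"""Verify an LLM-drafted timeline against the raw log lines it cites."""
import json
import re

# Constructed sample log fragment (not the scenario's data); evidence_pointer is 1-indexed.
RAW_LOG = [
    "2024-03-04T09:12:07Z web01 GET /wp-login.php 200 src=203.0.113.7",
    "2024-03-04T09:12:09Z web01 POST /wp-login.php 302 src=203.0.113.7",
    "2024-03-04T09:15:41Z idp user=jdoe event=login_success mfa=false src=203.0.113.7",
    "2024-03-05T22:03:18Z edr host=WS-1142 proc=powershell.exe parent=winword.exe",
]
# Constructed LLM answer in the prompt's schema; the last entry cites line 4 but describes nothing on it.
LLM_TIMELINE = json.dumps([
    {"timestamp": "2024-03-04T09:12:09Z", "source_log": "web", "event": "POST to wp-login.php returned 302", "evidence_pointer": 2},
    {"timestamp": "2024-03-04T09:15:41Z", "source_log": "idp", "event": "jdoe login_success without MFA", "evidence_pointer": 3},
    {"timestamp": "2024-03-05T22:03:18Z", "source_log": "edr", "event": "winword.exe spawned powershell.exe", "evidence_pointer": 4},
    {"timestamp": "2024-03-06T01:10:00Z", "source_log": "edr", "event": "scheduled task created on WS-1142", "evidence_pointer": 4},
])
TS_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z")
REQUIRED = {"timestamp", "source_log", "event", "evidence_pointer"}


def check_event(ev: dict, raw: list[str], min_overlap: float = 0.5) -> list[str]:
    """Return the problems with one timeline entry; an empty list means it checks out."""
    if not REQUIRED.issubset(ev):
        return ["missing fields: " + ", ".join(sorted(REQUIRED - set(ev)))]
    ptr = ev["evidence_pointer"]
    if not isinstance(ptr, int) or not 1 <= ptr <= len(raw):
        return [f"evidence_pointer {ptr!r} is not a valid line number"]
    line, problems = raw[ptr - 1], []
    # The cited line's own timestamp is the source of truth, not the LLM's claim.
    m = TS_RE.match(line)
    if ev["timestamp"] != "UNKNOWN" and (m is None or m.group(0) != ev["timestamp"]):
        problems.append(f"timestamp {ev['timestamp']} is not on line {ptr}")
    # Grounding heuristic (assumption): most substantive terms of the event text must occur on the cited line.
    terms = [t for t in re.findall(r"[\w./-]+", ev["event"].lower()) if len(t) >= 3]
    hits = sum(t in line.lower() for t in terms)
    if terms and hits / len(terms) < min_overlap:
        problems.append(f"event text not grounded in line {ptr} ({hits}/{len(terms)} terms found)")
    return problems


def verify_timeline(llm_json: str, raw: list[str]) -> list[dict]:
    """Check every entry of the LLM's JSON timeline against the raw log."""
    return [{"event": ev.get("event"), "problems": check_event(ev, raw)} for ev in json.loads(llm_json)]


def is_trusted(findings: list[dict]) -> bool:
    """Scenario rule: one failed check makes the whole output untrusted, so re-prompt with stricter constraints."""
    return all(not f["problems"] for f in findings)
```

Run `verify_timeline(LLM_TIMELINE, RAW_LOG)` and the fourth entry fails on both the timestamp and the grounding check, so `is_trusted` returns False for the whole draft.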
Course content is for educational purposes only and does not constitute professional advice. All claims are supported by cited peer-reviewed academic research. DecipherU does not teach or reproduce any proprietary sales methodology. Verify all referenced sources independently.