You are an IR analyst on the cybersecurity team of a 6,000-employee retailer. A confirmed intrusion spans seven days. You have access to web server logs, identity logs, EDR telemetry, and an LLM analyst tool that ingests log fragments and drafts narrative timelines.
The clock is 45 minutes. Output: a five-bullet timeline backed by raw-evidence pointers, the technique chain mapped to MITRE ATT&CK, and a one-paragraph executive summary for the CISO. The LLM is fast but fabricates under pressure: it will cite log lines that do not exist and state timestamps the data does not support. Verify every pointer against the raw evidence before quoting it.
This scenario tests prompt engineering for log analysis, structured cross-checking against raw evidence, and resistance to confident-sounding LLM conclusions that do not match the data.
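The structured cross-check the scenario calls for, as an added example that is not part of the original scenario text: each LLM-drafted bullet carries an evidence pointer (source, line, quoted fragment, timestamp), and the verifier refuses any bullet whose pointer does not resolve, whose quote is not on the cited line, or whose timestamp disagrees with the raw record. The log lines, sources and `Bullet` shape are constructed assumptions for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample logs standing in for the web, identity (idp) and EDR sources.
RAW_LOGS = {
    "web": [
        '2024-03-01T02:14:07Z 203.0.113.5 "POST /login" 200',
        '2024-03-01T02:14:09Z 203.0.113.5 "GET /admin/export" 200',
    ],
    "idp": ["2024-03-01T02:13:58Z user=j.doe result=SUCCESS src=203.0.113.5 mfa=none"],
    "edr": ["2024-03-02T11:40:21Z host=POS-17 proc=powershell.exe cmd=-EncodedCommand parent=winword.exe"],
}

TS_RE = re.compile(r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z")


@dataclass
class Bullet:
    text: str    # narrative line drafted by the LLM
    source: str  # log source it cites
    line: int    # 1-based line number within that source
    quote: str   # fragment it claims appears on that line
    ts: str      # timestamp it asserts for the event


def verify_bullet(b, logs=RAW_LOGS):
    """Return a list of problems for one bullet; an empty list means the pointer checks out."""
    lines = logs.get(b.source)
    if lines is None or not (1 <= b.line <= len(lines)):
        return [f"pointer {b.source}:{b.line} does not resolve to a raw log line"]
    raw = lines[b.line - 1]
    problems = []
    if b.quote not in raw:
        problems.append(f"quoted fragment {b.quote!r} not found in {b.source}:{b.line}")
    m = TS_RE.search(raw)
    if not m or m.group(0) != b.ts:
        problems.append(f"timestamp {b.ts} disagrees with raw line ({m.group(0) if m else 'none'})")
    return problems


def verify_timeline(bullets, logs=RAW_LOGS):
    """Map bullet index -> problems; an 'order' key is added if asserted timestamps are not chronological."""
    report = {i: verify_bullet(b, logs) for i, b in enumerate(bullets)}
    ts = [b.ts for b in bullets]
    if ts != sorted(ts):
        report["order"] = ["timeline is not in chronological order"]
    return report
```

Only bullets whose report entry is empty are safe to quote to the CISO; anything else goes back to the raw logs, not back to the LLM.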
Time-pressured. A live threat actor panel updates every few seconds with new actions you must address.
Step timers count down. Color shifts and pulse cues warn at 25%, 10%, and 5% time remaining. Score decays over time.