Range Scenario · gauntlet · 50 min
LLM-Assisted Threat Intel Correlation: Four Vendor Reports
This cybersecurity training scenario simulates a working incident. Four cybersecurity vendor reports landed this morning. Use an LLM to extract IOCs, deduplicate across reports, and build an attribution argument under time pressure. Validate every claim before publishing.
Scenario briefing
You are the cybersecurity threat intel lead. Four reports from four vendors landed this morning, each describing what looks like the same intrusion campaign with different naming and partial overlap. You have an LLM intel tool that ingests reports and drafts structured IOC extracts.
You have 50 minutes to deliver: a deduplicated IOC list, a unified MITRE ATT&CK technique chain, an attribution argument with confidence levels, and a one-paragraph brief for SOC consumption. The trap: each vendor uses its own threat-actor naming, the LLM tends to assert attribution beyond the evidence, and IOCs across reports do not cleanly merge.
This scenario tests directing an LLM for structured extraction from unstructured reports, validating LLM output against the source, and writing attribution language that survives expert review.
What you will practice
- Direct an LLM to extract structured IOCs from unstructured intel reports
- Deduplicate IOCs across reports with conflicting vendor naming
- Build attribution arguments with explicit confidence levels
- Recognize when LLM-generated attribution outruns the evidence
How this scenario is scored
The scenario has 8 ordered steps. Most steps are exact-match (a MITRE ATT&CK technique ID, a tool name, or a yes/no decision) or multiple choice. Free-text steps are queued for manual review and do not affect the automatically computed final score in the current MVP.
Each step has a maximum score of 100 points. Hints cost points; each deduction is listed before you reveal the hint. Your final score is the sum across steps. Range Elo updates on completion based on scenario difficulty (Advanced) and your final score percentage.
Frequently asked questions
Why do different vendors use different threat-actor names?
Each vendor names actors based on its own telemetry and disclosure preferences: Mandiant uses APT and UNC numbers; CrowdStrike uses Bear, Panda, and other adversary nicknames; Microsoft uses weather-themed names. Naming bridges exist (CISA's joint advisories, the MITRE ATT&CK Groups page) but always require validation. The same actor can have five names across five vendors.
What confidence levels should appear in attribution language?
Use the intelligence community standard: low, moderate, or high confidence. Low means consistent with one or two indicators but plausibly other actors. Moderate means a tooling, infrastructure, or TTP overlap that fits the actor better than alternatives. High means independent corroborating evidence (multiple TTP families, infrastructure overlap, victimology). Avoid 'definitely' or 'almost certainly' unless the evidence supports it.
Can LLMs generate attribution claims?
LLMs can summarize attribution claims made by source reports. They cannot generate new attribution unless you give them explicit, verifiable indicators and a known-actor library. Even then, demand the LLM cite the indicators behind every attribution claim. Treat unsourced LLM attribution as fiction until proven otherwise.
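The validation and deduplication steps the scenario asks for, as an added example that is not part of the scenario or of any DecipherU tooling: a draft extract in the shape an LLM tool might return is checked for well-formedness and for literal presence in the report it cites, then merged across vendors so each surviving IOC records which reports corroborate it. The report excerpts, indicator values and the `validate_and_dedupe` function are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample data, not real vendor reports: the same hash in two
# cases, a defanged vs. plain domain and IP, and one IOC the LLM invented.
HASH = "ab12cd34ef56" * 5 + "ab12"                        # 64 hex chars
REPORTS = {
    "vendor_a": f"C2 at hxxps://update-cdn[.]example (198.51.100[.]7). Loader SHA256 {HASH.upper()}.",
    "vendor_b": f"Beacon to update-cdn.example, 198.51.100.7; dropper hash {HASH}.",
}
LLM_EXTRACT = [  # shape a draft extract might take; 'source' is the cited report
    {"type": "domain", "value": "update-cdn[.]example", "source": "vendor_a"},
    {"type": "ip", "value": "198.51.100[.]7", "source": "vendor_a"},
    {"type": "sha256", "value": HASH.upper(), "source": "vendor_a"},
    {"type": "domain", "value": "hxxps://update-cdn.example/", "source": "vendor_b"},
    {"type": "ip", "value": "198.51.100.7", "source": "vendor_b"},
    {"type": "sha256", "value": HASH, "source": "vendor_b"},
    {"type": "domain", "value": "staging-cdn.example", "source": "vendor_b"},  # in no report
]
PATTERNS = {  # per-type syntax checks, applied after normalisation
    "sha256": re.compile(r"^[0-9a-f]{64}$"),
    "ip": re.compile(r"^\d{1,3}(\.\d{1,3}){3}$"),
    "domain": re.compile(r"^[a-z0-9.-]+\.[a-z]{2,}$"),
}

def normalize(value: str) -> str:
    """Refang and canonicalise an indicator so equal IOCs compare equal."""
    v = value.strip().lower().replace("[.]", ".").replace("(.)", ".")
    v = re.sub(r"^hxxps?://", "", v)                    # drop defanged scheme
    return v.rstrip("/")

def validate_and_dedupe(extract, reports):
    """Keep IOCs that are well-formed and literally present in the cited report,
    then merge duplicates across vendors, recording who corroborates each one."""
    merged = defaultdict(set)                            # (type, value) -> vendors
    rejected = []
    for ioc in extract:
        value = normalize(ioc["value"])
        source_text = normalize(reports.get(ioc["source"], ""))
        if not PATTERNS[ioc["type"]].fullmatch(value):
            rejected.append({**ioc, "reason": "malformed"})
        elif value not in source_text:
            rejected.append({**ioc, "reason": "not in cited report"})
        else:
            merged[(ioc["type"], value)].add(ioc["source"])
    accepted = [{"type": t, "value": v, "sources": sorted(s)}
                for (t, v), s in sorted(merged.items())]
    return accepted, rejected
```

The `sources` list on each accepted IOC is the cross-vendor corroboration count you lean on when choosing a confidence level; a single-vendor IOC stays low confidence until another report independently carries it.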