You are the cybersecurity threat intel lead. Four reports from four vendors landed this morning, each describing what looks like the same intrusion campaign with different naming and partial overlap. You have an LLM intel tool that ingests reports and drafts structured IOC extracts.
You have 50 minutes to deliver: a deduplicated IOC list, a unified MITRE ATT&CK technique chain, an attribution argument with confidence levels, and a one-paragraph brief for SOC consumption. The trap: each vendor uses its own threat-actor naming, the LLM tends to assert attribution beyond what the evidence supports, and IOCs across reports do not merge cleanly.
This scenario tests directing an LLM for structured extraction from unstructured reports, validating LLM output against the source, and writing attribution language that survives expert review.
Time-pressured. A live threat actor panel updates every few seconds with new actions you must address.
Step timers count down. Color shifts and pulse cues warn at 25%, 10%, and 5% time remaining. Score decays over time.
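The IOC merge and the check of LLM output against the source reports can be sketched as follows. This is an added example, not part of the scenario or its tool. The report text, the LLM extracts, the vendor names and the function names are all constructed, and URLs are reduced to their host as a simplifying assumption.

```python
import re
from collections import defaultdict

# Constructed sample data (documentation-range addresses, invented report text).
REPORTS = {
    "vendor_a": "C2 at hxxps://update.example[.]com/gate and 203.0.113[.]10.",
    "vendor_b": "Beacon to update.example.com; also seen 203.0.113.10 and 198.51.100[.]7",
}
# Constructed LLM extracts; vendor_a's last entry does not appear in vendor_a's report.
LLM_EXTRACT = {
    "vendor_a": ["update.example.com", "203.0.113.10", "198.51.100.7"],
    "vendor_b": ["UPDATE.example.com.", "203.0.113.10", "198.51.100.7"],
}

def refang(text):
    """Undo common defanging so one indicator compares equal across vendors."""
    text = re.sub(r"\[\.\]|\(\.\)|\[dot\]", ".", text, flags=re.I)
    return re.sub(r"hxxp", "http", text, flags=re.I)

def normalize(ioc):
    """Canonical form: refanged, lowercased, scheme, path and trailing dot removed."""
    ioc = refang(ioc.strip()).lower()
    ioc = re.sub(r"^[a-z]+://", "", ioc).split("/")[0]  # assumption: host-level IOCs
    return ioc.rstrip(".")

def merge(reports, extracts):
    """Return ({ioc: vendors whose report text contains it}, [ungrounded claims])."""
    merged, ungrounded = defaultdict(set), []
    for vendor, iocs in extracts.items():
        haystack = refang(reports[vendor]).lower()
        for raw in iocs:
            ioc = normalize(raw)
            # Whole-token match: 203.0.113.10 must not match inside 203.0.113.100,
            # and a domain must not match as a prefix of a longer domain.
            pattern = r"(?<![\w.-])" + re.escape(ioc) + r"(?!\.?[\w-])"
            if re.search(pattern, haystack):
                merged[ioc].add(vendor)
            else:
                ungrounded.append((vendor, raw))  # LLM claim absent from the source
    return dict(merged), ungrounded

if __name__ == "__main__":
    merged, ungrounded = merge(REPORTS, LLM_EXTRACT)
    for ioc, vendors in sorted(merged.items()):
        print(f"{ioc:22} sources={sorted(vendors)}")
    print("not found in cited report:", ungrounded)
```

The per-indicator source set shows which IOCs are corroborated by more than one vendor, which is the kind of evidence a confidence level can cite.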