You run threat intel for a private-sector cybersecurity ISAC. Three member firms reported ransomware incidents in the last 90 days: Acme Manufacturing (files renamed to .lockedX), Beta Logistics (.encrypted), and Gamma Retail (.lockedX). All three reported initial access via VPN credentials matching a known leaked corpus.
An LLM clustering tool ingested the three incident reports and proposed: 'Same-actor cluster, confidence 0.78, common ransomware family Phantom.' You disagree because the file extensions differ and the ransom note formats vary.
This scenario tests indicator-clustering tradecraft, verification of LLM output on attribution, and the discipline of confidence calibration. Sources: MITRE ATT&CK TA0040 Impact, CISA #StopRansomware advisories.
One ordered pass through every step. No clock. Each answer is scored against the canonical solution.
Hints reduce the points you can earn for that step. Free-text steps queue for manual review.