Range Scenario · crucible · 40 min
Threat Hunting: AI-Assisted Hypothesis Generation
This cybersecurity training scenario simulates a working incident. A new vulnerability disclosure breaks. Use an LLM to generate cybersecurity hunt hypotheses against the new exploit chain. Score the hypotheses, pick the testable ones, write the queries.
Scenario briefing
You run threat hunting at a 12,000-person SaaS company. CISA published an advisory this morning on a new exploit chain affecting Apache HTTP Server (fictional CVE-2026-12345, public-facing application exploitation followed by a deserialization gadget that drops a webshell).
You have 4 hours to design a hunt. You will use an LLM to generate hypotheses, score them by detectability against your telemetry, and pick the 3 best to convert into Sigma queries against your SIEM.
This scenario tests the NIST CSF Threat Hunting maturity dimension (DE.AE-3): can you turn unstructured intel into structured hypotheses with measurable outcomes? Sources: NIST CSF 2.0 Detect Function, MITRE ATT&CK T1190.
What you will practice
- Convert a CVE advisory into testable hunt hypotheses
- Score hypotheses by signal strength, telemetry coverage, and false-positive cost
- Translate hypotheses into Sigma-style detection logic
- Document hunt outcomes for the detection engineering pipeline
How this scenario is scored
The scenario has 6 ordered steps. Most steps are exact-match (a MITRE ATT&CK technique ID, a tool name, or a yes/no decision) or multiple choice. Free-text steps are queued for manual review and do not affect the automatically computed final score in the MVP.
Each step has a maximum score of 100 points. Hints deduct points, and the cost of each hint is listed before you reveal it. Your final score is the sum across steps. Range Elo updates on completion based on scenario difficulty (Advanced) and your final score percentage.
Frequently asked questions
What is a hunt hypothesis?
A hunt hypothesis is a testable claim about what an attacker would leave behind. Format: 'If [adversary action] occurred in our environment, we would see [observable] in [data source].' Hypotheses must be falsifiable, time-bounded, and produce a clean outcome (found / not found / inconclusive with reason).
How does an LLM help with hypothesis generation?
LLMs read advisories and known-good detections fast and propose candidate hypotheses across multiple data sources. The trade-off is the same as ever: LLMs propose plausible-sounding ideas that may not match your environment. Score each hypothesis against your real telemetry coverage before adopting.
What is the relationship between hunting and detection engineering?
Hunting finds the attack pattern. Detection engineering codifies the find as a SIEM rule that fires every time. Most mature programs run hunts as a feeder for detection engineering: every successful hunt outcome converts to a Sigma rule with a documented signal, false-positive rate, and tuning history.
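As an added example (not part of the scenario materials or its answer key), the score-then-convert step described above in Python: each LLM-proposed hypothesis is checked against a constructed telemetry coverage map, ranked by signal strength, coverage and false-positive cost, and the survivors are emitted as Sigma rule structures. The hypotheses, coverage figures, weights and the vulnerable-path placeholder are assumptions.

```python
from dataclasses import dataclass

# Constructed (assumed) telemetry coverage: fraction of Apache hosts that ship
# each Sigma logsource category to the SIEM. 0.0 means the source is not collected.
TELEMETRY = {"process_creation": 0.9, "file_event": 0.8, "webserver": 0.6, "network_connection": 0.0}

@dataclass
class Hypothesis:
    """'If [action] occurred, we would see [observable] in [data_source].'"""
    action: str
    observable: str
    data_source: str   # Sigma logsource category the observable lives in
    signal: float      # 0..1: how specific the observable is to the exploit chain
    fp_cost: float     # 0..1: expected analyst time burned on benign matches
    technique: str     # ATT&CK technique ID
    selection: dict    # Sigma detection selection block

    def score(self) -> float:
        coverage = TELEMETRY.get(self.data_source, 0.0)
        if coverage == 0.0:   # no telemetry means the claim is not falsifiable here
            return 0.0
        return round(100 * self.signal * coverage * (1 - self.fp_cost), 1)

    def to_sigma(self) -> dict:
        """Minimal Sigma rule body; falsepositives/level are starting values for tuning."""
        return {"title": f"Hunt: {self.action}", "status": "experimental",
                "logsource": {"category": self.data_source, "product": "linux"},
                "detection": {"selection": self.selection, "condition": "selection"},
                "falsepositives": [f"estimated fp cost {self.fp_cost}"],
                "tags": [f"attack.{self.technique.lower()}"], "level": "high"}

# Constructed candidate list, as an LLM might propose from the advisory.
CANDIDATES = [
    Hypothesis("httpd spawns a shell", "httpd parent of sh/bash", "process_creation", 0.9, 0.1,
               "T1190", {"ParentImage|endswith": "/httpd", "Image|endswith": ["/sh", "/bash"]}),
    Hypothesis("webshell written to docroot", "httpd writes script file under /var/www",
               "file_event", 0.8, 0.2, "T1505.003",
               {"Image|endswith": "/httpd", "TargetFilename|startswith": "/var/www/",
                "TargetFilename|endswith": [".php", ".jsp"]}),
    Hypothesis("exploit request hits vulnerable handler", "POST to the advisory's path",
               "webserver", 0.6, 0.5, "T1190",
               {"cs-method": "POST", "cs-uri|contains": "/VULNERABLE_PATH_PLACEHOLDER"}),
    Hypothesis("httpd opens outbound C2", "httpd initiates external connection",
               "network_connection", 0.7, 0.3, "T1071", {"Image|endswith": "/httpd", "Initiated": "true"}),
]

def select(cands, n=3):
    """Drop untestable (score 0) hypotheses, rank the rest, keep the top n."""
    ranked = sorted((h for h in cands if h.score() > 0), key=lambda h: h.score(), reverse=True)
    return ranked[:n]
```

The fourth candidate is dropped even though it sounds strong: with no network telemetry the hunt could never return "not found", which is the trade-off the FAQ warns about.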
Course content is for educational purposes only and does not constitute professional advice. All claims are supported by cited peer-reviewed academic research. DecipherU does not teach or reproduce any proprietary sales methodology. Verify all referenced sources independently.