You run threat hunting at a 12,000-person SaaS company. CISA published an advisory this morning on a new exploit chain affecting Apache HTTP Server (fictional CVE-2026-12345, public-facing application exploitation followed by a deserialization gadget that drops a webshell).
You have 4 hours to design a hunt. You will use an LLM to generate hypotheses, score them by detectability against your telemetry, and pick the 3 best to convert into Sigma queries against your SIEM.
This scenario tests the NIST CSF Threat Hunting maturity dimension (DE.AE-3): can you turn unstructured intel into structured hypotheses with measurable outcomes? Sources: NIST CSF 2.0 Detect Function, MITRE ATT&CK T1190.
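As an added illustration of the hypothesis-scoring step (this is not part of the exercise, the canonical solution, or any NIST or MITRE material), the script below takes a list of candidate hunt hypotheses for the advisory's chain, scores each one against a telemetry inventory, keeps the three most detectable, and renders them as Sigma rules. The coverage percentages, fidelity estimates and the hypotheses themselves are constructed; the scoring model (weakest-link coverage across the required log sources, scaled by an analyst fidelity estimate) is an assumption, not a prescribed method.

```python
"""Rank threat-hunt hypotheses by detectability and render the winners as Sigma rules.

Added example for the scenario above (not from the exercise). All telemetry
numbers, fidelity estimates and hypotheses below are constructed for illustration.
"""
from dataclasses import dataclass

# Constructed telemetry inventory: fraction of the Apache fleet each log source covers.
TELEMETRY_COVERAGE = {
    "process_creation": 0.90,
    "file_event": 0.60,
    "network_connection": 0.80,
    "webserver": 0.95,
    "jvm_class_load": 0.00,  # assumed: JVM class-load auditing is not collected anywhere
}


@dataclass
class Hypothesis:
    title: str
    technique: str          # ATT&CK technique id used for the Sigma tag
    required_sources: list  # TELEMETRY_COVERAGE keys the query depends on
    fidelity: float         # analyst estimate (0..1) of how rarely the pattern is benign
    logsource: dict         # Sigma logsource block
    detection: dict         # Sigma detection block (selections + condition)
    level: str = "high"


def detectability(h: Hypothesis, coverage: dict) -> float:
    """Assumed scoring model: a hunt is only as observable as the least-covered
    source it needs, scaled by how much signal the pattern carries."""
    weakest = min(coverage.get(src, 0.0) for src in h.required_sources)
    return round(weakest * h.fidelity, 3)


def rank(hyps, coverage, k=3):
    """Return the top-k hypotheses that are observable at all, best first."""
    observable = [h for h in hyps if detectability(h, coverage) > 0]
    return sorted(observable, key=lambda h: detectability(h, coverage), reverse=True)[:k]


def _scalar(v):
    # Quote strings; booleans/numbers become YAML literals (True -> true).
    return f"'{v}'" if isinstance(v, str) else str(v).lower()


def _yaml(obj, indent=0):
    """Minimal YAML emitter for the dict/list/scalar shapes Sigma rules use."""
    pad, lines = "  " * indent, []
    if isinstance(obj, dict):
        for key, val in obj.items():
            if isinstance(val, (dict, list)):
                lines.append(f"{pad}{key}:")
                lines.extend(_yaml(val, indent + 1))
            else:
                lines.append(f"{pad}{key}: {_scalar(val)}")
    elif isinstance(obj, list):
        lines.extend(f"{pad}- {_scalar(item)}" for item in obj)
    return lines


def to_sigma(h: Hypothesis) -> str:
    """Render one hypothesis as a Sigma rule document."""
    rule = {
        "title": h.title,
        "status": "experimental",
        "description": f"Hunt hypothesis derived from the advisory; technique {h.technique}",
        "tags": [f"attack.{h.technique.lower()}"],
        "logsource": h.logsource,
        "detection": h.detection,
        "level": h.level,
    }
    return "\n".join(_yaml(rule)) + "\n"


def advisory_hypotheses():
    """Constructed hypotheses for the chain: exploit -> deserialization -> webshell."""
    httpd = {"Image|endswith": ["/httpd", "/apache2"]}
    return [
        Hypothesis("Apache httpd spawns a shell interpreter", "T1059.004", ["process_creation"], 0.9,
                   {"category": "process_creation", "product": "linux"},
                   {"selection": {"ParentImage|endswith": ["/httpd", "/apache2"],
                                  "Image|endswith": ["/sh", "/bash", "/dash"]},
                    "condition": "selection"}),
        Hypothesis("httpd writes a script file into the web root", "T1505.003", ["file_event"], 0.8,
                   {"category": "file_event", "product": "linux"},
                   {"selection": {**httpd, "TargetFilename|endswith": [".php", ".jsp", ".war"]},
                    "condition": "selection"}),
        Hypothesis("httpd initiates an outbound connection to a public address", "T1071.001",
                   ["network_connection"], 0.7,
                   {"category": "network_connection", "product": "linux"},
                   {"selection": {**httpd, "Initiated": True},
                    "filter_internal": {"DestinationIp|cidr": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]},
                    "condition": "selection and not filter_internal"}),
        Hypothesis("Deserialization gadget class loaded inside the servlet JVM", "T1190",
                   ["jvm_class_load"], 0.95,
                   {"category": "jvm_class_load", "product": "java"},  # hypothetical category
                   {"selection": {"ClassName|contains": "Gadget"}, "condition": "selection"}),
        Hypothesis("POST to the web server answered with a 5xx status", "T1190", ["webserver"], 0.3,
                   {"category": "webserver"},
                   {"selection": {"cs-method": "POST", "sc-status|startswith": "5"},
                    "condition": "selection"}, level="medium"),
    ]


if __name__ == "__main__":
    for h in rank(advisory_hypotheses(), TELEMETRY_COVERAGE):
        print(f"# detectability={detectability(h, TELEMETRY_COVERAGE)}")
        print(to_sigma(h))
```

The JVM hypothesis has the highest fidelity but scores zero because no telemetry backs it, which is the point of scoring before writing queries: it goes on the gap list for the logging team rather than into the SIEM. Tuning the `fidelity` numbers and the coverage inventory to your own environment is the part of the exercise the script cannot do for you.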
One ordered pass through every step. No clock. Each answer scores against the canonical solution.
Hints reduce the points you can earn for that step. Free-text steps queue for manual review.