Range Scenario · crucible · 25 min
Triage the SOC: A Phishing-Borne Incident
This cybersecurity training scenario simulates a working incident. A finance employee clicked a link, entered their password, and the EDR fired thirty minutes later. You take the handoff at 7am. Work the alert, scope the blast radius, and decide what to escalate.
Scenario briefing
You are a Tier 1 cybersecurity SOC analyst at a 1,800-employee financial services firm. Your shift starts at 7am Eastern. Overnight, a phishing email impersonating a third-party invoicing brand landed in eight inboxes. One user clicked the link, entered their password on a credential-harvesting page, and approved an MFA push.
The EDR raised an alert on the user's laptop thirty minutes after credential entry: an unusual PowerShell process spawned by Outlook. The endpoint is still online. The user is on PTO this week.
Your job for this scenario is to read the artifacts, identify the technique, scope the impact, and pick the correct first response. Each step has progressive hints if you get stuck. Hint usage reduces step score by the listed amount.
What you will practice
- Map a phishing chain to MITRE ATT&CK techniques
- Read EDR process telemetry under time pressure
- Choose the correct first response action by impact and reversibility
- Document the decision in language that hands off cleanly
How this scenario is scored
The scenario has 6 ordered steps. Most steps are exact-match (a MITRE ATT&CK technique ID, a tool name, or a yes/no decision) or multiple choice. Free-text steps queue for manual review and do not affect the auto-final-score in the MVP.
Each step has a max score of 100 points. Hints deduct points up front, listed before you reveal them. Your final score is the sum across steps. Range Elo updates on completion based on scenario difficulty (Beginner) and your final score percentage.
Frequently asked questions
What is a SOC analyst expected to know for a phishing triage?
A SOC analyst should recognize the credential-phishing chain (T1566 to T1078 to follow-on activity), read EDR process trees, query identity logs for impossible-travel or unusual sign-in locations, and apply the runbook for containment. Pattern recognition matters more than tool depth at Tier 1.
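The two detections this answer names, an Office process spawning a script interpreter (the Outlook-to-PowerShell alert in the briefing above) and an impossible-travel sign-in, are shown below as a small triage helper. This is an added example written for this page, not DecipherU's scenario artifacts or answer key: the EDR and sign-in records are constructed, their field names are assumed rather than any vendor's schema, and the 900 km/h travel threshold is an illustrative choice. The helper maps each hit to the ATT&CK ID it evidences and lists what the affected account touched after the first suspicious sign-in, which is the blast-radius scoping the scenario asks for. T1566 (the phishing email itself) is not derivable from these two log sources and would come from the mail-gateway artifact.

```python
"""Added example (not part of the DecipherU scenario): run two Tier 1 detections
over constructed EDR and identity telemetry and map hits to ATT&CK technique IDs."""
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed EDR process-creation events. Field names are assumed, not a vendor schema.
EDR_EVENTS = [
    {"ts": "2024-05-14T06:27:10Z", "host": "FIN-LT-0421", "user": "jdoe",
     "parent": "explorer.exe", "image": "outlook.exe", "cmdline": "outlook.exe"},
    {"ts": "2024-05-14T06:32:41Z", "host": "FIN-LT-0421", "user": "jdoe",
     "parent": "outlook.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -NoProfile -WindowStyle Hidden <constructed placeholder>"},
    {"ts": "2024-05-14T06:33:02Z", "host": "FIN-LT-0421", "user": "jdoe",
     "parent": "explorer.exe", "image": "chrome.exe", "cmdline": "chrome.exe"},
]

# Constructed identity sign-in events. Coordinates are city centroids; IPs are documentation ranges.
SIGNIN_EVENTS = [
    {"ts": "2024-05-14T05:58:20Z", "user": "jdoe", "app": "Outlook Web", "ip": "203.0.113.7",
     "lat": 40.71, "lon": -74.01, "mfa": "push_approved"},   # New York: the real user
    {"ts": "2024-05-14T06:05:44Z", "user": "jdoe", "app": "Outlook Web", "ip": "198.51.100.23",
     "lat": 52.37, "lon": 4.90, "mfa": "push_approved"},     # Amsterdam, seven minutes later
    {"ts": "2024-05-14T06:41:00Z", "user": "jdoe", "app": "SharePoint", "ip": "198.51.100.23",
     "lat": 52.37, "lon": 4.90, "mfa": "none"},              # same session, further access
    {"ts": "2024-05-14T06:10:00Z", "user": "asmith", "app": "Teams", "ip": "203.0.113.9",
     "lat": 40.71, "lon": -74.01, "mfa": "push_approved"},   # unrelated user, one sign-in
]

OFFICE_PARENTS = {"outlook.exe", "winword.exe", "excel.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def office_spawned_script_hosts(events):
    """Flag script interpreters whose parent is an Office application."""
    hits = []
    for e in events:
        parent, image = e["parent"].lower(), e["image"].lower()
        if parent in OFFICE_PARENTS and image in SCRIPT_HOSTS:
            # T1059.001 is the PowerShell sub-technique; other interpreters get the parent ID.
            tech = "T1059.001" if image in ("powershell.exe", "pwsh.exe") else "T1059"
            hits.append({"technique": tech, "user": e["user"], "host": e["host"],
                         "ts": e["ts"], "parent": parent, "image": image})
    return hits


def impossible_travel(signins, max_kmh=900.0):
    """Flag consecutive sign-ins by one user whose implied speed exceeds max_kmh."""
    by_user = {}
    for s in sorted(signins, key=lambda s: parse_ts(s["ts"])):
        by_user.setdefault(s["user"], []).append(s)
    hits = []
    for user, rows in by_user.items():
        for prev, cur in zip(rows, rows[1:]):
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            hours = (parse_ts(cur["ts"]) - parse_ts(prev["ts"])).total_seconds() / 3600
            if km > 0 and (hours == 0 or km / hours > max_kmh):
                # A valid credential used from an impossible location: T1078 (Valid Accounts).
                hits.append({"technique": "T1078", "user": user, "ts": cur["ts"],
                             "from_ip": prev["ip"], "to_ip": cur["ip"],
                             "km": round(km), "minutes": round(hours * 60)})
    return hits


def scope_after(signins, user, since_ts):
    """Apps and source IPs the account touched at or after the suspected compromise time."""
    t0 = parse_ts(since_ts)
    return sorted({(s["app"], s["ip"]) for s in signins
                   if s["user"] == user and parse_ts(s["ts"]) >= t0})


def triage(edr_events, signins):
    """Combine both detections into a per-user handoff summary."""
    process_hits = office_spawned_script_hosts(edr_events)
    travel_hits = impossible_travel(signins)
    report = {}
    for user in {h["user"] for h in process_hits} | {h["user"] for h in travel_hits}:
        first_bad = min((h["ts"] for h in travel_hits if h["user"] == user), default=None)
        report[user] = {
            "techniques": sorted({h["technique"] for h in process_hits + travel_hits
                                  if h["user"] == user}),
            "hosts": sorted({e["host"] for e in edr_events if e["user"] == user}),
            "first_suspicious_signin": first_bad,
            "touched_since_compromise": scope_after(signins, user, first_bad) if first_bad else [],
        }
    return report


if __name__ == "__main__":
    for user, summary in triage(EDR_EVENTS, SIGNIN_EVENTS).items():
        print(user, summary)
```

Both detections stay deliberately simple so a Tier 1 analyst can read them: the process rule is a parent/child allowlist check, and the travel rule only needs two timestamps and two coordinates. The scoping list is the part that feeds the handoff note, since it tells the next tier which applications the account reached after the suspicious sign-in.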
How is this Range scenario scored?
Each step has a max score of 100 points. Hints deduct points up front. Free-text steps in the MVP queue for manual review, so the auto-final-score reflects exact-match and multiple-choice steps. Range Elo updates on completion based on scenario difficulty and final score.
Does this scenario use real customer data?
No. All artifacts in DecipherU Range scenarios are original training material written for educational use. Indicator strings are synthetic and do not represent real victim organizations or threat campaigns.
Course content is for educational purposes only and does not constitute professional advice. All claims are supported by cited peer-reviewed academic research. DecipherU does not teach or reproduce any proprietary sales methodology. Verify all referenced sources independently.