Operations Mode

Guided CTF-style training rooms with clear objectives and flags.

Operations Mode provides structured, guided training through CTF-style rooms. Each room presents a realistic incident scenario with specific objectives to complete.

How It Works

1. Browse Rooms

Visit the Operations page to see available rooms:

  • Filters - By difficulty, tool, category, or MITRE technique
  • Search - Find specific scenarios
  • Tabs - All, In Progress, Completed

2. Select a Room

Each room card shows:

  • Title - Scenario name
  • Difficulty - Easy, Medium, Hard
  • Tool - Primary tool used (SIEM, XDR, Firewall)
  • Points - XP awarded on completion
  • Estimated Time - How long it typically takes

3. Complete Tasks

Rooms contain multiple tasks:

  1. Read the scenario briefing
  2. Complete each task (in order, or in any order you prefer)
  3. Answer questions or find flags
  4. Submit your answers
  5. Review your performance

4. Capture Flags

Flags are hidden answers you discover during investigation:

FLAG{brute_force_detected_192.168.1.100}

Flags are case-insensitive. Spaces are ignored.
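As an added example (not the simulator's own code), here is how a flag checker can apply the rules above: the FLAG{...} wrapper, case-insensitive matching, and whitespace ignored, with a constant-time comparison on the normalized value. The function names and the exact normalization steps are assumptions.

```python
import hmac
import re
from typing import Optional

# Flag format as shown on the page: FLAG{...}. The wrapper is matched
# case-insensitively, and whitespace anywhere in the submission is ignored.
FLAG_RE = re.compile(r"^flag\{([^{}]+)\}$")


def normalize_flag(raw: str) -> Optional[str]:
    """Return the canonical inner value of a submitted flag, or None if the
    submission is not a well-formed FLAG{...} token (assumed parsing rule)."""
    # Drop every whitespace character (spaces, tabs, newlines), then lower-case.
    compact = re.sub(r"\s+", "", raw).lower()
    match = FLAG_RE.match(compact)
    return match.group(1) if match else None


def check_flag(submitted: str, expected: str) -> bool:
    """Compare a submitted flag with the room's expected flag.

    Both sides go through the same normalization, and the final comparison is
    constant-time so response timing does not reveal how many leading
    characters of the guess were correct."""
    sub = normalize_flag(submitted)
    exp = normalize_flag(expected)
    if sub is None or exp is None:
        return False
    return hmac.compare_digest(sub.encode(), exp.encode())


if __name__ == "__main__":
    # Constructed sample submissions against the flag shown on this page.
    expected = "FLAG{brute_force_detected_192.168.1.100}"
    for attempt in (
        "flag{ Brute_Force_Detected_192.168.1.100 }",   # accepted
        "FLAG{brute_force_detected_192.168.1.101}",     # wrong host
        "brute_force_detected_192.168.1.100",           # missing wrapper
    ):
        print(f"{attempt!r:48} -> {check_flag(attempt, expected)}")
```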

Room Difficulty

| Difficulty | Description                                | Points | Time      |
|------------|--------------------------------------------|--------|-----------|
| Easy       | Single tool, clear path, simple patterns   | 100    | 10-15 min |
| Medium     | Multiple tools, some correlation needed    | 250    | 20-30 min |
| Hard       | Complex scenarios, advanced techniques     | 500    | 45-60 min |

Features

Progressive Hints

Stuck on a task? Use hints:

  1. First hint - Gentle nudge in right direction
  2. Second hint - More specific guidance
  3. Third hint - Near-complete solution

Using hints reduces points earned. Try without hints first!

Rich Task Content

Tasks can include:

  • Text instructions - What you need to do
  • Alert embeds - Pre-loaded alerts to investigate
  • Images - Screenshots and diagrams
  • Code blocks - Queries or commands to run
  • Questions - Multiple choice or free text

Embedded SOC Components

Some tasks embed actual tool interfaces:

  • View a real alert card
  • Query a log viewer
  • Analyze a process tree

Scoring

Points are awarded based on:

| Factor     | Impact                          |
|------------|---------------------------------|
| Difficulty | Higher = more points            |
| Hints used | Each hint reduces points        |
| Accuracy   | Wrong answers reduce score      |
| Completion | Partial credit for some tasks   |

Categories

Rooms are organized by attack category:

  • Initial Access - Phishing, exploit, drive-by
  • Execution - PowerShell, macros, scripts
  • Persistence - Scheduled tasks, registry, services
  • Privilege Escalation - Local admin, token manipulation
  • Defense Evasion - Obfuscation, clearing logs
  • Credential Access - Credential dumping, brute force
  • Lateral Movement - RDP, PsExec, WMI
  • Exfiltration - Data theft, C2 channels

Tips for Success

  1. Read the briefing carefully - Context matters
  2. Check all tools - Incidents span multiple sources
  3. Look for timestamps - Build the timeline
  4. Correlate by IP/user - Connect the dots
  5. Use hints wisely - Try without first, but don't waste time
