Scoring & Progression
Four-pillar scoring methodology, grade thresholds, SLA targets, and leaderboard progression.
SOC Simulator uses a unified scoring system across all training modes. Points earned from Operations rooms and Shift Mode feed into a single leaderboard rank that tracks your growth as an analyst.
Shift Mode Scoring -- The Four Pillars
Your shift performance is measured across four pillars. Each pillar evaluates a distinct aspect of SOC analyst competency:
Detection Rate (40%)
The percentage of true positive alerts you correctly identified and escalated. This is the most heavily weighted pillar because missing real threats is the most consequential failure in SOC operations.
Calculation: (True positives correctly escalated / Total true positives in the shift) x 100
Example: A shift contains 8 true positive alerts. You escalate 6 of them correctly. Your detection rate is 75%.
Precision (25%)
The accuracy of your escalations. A high detection rate means nothing if you are also escalating every noise alert. Precision measures your ability to distinguish genuine threats from false alarms.
Calculation: (Correct escalations / Total escalations you made) x 100
Example: You escalate 10 alerts during a shift. 6 are true positives and 4 are noise. Your precision is 60%.
Response Time (20%)
How quickly you triage alerts relative to their severity. Each severity level has an SLA target (see below). Alerts triaged within the SLA window earn full marks. Alerts triaged late receive partial credit based on how far outside the window they fell.
Calculation: Weighted average of per-alert SLA compliance, adjusted by severity.
Procedure (15%)
Whether you followed proper investigation procedures before making a decision. Did you check related alerts before escalating? Did you look up IOCs in threat intelligence? Did you document evidence in Case Management? Procedure captures the quality of your investigative process, not just the outcome.
Calculation: Based on tracked investigation actions per alert -- pivoting between tools, IOC lookups, evidence pinning, and case notes.
SLA Targets
Response time expectations vary by alert severity:
| Severity | SLA Target | Description |
|---|---|---|
| Critical | 2 minutes | Immediate response required |
| High | 5 minutes | Rapid assessment needed |
| Medium | 15 minutes | Standard triage timeline |
| Low | 30 minutes | Address when higher priorities are clear |
| Info | 60 minutes | Review at your discretion |
SLA targets are measured from when the alert first appears in your queue, not from when you first open it. Unread alerts are still accumulating SLA time.
Grade Thresholds
Your composite score (the weighted sum of all four pillars) maps to a letter grade:
| Grade | Score Range | Label |
|---|---|---|
| S | 95 -- 100 | Exceptional |
| A | 85 -- 94 | Advanced |
| B | 75 -- 84 | Proficient |
| C | 60 -- 74 | Developing |
| D | 40 -- 59 | Needs Improvement |
| F | 0 -- 39 | Unsatisfactory |
Bonuses and Penalties
Certain actions during a shift apply modifiers to your composite score:
| Modifier | Effect | Condition |
|---|---|---|
| Full Chain Bonus | +5 points | Escalate every alert in an attack chain |
| Early Detection Bonus | +3 points | Escalate the first attack alert within its SLA |
| Zero False Escalation | +3 points | No noise or baseline alerts escalated |
| Missed Critical | -5 points per alert | A critical true positive was not escalated |
| Excessive Escalation | -2 points | More than 50% of all escalations were incorrect |
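
The composite calculation described above, as an added example that is not SOC Simulator's own code. Weights, modifier values and grade floors come from the tables on this page. The assumptions are that Response Time and Procedure arrive as ready-made 0-100 scores (the page gives no exact formula for them), that chain and early-detection bonuses are passed in as flags, that an empty denominator scores 0, that the final score is clamped to 0-100, and that fractional scores take the grade whose floor they reach.

```python
WEIGHTS = {"detection": 0.40, "precision": 0.25, "response": 0.20, "procedure": 0.15}
GRADE_FLOORS = [(95, "S"), (85, "A"), (75, "B"), (60, "C"), (40, "D"), (0, "F")]

def pct(part, whole):
    return 100.0 * part / whole if whole else 0.0   # assumption: empty denominator scores 0

def score_shift(alerts, response, procedure, full_chain=False, early_detection=False):
    """alerts: dicts with 'tp' (true positive?), 'escalated' and 'severity'.
    response and procedure are 0-100 pillar scores supplied by the caller."""
    tps = [a for a in alerts if a["tp"]]
    esc = [a for a in alerts if a["escalated"]]
    correct = sum(a["tp"] for a in esc)     # escalations that were real threats
    wrong = len(esc) - correct              # noise or baseline alerts escalated
    pillars = {
        "detection": pct(correct, len(tps)),
        "precision": pct(correct, len(esc)),
        "response": response,
        "procedure": procedure,
    }
    composite = sum(WEIGHTS[k] * v for k, v in pillars.items())
    missed_crit = sum(1 for a in tps if a["severity"] == "critical" and not a["escalated"])
    modifier = (5 * full_chain + 3 * early_detection
                + 3 * (wrong == 0)                                # Zero False Escalation
                - 5 * missed_crit                                 # Missed Critical, per alert
                - 2 * (len(esc) > 0 and wrong / len(esc) > 0.5))  # Excessive Escalation
    final = round(min(100.0, max(0.0, composite + modifier)), 2)  # clamp is an assumption
    grade = next(g for floor, g in GRADE_FLOORS if final >= floor)
    return {"pillars": pillars, "composite": round(composite, 2),
            "modifier": modifier, "final": final, "grade": grade}

def alert(tp, escalated, severity="medium"):
    return {"tp": tp, "escalated": escalated, "severity": severity}

# Constructed shift combining the page's two examples: 8 true positives, 6 of them
# escalated (one of the 2 missed alerts is critical), plus 4 noise alerts escalated.
SAMPLE_SHIFT = ([alert(True, True)] * 6
                + [alert(True, False, "critical"), alert(True, False)]
                + [alert(False, True)] * 4 + [alert(False, False)] * 10)
```

With response and procedure scores of 80 and 70, `score_shift(SAMPLE_SHIFT, 80, 70)` gives a composite of 71.5, a modifier of -5 for the missed critical, and a final score of 66.5 (grade C).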
Debrief Walkthrough
After every shift, the debrief screen provides a structured review of your performance:
Pillar Breakdown
A visual breakdown of your score across all four pillars. Each pillar shows your raw score, the weighted contribution, and specific alerts that impacted the score positively or negatively.
Scenario Reveal
The hidden attack scenario is fully revealed. You see the complete attack chain, which alerts were true positives, which you caught, and which you missed. The scenario is mapped to MITRE ATT&CK techniques so you can study the tactics involved.
Fatigue Analysis
An hourly accuracy chart shows how your triage performance changed over the course of the shift. This section highlights your personal fatigue threshold and identifies whether later errors were false negatives or false positives.
Top Mistakes
The three decisions that had the largest negative impact on your score are listed with explanations of why they were scored as incorrect and what the correct action would have been.
Room Scoring
Points are earned by completing tasks in Operations rooms. Each task requires submitting the correct flag, and each correct submission awards points toward the room total.
Point Budgets by Difficulty
Every room has a point budget determined by its difficulty level:
| Difficulty | Max Room Points |
|---|---|
| Easy | 75 |
| Medium | 150 |
| Hard | 300 |
Room creators distribute points across tasks within this budget. Harder tasks within a room are worth more points.
Leaderboard Multiplier
A difficulty multiplier is applied when room points are added to the leaderboard:
| Difficulty | Multiplier | Max Leaderboard Points |
|---|---|---|
| Easy | 1.0x | 75 |
| Medium | 1.5x | 225 |
| Hard | 2.0x | 600 |
Points are only awarded on first completion. Replaying a room is great for practice, but it does not earn additional leaderboard points.
Shift Mode Leaderboard Points
Shift Mode awards leaderboard points based on both the duration of your shift and how well you performed:
Base Points by Duration
| Duration | Base Points |
|---|---|
| 30 minutes | 50 |
| 60 minutes | 75 |
| 120 minutes | 125 |
| 180 minutes | 175 |
Performance Quality Multiplier
| Rating | Composite Score | Multiplier |
|---|---|---|
| Poor | 0 -- 40 | 0.5x |
| Developing | 41 -- 60 | 0.75x |
| Proficient | 61 -- 80 | 1.0x |
| Advanced | 81 -- 90 | 1.25x |
| Expert | 91 -- 100 | 1.5x |
For example, an Expert-rated 60-minute shift earns 75 x 1.5 = 112.5 leaderboard points.
Daily Shift Limit
A maximum of 3 scored shifts per day count toward your leaderboard points. You can run as many shifts as you want beyond that limit, but they function as practice-only and do not award points.
Practice shifts still generate full performance reports. They are a great way to improve your metrics without worrying about score.
Daily Earning Cap
To maintain a healthy leaderboard and reward consistent practice over marathon sessions, a daily soft cap is applied:
- The first 500 points earned each day are awarded at full value
- Points earned beyond 500 in a single day are awarded at 25% value
- The cap resets daily at midnight UTC
The daily cap applies to the combined total from both Operations rooms and Shift Mode. Plan your training sessions accordingly.
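
How the room multiplier, shift multiplier, daily shift limit and daily soft cap combine over a day, as an added example that is not SOC Simulator's own code. Table values are from this page; the event format, the choice to split an award that straddles the 500-point line, counting a shift on the UTC day of its timestamp, and placing fractional composite scores in the band whose floor they reach are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Values from the tables on this page
SHIFT_BASE = {30: 50, 60: 75, 120: 125, 180: 175}          # minutes -> base points
QUALITY = [(91, 1.5), (81, 1.25), (61, 1.0), (41, 0.75), (0, 0.5)]
ROOM_MULT = {"easy": 1.0, "medium": 1.5, "hard": 2.0}
DAILY_CAP, OVER_CAP_RATE, MAX_SCORED_SHIFTS = 500, 0.25, 3

def raw_points(e):
    """Leaderboard points for one event before the daily soft cap."""
    if e["kind"] == "room":
        return e["points"] * ROOM_MULT[e["difficulty"]]
    mult = next(m for floor, m in QUALITY if e["composite"] >= floor)
    return SHIFT_BASE[e["minutes"]] * mult

def daily_totals(events):
    """events: chronological dicts with a timezone-aware 'ts'. Returns {UTC date: points}."""
    earned, awarded, shifts = defaultdict(float), defaultdict(float), defaultdict(int)
    rooms_done = set()
    for e in events:
        day = e["ts"].astimezone(timezone.utc).date()     # cap resets at midnight UTC
        if e["kind"] == "room":
            if e["room"] in rooms_done:
                continue                                   # replay: first completion only
            rooms_done.add(e["room"])
        else:
            shifts[day] += 1
            if shifts[day] > MAX_SCORED_SHIFTS:
                continue                                   # practice-only shift
        pts = raw_points(e)
        full = max(0.0, min(pts, DAILY_CAP - earned[day]))  # portion still under the cap
        awarded[day] += full + (pts - full) * OVER_CAP_RATE
        earned[day] += pts
    return dict(awarded)

def at(day, hour):
    return datetime(2024, 1, day, hour, tzinfo=timezone.utc)

# Constructed sample activity (room id "r1" is a placeholder)
SAMPLE = [
    {"kind": "shift", "ts": at(1, 9), "minutes": 60, "composite": 95},
    {"kind": "room", "ts": at(1, 11), "room": "r1", "difficulty": "hard", "points": 300},
    {"kind": "room", "ts": at(1, 12), "room": "r1", "difficulty": "hard", "points": 300},
    {"kind": "shift", "ts": at(1, 13), "minutes": 30, "composite": 50},
    {"kind": "shift", "ts": at(1, 15), "minutes": 30, "composite": 70},
    {"kind": "shift", "ts": at(1, 17), "minutes": 30, "composite": 99},
    {"kind": "shift", "ts": at(2, 9), "minutes": 120, "composite": 85},
]
```

On the first sample day the 712.5 raw points from the first shift and the hard room cross the cap, the room replay and the fourth shift earn nothing, and the day totals 575 awarded points.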
Rank Progression
As you accumulate leaderboard points, you progress through 15 ranks:
| Rank | Points Required |
|---|---|
| Security Trainee | 0 |
| Junior Analyst | 100 |
| SOC Analyst I | 300 |
| SOC Analyst II | 600 |
| Senior Analyst | 1,000 |
| Threat Hunter | 1,500 |
| Incident Responder | 2,200 |
| Security Specialist | 3,000 |
| Lead Analyst | 4,000 |
| SOC Supervisor | 5,200 |
| Detection Engineer | 8,000 |
| Security Architect | 12,000 |
| Threat Intelligence Lead | 18,000 |
| SOC Manager | 25,000 |
| Cyber Defense Commander | 35,000 |
Your current rank and progress toward the next rank are displayed on your profile and in the dashboard sidebar.
Early ranks come quickly to keep you motivated. Higher ranks require sustained effort over weeks and months, mirroring real career progression timelines.
Leaderboards
Three leaderboard periods let you compete on different timescales:
| Period | Resets | Best For |
|---|---|---|
| Weekly | Every Monday at midnight UTC | Short-term competition |
| Monthly | First day of each month at midnight UTC | Medium-term goals |
| All-Time | Never | Career achievement |
Tips for Improving Each Pillar
Detection Rate
Focus on learning what true positive attack chains look like. Practice at Easy difficulty where 60% of alerts are genuine threats. Study the scenario reveal in your debrief to understand the attack patterns you missed.
Precision
Before escalating, take a moment to check the IOC in Ember ThreatInt. Cross-reference the alert with other tools using pivoting. If the evidence is ambiguous, mark as investigating rather than escalating immediately.
Response Time
Learn the keyboard shortcuts. Use R, F, I, and E to triage without reaching for the mouse. Prioritize critical and high severity alerts first to stay within SLA targets.
Procedure
Build the habit of checking at least two tools before making a decision. Pin evidence to your case. Look up IOCs in threat intelligence. These investigative actions are tracked and directly improve your procedure score.