Difficulty Levels
The 3-tier alert system, difficulty ratios, alert rates, and how to choose the right challenge level.
Shift Mode uses a 3-tier alert system that mirrors the reality of production SOC environments. Understanding the tiers and how difficulty levels adjust them is essential for getting the most out of your training.
The 3-Tier Alert System
Every alert that appears during a shift belongs to one of three tiers:
Baseline Alerts
Routine, expected alerts from normal business operations. These include scheduled scans, automated processes, and known-good activity that happens to trigger detection rules. Baseline alerts should be resolved or marked as false positives quickly.
Examples: Scheduled vulnerability scan alerts, nightly backup job triggers, known admin tool usage, routine DNS queries to internal servers.
Noise Alerts
Suspicious-looking but ultimately benign activity. Noise alerts require more analysis than baseline alerts because they exhibit characteristics that could indicate a threat. They test your ability to investigate without jumping to conclusions.
Examples: A user logging in from a new location (they traveled for work), a PowerShell script execution (it is a legitimate IT automation tool), outbound traffic to a newly registered domain (it is a new SaaS vendor).
True Positives
Genuine malicious activity that is part of an injected attack scenario. True positives form an attack chain that you need to identify, correlate, and escalate. Missing these is the most significant failure mode.
Examples: Credential stuffing from a known malicious IP, lateral movement via PsExec to a domain controller, data exfiltration over DNS tunneling, C2 beaconing to known threat-actor infrastructure.
Difficulty Levels
Each difficulty level adjusts the ratio of alert tiers and the overall alert volume:
| Difficulty | True Positives | Noise | Baseline | Alert Rate |
|---|---|---|---|---|
| Easy | 60% | 20% | 20% | ~12 alerts/hour |
| Medium | 30% | 45% | 25% | ~20 alerts/hour |
| Hard | 15% | 55% | 30% | ~30 alerts/hour |
| Expert | 10% | 60% | 30% | ~45 alerts/hour |
At Easy difficulty, the majority of alerts are true positives, so you can focus on learning how attack chains look across tools without being overwhelmed by noise. At Expert difficulty, only 1 in 10 alerts is a genuine threat, buried in a high volume of noise that demands rapid and accurate triage. Note that the absolute number of true positives per hour stays roughly constant across levels (about 7 at Easy, 6 at Medium, and 4 to 5 at Hard and Expert); what grows is the volume of benign alerts you must clear to find them.
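To make the table concrete, here is an added example in Python (not part of the Shift Mode platform or its documentation) that turns the ratios into expected tier counts for a shift, generates a constructed random alert feed with the same mix, and shows how the base rate alone drives escalation precision. The 90% sensitivity and 10% false-escalation rate passed to escalation_precision are assumed analyst parameters, not figures from this page.

```python
import random

# Difficulty mix taken from the table above: tier fractions and the
# approximate alert rate per hour.
DIFFICULTY_MIX = {
    "Easy":   {"true_positive": 0.60, "noise": 0.20, "baseline": 0.20, "alerts_per_hour": 12},
    "Medium": {"true_positive": 0.30, "noise": 0.45, "baseline": 0.25, "alerts_per_hour": 20},
    "Hard":   {"true_positive": 0.15, "noise": 0.55, "baseline": 0.30, "alerts_per_hour": 30},
    "Expert": {"true_positive": 0.10, "noise": 0.60, "baseline": 0.30, "alerts_per_hour": 45},
}
TIERS = ("true_positive", "noise", "baseline")


def expected_counts(difficulty, hours=1.0):
    """Expected number of alerts per tier over a shift of `hours` hours."""
    mix = DIFFICULTY_MIX[difficulty]
    total = mix["alerts_per_hour"] * hours
    return {tier: total * mix[tier] for tier in TIERS}


def escalation_precision(difficulty, sensitivity=0.90, false_escalation_rate=0.10):
    """Fraction of escalated alerts that are genuine threats.

    Models an analyst who escalates `sensitivity` of true positives and
    `false_escalation_rate` of benign (noise + baseline) alerts. Both analyst
    parameters are assumptions for illustration, not figures from the page.
    """
    mix = DIFFICULTY_MIX[difficulty]
    tp_share = mix["true_positive"]
    escalated_true = tp_share * sensitivity
    escalated_benign = (1.0 - tp_share) * false_escalation_rate
    return escalated_true / (escalated_true + escalated_benign)


def simulate_shift(difficulty, hours=8.0, seed=0):
    """Generate one shift's alert feed as a list of tier labels.

    Alerts are drawn at random with the difficulty's tier weights; this is
    constructed sample data, seeded so runs are repeatable.
    """
    mix = DIFFICULTY_MIX[difficulty]
    n_alerts = round(mix["alerts_per_hour"] * hours)
    rng = random.Random(seed)
    return rng.choices(TIERS, weights=[mix[t] for t in TIERS], k=n_alerts)


def tier_counts(feed):
    """Count how many alerts of each tier a feed contains."""
    return {tier: feed.count(tier) for tier in TIERS}


if __name__ == "__main__":
    for level in DIFFICULTY_MIX:
        per_hour = expected_counts(level, 1.0)
        summary = ", ".join(f"{t}={per_hour[t]:.1f}" for t in TIERS)
        print(f"{level:7s} expected/hour: {summary}; "
              f"escalation precision at 90%/10%: {escalation_precision(level):.0%}")
    feed = simulate_shift("Expert", hours=8.0, seed=42)
    print("Simulated 8h Expert shift:", tier_counts(feed))
```

With those assumed analyst parameters, exactly half of the escalations at Expert are benign, against more than 90% genuine at Easy. The analyst's judgement per alert has not changed between the two runs; only the base rate has, which is why the same false-escalation habit that is harmless at Easy floods the escalation queue at Expert.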
Choosing the Right Difficulty
Easy
You are new to SOC work or to the platform. You want to learn what true positive alerts look like across SIEM, XDR, and Firewall without the pressure of distinguishing them from heavy noise.
Medium
You can identify obvious threats and want to practice filtering noise. Medium difficulty is where most analysts should spend the majority of their training time.
Hard
You can triage efficiently at medium and want to build resilience against high alert volumes. Hard difficulty closely matches the conditions in a mid-size enterprise SOC.
Expert
You want to simulate the worst-case scenario: a high-volume, high-noise environment where threats are rare and subtle. Expert difficulty is representative of large enterprise SOCs during active campaigns.
Progression Path
A structured approach to building proficiency:
- Start at Easy -- Complete several shifts to learn the tools, the alert format, and the scoring system.
- Move to Medium -- Once you consistently score above 80% at Easy, switch to Medium to introduce noise pressure.
- Advance to Hard -- When your Medium scores stabilize above 70%, move to Hard for volume pressure.
- Attempt Expert -- After consistent Hard performance above 65%, try Expert for the full production SOC experience.
There is no penalty for training at a lower difficulty. If your scores drop significantly at a new level, return to the previous level and focus on the scoring pillar where you lost the most points. Consistent practice at the right difficulty builds skills faster than struggling at a level beyond your current ability.