# Shift Mode
Real-time SOC analyst shift simulation with live alerts, multi-tool workstation, and hidden attack scenarios.
Shift Mode places you inside a fully functional SOC Workstation where live alerts stream across multiple security tools simultaneously. Hidden attack scenarios are injected into the noise. Your job is to triage, investigate, and respond -- exactly as you would in a production security operations center.
## Quick Start

### 1. Configure Your Shift
Select your shift parameters before starting:
| Setting | Options |
|---|---|
| Duration | 30 minutes, 1 hour, 2 hours, 3 hours |
| Difficulty | Easy, Medium, Hard, Expert |
| Scenario Focus | Random, or a specific MITRE ATT&CK category |
### 2. Briefing
Before your shift begins, you receive a briefing that describes the organization you are defending, the threat landscape, and any active advisories. Read it carefully -- it contains context that will help you distinguish real threats from noise.
### 3. Triage
Your workstation opens with multiple tool windows. Alerts stream in across SIEM, XDR, and Firewall panels. For each alert, decide:
| Action | When to Use |
|---|---|
| Investigate | Needs deeper analysis before a decision |
| Escalate | Confirmed or high-confidence threat requiring response |
| Resolve | Legitimate activity that has been handled; no further action needed |
| False Positive | Benign activity that triggered a detection rule |
Hidden in the alert flow are true-positive attack chains. Finding and correctly escalating them is the core challenge.

### 4. Debrief
When the shift ends, a full performance report breaks down your decisions across four scoring pillars: Detection Rate, Precision, Response Time, and Procedure. The debrief also reveals the hidden scenario, shows which alerts were part of the attack chain, and provides fatigue analysis.
## Tool Windows
The SOC Workstation provides six tool windows, each replicating a real-world SOC platform:
| Window | Purpose |
|---|---|
| SIEM | Log search, correlation rules, alert timeline |
| XDR | Endpoint telemetry, process trees, detection alerts |
| Firewall | Network traffic, connection logs, blocked requests |
| Ember ThreatInt | Real-time threat intelligence from 20+ open-source feeds |
| Case Management | Ticket creation, evidence pinning, incident tracking |
| Comms | SOC team communication channel with simulated colleagues |
## Learn More

- SOC Workstation: Window management, layout presets, cross-tool pivoting, and taskbar guide.
- Difficulty Levels: The 3-tier alert system, difficulty ratios, and progression path.
- Scoring Methodology: Four-pillar scoring, grade thresholds, SLA targets, and debrief walkthrough.
- Ember ThreatInt: Real threat intelligence feeds integrated into every shift.
- Fatigue Mechanics: How progressive fatigue effects simulate real SOC conditions.
- Keyboard Shortcuts: Full reference for fast triage and workstation navigation.