
Hands-On SOC Training Operations

SOCSimulator training operations are free, browser-based cybersecurity investigation exercises. Each operation places you inside a realistic SIEM, XDR, or Firewall console to practice alert triage, threat detection, and incident response against scenarios mapped to the MITRE ATT&CK framework.

17 operations · 157 tasks · 3 tool types

AWS IAM Key Abuse: From Leak to Takeover
PRO · Intermediate

An investigation into a sophisticated cloud-native attack where exposed IAM credentials led to serverless exploitation, lateral movement via SSH key injection, and large-scale data exfiltration. You will analyze CloudTrail logs, VPC Flow logs, and GuardDuty alerts to trace the attacker's path from a leaked .env file to a full environment takeover.

Tools: SIEM · 45m · 25 pts · 8 tasks

LOTL Campaign: Blending Into Admin Activity
Intermediate

In 2025, 79% of initial access is malware-free. This training scenario challenges analysts to identify sophisticated 'Living off the Land' (LotL) techniques where attackers use legitimate administrative tools like ntdsutil, netsh, and PowerShell to blend into normal network traffic. You will investigate a campaign targeting a manufacturing firm's Active Directory infrastructure, focusing on identity-based threats that have seen an 850% increase year-over-year.

Tools: SIEM, XDR · 45m · 25 pts · 8 tasks

Kerberoasting: Service Ticket to Domain Admin
PRO · Intermediate

Analyze a high-speed identity-based attack where an adversary pivots from a VPN compromise to Active Directory dominance in under 4 hours. This scenario focuses on detecting Kerberoasting (T1558.003) via service ticket anomalies and tracking the rapid escalation to Domain Admin privileges.

Tools: SIEM, XDR · 45m · 25 pts · 8 tasks

Cobalt Strike: Beacon Detection
Intermediate

Analyze a sophisticated intrusion involving the exploitation of an Atlassian Confluence server, leading to Cobalt Strike beacon deployment and LockBit ransomware. This scenario focuses on identifying malleable C2 profiles, process injection into legitimate Windows processes, and the use of SOCKS proxies for lateral movement. You will navigate through SIEM logs and XDR process trees to reconstruct the attack timeline from initial access to final impact.

Tools: SIEM, XDR · 45m · 25 pts · 8 tasks

Rogue RMM: Unauthorized Remote Access
Beginner

In 2025, Remote Monitoring and Management (RMM) abuse surged by 277%. Threat actors increasingly leverage legitimate tools like ScreenConnect and AnyDesk to bypass security controls and maintain persistent access. In this scenario, you will investigate a suspicious installation on an accounting department workstation. You'll need to distinguish between authorized administrative activity and a 'SilentConnect' infection that utilizes VBScript lures and PEB masquerading to hide its presence.

Tools: SIEM, XDR · 30m · 20 pts · 6 tasks

MFA Fatigue: The Notification Flood
Beginner

In this guided walkthrough, you will investigate a sophisticated identity-led intrusion. An attacker leveraged social engineering via Microsoft Teams and MFA push-bombing to 'log in' rather than 'break in'. You will analyze SIEM authentication patterns and XDR behavioral data to trace the attacker's path from a simple voice call to full environment compromise.

Tools: SIEM, XDR · 30m · 20 pts · 6 tasks

Credential Harvesting: The Lookalike Login
Beginner

An investigation into a modern phishing campaign targeting critical infrastructure. You will analyze email headers for domain spoofing, identify 'Paste and Run' execution chains, and track the delivery of the LummaC2 information stealer through SIEM logs.

Tools: SIEM · 30m · 20 pts · 6 tasks

SocGholish: The Fake Browser Update
Beginner

Investigate a drive-by download attack where a compromised WordPress site delivered a highly obfuscated JavaScript loader using UTF-8 homoglyphs to evade detection. Trace the execution from the browser to system reconnaissance and the deployment of a Python-based backdoor used by RansomHub affiliates.

Tools: SIEM, XDR · 45m · 20 pts · 6 tasks

Akira Ransomware: Full Kill Chain IR
PRO · Advanced

Step into the shoes of a Tier 3 SOC Analyst to investigate a high-impact ransomware intrusion by the Howling Scorpius group (Akira). This scenario covers the full lifecycle of a modern double-extortion attack, from initial VPN credential abuse and SEO poisoning to lateral movement, credential dumping, and final data exfiltration. You will need to correlate evidence across SIEM logs, XDR process trees, and Firewall traffic to reconstruct the timeline and identify the root cause of the breach.

Tools: SIEM, XDR, Firewall · 1h 30m · 50 pts · 10 tasks

ClickFix: The Fake CAPTCHA Trap
Beginner

Investigate a modern 'ClickFix' social engineering attack where a user was tricked into executing a malicious PowerShell command via a fake CAPTCHA interface. You will analyze SIEM and XDR telemetry to trace the infection from the initial web lure to the deployment of an infostealer.

Tools: SIEM, XDR · 30m · 20 pts · 6 tasks

Phishing Investigation: ZipLine Supply Chain Campaign
Beginner

Investigate a sophisticated social engineering campaign targeting manufacturing supply chains. You will analyze a 'reversed' phishing flow where attackers use 'Contact Us' forms to trick employees into initiating email conversations, leading to the deployment of the custom MixShell in-memory implant via DNS tunneling.

Tools: SIEM, XDR, Firewall · 45m · 75 pts · 8 tasks

Malware Investigation: Emotet Epoch 4 Binary Padding Evasion
PRO · Intermediate

Investigate a resurgence of the Emotet botnet (Epoch 4) utilizing advanced defense evasion techniques. Trace the infection from a macro-enabled document to the deployment of inflated DLL payloads designed to bypass sandbox and scan engine limitations through binary padding. Analyze process hollowing of system utilities and the deployment of modular stealer components.

Tools: SIEM, XDR, Firewall · 2h · 150 pts · 23 tasks

Malware Investigation: NetSupport RAT Pokemon Phishing Campaign
PRO · Intermediate

Investigate a sophisticated phishing campaign where threat actors distributed the NetSupport Remote Administration Tool (RAT) by disguising it as a popular Pokemon card game. You will analyze the infection chain from the initial web download through persistence mechanisms and command-and-control configuration using SIEM, XDR, and Firewall logs.

Tools: SIEM, XDR, Firewall · 45m · 150 pts · 5 tasks

APT Investigation: Bluebottle Financial Sector Campaign
PRO · Advanced

A deep-dive investigation into a sophisticated multi-stage attack targeting financial institutions in Francophone Africa. Analysts will trace the infection from malicious ISO mounts through GuLoader execution, defense evasion via signed kernel drivers, and lateral movement using dual-use tools like Ngrok and PsExec. This scenario is based on real-world threat intelligence from the Symantec Threat Hunter Team regarding the Bluebottle/OPERA1ER group.

Tools: SIEM, XDR, Firewall · 3h · 305 pts · 28 tasks

Supply Chain Investigation: The poweRAT PyPI Campaign
Intermediate

Investigate a sophisticated supply chain attack targeting Python developers through malicious PyPI packages. You will analyze a multi-stage infection chain involving obfuscated PowerShell, Cloudflare Tunnels, and a Flask-based RAT used for data exfiltration and remote control.

Tools: SIEM, XDR, Firewall · 1h · 150 pts · 5 tasks

Malware Investigation: RedLine Stealer Infostealer Campaign
Intermediate

Investigate a RedLine Stealer infection originating from a malicious 'Netflix Checker' application. Analysts will trace the execution from the initial dropper to the final payload, identify the specific sensitive data targeted (browsers, crypto wallets, VPNs), and analyze the SOAP-based C2 communication used for exfiltration.

Tools: SIEM, XDR, Firewall · 1h · 150 pts · 9 tasks

Ransomware Investigation: ALPHV/BlackCat Healthcare Sector Campaign
Advanced

Investigate the sophisticated TTPs of the ALPHV (BlackCat) ransomware group following the breach of a major healthcare entity. You will analyze initial access via social engineering, command-line execution patterns, registry modifications for lateral movement, and the technical mechanics of their Rust-based encryption engine.

Tools: SIEM, XDR, Firewall · 2h · 280 pts · 7 tasks

Start Training — Free Forever

Create your free account and start investigating real-world attack scenarios. No credit card required. Track your progress, earn points, and build job-ready SOC analyst skills.
