
Hands-On SOC Training Operations

SOCSimulator training operations are free, browser-based cybersecurity investigation exercises. Each operation places you inside a realistic SIEM, XDR, or Firewall console to practice alert triage, threat detection, and incident response against scenarios mapped to the MITRE ATT&CK® framework.

15 Operations · 120 Tasks · 4 Tool Types

Scattered Spider: Identity-First Attack Chain (PRO, Advanced)

Investigate a high-sophistication intrusion by UNC3944 (Scattered Spider). This scenario simulates a multi-stage attack starting from social engineering and MFA fatigue, progressing through the exploitation of unmanaged edge devices, and culminating in a 'Bring Your Own Vulnerable Driver' (BYOVD) technique to blind kernel-level security agents. Analysts must correlate identity providers, cloud sign-ins, and deep endpoint forensics to reconstruct the timeline and identify the breakout speed of this financially motivated threat actor.

Tools: SIEM, XDR · 1h 30m · 100 pts · 10 tasks

Fake Zoom to Ransomware: The Social Engineering Pipeline (Advanced)

In this advanced SOC simulation, you will investigate a multi-stage intrusion that began with a drive-by download of a trojanized Zoom installer. The attack progressed through several stages of loader execution, including d3f@ckloader and IDAT loader, eventually leading to the deployment of high-end C2 frameworks like Cobalt Strike and Brute Ratel. You must trace the attacker's path from the initial web-based compromise, through lateral movement via RDP tunneling and proxy tools, to the final mass-deployment of BlackSuit ransomware via enterprise management software. This scenario is based on real-world 2025 threat intelligence and requires deep analysis of SIEM, XDR, and Firewall telemetry to reconstruct the full kill chain.

Tools: SIEM, XDR, Firewall · 1h 40m · 100 pts · 10 tasks

Black Basta: Email Bomb to Encryption (PRO, Advanced)

Investigate a Black Basta-style ransomware intrusion that begins with email bombing and Microsoft Teams impersonation, escalates through Quick Assist remote control, establishes BackConnect-style command and control through OneDrive DLL side-loading, exfiltrates data with WinSCP, and ends in ransomware encryption. Correlate SIEM, XDR, and firewall telemetry carefully: external C2 IPs identify adversary infrastructure, while internal srcIp values identify compromised hosts. Note: there is no separate email console in this operation - all mail-gateway telemetry for the email-bombing wave lives in the SIEM logs (source: email-gateway), alongside Windows, IDS, EDR, and Azure AD events.

Tools: SIEM, XDR, Firewall · 1h 35m · 100 pts · 10 tasks

Akira Ransomware: Full Kill Chain IR (PRO, Advanced)

The intrusion began with a search engine advertisement and ended with the deployment of Akira ransomware. This scenario covers the full 2025 threat landscape, emphasizing identity-based compromise, MFA bypass via AiTM kits, and rapid lateral movement toward Active Directory. Analysts must navigate a complex environment of Windows workstations, Domain Controllers, and Cisco VPN infrastructure to reconstruct the timeline from initial access to data exfiltration and final encryption.

Tools: SIEM, XDR, Firewall · 2h · 100 pts · 10 tasks

Edge Device Exploitation: VPN Zero-Day (Intermediate)

Investigate a breach targeting exposed edge security appliances. In this scenario, an attacker exploits Ivanti Connect Secure CVE-2025-22457 to obtain unauthenticated code execution, spawns a shell from the gateway web process, retrieves a Linux payload, and attempts to preserve access using edge-device service abuse patterns similar to FortiGate SSL-VPN post-exploitation tradecraft. Analyze SIEM, XDR, and firewall evidence to identify the spawned shell, suspicious domain, local sync script, and defensive block policy.

Tools: SIEM, XDR, Firewall · 55m · 50 pts · 8 tasks

Bumblebee to Akira: Search Engine Poisoning Pipeline (Intermediate)

Investigate a high-stakes 2025 intrusion where a simple search engine result led to a full-scale Akira ransomware deployment. This scenario tracks the transition from initial access via Bumblebee to post-exploitation via AdaptixC2, culminating in domain-wide encryption. You will analyze the browser-to-endpoint execution chain, identify lateral movement via administrative tools, and uncover the specific techniques used by the Howling Scorpius group to evade modern EDR solutions.

Tools: SIEM, XDR · 1h · 50 pts · 8 tasks

CI/CD Pipeline Hijack: GitHub Actions Compromise (Intermediate)

Investigate the March 2025 GitHub Actions supply-chain compromise involving tj-actions/changed-files and reviewdog/action-setup. A compromised action version tag caused Linux CI runners to execute malicious payload logic and expose CI/CD secrets in workflow logs using double-base64 encoding. Analyze SIEM and XDR telemetry to identify the affected action, runner identity, payload execution, detection source, and secret-exposure pattern, then decide which artifacts are malicious versus benign threat-intelligence lookups.

Tools: SIEM, XDR · 50m · 50 pts · 8 tasks

Cloud Token Theft: Identity Under Siege (Intermediate)

Analyze a sophisticated attack targeting Azure Blob Storage and Entra ID. This scenario covers the transition from initial OAuth phishing to token replay and persistent cloud access. You will investigate impossible travel alerts, rogue application consent, and unauthorized storage enumeration using real-world cloud telemetry.

Tools: SIEM, XDR, Firewall (+1 more) · 1h · 50 pts · 8 tasks

Kerberoasting: Service Ticket to Domain Admin (PRO, Intermediate)

In this scenario, you will investigate a high-speed identity-based attack. Starting from edge device exploitation, an adversary moves laterally to a domain-joined workstation and targets Active Directory. You must analyze SIEM logs for Kerberos ticket anomalies (RC4 encryption), correlate XDR process trees for Impacket usage, and identify the 'malware-free' techniques used to escalate privileges to Domain Admin.

Tools: SIEM, XDR · 55m · 50 pts · 8 tasks

Evilginx AiTM: Session Cookie Hijack (Intermediate)

In this scenario, you will investigate a sophisticated Adversary-in-the-Middle (AiTM) attack targeting a finance employee. You'll analyze cloud sign-in logs, proxy traffic, and XDR telemetry to identify session cookie theft, token replay, and post-compromise persistence. This lab focuses on the Tycoon 2FA PhaaS kit and its ability to bypass MFA by proxying live authentication sessions.

Tools: SIEM, XDR · 45m · 50 pts · 8 tasks

Cobalt Strike: Beacon Detection (PRO, Intermediate)

In this scenario, a sophisticated threat actor has gained a foothold in a corporate environment. You will serve as a SOC Analyst tasked with identifying the initial infection vector, tracing lateral movement, and uncovering the final objectives of the intrusion. This room focuses on detecting Cobalt Strike malleable C2 profiles, process injection patterns, and the deployment of LockBit ransomware. You will utilize SIEM logs and XDR telemetry to reconstruct the attack timeline and identify critical Indicators of Compromise (IOCs).

Tools: SIEM, XDR · 1h · 50 pts · 8 tasks

MFA Fatigue: The Notification Flood (Beginner)

In this guided walkthrough, you will step into the shoes of a SOC analyst investigating a modern identity-based attack. The threat landscape in 2026 has shifted: adversaries are no longer just 'breaking in'—they are logging in. You will analyze real-time identity signals, correlate disparate log sources across a hybrid cloud environment, and identify the markers of an MFA fatigue attack used by the FlowerStorm phishing kit. This scenario highlights the critical importance of behavioral analysis over simple IOC matching in an era of malware-free intrusions and compromised human identities.

Tools: SIEM, XDR · 30m · 50 pts · 6 tasks

QR Code Phishing: Scan to Compromise (Beginner)

In this scenario, you will investigate a modern 'Quishing' (QR phishing) attack that bypassed traditional email filters by hiding its payload inside an image. You will trace the full chain: a spoofed MFA-enrollment lure sent from purpose-built infrastructure, a redirect server that conceals the final destination, and an Evilginx-style adversary-in-the-middle page that stole an authenticated session cookie despite MFA. You will then follow the attacker's post-compromise moves — Graph API mailbox enumeration, SharePoint exfiltration, and a hidden inbox forwarding rule — and choose the containment action that actually evicts them.

Tools: SIEM · 30m · 50 pts · 6 tasks

Credential Harvesting: The Lookalike Login (Beginner)

Investigate an adversary-in-the-middle (AiTM) credential phishing campaign that lured an employee to a lookalike Microsoft 365 login page. Working entirely from SIEM logs, you will identify the lookalike domain, reconstruct the multi-hop redirect chain through a compromised legitimate site, uncover a secondary phishing wave against another employee, and confirm account takeover in Azure AD sign-in logs via impossible travel and session-token replay. You finish by choosing the containment action that actually evicts an attacker holding a valid session token. This operation builds foundational SOC analyst skills in lookalike-domain analysis and identity-centric incident response.

Tools: SIEM · 40m · 50 pts · 7 tasks

ClickFix: The Fake CAPTCHA Trap (Beginner)

The ClickFix social engineering technique uses dialogue boxes containing fake error messages to trick victims into copying, pasting, and running malicious content. In this scenario, a user was targeted with a 'Verify You Are Human' CAPTCHA check that led to a significant endpoint compromise. You will analyze the 'paste-and-run' execution chain, investigate PowerShell activity initiated via the Windows Run dialog, and identify the deployment of an information stealer.

Tools: SIEM, XDR · 30m · 40 pts · 5 tasks


Start Training — Free Forever

Create your free account and start investigating real-world attack scenarios. No credit card required. Track your progress, earn points, and build job-ready SOC analyst skills.
