Detailed Lab Views

Every lab, expanded like a case file.

Structured case-file views of each security lab — covering the threat scenario, telemetry sources, tool stack, investigation workflow, and evidence outcomes.

3 Lab case views
4 Workflow phases
80+ Logons detected
1 Published deep dive

Lab cases organized by security discipline.

Each case file documents the threat model, data sources, detection methodology, and analyst workflow behind the lab — mapped to core security operations competencies.

Published Detection Engineering Lab

SOC Automation with Splunk

Simulates a credential-based brute-force attack by ingesting Windows Security Event Logs into Splunk, building SPL detection queries, and producing a structured analyst response workflow with documented triage decisions and measurable detection outcomes.

Scenario

Repeated failed logons indicate possible credential attack behavior.

Telemetry

Windows Security Logs reviewed and normalized inside Splunk.

Evidence

80+ failed logon attempts identified inside a defined time window.

Tags: Splunk, SPL, Windows Logs, Detection Engineering

Ingest

Collect and normalize Windows authentication events for investigation.

Detect

Build SPL queries to group failed logon volume by source, user, and time.

Triage

Review correlated events, tune thresholds, and separate noise from signal.

Respond

Document analyst actions, escalation logic, and reusable case notes.

Staged Incident Response Lab

Simulated Phishing and IR Lab

Models a phishing-to-malware intrusion chain — from initial user report through host-based indicator analysis, containment decisions, and structured incident documentation aligned with incident response best practices.

Scenario

User reports suspicious email followed by unusual host behavior.

Telemetry

Host process review, Windows Event Logs, and endpoint investigation notes.

Evidence Goal

Construct an attack timeline linking initial delivery, code execution, persistence mechanisms, and containment actions.

Tags: Incident Response, Sysinternals, Event Logs, Containment

Report

Capture user report, suspected sender, attachment or link, and affected endpoint.

Analyze

Review process activity, log entries, indicators, and suspicious file behavior.

Contain

Define isolation, account protection, blocking, and cleanup actions.

Report

Write an incident summary with impact, evidence, decisions, and next steps.

Staged Identity Security Lab

IAM and Access Security Notes

Documents operational identity security scenarios covering role-based access control (RBAC) review, MFA enforcement, account lifecycle governance, privileged access management, and least-privilege enforcement workflows.

Scenario

Access request or recovery workflow needs validation before approval.

Telemetry

Directory attributes, access groups, MFA state, and support request context.

Evidence Goal

Demonstrate least-privilege enforcement and escalation-resistant access control decision workflows.

Tags: IAM, MFA, Active Directory, Least Privilege

Request

Define the access, account, recovery, or MFA support need.

Verify

Validate identity, ownership, approval path, and business justification.

Control

Apply least-privilege, recovery, MFA, and group-membership safeguards.

Record

Document decision rationale, access changes, and follow-up review points.