Engaging with Dynamic Threat Range
Unlike standard training labs, Dynamic Threat Range is designed to mimic the high-pressure environment of a live cyber attack. There are no "correct" or "incorrect" notifications during the session—you must rely on your expertise and the data available in your SIEM.
Step 1: Review the Exercise Dashboard
From the exercise dashboard, review the following information:
- Scenario overview and organizational context
- An interactive network diagram showing your team's environment infrastructure and status
- Exercise guidance and tactical tips
- Team members and who has joined the environment
This provides important context before you enter the live environment.
Step 2: Join the Exercise
Once your facilitator has initialized the environment, click the Join Exercise button. This will take you into the live participant interface where your team's tools are provisioned.
Step 3: Review the Mission Briefing
Before diving into the logs, thoroughly read the Briefing. This provides critical context, such as:
- The organizational background (e.g., Orchid Banking Group).
- The suspected threat actor (e.g., Akira or APT33).
- Your specific objectives for the session.
Step 4: Conduct the Investigation
Access the SIEM provided for your session (Elastic, Splunk, or Microsoft Sentinel). Your task is to investigate the live attack traffic to answer the questions listed in the Left-Hand Pane.
Important: The platform will not tell you if your answers are correct. You must capture and submit your findings based on the evidence you discover in the logs, mirroring a real-world investigation.
Step 5: Resolution
The final action depends on the focus of your exercise:
- For Threat Hunting: Escalate based on your playbooks, and conclude once you've captured sufficient evidence.
- For Incident Response: Respond based on your playbooks, and conclude once you've captured sufficient evidence.
What is Being Measured?
While you won't see your score during the exercise, the platform is tracking:
For Threat Hunting exercises:
- Time to Detect (TTD): The time elapsed between the start of the live attack and accurate evidence of detection being submitted.
- Time to Escalate (TTE): The time elapsed between the start of the live attack and escalation of the incident. This metric relies on sufficient evidence of detection having been submitted.
- Tasks Completed: The number of tasks with a correct final submission.
- Accuracy: The percentage of correct submissions, calculated by dividing the number of tasks with correct final submissions by the total number of tasks.
For Incident Response exercises:
- Time to Investigate (TTI): The time elapsed between the team being able to join the exercise and conclusion of the investigation.
- Tasks Completed: The number of tasks with a correct final submission.
- Accuracy: The percentage of correct submissions, calculated by dividing the number of tasks with correct final submissions by the total number of tasks.
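As an added illustration of the Threat Hunting metric definitions above (example code, not the platform's own scoring), the following Python computes TTD, TTE, Tasks Completed and Accuracy from a constructed submission history. The event shape, the `min_detections` threshold standing in for "sufficient evidence of detection", and the rule that a task's final submission decides correctness are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Event:
    at: datetime
    kind: str            # "answer" (evidence submitted for a task) or "escalate"
    task: str = ""       # task identifier for "answer" events
    correct: bool = False

def score_threat_hunt(attack_start: datetime, events: list[Event],
                      total_tasks: int, min_detections: int = 1) -> dict:
    """TTD, TTE, Tasks Completed and Accuracy for a Threat Hunting exercise."""
    events = sorted(events, key=lambda e: e.at)
    # Only a task's FINAL submission counts: a later wrong answer overrides an earlier correct one.
    final: dict[str, bool] = {}
    for e in events:
        if e.kind == "answer":
            final[e.task] = e.correct
    completed = sum(final.values())
    # TTD: attack start to the first accurate evidence of detection being submitted.
    correct_times = [e.at for e in events if e.kind == "answer" and e.correct]
    ttd = correct_times[0] - attack_start if correct_times else None
    # TTE: attack start to the first escalation backed by enough detection evidence
    # (min_detections is an assumed stand-in for "sufficient evidence"); earlier ones are ignored.
    tte = None
    for e in events:
        if e.kind == "escalate" and sum(t <= e.at for t in correct_times) >= min_detections:
            tte = e.at - attack_start
            break
    return {"ttd": ttd, "tte": tte, "tasks_completed": completed,
            "accuracy_pct": round(100 * completed / total_tasks, 1)}

# Constructed sample history: attack starts at 09:00, four tasks in the Left-Hand Pane.
T0 = datetime(2024, 1, 1, 9, 0)
SAMPLE = [
    Event(T0 + timedelta(minutes=12), "answer", "initial_access_host", False),
    Event(T0 + timedelta(minutes=15), "escalate"),                    # premature: no evidence yet
    Event(T0 + timedelta(minutes=20), "answer", "initial_access_host", True),
    Event(T0 + timedelta(minutes=25), "answer", "c2_domain", True),
    Event(T0 + timedelta(minutes=40), "escalate"),                    # this one counts for TTE
    Event(T0 + timedelta(minutes=50), "answer", "c2_domain", False),  # final answer is now wrong
    Event(T0 + timedelta(minutes=55), "answer", "persistence_mechanism", True),
]

if __name__ == "__main__":
    print(score_threat_hunt(T0, SAMPLE, total_tasks=4))
```

With the sample above the premature escalation at 09:15 is ignored, so TTE is 40 minutes while TTD is 20 minutes, and the late wrong answer for c2_domain drops Tasks Completed to 2 of 4.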
Post-Exercise Debrief
Once the exercise concludes for your team, you will be automatically taken back to the exercise dashboard for a comprehensive debrief.
Performance Metrics
The Debrief tab provides your team's final performance metrics based on the exercise specialization (see "What is Being Measured" above for detailed metric definitions).
Submission Review
Beyond the high-level metrics, you can review your team's complete activity:
- Submission History: View a chronological log of every answer and piece of evidence your team submitted during the investigation.
- Validation: See exactly which answers were Correct or Incorrect, providing valuable insights for team discussion and learning.
You can also review the Range tab to see the environment and network diagram, helping you understand the full scope of the infrastructure you were working with during the exercise.