Alert Triage Simulator

Practice SOC alert triage under pressure. Learn to spot real threats in a sea of noise.

How it works

  • Security alerts appear one at a time
  • Read the alert, expand context if needed
  • Choose: Escalate, Investigate, Dismiss, or Tune
  • Get immediate feedback and learn from each decision

Keyboard shortcuts

1 or E: Escalate
2 or I: Investigate
3 or D: Dismiss
4 or T: Tune
C: Toggle context
Enter: Continue

Action Reference

Escalate
Real threat requiring immediate response. Page the IR team.
Investigate
Needs more context. Safe choice when uncertain.
Dismiss
False positive. Close without action.
Tune Out
Known-benign pattern. Suppress future alerts like this.

Key Triage Concepts

True vs False Positives

A true positive is a real threat correctly flagged by the detection system. A false positive is benign activity wrongly flagged as malicious. SOC analysts spend most of their time filtering false positives; at high volumes this causes alert fatigue, where real threats get missed in the noise.

Alert Fatigue

When analysts face hundreds of alerts per shift (most of them false positives), attention degrades and response times increase. Tuning out known-benign patterns and setting proper thresholds reduces noise so analysts can focus on genuine threats.

Attack Chains

Sophisticated attackers generate multiple alerts across different stages: initial access, lateral movement, and exfiltration. Individually each alert may seem low-severity, but correlated together they reveal a coordinated intrusion. Higher difficulty levels include these multi-stage attack chains.

Triage Priority

Not all alerts deserve the same urgency. Escalate when you see clear indicators of compromise. Investigate when context is ambiguous. Dismiss obvious false positives. Tune recurring benign patterns to reduce future noise.
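The following Python is an added example, not the simulator's own code, sketching the correlation logic from the Attack Chains section together with the four-way decision from Triage Priority: alerts are grouped per host, and a host showing two or more distinct attack stages is escalated even though no single alert on it is high severity. The alert records, host names, rule names and the tuned-out list are constructed sample data.

```python
from collections import defaultdict

# Constructed sample alerts (not taken from the simulator): each record carries
# the host it fired on, the detection rule, its standalone severity and the
# attack-chain stage the rule maps to (None = no stage mapping).
ALERTS = [
    {"host": "ws-042", "rule": "Macro-enabled attachment opened", "severity": "low", "stage": "initial_access"},
    {"host": "ws-042", "rule": "Interactive logon to file server", "severity": "low", "stage": "lateral_movement"},
    {"host": "ws-042", "rule": "Large outbound transfer", "severity": "medium", "stage": "exfiltration"},
    {"host": "ws-017", "rule": "Large outbound transfer", "severity": "medium", "stage": "exfiltration"},
    {"host": "srv-01", "rule": "Scheduled backup job", "severity": "low", "stage": None},
    {"host": "ws-099", "rule": "Antivirus signature update", "severity": "low", "stage": None},
]

# Recurring patterns an analyst has already marked known-benign (hypothetical list).
TUNED_OUT = {"Scheduled backup job"}


def correlate(alerts):
    """Group alerts by host so low-severity events on one machine are seen together."""
    by_host = defaultdict(list)
    for alert in alerts:
        by_host[alert["host"]].append(alert)
    return dict(by_host)


def stages_seen(group):
    """Distinct attack-chain stages present in one host's alert group."""
    return {a["stage"] for a in group if a["stage"] is not None}


def triage(alerts):
    """Map each host to one of the simulator's four actions."""
    decisions = {}
    for host, group in correlate(alerts).items():
        stages = stages_seen(group)
        if len(stages) >= 2:
            # Two or more stages on one host is a chain: escalate even though
            # every individual alert here is only low or medium severity.
            decisions[host] = "Escalate"
        elif any(a["severity"] == "high" for a in group):
            decisions[host] = "Escalate"  # clear indicator on its own
        elif stages:
            decisions[host] = "Investigate"  # single-stage signal, context ambiguous
        elif all(a["rule"] in TUNED_OUT for a in group):
            decisions[host] = "Tune"  # recurring known-benign pattern
        else:
            decisions[host] = "Dismiss"  # one-off false positive, no stage mapping
    return decisions
```

Running `triage(ALERTS)` escalates only ws-042, whose three alerts are each low or medium severity but together span the whole chain.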