Cyber Academy — Live Incident Response Lab
INCIDENT ALERT — ACTIVE THREAT DETECTED

It is 03:14 UTC. You are the on-call analyst at Meridian Financial Services. A SIEM alert just fired. An attacker has been inside the network for 18 days.

Threat meters are climbing. Every second you delay, the attacker gets closer to deploying ransomware. You have four phases to contain the breach, respond to regulators, and brief the board.

This is not a quiz. You make decisions. You click actions. Some are right — they contain the threat and earn points. Some are wrong — they make things worse and lose time. Read the evidence. Think before you act.

Threat Meters: Watch the gauges. Wrong decisions push them higher; right ones bring them down.
Clock: Each phase has a time limit. Run out and you lose control of that phase.
Actions: Each phase gives you a set of actions. Some are correct; some will backfire. Choose carefully.
Scoring: Right actions earn points. Wrong ones cost points. Your final rank reflects your decisions.
INC-2026-0441 — CRITICAL
PHASE 1/4 (time remaining: 03:00)
Threat Meters
Attacker progress: 0%
Data exposure: 0%
Legal exposure: 0%
Containment: 0%
Analyst Score
Points: 0
Good calls: 0
Mistakes: 0
Incident Timeline
PHASE 1 — INITIAL TRIAGE
Active Threat on Domain Controller
SIEM alert fired 03:14 UTC. J.Harris credentials compromised. Attacker confirmed on DC01.
Live Alert Feed (actions you take appear here in real time)
03:14:22  CRIT  SIEM alert INC-2026-0441 auto-escalated to analyst
System Status
DC01: COMPROMISED
VPN Gateway: ACTIVE SESSION
Backups: AT RISK
ICO Clock: NOT STARTED