Investigation Flow Tests (Decision Trees)

Interactive decision-tree investigations that simulate real alert triage workflows. Start with an initial alert, choose your investigation path at each step, evaluate evidence, and reach a final verdict. Each scenario branches based on your decisions—there's no single right answer, but some paths are more efficient than others.

Choose Your OS

🛡️ Practitioner

Windows Investigations

Triage Windows alerts: analyze Sysmon events, EDR telemetry, registry changes, and process trees. Follow investigation branches to determine scope and severity.

Start Windows investigations →
🐧 Practitioner

Linux Investigations

Triage Linux alerts: investigate auditd logs, crontab modifications, suspicious processes, and network connections. Navigate branching investigation paths.

Start Linux investigations →
🍎 Practitioner

macOS Investigations

Triage macOS alerts: examine ESF telemetry, LaunchAgent persistence, TCC access, and endpoint logs. Choose investigation steps to reach a conclusion.

Start macOS investigations →