Investigation Flow Tests (Decision Trees)
Interactive decision-tree investigations that simulate real alert triage workflows. Start with an initial alert, choose your investigation path at each step, evaluate evidence, and reach a final verdict. Each scenario branches based on your decisions—there's no single right answer, but some paths are more efficient than others.
Choose Your OS
Windows Investigations
Triage Windows alerts: analyze Sysmon events, EDR telemetry, registry changes, and process trees. Follow investigation branches to determine scope and severity.
Start Windows investigations →

Linux Investigations
Triage Linux alerts: investigate auditd logs, crontab modifications, suspicious processes, and network connections. Navigate branching investigation paths.
Start Linux investigations →

macOS Investigations
Triage macOS alerts: examine ESF telemetry, LaunchAgent persistence, TCC access, and endpoint logs. Choose investigation steps to reach a conclusion.
Start macOS investigations →