Sign In
Navigate to your organization’s ThreatLab URL. On the login page, enter your email address and password and click Sign In, or click the Sign in with Microsoft button to authenticate through your organization’s Entra ID SSO. After a successful login you are taken directly to the dashboard.
Explore the Exercise Catalog
In the left sidebar, select Exercises to open the catalog. Each exercise card displays:
- Difficulty — a rated level indicating the expected analyst skill required
- Estimated duration — the approximate time to complete the investigation
- Points — the reward awarded on successful completion
- MITRE ATT&CK tags — technique and tactic tags that map the scenario to the framework
Start an Exercise
Click an exercise title to open its detail page. Review the scenario description, then click Start. ThreatLab immediately ships the exercise’s log archive to your configured SIEM destination so the events are ready to query before you begin your investigation.
Work Through the Investigation Steps
Each exercise is divided into ordered investigation steps. Every step presents:
- A prompt describing what you need to find or answer
- An artifact submission field where you enter your answer
Complete the Exercise and Earn Points
Once you submit a correct artifact for every step, ThreatLab records your completion, awards the exercise’s full point value to your profile, and updates the team leaderboard. Your completion streak increments if you have completed at least one exercise on each of the preceding days.
Your Dashboard at a Glance
The dashboard gives you an immediate picture of where you stand. The four summary tiles show:
Available Exercises
The total number of exercises you are eligible to start right now.
Completed
The number of exercises you have fully completed.
In Progress
Exercises you have started but not yet finished.
Streak Days
Your current consecutive daily completion streak.