Scoring Engine
Evidence-Based Scoring
Every metric tracked. Every action measured. Forensic-grade timelines capture exactly what your analysts did, when they did it, and how effective they were.
Core Metrics
The Four Metrics That Matter
Incident response performance distilled into four measurable, comparable, and improvable metrics.
MTTD: Measures the elapsed time from attack start to first detection. Tracks the exact SIEM query, alert, or observation that identified the threat.
“How fast did they notice?”
MTTI: Measures investigation thoroughness and speed. Tracks which data sources were queried, IOCs identified, and attack scope determined.
“How deep did they go?”
MTTC: Measures time from investigation to containment action. Tracks account disabling, host isolation, firewall rules, and credential rotation.
“How fast did they act?”
MTTR: Measures the full incident lifecycle from containment to resolution. Tracks documentation quality, remediation steps, and lessons learned.
“How fast did they fix?”
Timeline
Incident Timeline
Every lab session produces a forensic timeline tracking each phase of the incident response lifecycle.
Incident Phases
Attack Begins
AI-driven attack simulation launches. The adversary establishes initial access and begins executing the attack chain. The clock starts.
Detection
Analyst or AI agent identifies the first indicator of compromise. The scoring engine captures the exact query, alert, or observation that triggered awareness.
Investigation Complete
Full scope of the incident is determined. Affected users, compromised hosts, attack vector, and lateral movement paths are mapped.
Containment Achieved
Threat is isolated. Compromised accounts disabled, affected hosts quarantined, malicious processes terminated, and network rules applied.
Resolution & Report
Incident documentation submitted. Root cause, timeline, affected assets, remediation steps, and recommendations captured for the final score.
T0-T4 markers track your incident response: T0 = attack start, T1 = detection, T2 = investigation complete, T3 = containment, T4 = report submitted.
Reporting
Analytics & Reporting
Transform raw performance data into actionable insights for analysts, managers, and compliance teams.
Individual Performance Tracking
Track each analyst's MTTD, MTTI, MTTC, and MTTR across every lab attempt. Identify strengths, weaknesses, and improvement trends over time.
Cohort Comparison
Compare teams, departments, or cohorts against each other and industry benchmarks. Identify top performers and those needing targeted training.
Skill Progression
Visualize improvement trajectories across lab types and difficulty levels. Map progression from junior analyst to incident responder to threat hunter.
NIST & NICE Alignment
Scoring maps to the NIST Cybersecurity Framework and the NICE Workforce Framework. Generate compliance-ready reports for auditors and leadership.
SOC Report Cards
Every completed lab session generates a SOC Performance Report Card — a shareable, screenshot-ready summary of detection accuracy, skill breakdown, IR timeline, and peer percentile rankings. Built for analysts to track growth and for leaders to assess readiness at a glance.
SOC Report Card
Every Lab Generates a Performance Report
Each completed session produces a shareable SOC Performance Report Card — screenshot-ready for analysts tracking growth and leaders assessing team readiness.
- Overall score with correctness, speed, and process breakdown
- Incident response metrics: MTTD, MTTI, MTTC, MTTR
- Per-skill checkpoint breakdown with mastery tracking
- MITRE ATT&CK techniques practiced
- Peer percentile ranking and strengths analysis

The evidence-based, enterprise-ready, cloud-native AI cyber range & SOC training labs, built for teams that need to prove readiness.