
Interactive MicroSims

Hands-On Security Operations Simulations

MicroSims are browser-based interactive simulations that let you practice SOC workflows with synthetic data. No installation or lab environment required — everything runs in your browser.


Available Simulations

Working Simulations

1. Alert Triage Simulator

Chapter: Chapter 1: Introduction | Chapter 6: Triage & Investigation

Learning Objectives:

  • Practice classifying alerts as True Positive, False Positive, or Benign
  • Understand the impact of decisions on precision and recall metrics
  • Experience the trade-offs in triage speed vs. accuracy

Skills Developed: Alert triage, decision-making under uncertainty, metrics interpretation

Launch Sim →


2. Correlation Rule Tuning

Chapter: Chapter 4: SIEM & Data Lake | Chapter 5: Detection Engineering

Learning Objectives:

  • Adjust correlation thresholds and time windows
  • Balance alert volume vs. detection coverage
  • See real-time impact of tuning decisions

Skills Developed: Detection tuning, threshold optimization, false positive reduction

Launch Sim →


3. Anomaly Detection Thresholds

Chapter: Chapter 5: Detection Engineering | Chapter 10: AI/ML in SOC

Learning Objectives:

  • Visualize the false positive/false negative trade-off
  • Adjust anomaly sensitivity thresholds
  • Understand ROC curves and model performance

Skills Developed: Anomaly detection, threshold tuning, model evaluation

Launch Sim →


4. SOAR Playbook Designer

Chapter: Chapter 8: SOAR & Automation

Learning Objectives:

  • Build a multi-step SOAR playbook with human approval gates
  • Add pre-action safety checks and enrichment steps
  • Trace execution through the playbook steps

Skills Developed: SOAR design, playbook safety, human-in-the-loop gating

Launch Sim →


5. Threat Intelligence Enrichment

Chapter: Chapter 7: Threat Intelligence

Learning Objectives:

  • Feed an IOC through multiple TI sources
  • Observe confidence scoring and source weighting
  • Understand TI enrichment pipeline behavior

Skills Developed: Threat intelligence, IOC enrichment, TI confidence scoring

Launch Sim →


6. Data Normalization Pipeline

Chapter: Chapter 3: Data Modeling

Learning Objectives:

  • Transform raw logs through parsing, normalization, and enrichment stages
  • See how different schemas (ECS, OCSF, CIM) represent the same event
  • Identify data quality issues in normalization

Skills Developed: Log normalization, schema mapping, pipeline design

Launch Sim →


7. LLM Prompt Injection Demo

Chapter: Chapter 11: LLM Copilots & Guardrails

Learning Objectives:

  • Submit benign and malicious prompts to an LLM guardrail system
  • Observe prompt injection detection and filtering
  • Understand where guardrails succeed and fail

Skills Developed: LLM safety, prompt injection awareness, guardrail design

Launch Sim →


8. SOC Metrics Dashboard

Chapter: Chapter 12: Evaluation & Metrics

Learning Objectives:

  • Adjust SOC parameters (maturity level, analyst count, alert volume)
  • Observe impact on MTTD, MTTR, FP rate, and automation rate
  • Explore metric trends over simulated time

Skills Developed: SOC metrics, KPI management, capacity modeling

Launch Sim →


9. Detection Coverage Mapper

Chapter: Chapter 5: Detection Engineering

Learning Objectives:

  • Map detection coverage across MITRE ATT&CK tactics and techniques
  • Identify critical coverage gaps
  • Compare coverage between different SOC maturity profiles

Skills Developed: MITRE ATT&CK, coverage analysis, detection gap assessment

Launch Sim →


10. Incident Timeline Builder

Chapter: Chapter 9: Incident Response

Learning Objectives:

  • Build an incident timeline from individual events
  • Calculate MTTD, MTTI, MTTR, and dwell time automatically
  • Analyze a pre-built ransomware attack timeline

Skills Developed: Incident timeline analysis, metric calculation, chronological reconstruction

Launch Sim →


11. Concept Graph Explorer

Chapter: All chapters — knowledge graph navigation

Learning Objectives:

  • Explore relationships between security concepts via interactive graph
  • Discover prerequisite chains and topic dependencies
  • Navigate the full Nexus SecOps knowledge map

Skills Developed: Knowledge navigation, concept relationships, learning path planning

Launch Sim →


12. Attack Path Visualizer

Chapter: Chapter 16: Penetration Testing | Chapter 17: Red Team Operations

Learning Objectives:

  • Visualize complete attack chains mapped to MITRE ATT&CK
  • Animate attacker progression through APT, ransomware, and insider threat scenarios
  • Identify detection opportunities at each node

Skills Developed: Attack path analysis, detection opportunity mapping, ATT&CK navigation

Launch Sim →


13. Ransomware Kill Chain Simulator

Chapter: Chapter 23: Ransomware Deep Dive

Learning Objectives:

  • Deploy defenses against an animated ransomware kill chain
  • Score your defense coverage across 9 attack phases
  • See how SIEM auto-detection works alongside manual controls

Skills Developed: Defense-in-depth, ransomware lifecycle, control prioritization

Launch Sim →


14. Threat Actor TTP Matrix

Chapter: Chapter 22: Threat Actor Encyclopedia

Learning Objectives:

  • Compare TTPs across 8 major threat actors (APT29, APT28, Lazarus, APT41, Volt Typhoon, LockBit, ALPHV, Cl0p)
  • Filter by nation-state, criminal group, or tactic
  • View detection guidance for each technique

Skills Developed: Threat intelligence, actor attribution, TTP comparison

Launch Sim →


15. Sigma Rule Builder

Chapter: Chapter 5: Detection Engineering | Chapter 36: Purple Team Operations

Learning Objectives:

  • Build Sigma detection rules with an interactive form and live YAML preview
  • Load 6 pre-built templates (LSASS, Kerberoasting, VSS deletion, and more)
  • Validate, copy, and download completed rules

Skills Developed: Sigma rule writing, detection engineering, ATT&CK mapping

Launch Sim →


16. Zero Trust Architecture Designer

Chapter: Chapter 39: Zero Trust Implementation

Learning Objectives:

  • Deploy 14 controls across 6 Zero Trust pillars (Identity, Devices, Network, Apps, Data, Visibility)
  • Simulate 12 attack types and observe which controls block each
  • Score your ZT architecture and optimize coverage vs. cost

Skills Developed: Zero Trust design, control prioritization, defense-in-depth reasoning

Launch Sim →


17. CVSS v3.1 Score Calculator

Chapter: Chapter 29: Vulnerability Management

Learning Objectives:

  • Adjust all 8 base CVSS metrics and see real-time score updates
  • Understand scope-adjusted privilege weights and ISS/ISC/ESC formula mechanics
  • Load real CVE examples (Log4Shell, EternalBlue, Heartbleed) and compare severity ratings

Concept Tags: CVSS, Vulnerability Scoring, Risk Prioritization, CVE

Launch Sim →


18. Windows Registry Forensic Explorer

Chapter: Chapter 27: Digital Forensics

Learning Objectives:

  • Navigate a synthetic Windows registry hive and examine forensic artifacts
  • Identify persistence mechanisms (Run keys, Winlogon, Services) and ATT&CK techniques
  • Use "Find Persistence" mode to highlight malicious keys and understand anti-forensic indicators

Concept Tags: DFIR, Registry Forensics, Persistence, Anti-Forensics, ATT&CK

Launch Sim →


19. Network Traffic Sequence Reconstructor

Chapter: Chapter 9: Incident Response | Chapter 27: Digital Forensics

Learning Objectives:

  • Reconstruct three complete attack timelines (APT intrusion, ransomware C2, insider exfil) by ordering scrambled network events
  • Identify C2 beacons, lateral movement indicators, and data exfiltration patterns in packet metadata
  • Understand TCP/IP flow sequencing and why protocol order matters forensically

Concept Tags: Network Forensics, PCAP Analysis, C2 Detection, Exfiltration, Incident Timeline

Launch Sim →


20. STRIDE Threat Model Builder

Chapter: Chapter 13: Security Governance, Privacy & Risk | Chapter 35: DevSecOps Pipeline

Learning Objectives:

  • Apply STRIDE threat modeling to a multi-component system architecture
  • Map threats to system components and assign risk ratings (Critical/High/Medium/Low)
  • Generate and export a structured markdown threat model report

Concept Tags: STRIDE, Threat Modeling, Risk Assessment, Secure Design, DevSecOps

Launch Sim →


21. OT/ICS Attack Simulation

Chapter: Chapter 21: OT/ICS/SCADA Security

Learning Objectives:

  • Simulate attacks against Purdue Model layers in an OT environment
  • Understand ICS protocol vulnerabilities (Modbus, OPC UA)
  • Practice OT-specific detection and response procedures

Concept Tags: OT/ICS, SCADA, Purdue Model, Industrial Security

Launch Sim →


22. Purple Team Scorecard

Chapter: Chapter 36: Purple Team Operations

Learning Objectives:

  • Score detection coverage against ATT&CK techniques
  • Track purple team exercise outcomes and gaps
  • Prioritize detection engineering improvements

Concept Tags: Purple Team, ATT&CK, Detection Coverage, Scoring

Launch Sim →


23. Threat Actor Intelligence Database

Chapter: Chapter 22: Threat Actor Encyclopedia

Learning Objectives:

  • Search and filter threat actors by motivation, capability, and target sector
  • Analyze threat actor TTP profiles mapped to ATT&CK
  • Understand attribution confidence levels and intelligence sourcing

Concept Tags: Threat Intel, Threat Actors, Attribution, CTI

Launch Sim →


24. ADCS Attack Path Simulator

Chapter: Chapter 45: AD Red Teaming

Learning Objectives:

  • Explore ESC1-ESC8 AD Certificate Services attack paths
  • Analyze certificate template configurations for vulnerabilities
  • Build detection rules for certificate-based attacks

Concept Tags: ADCS, Active Directory, Certificate Attacks, ESC1-ESC8

Launch Sim →


25. RAG Security Tester

Chapter: Chapter 37: AI Security | Chapter 50: Adversarial AI

Learning Objectives:

  • Test RAG pipeline security against prompt injection and data poisoning
  • Evaluate guardrail effectiveness for retrieval-augmented generation
  • Understand vector database security and embedding attack vectors

Concept Tags: RAG Security, LLM, Prompt Injection, AI Security

Launch Sim →


26. AI Red Team Toolkit

Difficulty: Advanced | Duration: 30-45 min | Chapters: Ch 37, Ch 50

An interactive AI red team toolkit featuring five modules: Prompt Injection Lab (direct/indirect injection, jailbreaking, prompt leaking), Model Security Scanner (configuration auditing), RAG Attack Simulator (vector poisoning, context manipulation, retrieval hijacking), AI Incident Response (decision tree scenarios), and Quiz Mode (10 AI security questions). Uses MITRE ATLAS technique references throughout.

Learning Objectives:

  • Practice AI-specific red team techniques in a safe simulated environment
  • Understand MITRE ATLAS attack taxonomy for ML systems
  • Develop AI incident response decision-making skills
  • Evaluate model security configurations and identify vulnerabilities

Concept Tags: AI Red Team, Prompt Injection, MITRE ATLAS, RAG Security, Model Security

Launch Sim →


27. Detection Pipeline Builder

Build and validate a complete detection pipeline from log source selection through alert generation. This interactive simulator lets you:

  • Select log sources and see which ATT&CK tactics they cover
  • Build Sigma detection rules with real-time YAML generation
  • Visualize the end-to-end detection pipeline with animated data flow
  • Assess detection coverage across all 14 ATT&CK tactics
  • Monitor pipeline performance metrics and maturity scoring

Concept Tags: Detection Engineering, Sigma, MITRE ATT&CK, Pipeline, Coverage

Launch Sim →


28. Incident Timeline Reconstructor

Reconstruct a complete incident timeline from disparate evidence sources. This interactive simulator lets you:

  • Ingest and organize evidence cards from multiple log sources
  • Build a visual timeline with drag-and-drop event placement
  • Map timeline events to MITRE ATT&CK kill chain phases
  • Trace root cause through an interactive decision tree
  • Auto-generate structured incident reports

Concept Tags: Incident Response, DFIR, Timeline Analysis, Kill Chain, Evidence Correlation

Launch Sim →


How to Use MicroSims

  1. Launch the simulation by clicking the button above
  2. Read the scenario and instructions shown in the sim panel
  3. Interact with the controls — sliders, buttons, and dropdowns
  4. Observe the results — charts and metrics update in real time
  5. Reflect on what you learned — what surprised you?
  6. Try again with different inputs to explore edge cases

Learning Tips

Experiment Freely

MicroSims use 100% synthetic data. Push sliders to extremes and see what breaks — that's the point.

Connect to Chapter Content

Each sim links to its reference chapter. After interacting, read the theory to understand the mechanics behind what you observed.

Use Before the Labs

MicroSims are lighter-weight than full labs. Use them as a warm-up before attempting the corresponding lab exercise.


Technical Notes

  • Requirements: Modern browser with JavaScript enabled; no external libraries or CDN dependencies
  • Data: All simulations use 100% synthetic data — no real organizations, users, or threats
  • Privacy: Simulations run entirely in your browser — no data is transmitted externally
  • Offline: All sims work without internet connectivity once the page is loaded

Start here: Alert Triage Simulator →