SOC Labs
Learn security operations by doing the job.
The 24observe SOC Lab puts you in front of real security telemetry on a live detection-and-response platform — not slides. You start a scenario, a genuine attack signal lands, a detection fires an incident, and you investigate and call it like an analyst. Your work is graded against ground truth and against the platform's own AI analyst.
I'm a student →
Log in, start your lab, investigate the incident, and submit your disposition. Start here to learn how to play.
I'm a trainer →
Provision a cohort, hand out logins, run the session, and read each student's call next to the AI's. Start here to learn how to teach.
How it works
- Start a lab. The platform generates real security telemetry in your private sandbox — nothing simulated or pre-baked.
- A detection fires. Within about a minute, a detection rule matches the activity and opens an incident for you to work.
- Investigate. Read the evidence — what happened, from where, how often, how fast — and decide whether it's a real threat.
- Submit your disposition. Make the call (true positive, false positive, benign, or duplicate) and justify it.
- Get graded. You're scored against the scenario's ground truth, with the AI analyst's own verdict shown alongside yours.
New to security operations? Begin with "What is the SOC Lab". Running a class? Jump to "Running a cohort".