Anatomy of a lab
Every lab follows the same shape. Once you understand the lifecycle, you'll know exactly what's happening behind the scenes — and what to do at each stage.
A lab is a complete, miniature shift: real activity appears, a detection catches it, you investigate, and you make a graded call. Here's that lifecycle, stage by stage.
The lifecycle, stage by stage
- You start the lab. On your lab card under Training → Labs, you click Start lab. This is the only manual trigger in the whole flow — everything after it happens on its own.
- Telemetry is generated in your sandbox. Starting the lab produces real security activity in your private sandbox — the same kind of signal a production system would see. Nothing is pre-recorded; the platform is genuinely watching live activity.
- A detection rule matches and opens an incident. A detection rule continuously evaluates that activity. When it crosses the rule's threshold, an incident opens automatically and appears under Monitoring → Incidents. This usually takes about a minute.
- You investigate. Open the incident — it's your case file. It tells you which detection fired, how severe it is, when it started, and which attack technique it maps to. Gather your evidence from there.
- You submit a disposition. Back on your lab card, you choose a disposition — your verdict on the incident — and write a short rationale explaining it. (More on the four disposition types in Dispositions & grading.)
- You're graded, with the AI's verdict alongside. The moment you submit, you're scored out of 100. The platform's AI analyst also recorded its own verdict on the same incident, shown next to yours so you can compare.
Treat the AI analyst's verdict as a second opinion, not a crutch. Make your own call first, then look at the AI's. Where you agree, you've got confirmation; where you differ, that's the most useful thing on the page.
Reading your lab card status
Your lab card changes as you move through the lifecycle. In plain terms:
| Status | What it means | Your next move |
|---|---|---|
| Assigned | The lab is waiting for you. No telemetry yet, no incident yet. | Click Start lab when you're ready. |
| Seeded / in progress | You've started it. Telemetry is flowing and a detection is about to fire (or already has). | Check Monitoring → Incidents and start investigating. |
| Graded | You submitted your disposition. Your score and the AI's verdict are recorded. | Review your score and compare verdicts. |
Setting expectations
A couple of things are normal and worth knowing up front, so they don't throw you:
- The ~1-minute wait is expected. A detection rule evaluates activity on a short cycle, so the incident opens shortly after you click Start — not instantly. This mirrors how real detections work.
- The telemetry is real. What you investigate isn't a screenshot or a script — it's live activity in your sandbox. Treat it like a real shift.
- You get one clean run at the call. Investigate thoroughly before you submit. Your disposition and rationale are what get graded, so make them count.
Your sandbox is yours alone. The activity, the incident, and your grade are private to your account — you'll never see, or be seen by, another student's lab.
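The wait between clicking Start and seeing the incident comes from the rule evaluating on a cycle rather than on every event. The sketch below is an added example, not the platform's own rule or code: the 60-second cycle, 5-minute lookback, threshold of 5 failed logins, and the sample events are all assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Hypothetical rule parameters; the platform's real values are not stated on this page.
EVAL_INTERVAL_S = 60   # the rule runs once per cycle
LOOKBACK_S = 300       # each run looks back over the last 5 minutes
THRESHOLD = 5          # failed logins from one source needed to open an incident

@dataclass
class Incident:
    source: str
    count: int           # matching events seen by the run that opened the incident
    first_event_s: int   # when the matching activity started
    opened_s: int        # when the scheduled run opened the incident

def run_rule(events, now_s):
    """One scheduled evaluation: count failed logins per source inside the lookback window."""
    counts, first_seen = {}, {}
    for ts, source, outcome in events:
        if outcome == "fail" and now_s - LOOKBACK_S < ts <= now_s:
            counts[source] = counts.get(source, 0) + 1
            first_seen[source] = min(first_seen.get(source, ts), ts)
    return {s: (c, first_seen[s]) for s, c in counts.items() if c >= THRESHOLD}

def simulate(events, end_s):
    """Run the rule on every cycle boundary and open at most one incident per source."""
    incidents = {}
    for now_s in range(EVAL_INTERVAL_S, end_s + 1, EVAL_INTERVAL_S):
        for source, (count, first) in run_rule(events, now_s).items():
            if source not in incidents:  # later runs still match but do not reopen it
                incidents[source] = Incident(source, count, first, now_s)
    return list(incidents.values())

# Constructed telemetry: (seconds since "Start lab", source address, login outcome).
SAMPLE_EVENTS = (
    [(10 + 3 * i, "203.0.113.7", "fail") for i in range(8)]       # burst at t=10..31
    + [(15, "198.51.100.4", "fail"), (40, "198.51.100.4", "ok")]  # one typo, then success
)

if __name__ == "__main__":
    for inc in simulate(SAMPLE_EVENTS, end_s=180):
        fails = sorted(t for t, s, o in SAMPLE_EVENTS if s == inc.source and o == "fail")
        print(f"{inc.source}: threshold crossed at t={fails[THRESHOLD - 1]}s, "
              f"incident opened at t={inc.opened_s}s with {inc.count} events")
```

The burst crosses the threshold at t=22s, but the incident only opens at the t=60s run, and by then the case file already holds all eight events. The single failed login from the second source never opens an incident.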
That's the whole lifecycle. Now go deeper on the middle stage — the investigation itself — in Investigating incidents, or follow a complete run from Start to score in the brute-force walkthrough.