24observe SOC Labs

Trainer overview

SOC Labs teaches security operations the way the job is actually done — by working real incidents, not by watching slides. This page explains the teaching model so you know what your students experience and where the strongest teaching moments come from.

You need a platform-administrator (instructor) account to run a cohort. Students cannot create accounts or cohorts — provisioning is the only way in. If you don't yet have instructor access, that's your first prerequisite.

The teaching model

Every lab puts a student in their own private sandbox and generates real telemetry there. A detection rule watches that sandbox and opens a genuine incident when activity crosses its threshold. The student then does what an analyst does: gather evidence, decide what happened, and commit to a verdict. There's no multiple-choice quiz layered on top — the assessment is the investigation.

This matters pedagogically. Reading about a brute-force attack is forgettable. Watching one fire in a system you control, chasing the evidence yourself, and being held to a call you have to justify — that sticks.

What students experience, end to end

  1. They sign in and click Start lab themselves. Real telemetry begins flowing into their private sandbox.
  2. Within about a minute, a detection rule fires and an incident opens automatically.
  3. They investigate the evidence and answer the analyst's core questions: what happened, from where, how much, how fast.
  4. They submit a disposition (true positive / false positive / benign / duplicate) with a written rationale.
  5. They're auto-graded out of 100 — 70 points for matching the scenario's ground truth, 30 for a specific, evidence-bearing rationale.

For the full play-by-play your students will follow, see the student walkthrough.

Why this creates strong teaching moments

Two design choices do most of the work.

First, auto-grading splits the call from the reasoning. A student can land the right disposition and still score low on rationale — which immediately surfaces the difference between guessing and reasoning. That split is a conversation starter you don't have to manufacture.

Second, and most importantly, the platform's AI analyst independently records its own verdict on the same incident, with a confidence level. Your students see their call side by side with the AI's. Where they agree, that's confirmation. Where they disagree, you have the richest possible discussion already framed and waiting: who's right, what evidence each leaned on, and why a confident verdict can still be wrong. That human-call-versus-AI-verdict comparison is the signature teaching signal of the whole program.

Frame the AI analyst as a sparring partner, not an answer key. The goal is for students to form their own call first, then defend or revise it against the AI's. Disagreement is the lesson, not a failure.

The program gets sharper every cohort

Every graded attempt is a real, labeled human judgement on a real incident — a genuine SOC decision, recorded. As cohorts run, those judgements accumulate into a growing body of how analysts actually call these situations. In practical terms: the more classes you teach, the more grounded the program becomes. Your students aren't just consuming a course; each cohort leaves it a little sharper than it found it.

What to read next


That's the model. When you're ready to run a class, start with Running a cohort, then keep Reading results open during the session.