ti3lab is a high-fidelity training environment for security operations analysts, digital forensics investigators and incident responders. Real playbooks, real logs, real time-pressure.
> ti3lab connect --workspace soc-alpha [ok] tunnel established · latency 14ms [ok] EDR telemetry: 12 endpoints streaming > ti3lab case open 9982 [case] #9982 · Emotet Lateral Movement severity : CRITICAL techniques: T1021.002, T1059.001, T1112 assigned : you > analyze evtx --tag mitre:T1059 [hit] 4104 · ScriptBlock IEX (New-Object Net.WebClient)… [hit] 4688 · powershell.exe -EncodedCommand JAB… [hit] 1102 · audit log cleared on PC-DEFENDER-01 [!] anomalous outbound: 185.244.25.187:443 > playbook run --step 3 [✓] endpoint isolated via EDR containment [✓] +120 XP awarded
Everything an analyst does during a shift — triage, hunt, contain, report — happens without leaving the console.
Threat landscape, daily alert cadence, XP progression and open case queue on one command surface.
Interactive EVTX-ATTACK-SAMPLES parser. Windows Event IDs mapped to MITRE ATT&CK techniques, anomalies highlighted in cyber-blue.
Handle real tickets end-to-end. Isolate hosts, launch scans, pivot to IOCs — every action recorded on the threat timeline.
Deterministic containment and eradication runbooks scoped to the active case. Check off steps, generate the executive brief.
Gamified progression. Earn XP for correct triage decisions, promotion badges for closed criticals, worldwide ranking.
Email + password authentication backed by Firebase Auth and locked-down Firestore security rules on every collection.
Provision your analyst credentials, drop into the console, and take your first case within 60 seconds.