Blue Team · DFIR · SOC

Defend production
like the adversary
is already inside.

ti3lab is a high-fidelity training environment for security operations analysts, digital forensics investigators and incident responders. Real playbooks, real logs, real time-pressure.

Live cases
128
MITRE techniques
217
EVTX samples
4.3k
ti3lab://console/soc-01
LIVE
> ti3lab connect --workspace soc-alpha
[ok] tunnel established · latency 14ms
[ok] EDR telemetry: 12 endpoints streaming

> ti3lab case open 9982
[case] #9982 · Emotet Lateral Movement
       severity : CRITICAL
       techniques: T1021.002, T1059.001, T1112
       assigned : you

> analyze evtx --tag mitre:T1059
[hit] 4104 · ScriptBlock IEX (New-Object Net.WebClient)…
[hit] 4688 · powershell.exe -EncodedCommand JAB…
[hit] 1102 · audit log cleared on PC-DEFENDER-01

[!] anomalous outbound: 185.244.25.187:443

> playbook run --step 3
[✓] endpoint isolated via EDR containment
[✓] +120 XP awarded
Architecture

Six modules. One operational plane.

DSH

Analyst Dashboard

Threat landscape, daily alert cadence, XP progression and open case queue on one command surface.

DFR

DFIR Log Workbench

Interactive EVTX-ATTACK-SAMPLES parser. Windows Event IDs mapped to MITRE ATT&CK techniques, anomalies highlighted in cyber-blue.

IR

Live Incident Lab

Handle real tickets end-to-end. Isolate hosts, launch scans, pivot to IOCs — every action recorded on the threat timeline.

PLY

SOC Playbooks

Deterministic containment and eradication runbooks scoped to the active case. Check off steps, generate the executive brief.

LDR

Global Leaderboard

Gamified progression. Earn XP for correct triage decisions, promotion badges for closed criticals, worldwide ranking.

AUTH

Secure Access

Email + password authentication backed by Firebase Auth and locked-down Firestore security rules on every collection.

Access defense portal

Your next shift starts now.

Provision your analyst credentials, drop into the console, and take your first case within 60 seconds.