Alert Triage

Seoul Metro Credential Spray Replay

Walk through a noisy authentication spike, separate automation from human-driven attempts, and document a defensible timeline for leadership.

KRW 520,000 informational only

Description

This scenario drops analysts into a synthetic Seoul-region enterprise perimeter where authentication telemetry spikes overnight. You will pivot from volume charts to host-level evidence, correlate VPN posture checks, and narrate why certain sequences resemble credential stuffing rather than misconfigured automation. The storyline stresses quality standards for evidence packaging so downstream teams can act without rework.

Features

  • Synthetic alert bundles tuned to KR business hours
  • Host timeline stitching with session correlation
  • Decision log templates aligned to analyst runbooks
  • Escalation prompts that avoid over-claiming attribution
  • Manager-ready recap paragraphs with cited artifacts
  • Optional purple-team annotations for detection tuning
  • Exportable activity log entries for ticket systems

Outcomes

  • Produce a triage packet that holds up under peer review
  • Prioritize containment steps without blocking benign automation
  • Explain uncertainty explicitly when data is incomplete