Scenario Library

Learn the portal through real defender situations.

Use these scenarios when you know what happened but not which page to open. Each scenario gives the safest route through the portal and the decision you should avoid rushing.

How to use scenarios: pick the case closest to your situation, follow the linked path, collect evidence, and only then send a handoff or patch request.

Scenarios

8 practical routes through the portal

Best for

Learning: use when the menu feels too broad

Pattern

Signal to action: decide, validate, communicate, track

Guardrail

No shortcuts: evidence before urgency

What to open when a real-world question lands on your desk

Open Role Paths

Patch emergency

A KEV item affects an internet-facing product

Path: Defenders Today -> Detail -> Decision Matrix -> Evidence Checklist -> Patch Window -> Handoff Center.

Do not rush: confirm affected version, fixed version, owner, exposure, and rollback path.

Start Today | Patch Window

No patch

The vendor has no safe fix yet

Path: No Patch -> Mitigation Operations -> Exception Register -> Evidence Checklist -> Action Tracker.

Do not rush: document residual risk, mitigation scope, owner, approval, and review date.

No Patch | Exception Register

SOC handoff

A public PoC appears and detection is needed

Path: Detection Starter Pack -> IOC Extractor -> Hunt Query Helper -> Sigma Helper -> Handoff Center.

Do not rush: validate telemetry fields, noise risk, and whether indicators are actually relevant.

Detection Pack | Hunt Helper

Exposure uncertainty

A scary CVE may not affect your environment

Path: Exposure Operations -> Attack Surface -> Exposure Checker -> Evidence Checklist -> Action Tracker.

Do not rush: do not escalate until product, version, reachability, auth, and owner are known.

Exposure Ops | Exposure Tool

Ransomware concern

A vulnerability resembles initial access or disruption

Path: Ransomware Watch -> Exploit Chain Watch -> Decision Matrix -> Brief Builder -> Executive Report.

Do not rush: separate plausible business impact from unconfirmed attribution.

Ransomware Watch | Executive Report

Identity risk

The issue touches auth, SSO, tokens, or sessions

Path: Identity Attack Surface -> JWT Decoder -> Email Header Analyzer -> Evidence Checklist -> Handoff Center.

Do not rush: confirm session/token impact and whether privileged accounts are exposed.

Identity Hub | JWT Tool

Trust issue

A record is disputed, rejected, stale, or low-confidence

Path: Trust Review -> Methodology -> Source Analytics -> Status -> Saved.

Do not rush: do not turn uncertain data into deadlines until the original source and freshness are confirmed.

Trust Review | Methodology

Weekly reporting

You need a calm summary for stakeholders

Path: Action Tracker -> Brief Builder -> Executive Report -> Quality Center.

Do not rush: separate live signal, confirmed exposure, blockers, and accepted risk.

Brief Builder | Action Tracker

Recommended next move: if none of the scenarios fit, start with Role Paths and then use Decision Matrix.