Write a cybersecurity operations prompt. The AI runs it against a real synthetic incident scenario and scores it on structure, relevance, and actionability. Hit 10 out of 15 and it enters the review queue for the community library.
Pass — your prompt enters the moderation queue. If approved, it appears in the library credited to your handle.
Fail — you get an instant score breakdown and feedback on what to improve. Revise and resubmit.
Actively developed. The scoring, scenarios, and evaluation criteria evolve based on practitioner feedback.
If something doesn't work as expected — wrong verdict, confusing feedback, anything — tell us. Your feedback directly shapes what this becomes.
// Example — a real submission that passed
This is what your score receipt looks like. Real prompt, real scenario, real output — permanently attached to the submission.
You are an incident responder hunting persistence across a compromised Windows environment.
Write SPL to detect the following persistence techniques:
- Scheduled tasks created by non-admin users or from unusual paths (Event ID 4698)
- New services with suspicious binary paths — unsigned, temp dirs, user profiles (Event ID 7045)
- Registry run key writes (Sysmon Event ID 13: HKLM\Software\Microsoft\Windows\CurrentVersion\Run and equivalent)
- Files dropped in startup folders (Sysmon Event ID 11)
- WMI event subscription creation (Sysmon Event ID 19, 20, 21)
Filter known management tools: {{known_baselines}}
IOCs to cross-reference: {{ioc_list}}
Time window: {{time_range}}
Output: host, user, technique, artifact_name, artifact_path, created_at, parent_process, signed
Windows IR engagement: analyst hunting persistence across 3 endpoints after a phishing compromise. Baselines exclude SCCM/Intune. IOCs include two suspicious hashes and a C2 domain. Time window: last 72 hours.
**Scenario:** Hosts: WS-FINOPS01, WS-DEVBOX03, SRV-JUMP02 | User: jharper, svc_deploy | Baselines: SCCM, Intune | IOCs: hash=4a3b...f91c, domain=update-cdn[.]xyz | Window: last 72h
```spl
index=wineventlog OR index=sysmon earliest=-72h
| eval technique=case(
source="WinEventLog:Security" AND EventCode=4698, "T1053.005 - Scheduled Task",
source="WinEventLog:System" AND EventCode=7045, "T1543.003 - New Service",
source="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" AND EventCode=13, "T1547.001 - Registry Run Key",
source="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" AND EventCode=11, "T1547.009 - Startup Folder",
source="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" AND EventCode IN (19,20,21), "T1546.003 - WMI Subscription",
true(), null()
)
| where isnotnull(technique)
| where NOT match(coalesce(ParentImage,ServiceFileName,Image,""), "(?i)(sccm|ccmexec|intunemanagement)")
| eval ioc_hit=if(match(coalesce(Hashes,TargetFilename,ImagePath,""), "4a3bf91c") OR
match(coalesce(CommandLine,ServiceFileName,""), "update-cdn\[?\.\]?xyz"), "YES", "NO")
| where technique!="T1053.005 - Scheduled Task" OR
match(coalesce(TaskContent,CommandLine,""), "(?i)(\\temp\\|\\appdata\\|\\users\\|\.ps1|\.vbs|\.bat)")
| where technique!="T1543.003 - New Service" OR
match(ServiceFileName, "(?i)(\\temp\\|\\appdata\\|\\users\\)")
| eval signed=coalesce(Signed, "unknown")
| table _time host user technique
coalesce(TaskName,ServiceName,TargetObject,TargetFilename,Name) AS artifact_name
coalesce(CommandLine,ServiceFileName,Details,TargetFilename,Query) AS artifact_path
ParentImage AS parent_process signed ioc_hit
| rename _time AS created_at
| sort -ioc_hit created_at
```
**Note:** Replace placeholder IOC values and baseline strings before deployment. Validate field names against your Sysmon schema version.