Security Education

Operational Security Scenarios

Learn security through attack chains, observable evidence, operator response, and WitnessOps controls.

Problem this page solves

Most security education stops at "spot suspicious behavior" and leaves operators without a response model. This section defines how to move from a reported event to a controlled decision that is backed by recorded evidence and bounded by policy.

Reader outcome

After this section, you should be able to:

  • map a report to an attack-chain stage
  • separate direct signals from assumptions
  • choose a response action that matches evidence quality
  • document containment and escalation decisions under WitnessOps controls

Mechanism-first education model

Each lesson uses the same operational sequence:

  1. Attack chain — what the attacker is attempting at this stage.
  2. Signals — what can be observed directly (email headers, sign-in telemetry, endpoint events, rule changes).
  3. Response decisions — contain, investigate, escalate, or hold.
  4. Control boundary — which actions require runbook execution, policy-gate approval, and signed receipts.

This maps education to response mechanics: chain -> signals -> decisions -> controlled action.

What these pages can teach vs what they cannot guarantee

These pages can teach:

  • repeatable triage patterns for common attacker paths
  • evidence collection priorities before destructive cleanup
  • escalation triggers for high-impact or high-uncertainty cases
  • where to apply Runbooks, Policy Gates, and Receipts

These pages cannot guarantee:

  • prevention of all compromise attempts
  • complete visibility when logs are missing or tampered with
  • attacker attribution from a single artifact
  • that an intrusive response action taken without the required approvals was the right action

Observed vs inferred separation

Treat every claim as either observed or inferred:

  • Observed: directly recorded evidence (message artifact, timestamped sign-in, mailbox rule change, endpoint alert).
  • Inferred: analyst conclusion built from observed facts (credential theft, attacker objective, blast radius).

Use observed facts to justify immediate containment. Use inferred claims to guide investigation, not to skip evidence requirements.

Trust assumptions and limits

This section assumes:

  • source telemetry is available and time-aligned enough to reconstruct sequence
  • operators preserve original artifacts before remediation
  • escalation and intrusive actions stay bounded by policy gates

Limits remain explicit:

  • delayed reporting can hide first access
  • missing telemetry can block confident scope determination
  • some conclusions remain probabilistic until corroborated
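The observed/inferred separation, the contain/investigate/escalate/hold choice, and the missing-telemetry limit above can be written down as a small triage model. The following is an added example, not WitnessOps code or any product's runbook logic: the event shapes, source names, the required-source set, the rule that a mail-hiding inbox rule is containment-grade, and the choice of which actions are policy-gated are all assumptions made for illustration. The telemetry is constructed and deliberately listed out of order.

```python
"""Observed -> inferred -> bounded action, as a small triage model.

Added example, not WitnessOps code. Event shapes, source names, the required
source set and the action/gate rules are assumptions made for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample telemetry for one reported event (not real logs), listed
# out of order on purpose. Each record is an observed fact: something a log
# source actually recorded, with its own timestamp.
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T09:02:11Z", "source": "idp", "type": "signin",
     "user": "alice@example.test", "ip": "203.0.113.7", "result": "success", "mfa": False},
    {"ts": "2024-03-01T08:58:40Z", "source": "mail", "type": "message_received",
     "user": "alice@example.test", "sender": "helpdesk@example-support.test",
     "url": "https://example-support.test/login"},
    {"ts": "2024-03-01T09:05:30Z", "source": "mail", "type": "inbox_rule_created",
     "user": "alice@example.test", "rule": {"action": "delete", "match": "password"}},
]

# Assumption: telemetry sources needed before scope can be called confident.
REQUIRED_SOURCES = frozenset({"idp", "mail", "endpoint"})
# Assumption: actions that must pass a policy gate and produce a signed receipt.
GATED_ACTIONS = frozenset({"contain", "escalate"})


@dataclass(frozen=True)
class Observed:
    ts: datetime
    source: str
    kind: str
    detail: dict


@dataclass(frozen=True)
class Inferred:
    claim: str
    evidence: tuple      # timeline indices of the observed facts it rests on
    corroborated: bool   # True when the evidence spans more than one source


@dataclass(frozen=True)
class Decision:
    action: str            # contain | investigate | escalate | hold
    justified_by: tuple    # timeline indices of the observed facts cited
    open_claims: tuple     # inferred claims still needing corroboration
    scope_gaps: frozenset  # required sources with no telemetry at all
    needs_policy_gate: bool


def build_timeline(events):
    """Parse timestamps and sort, so sequence claims rest on recorded time order."""
    def parse(ts):
        return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    recs = [Observed(parse(e["ts"]), e["source"], e["type"],
                     {k: v for k, v in e.items() if k not in ("ts", "source", "type")})
            for e in events]
    return sorted(recs, key=lambda r: r.ts)


def infer(timeline):
    """Derive inferred claims; every claim cites the observed facts behind it."""
    def first(kind, **match):
        for i, r in enumerate(timeline):
            if r.kind == kind and all(r.detail.get(k) == v for k, v in match.items()):
                return i
        return None

    def claim(text, *idx):
        return Inferred(text, idx, len({timeline[i].source for i in idx}) > 1)

    lure, signin, rule = first("message_received"), first("signin", result="success"), first("inbox_rule_created")
    claims = []
    if lure is not None and signin is not None and timeline[lure].ts < timeline[signin].ts:
        claims.append(claim("credentials stolen via phishing link", lure, signin))
    if signin is not None and rule is not None and timeline[signin].ts < timeline[rule].ts:
        claims.append(claim("attacker has interactive mailbox access", signin, rule))
    if rule is not None:  # the rule log alone does not say which session made it (assumption)
        claims.append(claim("mailbox rule was created by the attacker", rule))
    return claims


def decide(timeline, claims):
    """Pick the action the evidence quality supports, not the worst case imagined."""
    gaps = REQUIRED_SOURCES - {r.source for r in timeline}
    hiding_rules = tuple(i for i, r in enumerate(timeline) if r.kind == "inbox_rule_created"
                         and r.detail.get("rule", {}).get("action") in ("delete", "forward", "move"))
    open_claims = tuple(c for c in claims if not c.corroborated)
    if hiding_rules:        # an observed fact alone justifies containment
        action, basis = "contain", hiding_rules
    elif gaps:              # scope cannot be determined: high uncertainty, escalate
        action, basis = "escalate", ()
    elif claims:            # only inferences so far: investigate, do not skip evidence
        action, basis = "investigate", ()
    else:
        action, basis = "hold", ()
    return Decision(action, basis, open_claims, frozenset(gaps), action in GATED_ACTIONS)


def triage(events):
    timeline = build_timeline(events)
    return decide(timeline, infer(timeline))


if __name__ == "__main__":
    d = triage(SAMPLE_EVENTS)
    print(d.action, sorted(d.scope_gaps), [c.claim for c in d.open_claims], d.needs_policy_gate)
```

On the sample report the model contains (the delete rule is an observed fact), records that endpoint telemetry is absent so scope is not yet confident, and keeps "the attacker created the rule" as an open claim because only one source supports it. Running it on the sign-in record alone yields escalate, not contain: nothing observed justifies containment and two required sources are missing.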

Next-page handoff

Continue to Why Phishing Works to apply this model to the most common identity-entry path and its first response decisions.