6 Things I Learned While Building an Incident Response Simulation (IR Sim 101)
Introduces the IR Sim 101 project, which provides a realistic incident response simulation with folders for detection notes, documentation and simulated artifacts, helping learners build response skills by analyzing logs, extracting IOCs and mapping activity to MITRE ATT&CK. 2025-8-11 11:26:15 Author: infosecwriteups.com

Yug Shah

“The worst time to learn Incident Response is during the incident itself.”

If you’re an SOC analyst, cybersecurity student, or anyone preparing for incident response, you know that nothing beats hands-on practice.

That’s why I created IR Sim 101, a realistic cybersecurity incident simulation that walks you through the entire incident response workflow, from initial detection to final report writing.

This project is more than just a cybersecurity lab. It’s a story-driven breach investigation where logs, artifacts, and documentation are structured exactly like in a real Security Operations Center (SOC).

The repository mimics real-world IR documentation and evidence handling:

IR-Sim-101/
├── detection_notes/
│   ├── MITRE_TTPs.txt
│   ├── analyst_walkthrough.md
│   ├── ioc_list.txt
│   ├── network_analysis.txt
│   └── recommendations.txt
├── docs/
│   ├── Incident_Scenario.md
│   ├── incident_logs.md
│   ├── incident_summary.txt
│   └── incident_timeline.md
├── simulation/
│   └── artifacts/
│       ├── O365_login_events.csv
│       ├── internal_portal_logs.csv
│       ├── powershell_activity.csv
│       └── credentials/
│           └── harvested_creds.csv
└── README.md

In the detection_notes/ folder, I documented every finding as if I were responding live:

  • MITRE_TTPs.txt → Map attacker behavior to MITRE ATT&CK
  • ioc_list.txt → Indicators of Compromise (IOCs)
  • network_analysis.txt → Network anomalies & suspicious patterns
  • recommendations.txt → Security improvements
  • analyst_walkthrough.md → Step-by-step reasoning

SEO Tip for Readers: Always maintain a centralized IR notebook during an investigation; it’s the difference between confusion and clarity.

The docs/ folder is where the full breach narrative lives:

  • Incident_Scenario.md → Background and detection context
  • incident_logs.md → Raw logs for hunting
  • incident_timeline.md → Chronology of attacker actions
  • incident_summary.txt → Executive-ready summary

Pro Insight: If your SOC team doesn’t have an incident storyline, you’re just reacting, not responding.

Inside simulation/artifacts/, I uncovered the real attack flow:

  • O365_login_events.csv → Suspicious geo-diverse logins
  • internal_portal_logs.csv → Sensitive file access
  • powershell_activity.csv → Obfuscated persistence scripts
  • credentials/harvested_creds.csv → Evidence of credential theft

Key Skill for SOC Analysts: Learn to spot anomalies across different log types; attackers rarely leave all their traces in one place.

Jumping between detection notes and artifacts confirmed suspicions. For example:

  • Matching IPs in ioc_list.txt with O365_login_events.csv confirmed malicious access.
  • Linking PowerShell commands to MITRE ATT&CK T1059.001 (PowerShell) helped identify attacker techniques.

Why This Matters: In incident response exercises, correlation turns scattered alerts into a cohesive attack narrative.

A well-built incident timeline transforms chaos into clarity:

  • Shows cause-and-effect relationships
  • Helps IR teams prioritize actions
  • Builds stakeholder trust
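Below is an added worked example, not code from the IR Sim 101 repository, showing the two correlations described above (IOC IPs against O365 login events, PowerShell command lines against ATT&CK T1059.001) and how the hits fold into one chronological timeline. The CSV column names, the IOC file layout and every sample row are constructed assumptions in the shape of the repository's artifact names, not its real contents.

```python
"""Added example: correlate IR-Sim-style artifacts (IOC IPs vs O365 logins,
PowerShell flags vs ATT&CK T1059.001) and merge the hits into a timeline."""
import csv
import io
import re
from datetime import datetime

# Constructed sample data named after the repository's artifacts. Column
# names and values are assumptions, not the project's real files.
IOC_LIST = """\
# ioc_list.txt (constructed): one indicator per line
203.0.113.45
198.51.100.7
"""

O365_LOGIN_EVENTS = """\
timestamp,user,src_ip,country,result
2025-07-01T08:02:11Z,j.doe,10.0.0.5,US,Success
2025-07-01T08:40:53Z,j.doe,203.0.113.45,RU,Success
2025-07-01T09:15:02Z,a.lee,10.0.0.9,US,Success
2025-07-01T11:03:47Z,j.doe,198.51.100.7,BR,Failure
"""

# The -EncodedCommand payload is base64 of the harmless UTF-16LE string "AAAA".
POWERSHELL_ACTIVITY = """\
timestamp,host,user,command_line
2025-07-01T08:55:30Z,WS-042,j.doe,powershell.exe Get-Process
2025-07-01T09:02:14Z,WS-042,j.doe,powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand QQBBAEEAQQA=
2025-07-01T09:05:00Z,WS-042,j.doe,powershell.exe -ExecutionPolicy Bypass -File update.ps1
"""

# Command-line traits that justify mapping a row to T1059.001 (PowerShell).
PS_INDICATORS = {
    "encoded command": re.compile(r"-e(nc|ncodedcommand)?\b", re.I),
    "hidden window": re.compile(r"-w(indowstyle)?\s+hidden", re.I),
    "execution policy bypass": re.compile(r"-ex(ecutionpolicy)?\s+bypass", re.I),
}
ATTACK_TECHNIQUE = "T1059.001"


def load_iocs(text):
    """Read an ioc_list.txt-style file, skipping blank lines and '#' comments."""
    return {ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")}


def parse_csv(text):
    """Parse a CSV artifact into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def match_ioc_logins(events, iocs):
    """Login rows whose source IP appears on the IOC list."""
    return [e for e in events if e["src_ip"] in iocs]


def geo_diverse_users(events):
    """Users seen logging in from more than one country."""
    countries = {}
    for e in events:
        countries.setdefault(e["user"], set()).add(e["country"])
    return {u: sorted(c) for u, c in countries.items() if len(c) > 1}


def flag_powershell(rows):
    """Attach matched indicator names and the ATT&CK technique to suspicious rows."""
    flagged = []
    for r in rows:
        hits = [name for name, rx in PS_INDICATORS.items()
                if rx.search(r["command_line"])]
        if hits:
            flagged.append({**r, "indicators": hits, "technique": ATTACK_TECHNIQUE})
    return flagged


def build_timeline(login_hits, ps_hits):
    """Merge findings from both log sources into one chronological list."""
    entries = []
    for e in login_hits:
        entries.append((e["timestamp"], "O365_login_events.csv",
                        f"{e['user']} login from IOC IP {e['src_ip']} "
                        f"({e['country']}, {e['result']})"))
    for p in ps_hits:
        entries.append((p["timestamp"], "powershell_activity.csv",
                        f"{p['user']}@{p['host']} {p['technique']}: "
                        f"{', '.join(p['indicators'])}"))
    return sorted(entries, key=lambda t: datetime.strptime(t[0], "%Y-%m-%dT%H:%M:%SZ"))


def run():
    """End-to-end: load artifacts, correlate, return (timeline, geo-diverse users)."""
    iocs = load_iocs(IOC_LIST)
    logins = parse_csv(O365_LOGIN_EVENTS)
    ps_rows = parse_csv(POWERSHELL_ACTIVITY)
    timeline = build_timeline(match_ioc_logins(logins, iocs), flag_powershell(ps_rows))
    return timeline, geo_diverse_users(logins)


if __name__ == "__main__":
    timeline, geo = run()
    for ts, source, what in timeline:
        print(f"{ts}  [{source}]  {what}")
    for user, countries in geo.items():
        print(f"geo-diverse user: {user} -> {', '.join(countries)}")
```

Running it prints four timeline entries in order (two IOC-matched logins bracketing two flagged PowerShell rows) and reports j.doe as the user seen from three countries. The same loaders work on the repository's real CSVs once the column names are adjusted to match them, which is the cross-referencing and timeline-building work the walkthrough steps ask you to do by hand.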

The recommendations.txt file became the blueprint for prevention:

  • Enforce MFA
  • Enable advanced PowerShell logging
  • Apply geo-restrictions on logins

Incident Response Mindset: Your job isn’t over when the breach ends — it’s over when you’ve reduced the chance it happens again.

By running this simulation, you’ll practice:

  • Log analysis & anomaly detection
  • IOC extraction & correlation
  • MITRE ATT&CK mapping
  • Incident timeline building
  • IR reporting & recommendations

This isn’t just reading about IR, it’s doing IR.

  1. Clone the repo from GitHub
  2. Read Incident_Scenario.md first
  3. Analyze logs in simulation/artifacts/
  4. Cross-reference with detection_notes/
  5. Build the incident timeline
  6. Write your final report

“The only way to stay calm in chaos is to practice chaos.”

IR Sim 101 is controlled chaos, the perfect training ground for SOC analysts, cybersecurity students, and blue-teamers preparing for the real thing.

Watch the guided walkthrough video. Where logs become stories, and every alert is a clue.

GitHub: IR Sim 101 Repository
LinkedIn: Yug Shah


Visit my YouTube Channel!

Source: https://infosecwriteups.com/6-things-i-learned-while-building-an-incident-response-simulation-ir-sim-101-84dea0e900c3?source=rss----7b722bfd1b8d---4