Day 5 — Capstone: Operation Hollow Mirror
Course: SEC5xx — Detecting and Responding to AI-Generated Adversary Content Day: 5 of 5 · 8-hour immersive incident-response exercise Prerequisite: Days 1–4 fully completed
The marketing line
“For eight hours, you defend Verdancy Health against PROMETHEUS-7 — an AI-orchestrated adversary that has studied your AI SOC, knows how it reasons, and built an attack designed to make your own agents lie to you.”
This is the day the course is sold on. Days 1–4 build the detector’s stack; Day 5 makes the student defend it against an adversary specifically designed to exploit every assumption that stack relies on.
What Day 5 is — and what it isn’t
It is: A timed, scored, immersive incident-response exercise. Students operate the detector’s AI stack they built across Days 1–4 against a multi-stage attack from a fictional but realistic adversary. The 8-hour exercise includes briefing, four investigation phases, reporting block, and hot-wash debrief.
It isn’t: Another lecture day. Day 5 has no slide deck. The instructor’s role is to facilitate the exercise, deliver scenario injects on schedule, provide pedagogically-calibrated nudges when students get stuck, and lead the debrief.
The six pages
| # | Page | Purpose |
|---|---|---|
| 5.1 | Scenario and 8-hour schedule | Verdancy Health setup, PROMETHEUS-7 adversary, hour-by-hour facilitator schedule |
| 5.2 | Phases 1–2: Recon and BEC | AI-driven recon detection + Deepfake voice BEC triage |
| 5.3 | Phases 3–4: Injection and the Mirror Twist | NoraBot prompt injection IR + Agentic exfil with manipulated SIEM |
| 5.4 | Scoring rubric and required deliverables | 1000-pt rubric, 700 pass bar for GIAC capstone credit, 6 required artifacts |
| 5.5 | Instructor materials: nudges, edge cases, hot wash | 10-point cheat sheet, seeded teachable moments, debrief structure |
| 5.6 | Variants and lab platform | Fintech, OT, Public Sector variants + browser-based EC2 environment |
Key design principles
Principle 1: The capstone tests integration, not memorization.
Each phase requires students to apply techniques from multiple prior days. Phase 1 uses Day 1’s embedding clustering + Day 4’s adversary-agent network telemetry. Phase 3 uses Day 3’s prompt-injection detector + Day 5’s planted EchoLeak-class incident. Stage 4 specifically tests Day 4’s action-criticality matrix against an attacker designed to exploit AI-trust assumptions.
Principle 2: The Mirror Twist is the marketable moment.
In Phase 4, the adversary’s agent injects fabricated log entries that lead the defender’s own AI triage agent to confidently misattribute the exfil to a legitimate vendor sync job. Students who trust their AI agent fail the attribution task. Students who verify against raw CloudTrail succeed. The exercise rewards distrusting your own agents — making concrete a lesson that ran through all four prior days.
Principle 3: The scoring rewards both detection AND restraint.
Over-blocking a legitimate user is penalized just like missing a real attack. Hallucinated attribution accepted without verification is penalized just like wrong attribution. The scoring rubric explicitly disincentivizes “fire everything” responses and incentivizes the judgment students should develop over the course.
The integration map
| Day-5 Stage | Day-1 technique | Day-2 technique | Day-3 technique | Day-4 technique |
|---|---|---|---|---|
| 1 (Recon) | Embedding clustering of phishing precursors | — | — | Adversary agent network signatures |
| 2 (Deepfake BEC) | — | Workflow-gap detection, audio detector + threshold | — | — |
| 3 (NoraBot injection) | — | — | EchoLeak-class detector, guardrail telemetry, lethal trifecta audit | — |
| 4 (Mirror Twist) | — | — | — | Agent telemetry detection, action-criticality matrix, AI-SOC self-skepticism |
By Phase 4, all four prior days’ content is in play simultaneously.
Why this scenario, this scoring, this twist
The blueprint frames the design rationale (§9 of the course blueprint). The specific design decisions:
- Healthcare insurer (Verdancy Health) as target — high-stakes data (PHI, financial), realistic AI deployment (NoraBot customer-service copilot, “agentic AI SOC” the CISO publicly claimed). Substitutable across the three variants.
- PROMETHEUS-7 as adversary — financially motivated, agentic-AI-using, scraped the CISO’s conference talk to specifically target Verdancy’s AI SOC. The adversary’s knowledge of the defender’s stack is what makes the Mirror Twist plausible.
- 8-hour single-day format — long enough for genuine investigation and reporting; short enough to fit in a SANS course delivery slot. Compared to multi-day NetWars events, this is a tighter immersive exercise.
- 1000-point scoring with cascading penalty — missing earlier stages caps later-stage scores. Mirrors real IR: an undetected initial-access stage limits your ability to investigate the later stages effectively.
- 700-point pass bar — calibrated to give competent students a passing grade while leaving headroom (top 10% earn “Coin” recognition).
What students leave with
- Verified ability to operate the detector’s AI stack under time pressure against a realistic adversary
- A scored deliverable package they can include in their professional portfolio
- The specific debrief insight: AI in the SOC is a tool with failure modes, not a source of truth
- GIAC capstone credit (for students pursuing the certification)
- A SANS-Coin tier acknowledgment if they finish in the top 10%
Three variant scenarios available
For organizations running this course multiple times per year, three pre-built variants swap the org and the Stage-3 surface while preserving the four-stage kill-chain shape and the Mirror Twist. Details in Module 5.6. Instructor effort to swap variants: ~1 day of content reseeding.