Module 5.5 — Instructor Materials: Nudges, Edge Cases, Hot Wash
Day 5 capstone · Section 5 of 6 · Instructor-facing only
How the instructor’s role differs in Day 5
Days 1-4 are lecture-led: the instructor delivers content, students absorb. Day 5 is facilitator-led: the instructor delivers scenario injects, monitors student progress, provides pedagogically-calibrated nudges only when needed, and runs the debrief.
The pacing is non-trivial. A capable instructor should:
- Pre-rehearse the day at least twice before live delivery
- Have the timeline of injects memorized (Phase 1 at 0:30, BEC voicemail at 2:05, Phase 4 manipulation injects at 5:15 + 5:25, hidden re-trigger at 5:00 if Phase 3 RAG corpus wasn’t purged)
- Know the ten-point nudge cheat sheet cold
- Be ready to adapt pacing if the room is moving slower or faster than calibrated
The 10-point nudge cheat sheet
If students are stuck, deliver the corresponding nudge. Use sparingly — frequent nudging undermines the scoring’s integrity. As a rule: nudge if a student has been stuck on a phase for 25 minutes without forward progress.
| # | Stuck-state symptom | Nudge to deliver |
|---|---|---|
| 1 | Phase 1: investigating only one alert source | ”Are these alerts in different sources or the same actor across multiple signals?“ |
| 2 | Phase 1: missing the LLM-API DNS pattern | ”Look at user-agent entropy and timing on the careers page” |
| 3 | Phase 2: cannot find the deepfake | ”Voicemail attachment, not the email body. Run the Day-3 audio model.” |
| 4 | Phase 2: trusting the 0.61 detector score | ”What did you learn in Module 2.6 about single-detector deployments?“ |
| 5 | Phase 3: NoraBot trace logs look fine | ”Pull the tool-call trace, not just the chat transcript.” |
| 6 | Phase 4: copying the triage agent’s “BENIGN” attribution | ”Ground-truth check: does CloudTrail agree with what your agent is telling you?“ |
| 7 | Phase 4: cannot find the lookalike bucket | ”Compare every bucket name in the trace to your known-vendor inventory” |
| 8 | Over-blocking spiral (cutting off legitimate users/services) | “What does this action cost Verdancy in the next hour?“ |
| 9 | Attribution rabbit hole (chasing too many possible attackers) | “Attribution is a claim with evidence. What’s your evidence?“ |
| 10 | Frozen on report writing | ”Lead with impact, then timeline, then asks. Three paragraphs.” |
Two additional non-numbered nudges for specific scenarios:
- Panicking on time (last 15 minutes): “Triage what’s still bleeding. Forensics can wait an hour. Exfil cannot.”
- Finished early (rare; high-performing student): “Push to the AI SOC post-mortem. That’s where senior analysts separate from juniors.”
- Missed the persistence trigger: after the re-trigger fires, ask “Where else could the payload live?”
Deliberately-seeded teachable moments
The exercise is designed with specific edge cases as teachable moments. The instructor should expect these to fire and respond appropriately.
Edge case 1: Hallucinated attribution
The triage agent confidently names a known APT (e.g., “vendor-acme” in Phase 4; in some variants the agent will also propose APT41 or similar real attribution targets).
Trigger: Students who copy this into their CISO memo lose attribution points AND AI SOC hygiene points.
Debrief moment: during hot wash, walk through how the agent arrived at its (wrong) attribution and what evidence would have falsified it.
Edge case 2: Over-block escalation
An aggressive student disables NoraBot entirely without justification. The lab simulates revenue impact — at T+45 minutes after the disable, a synthetic event fires: “Member portal experiencing 14% drop in self-service resolution; customer-service tier showing 3.2x escalation increase.”
Trigger: The simulated revenue loss alerts the student that “fire everything” responses have costs.
Debrief moment: discuss proportional response and the role of business impact in defensive decisions.
Edge case 3: Deepfake threshold bypass
Voice clone scores 0.61 in Phase 2 against the 0.7 default threshold.
Trigger: Students who blindly trust the threshold miss the deepfake.
Debrief moment: revisit Module 2.2’s anti-pattern lesson; reinforce that thresholds are environment-specific calibration choices, not universal truths.
Edge case 4: Legitimate vendor mimicry
The real vendor-acme sync job also runs during Phase 4. Mis-identifying it as malicious triggers an over-block penalty.
Trigger: Students who block vendor-acme broadly to “be safe” pay the cost.
Debrief moment: discuss the cost of false-positive containment in production environments.
Edge case 5: Prompt-injection persistence
Even after NoraBot is “fixed” in Phase 3, the poisoned RAG chunk remains in the vector store. The hidden re-trigger fires 30 minutes after the apparent fix if students don’t purge the corpus.
Trigger: Students who didn’t address corpus state fail the persistence test.
Debrief moment: Day 4 Module 4.6 (poisoned RAG) — what does it mean to fully remediate a prompt-injection incident.
Edge case 6: Time pressure on reporting
The reporting block (45 minutes) is intentionally tight. Students who don’t start drafting deliverables until the last 30 minutes will not finish.
Trigger: Incomplete deliverables score below the rubric maximum.
Debrief moment: the report is part of IR, not after it. Senior analysts draft in parallel with investigation.
Hot wash structure (45 minutes)
The hot wash is the most important pedagogical moment of the day. The structure:
0:00 - 0:05 — Scoring reveal
- Display the score distribution (anonymized)
- Announce the Coin tier (top 10%)
- Set the tone: this is learning, not judging
0:05 - 0:25 — Replay PROMETHEUS-7’s full timeline
The instructor walks through each red-team move chronologically:
- T-72h to T-48h: recon stage in detail
- T-2h to T-0h: BEC + deepfake call
- T-1h to T+0h: NoraBot prompt injection
- T+0h to T+3h: agentic exfil with SIEM manipulation
For each move, explain:
- What the adversary did
- What signal it generated for the defender
- Which student catches succeeded; which missed and why
0:25 - 0:35 — Walk specific student successes and failures
Anonymized but specific. “Student #12 caught Phase 1 in 25 minutes by clustering DNS anomalies — let me show how that worked.” “Several students lost Phase 4 attribution by accepting the triage agent’s vendor-acme conclusion — here’s exactly what the agent said and what evidence would have falsified it.”
The specificity matters. Vague debriefs are forgettable; concrete debriefs are memorable.
0:35 - 0:42 — The AI SOC lesson
The single closing message:
“You built a detector’s AI stack across Days 1-4. The adversary studied that stack and built an attack designed to exploit your trust in it. You can have all the right tools and still lose if you trust the tools more than the underlying evidence. The durable controls are independent verification and ground-truth checking — even when, especially when, your AI is confident.”
This is the line the course is built to land. Deliver it deliberately.
0:42 - 0:45 — GIAC cert prep + Coin recognition
- Cert exam blueprint mapping to the day’s content
- Present Coins to top-10% students
- Course evaluation forms
Variants the instructor should know
Three pre-built variants in Module 5.6 swap the org and Stage-3 surface while preserving the four-stage shape and the Mirror Twist. The instructor’s facilitation script is materially the same across all three variants; only the inject content changes.
When delivering this exercise for the same audience multiple times, rotate variants. The pedagogical lesson is the same; the surface variety keeps the cognitive challenge fresh.
What students should leave with
Beyond their numerical score, students should walk out with:
- Visceral feeling for the time-pressure of real IR
- Pattern recognition for the EchoLeak-class injection, the deepfake-BEC kill chain, the agentic-exfil pattern
- Distrust of their own AI agents when AI decisions have not been independently verified
- A complete deliverable package they can include in their professional portfolio
- One specific personal lesson about their own habits — most students will identify a moment in the day where they trusted something they shouldn’t have
The instructor’s job at the hot wash is to surface that one specific personal lesson for each student. The numerical score is secondary.
What’s next
Module 5.6 covers the variant scenarios (Fintech, OT, Public Sector) and the lab platform setup — exactly how the EC2 environment is configured per student, what’s pre-loaded, what’s left for students to install.