Platform Guide

SOaC Enterprise Operations Manual

Comprehensive reference for simulation operations, team game workflows, role definitions, scoring mechanics, replay analysis, and community features.

Simulation Operations

The SOaC Lab is a browser-based simulation environment where security teams execute threat scenarios drawn from verified MITRE Threat-Informed Packages (MTIPs). Each simulation exercises realistic detection-to-response workflows mapped to specific MITRE ATT&CK techniques.

Session Lifecycle

  1. Create: Choose scenario + mode
  2. Configure: Select role, invite team
  3. Execute: Walk through steps
  4. Score: Evaluate performance
  5. Review: Replay + AAR

Session Modes

Solo Mode
Single-player walkthrough of all three roles sequentially. Ideal for learning and practice.
Team Mode
Multi-player lobby with SSE real-time sync. Each participant claims a role and executes cooperatively.

How Sessions Work

Every session is backed by a GameSession record in the database. The session stores the scenario steps, participant assignments, event timeline, and final completion state. Steps are organized by role (Red Team, Blue Team, SOC Manager) and by attack phase.

  1. Navigate to /lab and select a scenario package from the gallery or the difficulty tiers.
  2. Choose solo or team mode. In team mode, share the invite code with teammates.
  3. Once in-session, execute steps sequentially within your assigned role panel.
  4. Each executed step fires a real-time SSE event visible to all participants.
  5. When all critical steps are complete, submit your score to finalize the session.
  6. Review performance via the score summary, then access the full replay.

Scenario Difficulty Tiers

Scenarios are organized into three difficulty tiers based on complexity (number of steps, attack surface, and required coordination):

Tier 1 — Foundation
Entry-level scenarios with fewer steps. Ideal for onboarding new team members.
Tier 2 — Intermediate
Mid-complexity scenarios requiring cross-role coordination and deeper MITRE coverage.
Tier 3 — Advanced
Full-scale incidents with 60+ steps, multi-phase attacks, and complex containment workflows.

Team Game / Multiplayer Flow

Team games bring together multiple players into a shared simulation session. The flow uses Server-Sent Events (SSE) for real-time synchronization — no WebSocket dependency, which means it works seamlessly behind corporate proxies and firewalls.

Lobby & Matchmaking

  1. The host creates a team session from the Lab, selecting a scenario package.
  2. A unique invite code is generated. The host shares it with teammates via the copy-link button.
  3. Teammates navigate to /lab/join/[inviteCode] or enter the code manually.
  4. Each participant joins the lobby and selects their role (Red Team, Blue Team, or SOC Manager).
  5. The lobby shows all connected participants and their ready status in real time via SSE.
  6. Once all participants are ready, the host starts the simulation.

Real-Time Synchronization

During gameplay, every step execution, chat message, and state change is broadcast to all participants through the SSE stream at /api/sessions/[id]/stream. This ensures each player sees the evolving scenario state without polling.

Event Types
step_executed, chat_message, participant_joined, session_started, session_completed
Reconnection
SSE auto-reconnects on network interruption. State is server-authoritative.
Chat
In-game team chat is available during the session for coordination.
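
The stream described above uses standard text/event-stream framing. As an added example (not the platform's own code), this parser consumes such a stream incrementally, drops event types outside the list above, and tracks the last event ID for reconnection. The id: fields, JSON payloads and payload field names are assumptions, since this guide does not specify the wire format.

```javascript
// Event types listed in this guide; any other type on the stream is dropped.
const ALLOWED_EVENTS = new Set(["step_executed", "chat_message",
  "participant_joined", "session_started", "session_completed"]);
// Incremental text/event-stream parser: feed() takes arbitrary network chunks.
function createSseParser() {
  let buffer = "";
  let lastEventId = null; // a client would resend this as Last-Event-ID
  function parseFrame(frame) {
    let type = "message";
    const data = [];
    for (const line of frame.split("\n")) {
      if (line === "" || line.startsWith(":")) continue; // comment or keep-alive
      const i = line.indexOf(":");
      const field = i === -1 ? line : line.slice(0, i);
      let value = i === -1 ? "" : line.slice(i + 1);
      if (value.startsWith(" ")) value = value.slice(1);
      if (field === "event") type = value;
      else if (field === "data") data.push(value);
      else if (field === "id") lastEventId = value;
    }
    if (data.length === 0 || !ALLOWED_EVENTS.has(type)) return null;
    try { // assumption: payloads are JSON; the guide does not specify them
      return { type, id: lastEventId, payload: JSON.parse(data.join("\n")) };
    } catch {
      return null; // malformed payloads are discarded, never partially applied
    }
  }
  return {
    feed(chunk) {
      buffer = (buffer + chunk).replace(/\r\n/g, "\n"); // a lone trailing \r waits
      const frames = buffer.split("\n\n");
      buffer = frames.pop(); // incomplete tail stays buffered for the next chunk
      return frames.map(parseFrame).filter(Boolean);
    },
    get lastEventId() { return lastEventId; },
  };
}

// Constructed sample stream (field names are hypothetical), split mid-frame.
const SAMPLE_CHUNKS = [
  'id: 1\nevent: session_started\ndata: {"sessionId":"demo"}\n\n: ping\n\nid: 2\nevent: step_exe',
  'cuted\ndata: {"role":"blue","stepId":"s-01"}\n\nid: 3\nevent: admin_override\ndata: {}\n\n',
  'id: 4\nevent: chat_message\ndata: {not json\n\n',
];
function replaySample() {
  const parser = createSseParser();
  const types = SAMPLE_CHUNKS.flatMap((c) => parser.feed(c)).map((e) => e.type);
  return { types, lastEventId: parser.lastEventId };
}
```

Only the two well-formed, allowlisted events survive replaySample(); the unlisted admin_override frame and the malformed chat_message are discarded, while the last event ID still advances so a reconnect would not replay them.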

CISO Observer Role

In team sessions, the CISO role operates as a governance observer. The CISO does not execute technical steps directly but reviews decision points, approves or overrides critical actions, and evaluates whether containment responses align with organizational risk posture. CISO decisions are tracked separately and appear in the After-Action Review.

Roles & Responsibilities

SOaC Enterprise uses a four-role operational model. Each role maps to specific architectural pillars and carries distinct responsibilities in both the simulation lab and production operations.

Red Team

The Body (Detection Telemetry)

  • Execute attack techniques mapped to MITRE ATT&CK
  • Simulate adversary behavior across kill chain phases
  • Validate that detection rules trigger on attack patterns
  • Identify gaps in telemetry coverage

Blue Team

The Brain + The Purpose (AI + CLAW)

  • Monitor SIEM alerts and validate detections
  • Trigger CLAW automated response playbooks
  • Tune detection thresholds and alert fidelity
  • Author and maintain detection-as-code rules

SOC Manager

Cross-Pillar Orchestration

  • Triage alerts and assign severity levels
  • Coordinate Red/Blue team activities
  • Review and approve CLAW playbook executions
  • Manage escalation paths and communication

CISO

Governance & Strategic Oversight

  • Evaluate organizational risk posture
  • Review governance compliance of automated responses
  • Approve critical containment decisions
  • Assess exercise outcomes against business objectives

Role-to-Pillar Mapping

Red Team
The Body
Blue Team
Brain + Purpose
SOC Manager
Orchestration
CISO
Governance

Scoring & Leaderboard

Every completed simulation session generates a score that reflects the player's effectiveness in their chosen role. Scores are stored per-session and aggregated for leaderboard rankings.

Score Calculation

The scoring algorithm evaluates multiple dimensions of performance. Each executed step earns base points, with multipliers applied for role-specific effectiveness:

Steps Executed
Percentage of role-specific steps completed (0–100%)
Detection Rate
Ratio of steps executed to total steps in the role
Role Score
Composite: (steps_executed / total_steps) × 100, normalized per role
Total Score
Weighted sum across all executed roles in the session

Badge System

Badges are awarded automatically based on achievement milestones. Each badge has a rarity tier (Common, Uncommon, Rare, Epic, Legendary) and is permanently attached to the user's profile.

First Blood (Common): Complete your first simulation session
Hat Trick (Common): Complete 3 sessions
Threat Hunter (Uncommon): Achieve 80%+ detection rate
Perfect Execution (Rare): 100% step completion in any session
Team Player (Uncommon): Complete a team session
Veteran (Rare): Complete 10+ sessions
Role Master (Epic): Complete sessions in all 3 roles
Package Collector (Epic): Complete 5 different packages
Elite Operator (Legendary): Score 90+ across 5 sessions

Leaderboard Logic

The global leaderboard at /leaderboard ranks players by their highest total score across all sessions. Rankings update in real time as new scores are submitted. The leaderboard supports filtering by time period (all-time, monthly, weekly) and displays the player's name, top score, total sessions, and earned badges.

Replay & After-Action Review

Every completed session generates a detailed replay record. Replays capture the full timeline of events — every step execution, role transition, and decision point — enabling post-incident analysis and team debriefs.

Replay Features

Timeline View
Chronological event stream showing who did what and when
Role Filtering
Toggle visibility per role (Red/Blue/SOC) to focus analysis
Playback Controls
Play/pause through the event timeline at adjustable speed
MITRE Mapping
Each replay step shows its MITRE ATT&CK technique ID
Public Sharing
Session creators can toggle replay visibility to generate a shareable link
OG Preview
Shared replays generate dynamic Open Graph images for social embedding

After-Action Review (AAR) Workflow

The AAR process follows a structured debrief format, typically completed within 30 minutes of session end. It highlights key performance metrics, response timeline, and actionable improvements.

  1. Complete the simulation session and submit scores.
  2. Navigate to the session replay page from the Lab or the score summary link.
  3. Review the full event timeline, filtering by role as needed.
  4. Identify key moments: missed detections, delayed responses, or governance gaps.
  5. For team sessions: use the AAR preview modal to review cross-role performance.
  6. Export or share the replay link for asynchronous team review.

AAR Report Components

The AAR report (accessible from the session replay page) includes an executive summary with key metrics (total score, detection rate, response time), a role-by-role performance breakdown, a CLAW playbook execution timeline, compliance validation results (PASS/PARTIAL/FAIL), and recommended improvements based on gaps identified during the session.

Community & Referrals

The Community section at /community provides a live activity feed and GitHub integration hub for the SOaC community.

Activity Feed

The Activity Feed tab shows a real-time stream of community events. Feed events are generated automatically when users complete sessions, earn badges, or achieve leaderboard milestones. Each event supports claps (one per user) and threaded comments (500 characters max).

Event Types
session_completed, badge_earned, leaderboard_rank, referral_joined
Claps
Toggle-style reactions, one per user per event. Clap counts are visible to all.
Comments
Threaded replies on any feed event. 500-character limit. Newest first.
Pagination
Cursor-based infinite scroll for efficient loading of historical events.

Referral Program

Every registered user receives a unique referral code, accessible from their profile page at /profile. Sharing the referral link allows new users to sign up with the code pre-filled.

  1. Share: Copy your referral link
  2. Sign Up: Friend creates account
  3. First Session: Friend completes a sim
  4. Reward: +1 session credit for you

Referral Link
soacframe.io/signup?ref=YOUR_CODE — auto-generated on first profile visit
Conversion
Triggered when the referred user submits their first session score
Bonus
+1 session credit awarded to the referrer upon conversion
Expiry
Referral bonus window: 7 days from signup
Dashboard
Profile page shows total referred, converted, and credits earned

Profile Analytics

Advanced analytics are available on every user's profile page — completely free, no tier restrictions. The analytics dashboard provides deep insight into simulation performance over time.

Key Metrics

Percentile Rank
Your average score compared to all platform users (e.g., "Top 15%")
Current Streak
Consecutive days with at least one completed session
Packages Completed
Total unique scenario packages finished
Average Score
Mean score across all completed sessions

Score Trend Chart

A bar chart displaying your last 20 session scores over time. This reveals your performance trajectory (whether scores are trending upward or plateauing) and helps identify areas for improvement.

Role Proficiency Bars

Horizontal bars showing your average detection rate broken down by role — Red Team, Blue Team, and SOC Manager. This helps identify which operational role is strongest and where additional practice would be most beneficial.