Lightweight practice flow: pick an alert, get pivots, and generate an evidence checklist.
This page is intentionally simple so it works everywhere (even in the cursed browsers).
How this maps to the repo (evidence-first)
Use the triage flow to validate detections in detection-rules/.
Escalation and containment steps map to IR playbooks in incident-response/playbooks/.
Build new scenarios by adding alerts and attaching “expected evidence” to each.
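As an added illustration of the flow described above (not code from this page or its repository; the scenario shape and the sample scenarios are assumptions constructed for the example), here is a small Python model of an alert with expected evidence attached to each pivot, the checklist it generates, and a check that every pivot actually has evidence before the scenario is used:

```python
from dataclasses import dataclass, field


@dataclass
class Scenario:
    """One practice alert: its pivots and the evidence expected per pivot.
    This shape is an assumption for the example, not a format the repo defines."""
    alert: str
    pivots: list[str]
    expected_evidence: dict[str, list[str]] = field(default_factory=dict)


# Constructed sample scenarios for the example (not from the repo).
SCENARIOS = {
    "ps-encoded-cmd": Scenario(
        alert="PowerShell launched with an encoded command line",
        pivots=["host", "user", "parent_process"],
        expected_evidence={
            "host": ["process creation event with full command line"],
            "user": ["logon event preceding the process start"],
            "parent_process": ["parent image path and its own parent chain"],
        },
    ),
    "broken-scenario": Scenario(
        alert="Scenario with evidence missing for one pivot",
        pivots=["host", "destination"],
        expected_evidence={"host": ["process creation event"], "nope": ["stray entry"]},
    ),
}


def validate_scenario(s: Scenario) -> list[str]:
    """Return problems: pivots with no expected evidence, evidence keyed to unknown pivots."""
    problems = [f"pivot '{p}' has no expected evidence" for p in s.pivots if not s.expected_evidence.get(p)]
    problems += [f"evidence listed for unknown pivot '{p}'" for p in s.expected_evidence if p not in s.pivots]
    return problems


def evidence_checklist(scenarios: dict[str, Scenario], key: str) -> list[str]:
    """Build '[ ] pivot: evidence' lines for one alert; refuse scenarios that fail validation."""
    s = scenarios[key]
    problems = validate_scenario(s)
    if problems:
        raise ValueError("; ".join(problems))
    return [f"[ ] {p}: {item}" for p in s.pivots for item in s.expected_evidence[p]]


if __name__ == "__main__":
    for line in evidence_checklist(SCENARIOS, "ps-encoded-cmd"):
        print(line)
```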