Tracer FIRE Incident Response

Sandia National Laboratories  ·  March 2026

Elastic SIEM  ·  Azure Data Explorer  ·  Wireshark  ·  Incident Response

Participated in Tracer FIRE, a hands-on cybersecurity incident response training program run by Sandia National Laboratories. The exercise simulated a real-world post-breach environment, placing participants in a SOC analyst role tasked with reconstructing attacker activity from raw log data.

The primary investigation tool was Azure Data Explorer (ADX), used to write KQL queries against large datasets of event logs, network telemetry, and endpoint activity. Elastic SIEM served as the correlation platform, surfacing alerts and supporting timeline reconstruction across distributed log sources. Wireshark was used to inspect packet captures and validate network-level findings.

The exercise was structured as a CTF — each finding unlocked further investigation paths. Work included identifying indicators of compromise, tracing lateral movement, detecting persistence mechanisms, and producing structured incident documentation matching the format used in professional SOC environments.

The training reinforced a disciplined, query-first approach to threat hunting: forming a hypothesis, writing targeted queries, and following the evidence rather than clicking through dashboards.
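As an added example, not taken from the exercise materials or the write-up above, the query-first approach applied to the lateral-movement hunt mentioned earlier: a KQL query for Azure Data Explorer that tests the hypothesis "one account is logging on over the network to an unusual number of hosts within a short window". The table and column names (SecurityEvent, TimeGenerated, EventID, LogonType, Account, Computer, IpAddress) are assumed Windows security-event fields, not the exercise's actual schema.

```kql
// Hypothesis: a compromised user account is being used for lateral movement.
// Evidence to look for: network (type 3) or RDP (type 10) logons by a single
// account to several distinct hosts within the same hour.
// Assumed schema (not from the exercise): SecurityEvent with TimeGenerated,
// EventID, LogonType, Account, Computer, IpAddress.
let lookback = 7d;        // how far back to hunt
let host_threshold = 3;   // distinct hosts per hour that warrants a look
SecurityEvent
| where TimeGenerated > ago(lookback)
| where EventID == 4624                  // successful logon
| where LogonType in (3, 10)             // network or remote-interactive
| where Account !endswith "$"            // drop machine accounts
| summarize
    DistinctHosts = dcount(Computer),
    Hosts         = make_set(Computer, 20),
    SourceIPs     = make_set(IpAddress, 20),
    FirstSeen     = min(TimeGenerated),
    LastSeen      = max(TimeGenerated)
    by Account, Window = bin(TimeGenerated, 1h)
| where DistinctHosts >= host_threshold
| order by DistinctHosts desc, FirstSeen asc
```

Each row is a candidate to pivot on (source IPs into the packet capture, the hosts into persistence checks) rather than a verdict; the threshold is a starting value to tune against the environment's normal admin activity.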