// HUNTER_BRIEFING

RULES & FAQ

Everything you need to know before entering the hunt.

// HUNT_PARAMETERS

3 hunts per month
7 days per hunt
$1,035 prize pool
Static scoring
KQL query language
50 attempts per flag

HOW HUNTS WORK
7-day investigation scenarios. Real telemetry. Flag-based scoring across attack phases. Same dataset. Level playing field.

SCORING SYSTEM
Static scoring. Difficulty weighted. Hints available at a cost. Depth wins, not speed. Tiebreaker: last flag submission time.

PRIZES
$1,035 per hunt. Top 3 by score. 7 random draws from all participants. One flag gets you in the draw.

FAIR PLAY
Work independently. No flag sharing. No automation. AI tools permitted. Violations = disqualification.
How Hunts Work

Each hunt is a 7-day investigation scenario built from real or realistic attack telemetry. You are given access to a SIEM environment with pre-loaded log data and a series of investigation flags to find.

Flags are grouped into investigation sections. Each section focuses on a different phase of the attack. You work through the investigation, build queries, trace the attack chain, and submit your findings.

Hunts run 3 times per month. When a hunt closes, final scores are locked and prizes are distributed. A post-hunt debrief is released covering the full attack timeline, techniques, and detection opportunities.

All hunters work on the same dataset. No randomisation. The playing field is level.

Scoring System

Static scoring. Flag values are fixed regardless of when or how many hunters solve them. You are not punished for starting late. Depth and skill win, not speed.

Difficulty weighting. Flags are weighted by difficulty. Harder investigation questions are worth more points. Values vary by hunt but always reward depth over surface-level answers.

Hints. Two hints per flag. Hint 1 is free and gives you a methodology nudge. Hint 2 costs points and gives data-specific guidance. Use them wisely.

Attempts. Each flag allows up to 50 submission attempts. Read the format carefully before submitting.

Tiebreaker. Time of last flag submission. If two hunters have identical scores, the one who submitted their final correct flag first wins. This is the only speed advantage in the system.

All-Time scores. Every point earned in every hunt adds to your cumulative all-time total. The all-time leaderboard tracks performance across the entire platform.

Prize Distribution

$1,035 per hunt. 10 winners.

Prize        Amount       How
1st Place    $115         Top scorer. Tiebreak by last flag submission.
2nd Place    $110         Second highest score.
3rd Place    $105         Third highest score.
7 Random     $100 each    Random draw from all hunters with at least 1 flag.

The top 3 prizes reward skill and depth. The 7 random picks keep everyone motivated: anyone who submits at least one correct flag has a chance to win regardless of skill level.

Fair Play

Work independently. Collaboration during active hunts is prohibited unless explicitly stated.

No flag sharing. Do not share answers, screenshots of solved challenges, or investigation walkthroughs while a hunt is active.

No automation. Brute-forcing scripts and automated solvers are prohibited. The platform has built-in rate limiting.

AI tools are permitted. Using AI to help formulate queries or understand techniques is fine. The skill being tested is your investigation methodology, not whether you can type a string from memory.

Violations. Any attempt to manipulate scores, exploit platform mechanics, or gain an unfair advantage results in disqualification and potential account suspension.

Frequently Asked Questions

What tools do I need?
A web browser. The SIEM environment is provided. You query data directly in Azure Sentinel using KQL. No local tools or VMs required.

What skill level do I need?
Hunts include flags at various difficulty levels. If you can write a basic KQL query and understand log events, you can start earning points. The harder flags will challenge experienced analysts.

How do I get an access code?
Access codes are issued through the Cyber Range community on Skool. Join at skool.com/cyber-range to get started.

Can I start a hunt late?
Yes. Hunts run for 7 days. You can start at any point during the window. Static scoring means your points are worth the same whether you start on day 1 or day 6.

Are hints worth using?
Hint 1 is free and gives you a nudge in the right direction. Hint 2 costs points but gives you data-specific guidance. A solved flag with Hint 2 is still worth more than an unsolved flag. If you are stuck, use them.

What happens after a hunt closes?
Final scores are locked. Prizes are distributed. A post-hunt debrief is released covering the full attack timeline, MITRE ATT&CK mapping, technique analysis, and detection opportunities. This is where the real learning happens.

Can I discuss hunts after they close?
Yes. Once a hunt is closed, you are free to discuss solutions, techniques, and approaches with the community.

How do all-time scores work?
Every point you earn in any hunt is added to your cumulative all-time total. The all-time leaderboard tracks your performance across the entire platform.

Is there a limit on how many hunts I can enter?
No. Every hunt is open to all Cyber Range members. Enter as many as you want.

I found a bug or have an issue.
Report it in the Cyber Range community on Skool. Platform issues are addressed as quickly as possible. If a bug affects scoring, adjustments will be made.

Where do I investigate?
Most investigation happens in Azure Sentinel using KQL. Some hunts may include alerts or data in Microsoft Defender for Endpoint. The challenge description will tell you where to look.

I see an alert in MDE but no logs. Where do I go?
MDE alerts are starting points. The detailed telemetry lives in the Sentinel workspace. Use KQL to query the underlying log tables.

What KQL tables should I know?
Depends on the hunt. Common tables include DeviceProcessEvents, DeviceNetworkEvents, DeviceFileEvents, DeviceLogonEvents, SecurityEvent, and Syslog. The challenge context will guide you.

Do I need to know KQL before starting?
Basic KQL is enough to start earning points on easy flags. The Microsoft Learn KQL tutorials cover everything you need. Hard flags will push you further.

Can I use MDE Advanced Hunting?
Yes. Advanced Hunting in MDE queries the same data. Some hunters prefer it. Both MDE Advanced Hunting and the Sentinel workspace are valid approaches.
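As an added illustration of the pivot the three answers above describe (this is an example written for this page, not a query from the platform or from any hunt), the KQL below starts from the host and time of an MDE alert and builds one ordered timeline across the Device* tables named in the FAQ. The hostname, alert time and 30-minute window are constructed placeholders; swap in the values from the alert you are working from. Because it touches only the Device* tables, the same query runs unchanged in the Sentinel workspace and in MDE Advanced Hunting.

```kql
// Added example, not a query from the platform. Host and alert time are
// constructed placeholders: replace them with the values from your alert.
let Host = "WORKSTATION-01";
let AlertTime = datetime(2024-01-15T10:00:00Z);
let Window = 30m;
let Start = AlertTime - Window;
let End = AlertTime + Window;
union
  // Who was logged on: successful logons on the host around the alert
  (DeviceLogonEvents
   | where DeviceName =~ Host and Timestamp between (Start .. End)
   | where ActionType == "LogonSuccess"
   | extend Source = "Logon", Account = AccountName,
            Detail = strcat(LogonType, " logon from ", RemoteIP)),
  // What ran: every process with its parent and full command line
  (DeviceProcessEvents
   | where DeviceName =~ Host and Timestamp between (Start .. End)
   | extend Source = "Process", Account = AccountName,
            Detail = strcat(InitiatingProcessFileName, " -> ", FileName, " | ", ProcessCommandLine)),
  // Where it talked: outbound connections to public addresses only
  (DeviceNetworkEvents
   | where DeviceName =~ Host and Timestamp between (Start .. End)
   | where RemoteIPType == "Public"
   | extend Source = "Network", Account = InitiatingProcessAccountName,
            Detail = strcat(InitiatingProcessFileName, " -> ", RemoteIP, ":", tostring(RemotePort), " ", RemoteUrl)),
  // What it dropped: files created or modified on disk
  (DeviceFileEvents
   | where DeviceName =~ Host and Timestamp between (Start .. End)
   | where ActionType in ("FileCreated", "FileModified")
   | extend Source = "File", Account = InitiatingProcessAccountName,
            Detail = strcat(InitiatingProcessFileName, " wrote ", FolderPath))
// One normalised row per event so the four tables read as a single timeline
| project Timestamp, Source, Account, Detail
| order by Timestamp asc
```

Reading the result top to bottom gives you the sequence the flags usually ask about: which account was active, what the parent process launched, which process reached out and to where, and what landed on disk. Widen the window or drop the "Public" filter when the chain involves lateral movement inside the network, and remember that SecurityEvent and Syslog are Sentinel-only tables, so a hunt that uses them needs the Sentinel workspace rather than Advanced Hunting.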
The flag format is confusing. What do I submit?
Each challenge tells you the expected format. Read the Format line carefully. Common formats include IP addresses, file paths, hostnames, timestamps, and process names. Case sensitivity depends on the flag.

Can I work with a friend?
No. All hunts are solo unless stated otherwise. Discuss techniques after the hunt closes, not during.

I am stuck on a flag. What do I do?
Use Hint 1 first. It is free and gives you a methodology nudge. If you are still stuck, Hint 2 costs points but gives you data-specific guidance. Move on to other flags and come back later.