The Submission Workflow
At CyberDefenders, we streamline lab submissions to ensure quality and educational value while respecting contributors’ time. Here’s how it works:
Draft Submission: Submit your lab concept via our Create Lab page, including lab name, category, brief idea description, artifact type, artifact description, optional reference links, and an optional attack diagram.
Initial Review: Our engineers evaluate alignment with BlueYard’s mission (e.g., relevance to SOC scenarios, DFIR artifacts, or threat hunting). Feedback is provided within 3–5 business days.
Approval & Lab Initiation: Once your idea is approved, you'll receive an email confirmation and an invitation to our exclusive Discord channel for direct support. At this stage, you can begin creating detailed lab content.
QA & Final Review: Our team verifies technical accuracy, realism, and adherence to difficulty guidelines. Ethical checks ensure no sensitive/real customer data is included.
Rejection Support: If your lab requires revisions, you'll receive mentorship via our Discord community, including live troubleshooting tips and guidance for aligning with MITRE ATT&CK frameworks or addressing other creation issues.
Publication: Approved labs go live with contributor credit! Rejected submissions receive actionable feedback for resubmission.
Lab Content Requirements
Labs must balance challenge and education:
1. Scenario Design
Craft scenarios mimicking actual breaches (e.g., “Ransomware attack on a retail POS system”) with actionable context.
Avoid hypotheticals (e.g., “Imagine you’re an analyst…”). Instead, provide forensic evidence trails.
2. Question Framework
8–12 questions per lab, progressing from easy to complex (attack reconstruction).
Answers must require artifact analysis—no “trivia” or guesswork.
3. Tool Integration
Provide a list of the tools needed to complete the lab exercises.
4. MITRE ATT&CK Alignment
Align the lab with the relevant MITRE ATT&CK techniques and tactics.
5. Walkthrough Documentation
Solution Path: Document the intended investigation path with detailed explanations.
Evidence Analysis: Show how each piece of evidence contributes to answering the lab questions.
Tool Usage: Demonstrate how specific tools should be used to analyze artifacts.
Screenshots: Include visual evidence of the analysis process and findings.
Lab Artifact Requirements
The quality and authenticity of artifacts are crucial for creating a practical learning experience.
All lab artifacts must be entirely created by you and must not infringe upon any copyrights.
Network Setup: Create realistic network configurations that represent common organizational structures.
Noise Background: Artifacts must include malicious activity alongside benign user-generated data (e.g., scheduled backups and web browsing traces).
All artifacts must be compressed and password-protected with the standard password "infected" (without the quotes).
Defining Lab Difficulty
Difficulty | Criteria |
Easy | |
Medium | |
Hard | |
Insane | |