Advanced
Lesson 35 of 35 · ~10 min

Final scenario assessment

The shape of the final assessment, the categories it weights, and worked scenarios that rehearse the judgement framework one last time before the scored run.

The final assessment is the LMS’s recommendation that you are ready for live tickets at the boundary this course describes. This lesson covers the assessment’s shape, what it measures, and three worked scenarios that rehearse the judgement framework one last time.

The shape of the assessment

Fifteen scored scenarios spanning Courses 2 through 8. Each scenario is multi-decision: usually two or three branching choices that test whether you can follow the right reflex through a realistic ticket end-to-end. The scenarios pull from:

  • At least one onboarding decision-point (Course 2).
  • Mixed EDR scenarios (Course 4). Standard workflow on Lows, Highs with paired actions and user verification.
  • Critical scenarios (Course 5). Canary trips, containment-first response, recognition of the markers.
  • ITDR scenarios (Course 6). At least one Google Workspace and one tenant-wide compromise pattern.
  • SIEM scenario if your MSP runs Managed SIEM (Course 7). Otherwise skipped.
  • Communication scenarios (Course 8). Choosing channels, writing close-outs, replying to the SOC.
  • Judgement scenarios (Course 9). Mandatory-escalation categories, calibrated-uncertainty triggers, recognising the traps.

The pass mark

Recommended: 12 of 15 (80%). Your MSP may set a higher or lower bar.

Two scenario categories are weighted for review even when the overall score is above 80%: Critical scenarios (Course 5) and ITDR scenarios (Course 6). These are the highest-blast-radius categories. Getting them wrong on the assessment suggests the calibration is not yet right for live work in those areas. The senior may ask you to revisit specific lessons before sign-off.

What the assessment does not test

  • Memorisation of portal menu paths (these change).
  • Knowledge of specific runbooks (these are your MSP’s).
  • Familiarity with specific customers (you do not have any yet).

If a scenario seems to depend on customer-specific or runbook-specific knowledge, the scenario is testing whether you would ask the right question rather than guess.

Worked scenario 1: customer-versus-SOC tension

The IT manager wants the host released
A customer's IT manager calls: 'Release the isolated host. The user confirmed they were signing in from the airport.' The SOC's Incident Report recommended the isolation and has not yet closed. The remediation is not verified.
What do you do?

Worked scenario 2: unfamiliar detection with extra Evidence

Confident Recommendation, extra signals in Evidence
An EDR Incident Report with a clean, well-formatted Recommendation: approve the autoruns remediation. While reading the Evidence section, you notice additional signals (a scheduled task and a suspicious service) the Recommendation does not mention.
What do you do?

Worked scenario 3: the communication choice

How do you tell the customer?
You have just resolved a High-severity EDR incident on a customer's finance server. Remediation applied, verified, endpoint clean. The customer's IT manager is expecting an update. You need to choose the notification framing.
Which notification framing do you use?

The relationship to your MSP’s sign-off

Passing the assessment is the LMS’s recommendation. Your MSP’s sign-off process is the actual gate to live work.

  1. You pass the assessment

    The LMS recommends you are ready for the boundary the course describes. The assessment-pass triggers the senior review.

  2. Your senior reviews your readiness

    The senior weighs the LMS recommendation alongside context the LMS does not have: shift performance, customer comms, observed reliability.

  3. Shadow sessions

    You shadow live tickets. Your senior works them while you watch, or works them with you watching. Even one or two sessions accelerate pattern recognition.

  4. Supervised work

    You work live tickets under direct senior review. The senior signs off each closure.

  5. Unsupervised work at the boundary

    You are cleared for unsupervised work at the boundary the course describes. The boundary extends over time with experience.

The assessment-pass is one input to the senior’s decision. It is not the decision itself.

How to prepare

Three things worth doing before the assessment:

Re-read pattern lessons. Lessons 1.2 (managed-SOC keystone), 1.8 (recommendation vs. context), 4.5 (when to isolate), 5.1 (Critical markers), 6.1 (identity blast-radius), 9.1 (mandatory escalation), 9.4 (common traps). These are the lessons whose judgement shows up most across scenarios.

Re-read shadow session notes if you have shadowed any live tickets. Real ticket experience calibrates the scenarios.

Glance at the outline. Refreshing which surfaces each course covers helps the scenarios feel mapped rather than novel.

The test you carry in

The two-question test from Course 9 loads throughout the assessment: is this reversible? Do I understand why this is the right action? If either internal answer is no, the scenario’s options usually include “escalate” or “clarify before acting.” That is the calibrated answer.

When in doubt during the assessment, the most reliable instinct is the one this course has been installing: trust the SOC’s Recommendation, act on the action zone, surface context to the right body, escalate at the categories, and do not click-and-see.

Loading quiz…
Take the final quiz