Replay Scenario Library

Train like it is real, without the risk.

Replay transforms authentic security telemetry into safe, repeatable scenarios so teams can practice, test, and demonstrate with confidence.

Every scenario preserves cadence, enrichment, and artifacts while removing sensitive data. Analysts gain realism, leaders gain assurance, and no production system is exposed.

Practice real incidents

Most SOCs never revisit full telemetry from an event. Replay lets them capture the entire stream, sanitize it, and replay it exactly as it happened.

Improve analyst performance

Students build muscle memory investigating real workloads. Workbooks guide them through validation, scoping, response, and hot wash.

Raise demo credibility

Sales and partner teams show Fluency correlation on live-feeling data, not disconnected screenshots.

Why Replay Matters

Most teams never get to practice real incidents. Replay solves this by letting you capture real telemetry, sanitize it, and replay it exactly as it happened.

Students learn faster. Analysts perform better. AI improves. Demos resonate.

What Teams Achieve with Replay

  • Faster SOC onboarding with progressive scenarios
  • Repeatable, instructor-led experiences across partners and classrooms
  • High-impact malware demonstrations grounded in lab telemetry
  • Controlled environments for AI workflow and Fluency Assist evaluation
  • Detections tested and tuned before they reach production
  • Consistent enablement for VARs, MSSPs, and training academies

How Replay Flows

  1. Capture: Select a timeframe, asset, or trigger inside Fluency or the malware lab.
  2. Sanitize: Scrub identifiers, apply masking policies, and review for safe redistribution.
  3. Package: Version the sanitized payload with workbook context and artifacts.
  4. Replay: Stream into Fluency, export for classwork, or share with partners.
  5. Learn: Guide teams through validation, scoping, response, and hot wash.

Scenario Definition

Replay scenarios represent real windows of activity exactly as they happened. Each capture preserves timing, behavior, enrichment, and context so analysts can replay an event the same way every time. A scenario may be a five-minute burst of suspicious activity or a multi-hour sequence that shows how an attack unfolds from first action to final impact.

Capture Methods

Replay supports several capture styles, designed for both production and lab use.

How captures are defined:

  • By timestamp (start and end time)
  • By asset or user
  • By behavioral triggers (e.g., privilege escalation, lateral movement)

What gets captured:

  • Malware execution in the lab
  • Privilege escalation attempts
  • Insider activity
  • Configuration changes
  • Cloud control-plane updates
  • Normal operational activity for baselining

Production captures originate from HEC streams.

Lab captures originate from the malware detonation environment.

Storage and Sanitization

Every captured stream goes through a sanitization pipeline that removes identifying data while preserving analytical value. Replay applies masking, field substitution, and structured review to ensure scenarios are safe for redistribution. Each sanitized stream is versioned, stored, and ready for replay or offline use.

Formats and Destinations

Replay scenarios can be delivered wherever teams work and train.

  • Stream directly into Fluency
  • Export as a replay file for classes or workshops
  • Share with partners and VARs
  • Use in controlled AI workflows for model evaluation

Fluency's scoring system treats each replayed scenario exactly like the original event, making analysis and detection tuning consistent and repeatable.

Scenario Categories

Malware Detonations

Sysmon, SentinelOne, and network captures straight from the malware lab.

Credential Misuse

Privilege escalation attempts, lateral movement, and MFA fatigue patterns.

Cloud Misconfigurations

IAM drift, exposed storage, and control plane changes mapped across SaaS and IaaS.

Insider Activity

Endpoint and SaaS audit trails that track staging, exfiltration, and stealth techniques.

Mixed Replay Scenarios

Combined host, network, OT, and application telemetry for multi-signal investigations.

Adversary Behavior Chains

Chained detections that teach analysts how tactics evolve over hours, not minutes.

Replay + Malware Lab

Complete adversary simulation from execution to correlation.

Malware lab runs feed directly into Replay, giving you sanitized Sysmon, SentinelOne, ArmorX, and network telemetry that behaves exactly like the live infection.

Show how Fluency correlates every hop, then let students replay the same workload the next day.

A Scenario in Practice

A user executes ransomware in a lab. SentinelOne captures the behavior. Sysmon records file operations. The firewall logs lateral movement attempts. Replay packages this entire event into a scenario that your students can analyze tomorrow, exactly as it happened. The workbook walks them through every stage, and you can replay the same outcome for the next cohort without touching production.

Featured Scenarios

Malware

Ransomware Detonation

Full kill chain capture from reconnaissance to encryption, sourced from the malware lab.

Identity

OAuth Token Theft

Identity provider logs combined with SaaS telemetry to show privilege abuse.

Insider

Insider File Exfiltration

Endpoint, DLP, and proxy data illustrate data staging and transfer paths.

Multi-Stage

Phishing to Cloud Compromise

Email gateway, EDR, and cloud control-plane events demonstrate cross-layer analysis.

Training and Demo Usage

Replay is designed for SOC onboarding, partner workshops, demonstrations, and AI evaluation. Instructors can walk students through realistic events using the Replay workbook.

Partners can use scenarios to show correlation and detection quality. Sales teams can replay malware lab runs to illustrate how Fluency evaluates infections, lateral movement, and cross-source behavior.

Future Content

The Scenario Library will continue to grow as new captures are sanitized and published. Expect downloadable scenario cards, filtering tools, and curated collections purpose-built for training programs and workshops.