Grimoire Build Guide and UGC Submission Expectations

  • Updated
Follow

This article guides users on what Grimoire Labs are and outlines detailed instructions for creating, packaging, and submitting Grimoire exercises, focusing on blue-team investigative skills through realistic artifact analysis. It sets clear expectations for quality, components, and learning outcomes to ensure effective, evidence-driven defensive security training.

What is a Grimoire?

A Grimoire is a blue-team–oriented investigative exercise designed to teach defensive security skills through realistic analysis of telemetry generated by a concrete attack or malware execution. Grimoires are detective-style challenges that focus on understanding what happened, how it happened, and what evidence proves it.

Grimoires may cover areas such as:

  • Threat hunting
  • Incident response (IR)
  • Endpoint, memory, and network forensics
  • Malware analysis
  • Log analysis and correlation
  • Supporting disciplines such as cryptography or signal analysis

All Grimoires are educational and fictitious, even when inspired by real-world techniques. A note that realism is valued and real-world scenarios have higher odds of being accepted via the UGC program. 

Core Design Principles

When building a Grimoire, keep the following principles in mind:

  • Evidence-Driven
    Learners must derive conclusions from provided artifacts, not from guesswork or hidden assumptions.
  • Narrative Coherence
    All artifacts should align to a single, believable attack story or investigative scenario.
  • Defensive Mindset
    The focus is on detection, investigation, and reasoning - not exploitation or red teaming.
  • Realistic Telemetry
    Artifacts should resemble what defenders would encounter in real environments (logs, memory, binaries, PCAPs, etc.).

Required Components

A complete Grimoire typically includes:

  1. Scenario Description
    • High-level context (organization, environment, suspected incident)
    • Clear investigative goal (what the learner is trying to determine)
    • No spoilers or guiding to answers

  2. Artifact Set

    Artifacts must directly support the investigation and may include:

    • Memory dumps or process dumps
    • Executables or scripts (sanitized and safe)
    • Log files (EDR, Windows Event Logs, application logs, etc.)
    • Network captures (PCAPs)
    • Supporting files (configs, registry hives, timelines)

    Artifacts should be:

    • Internally consistent
    • Labeled and structured clearly
    • Recorded/created in a realistic manner

  3. Guiding Questions

    Questions should:

    • Lead the learner through the investigation logically
    • Encourage hypothesis validation using evidence
    • Escalate in difficulty from basic observations to deeper analysis

    Avoid yes/no questions where possible - prefer how, what, when, and why.

  4. Expected Findings (Internal)

    For reviewers and solution authors only:

    • Key investigative milestones
    • Critical artifacts and how they support conclusions
    • Common pitfalls or false leads

Quality Expectations

To meet OffSec standards, a Grimoire should:

  • Be solvable using only the provided artifacts
  • Avoid reliance on obscure, undocumented methods
  • Reward careful analysis rather than tool memorisation
  • Be reproducible and technically sound
  • Teach at least one clear defensive or investigative skill

Learning value, or the submission quality is prioritized over volume or complexity. That said, the files provided need to have enough complexity that they resemble ‘real world’ data - see the Common Pitfalls below. We encourage authors to view OffSec Gauntlet challenges to get an idea on what to expect for a Grimoire, or consult the sample Grimoire submission here

Common Pitfalls to Avoid

  • Missing artifacts required to answer questions
  • Artifacts that contain minimal data
    • Example 1: a PCAP cannot contain only the attack traffic. PCAPs must include malicious traffic and ‘background noise’ (in other words, both legitimate and malicious traffic).
    • Example 2: Artifacts cannot contain a limited volume of data. A PCAP file capturing 30 seconds worth of traffic is undesirable. PCAP files with a duration of less than 20 minutes or minimal Sysmon log datasets will be rejected. 
  • Artifacts that contradict the intended narrative.
  • Overly vague questions with multiple valid interpretations.
  • Including offensive steps the learner could not realistically observe.
  • Hiding answers behind unnecessary rabbit holes.

Success Criteria

A Grimoire is successful when a learner can:

  • Reconstruct the incident timeline
  • Explain attacker behavior using evidence
  • Justify conclusions clearly and defensibly
  • Transfer the learned skills to real-world defensive scenarios

If you design with clarity, realism, and evidence at the core, your Grimoire will provide meaningful blue-team learning value and be more likely to be accepted via UGC. Should you have further questions, please feel free to reach out on OffSec’s Discord, using the user-generated-content channel.

 

 

 

Related articles

Powered by Zendesk