This article guides users on what Grimoire Labs are and outlines detailed instructions for creating, packaging, and submitting Grimoire exercises, focusing on blue-team investigative skills through realistic artifact analysis. It sets clear expectations for quality, components, and learning outcomes to ensure effective, evidence-driven defensive security training.
What is a Grimoire?
A Grimoire is a blue-team–oriented investigative exercise designed to teach defensive security skills through realistic analysis of telemetry generated by a concrete attack or malware execution. Grimoires are detective-style challenges that focus on understanding what happened, how it happened, and what evidence proves it.
Grimoires may cover areas such as:
- Threat hunting
- Incident response (IR)
- Endpoint, memory, and network forensics
- Malware analysis
- Log analysis and correlation
- Supporting disciplines such as cryptography or signal analysis
All Grimoires are educational and fictitious, even when inspired by real-world techniques. Note that realism is valued: scenarios modelled on real-world incidents have a higher chance of being accepted via the UGC program.
Core Design Principles
When building a Grimoire, keep the following principles in mind:
- Evidence-Driven: Learners must derive conclusions from provided artifacts, not from guesswork or hidden assumptions.
- Narrative Coherence: All artifacts should align to a single, believable attack story or investigative scenario.
- Defensive Mindset: The focus is on detection, investigation, and reasoning, not exploitation or red teaming.
- Realistic Telemetry: Artifacts should resemble what defenders would encounter in real environments (logs, memory, binaries, PCAPs, etc.).
Required Components
A complete Grimoire must include:
1. Grimoire Difficulty
The difficulty ratings below are defined from the perspective of a practitioner in a defensive role with the appropriate skills and contextual knowledge. Learners with a primarily offensive background may perceive these Grimoires as more challenging, which should not impact the difficulty score when submitting via UGC.
Easy
These Grimoires should:
- Cover foundational concepts
- Require straightforward methods or simple application
- Involve fewer steps and require limited tools/techniques
How it feels: Predictable outcome, quicker answers
Medium
These Grimoires should:
- Require combining multiple basic skills
- Need some reasoning and judgment
- May involve short exploratory steps
How it feels: Moderate problem solving, some critical thinking
Hard
These Grimoires should:
- Require synthesis of multiple tools/ideas
- Need careful understanding and a high level of skill
- Involve several steps in order to find the solution
How it feels: Demands deep understanding and time
Insane
These Grimoires should:
- Be open-ended or highly complex
- Require deep reasoning, creativity, and persistence to solve multi-stage problems with unexpected challenges
- Include hidden pitfalls or complex scenarios with no obvious linear path, or require advanced pattern recognition
How it feels: Requires expert-level reasoning
2. Scenario Description
- High-level context (organization, environment, suspected incident)
- Clear investigative goal (what the learner is trying to determine)
- No spoilers or guiding to answers
3. Artifact Set
Artifacts must directly support the investigation and may include:
- Memory dumps or process dumps
- Executables or scripts (sanitized and safe)
- Log files (EDR, Windows Event Logs, application logs, etc.)
- Network captures (PCAPs)
- Supporting files (configs, registry hives, timelines)
Artifacts should be:
- Internally consistent (e.g. the attacker's IP in a PCAP must match the IP in the logs)
- Labeled and structured clearly (but the filename should not give any hints)
- Recorded/created in a realistic manner (realistic attacks take time: longer than a few minutes)
Submission format:
- Your Grimoire submission must include a readme, a walkthrough, a questions-and-answers document, and a separate password-protected zip file that contains only the artifacts for the Grimoire (PCAPs, logs, etc.). The protected zip file's password must use this format: WordWordWord123 (three words, each with the first letter capitalised, followed by three digits, without any spaces).
4. Questions
Questions should:
- Guide the learner through the investigation logically
- Encourage hypothesis validation using evidence
- Escalate in difficulty from basic observations to deeper analysis
- Explain what format the answer should be in; for example if a filename is required, does the answer require just the filename itself or need the full path?
Questions should not:
- Be leading. These are questions that prompt or partially divulge the answer.
- Require yes/no answers; instead, ask how, what, when, and why.
5. Points
Every Grimoire should contain several questions (5-10), and each question needs to be worth a certain amount of points. The total number of points is linked to the overall difficulty of the Grimoire, as outlined below:
| Difficulty | Total Points |
| --- | --- |
| Easy | 40 |
| Medium | 60 |
| Hard | 80 |
| Insane | 100 |
As the Grimoire creator, you determine the number of points per question so that they add up to the total points for the difficulty. Harder questions should be worth more points than easier questions.
For example, an Easy difficulty Grimoire with 6 questions could have the following point breakdown:
- Question 1 (easy) = 2 points
- Question 2 (medium) = 4 points
- Question 3 (hard) = 8 points
- Question 4 (medium) = 10 points
- Question 5 (medium) = 10 points
- Question 6 (easy) = 6 points
- Total: 40 points
NOTE: In the example above, the labels “easy,” “medium,” and “hard” indicate relative difficulty within the context of a single Grimoire. As a result, a “hard” question in an Easy difficulty Grimoire does not represent the same level of difficulty as a “hard” question in a Hard difficulty Grimoire.
6. Expected Findings (Internal)
For reviewers and solution authors, a full investigative walkthrough must be included (this information is not shared with learners when the Grimoire becomes student facing):
- Key investigative milestones
- Critical artifacts and how they support conclusions
- Common pitfalls or false leads
Quality Expectations
To meet OffSec standards, a Grimoire should:
- Be solvable using only the provided artifacts
- Avoid reliance on obscure, undocumented methods
- Reward careful analysis rather than tool memorisation
- Be reproducible and technically sound
- Teach at least one clear defensive or investigative skill
Learning value and submission quality are prioritized over volume or complexity. That said, the files provided need enough complexity to resemble real-world data; see the Common Pitfalls below. We encourage authors to look at OffSec Gauntlet challenges to get an idea of what to expect for a Grimoire, or to consult the sample Grimoire submission here.
Common Pitfalls to Avoid
- Missing artifacts required to answer questions
- Artifacts that contain minimal data
  - Example 1: a PCAP cannot contain only the attack traffic. PCAPs must include malicious traffic and background noise (in other words, both legitimate and malicious traffic).
  - Example 2: artifacts must not hold only a small volume of data. A PCAP file capturing 30 seconds' worth of traffic is undesirable. PCAP files with a duration of less than 20 minutes, or minimal Sysmon log datasets, will be rejected.
- Artifacts that contradict the intended narrative.
- Overly vague questions with multiple valid interpretations.
- Including offensive steps the learner could not realistically observe.
- Hiding answers behind unnecessary rabbit holes.
- Using your own name, nickname or handle as a username within the Grimoire.
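An author-side pre-submission check for the artifact requirements above (attacker IP consistent between PCAP and logs, a capture of at least 20 minutes with more than one conversation, and the WordWordWord123 zip password format), written as an added example that is not part of the OffSec guidance. It parses classic little-endian libpcap files directly; the sample capture it builds, the IPs and the password are constructed for illustration only.

```python
import re
import struct
from ipaddress import IPv4Address

PCAP_MAGIC = 0xA1B2C3D4
MIN_CAPTURE_SECONDS = 20 * 60  # the page's minimum PCAP duration
PASSWORD_RE = re.compile(r"^(?:[A-Z][a-z]+){3}\d{3}$")  # WordWordWord123

def ipv4_packet(ts, src, dst):
    # Constructed pcap record: Ethernet + bare IPv4 header, only the fields read below.
    ip = bytearray(20)
    ip[0] = 0x45                                    # version 4, IHL 5
    ip[12:16] = IPv4Address(src).packed
    ip[16:20] = IPv4Address(dst).packed
    frame = b"\x00" * 12 + b"\x08\x00" + bytes(ip)  # zero MACs, EtherType IPv4
    return struct.pack("<IIII", int(ts), int((ts % 1) * 1e6), len(frame), len(frame)) + frame

def build_pcap(records):
    # Classic little-endian libpcap file: 24-byte global header, then (ts, src, dst) records.
    header = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    return header + b"".join(ipv4_packet(*r) for r in records)

def pcap_summary(data):
    """Return (capture duration in seconds, set of (src, dst) IPv4 pairs)."""
    assert struct.unpack_from("<I", data, 0)[0] == PCAP_MAGIC, "not a classic LE pcap"
    off, first, last, pairs = 24, None, 0.0, set()
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _ = struct.unpack_from("<IIII", data, off)
        pkt = data[off + 16: off + 16 + incl_len]
        off += 16 + incl_len
        last = ts_sec + ts_usec / 1e6
        first = last if first is None else first
        if len(pkt) >= 34 and pkt[12:14] == b"\x08\x00" and pkt[14] >> 4 == 4:
            pairs.add((str(IPv4Address(pkt[26:30])), str(IPv4Address(pkt[30:34]))))
    return (0.0 if first is None else last - first), pairs

def artifact_issues(pcap_bytes, log_attacker_ip, zip_password):
    """List the pitfalls found in a submission; an empty list means it passed."""
    duration, pairs = pcap_summary(pcap_bytes)
    hosts = {ip for pair in pairs for ip in pair}
    issues = []
    if duration < MIN_CAPTURE_SECONDS:
        issues.append(f"capture lasts {duration:.0f}s, below the 20 minute minimum")
    if len(pairs) < 2:
        issues.append("PCAP holds a single conversation; add legitimate background traffic")
    if log_attacker_ip not in hosts:
        issues.append(f"attacker IP {log_attacker_ip} from the logs never appears in the PCAP")
    if not PASSWORD_RE.fullmatch(zip_password):
        issues.append("zip password must follow the WordWordWord123 format")
    return issues
```

Run `artifact_issues` on the real capture bytes (`open("capture.pcap", "rb").read()`), the attacker IP taken from the log artifacts, and the chosen zip password; pcapng captures need converting to classic pcap first.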
Success Criteria
A Grimoire is successful when a learner can:
- Reconstruct the incident timeline
- Explain attacker behavior using evidence
- Justify conclusions clearly and defensibly
- Transfer the learned skills to real-world defensive scenarios
If you design with clarity, realism, and evidence at the core, your Grimoire will provide meaningful blue-team learning value and be more likely to be accepted via UGC. Should you have further questions, please feel free to reach out on OffSec’s Discord, using the user-generated-content channel.
Changelog
| Version Number | Date edit was made | Summary of edit |
| --- | --- | --- |
| 0 | 2026/01/28 | Initially published to Help Centre |
| 1 | 2026/02/17 | |