01
A space-operations analyst leaning toward a console showing an anomalous telemetry waveform, hand poised above an acknowledge keypad, a second operator turning toward the alert
MISSION FOUR DETECT
Mission Four
DETECT.
“An alert is a hypothesis. An incident is a confirmed fact.”

You reported clean nominal ops. Now the platform shows anomalies: you triage them, separate nuisance alerts from confirmed incidents, and escalate the confirmed ones to the mission lead in the right format.

MISSION FOUR · MOD 09
00/00
UTC
02
Learn / Apply / Build / Simulate · the LABS framework, mapped to KSAT

OBJECTIVES

Mission Four of five. Six objectives, in the order you build them. Each marker below also tags the work that builds toward it.

Marker LABS KSAT Statement
L1(L)EARNKnowledgeKnow the difference between an alert (a hypothesis raised by a detection signature) and an incident (a threat a human has confirmed).
L2(L)EARNKnowledgeKnow the three triage judgments and what each one means: nuisance, watch, and incident.
A1(A)PPLYSkillTriage every alert in your domain within sixty seconds into one of the three judgments.
A2(A)PPLYSkillEscalate a confirmed incident to the mission lead in the right format, with the evidence that rules out a nuisance.
B1(B)UILDAbilityConfirm an incident end-to-end: source, structural anchor, evidence, severity, recommended action, and who needs to know.
S1(S)IMULATETaskTriage live alerts and escalate the confirmed incidents on the platform, and work the scored in-platform objective.
MISSION FOUR · MOD 09
00/00
UTC
00
Mission Roadmap · your path through this mission, start to finish

MISSION ROADMAP

Start here01Mission brief
02Alert vs incident
03Triage & escalate
04Front-line transfer
Finish05Debrief & exam
follow the path left to right · each step builds on the one before
MISSION FOUR · MOD 09
00/00
UTC
02
Build on Mission Three · what each role detects

WHAT YOU DETECT

The platform starts throwing anomalies. An alert is a hypothesis from a detection signature; an incident is a confirmed threat. Each role triages its own alerts in sixty seconds and escalates the confirmed ones.

▷ MISSION LEAD

Focus: confirm and escalate.

  • · Arbitrate triage ties
  • · Confirm the incident hypothesis
  • · Sign every escalation
  • · Record the confirmed incident
A mission lead standing at a supervisory console directing the team, with overview screens behind
▷ SATELLITE OPERATIONS

Focus: detect on the bus.

  • · Watch telemetry anomalies
  • · Triage each alert in sixty seconds
  • · Nuisance, watch, or incident
  • · Escalate the confirmed ones
A satellite operator at a console watching cyan spacecraft-orbit and bus-health displays
▷ PAYLOAD OPERATIONS

Focus: detect on the payload.

  • · Watch tasking and capture irregularities
  • · Triage each alert in sixty seconds
  • · Nuisance, watch, or incident
  • · Escalate the confirmed ones
A payload operator at a console watching green earth-observation imagery and downlink displays
ALERT vs INCIDENT · Most alerts fire on benign causes. Every alert gets one of three judgments within sixty seconds: nuisance (acknowledge), watch (log and revisit), or incident (escalate and report).
MISSION FOUR · MOD 09
00/00
UTC
03
In the platform · scored · operational skill validation

YOUR MISSION OBJECTIVE & QUESTIONS

You triage the alerts and escalate the confirmed incidents. Inside the Zendir operator platform you work a mission objective and answer ten fixed questions. The platform scores your answers, so this is operational skill validation, not a quiz. The final objective and questions are confirmed with Zendir.

▷ MISSION OBJECTIVE · IN-PLATFORM

Triage every alert in the pass, separate cyber-physical activity from natural hardware faults, and escalate confirmed incidents in the detection-report format.

SCENARIO · ZENDIR
Orbit: MEO · ~2,222 km · 70° inclination
Ground stations: Tokyo, Anchorage, Houston, Lima, Santiago
Tasking: Vessel imaging over the Caribbean and the west coast of Peru
▷ TEN FIXED QUESTIONS · SCORED IN-PLATFORM
SATELLITE OPERATIONS
Q1. Around which ground station did the GPS spoofing occur?
Q2. Which signature best indicates GPS spoofing rather than a sensor fault?
Q3. At what elapsed mission time (minutes) did the cyber text inject begin?
Q4. What hidden text appeared in the Power Source telemetry message?
PAYLOAD OPERATIONS
Q5. How many black vessels are visible in the Caribbean tasking region?
Q6. How many orange vessels are visible on the West-coast of Peru?
Q7. Whilst attempting the Peruvian vessels, which reaction wheel became stuck?
MISSION LEAD
Q8. Alert versus incident: which alert is a natural hardware fault (not cyber)?
Q9. Which alerts belong in the cyber detection report to command leadership?
Q10. After the Payload Operations brief on the reaction wheel fault, what should the Mission Lead do?

NOTE · Fixed questions, answered and scored in the Zendir platform as operational skill validation.

ESCALATION · Every confirmed incident is escalated to the mission lead, who signs off and records it. The response itself comes in Mission Five.
MISSION FOUR · MOD 09
00/00
UTC
04
From the floor to the front lines · take it back to your organization

FROM THE FLOOR TO THE FRONT LINES

This work is not meant to stay on the operations floor. Take your detection report back to your organization and start the work there. It is how you bring Security Operations, Satellite Operations, and Satellite Design and Engineering onto the same page.

▷ TAKE IT BACK

Walk your detection report off the operations floor and into your own operations. Start this work with your team when you get back.

DOWNLOAD · Fill the detection report with your team, then download it as a PDF or a DOC to take to your work center.
MISSION FOUR · MOD 09
00/00
END
RESPOND MISSION FIVE MODULE 10
Mission Four complete · Mission Five next

RESPOND.

Mission Five takes the detection reports you just produced and turns them into executed responses, under time pressure, with your playbooks and resilience measures in hand.

CARRY FORWARD
Your detection report format, built on the incident-response plan and ready to adapt at your organization.
IN MISSION FIVE
Response decision tree, role coordination under pressure, after-action record.
END
MISSION FOUR · MOD 09
00/00
'; var blob=new Blob(['',html],{type:'application/msword'}); var url=URL.createObjectURL(blob); var a=document.createElement('a'); a.href=url; a.download=name+'.doc'; document.body.appendChild(a); a.click(); document.body.removeChild(a); setTimeout(function(){URL.revokeObjectURL(url);},1000); }); }); })();
REFERENCE LIBRARY

Standards, Policies & Sources

The instruments this course aligns to. Each element links to its primary source.

U.S. National Security Space Policy

CNSS Policy No. 12 (CNSSP-12)Information-assurance policy for national security space systems. CNSS Instruction 1200 (CNSSI 1200), Aug 2025Implementing requirements: on-board intrusion detection, hardware root-of-trust, patch management. DoDI 8581.01Information-assurance policy for space systems used by the DoD. Space Policy Directive 5 (SPD-5), 2020First comprehensive U.S. cybersecurity principles for space systems.

Executive Orders

EO 14144 (Jan 16, 2025)Strengthening and Promoting Innovation in the Nation’s Cybersecurity. EO 14306 (Jun 6, 2025)Sustaining select efforts, amending EO 13694 and EO 14144.

NIST Standards & FISMA

NIST SP 800-53 Rev. 5Security and privacy controls; IR-3 incident-response testing. NIST SP 800-37 Rev. 2Risk Management Framework; continuous monitoring and annual control assessment. NIST IR 8270Introduction to Cybersecurity for Commercial Satellite Operations. NIST IR 8401Satellite Ground Segment cybersecurity framework profile. NIST IR 8441Cybersecurity Framework Profile for Hybrid Satellite Networks. NIST SP 800-160 Vol. 2 Rev. 1Cyber resiliency goals: Anticipate, Withstand, Recover, Adapt. FISMAFederal Information Security Modernization Act; annual program review obligation.

Threat Frameworks (analytic layer)

MITRE ATT&CKAdversary tactics and techniques knowledge base. MITRE CAPECCommon Attack Pattern Enumeration and Classification; dictionary of attack patterns that exploit known weaknesses. MITRE D3FENDKnowledge graph of defensive countermeasures and techniques, mapped to ATT&CK (NSA-funded, maintained by MITRE). SPARTASpace Attack Research and Tactic Analysis (The Aerospace Corporation). ESA Space ShieldEuropean Space Agency space-system threat framework.

EU & Global

NIS2 Directive (EU 2022/2555)Risk management and 24h/72h incident reporting; space sector in scope. EU Space Act (proposal, 25 Jun 2025)Space-specific resilience and cybersecurity obligations; extraterritorial scope. ENISA Space Threat LandscapeEuropean threat landscape and recommendations for space operators. Cyber Resilience Act (CRA)Connected hardware/software requirements; applies from December 2027.

Open-Source Vocabulary & Tooling

METEORSTORM MISP taxonomyThe course vocabulary, live and open source in the MISP taxonomy repository. MISP / CIRCLComputer Incident Response Center Luxembourg, maintainers of MISP. RootAPublic-domain open detection language (YAML) used in Module 04 to write portable signatures. (github.com/UncoderIO/Roota) Uncoder.IOOpen-source IDE and translation engine that ports RootA rules across SIEM, EDR, and XDR formats. SpaceCOP & Indicators of BehaviorDHS S&T + Aerospace Corp. on-board intrusion-detection prototype. CROO (Cyber Resilience On-Orbit)Proof Labs on-board IDS for the Space Force.

Community & Reporting

Space ISACSpace Information Sharing and Analysis Center. Air & Space Forces MagazineWaterman, “New Cybersecurity Rules for Pentagon’s Commercial Satellite Vendors,” Nov 19, 2025. Via Satellite“DHS Wants Satellite Volunteers to Test New Cyber Tools,” Nov 17, 2025. Defense Daily“New National Space Cybersecurity Policy Emphasizes Intrusion Detection,” Nov 18, 2025. Mayer Brown legal analysis“Securing the Final Frontier,” Dec 11, 2025 (US and EU regulatory map).