FULL SPECTRUM SPACE CYBERSECURITY PROFESSIONAL
(SCOR Practitioner) — Session 2: Live Operations
Zendir.io Digital Twin Platform — From Theory to Operations
4 Hours  |  5 Knowledge Domains  |  40 Minutes Each
Delivered by ProofLabs  |  In partnership with ethicallyHackingspace (eHs)®
SCOR Practitioner — Session 2
ethicallyHackingspace (eHs)® | ProofLabs | TLP-GREEN2
OPERATIONS BRIEFING
Your Five Live Missions — From Situational Awareness to Cyber Defense
You trained as space cybersecurity operators in Session 1. Now you operate for real. The Zendir.io digital twin puts you in the operator's seat. Each mission escalates from monitoring to active defense.
6
OVERWATCHSpace Situational Awareness — Open Your Eyes (40 min)
7
HELIOSSatellite Operations — Hands on the Wheel (40 min)
8
APERTUREPayload Operations — Capture the Mission (40 min)
9
SAFEGUARDSatellite Ops IR — When Things Go Wrong (40 min)
10
THUNDERDOMESatellite Cyber IR — Fight for the Platform (40 min)
MISSION QUESTION
You've built the threat model, the detection rules, and the telemetry plan. Now you're at the operator terminal. What is the very first thing you check?
SCOR Practitioner — Session 2
ethicallyHackingspace (eHs)® | ProofLabs | TLP-GREEN3
SESSION 1 FOUNDATIONS RECAP
✓ BLUEPRINT
🗺
Platform decomposed using METEORSTORM five-layer model. All assets, segments, and services catalogued.
✓ PANORAMA
📡
Threat landscape mapped across six enrichment sources: SPARTA, ATT&CK, EMB3D, D3FEND, MISP, STIX.
✓ SENTINEL
🛡
Priority Intelligence Requirements established at Strategic, Operational, and Tactical tiers.
✓ TRIPWIRE
Converged detection rules engineered across cyber, physical, and operational domains.
✓ LIGHTHOUSE
🔦
Telemetry instrumentation plan validated with gap analysis and remediation priorities.
These five outputs are your operational foundation. Session 2 puts them into action.
SCOR Practitioner — Session 2
ethicallyHackingspace (eHs)® | ProofLabs | TLP-GREEN4
ZENDIR.IO DIGITAL TWIN PLATFORM
Your Satellite Operations Environment
Zendir.io provides a full-fidelity digital twin of a LEO satellite constellation including spacecraft bus, payload, ground station, and communications links. All operations execute in real time.
PLATFORM CAPABILITIES
  • Operator Terminal — Individual workstation displays for spacecraft health, orbital position, and communications
  • Spacecraft Bus Subsystems — Power, thermal, ADCS, onboard data handling, communications
  • Payload Systems — Electro-optical camera with configurable aperture, FOV, spectral bands, GSD
  • Simulation Injects — Instructor-controlled scenario events including telemetry anomalies and adversary attacks
TEAM ROLES
🎖 Mission Commander
🛰 Spacecraft Operator
📷 Payload Operator
🔐 Cybersecurity Analyst
ZENDIR.IO OPERATOR CONSOLE
SPACECRAFT HEALTH
Power: 28.2V ✓
Thermal: 21°C ✓
ADCS: Nominal ✓
ORBITAL MAP
Alt: 552km
Inc: 53.0°
Next GS: 12:34 UTC
TELEMETRY TIMELINE
Last update: 00:08s
Anomalies: 0
Alerts: None
COMMAND INTERFACE
Queue: 3 pending
Last CMD: 11:58 UTC
Auth: Verified ✓
SCOR Practitioner — Session 2
ethicallyHackingspace (eHs)® | ProofLabs | TLP-GREEN5
SESSION 2 LEARNING OUTCOMES
6 · OVERWATCH
👁
Monitor spacecraft health and environmental conditions to establish operational baselines
7 · HELIOS
Execute spacecraft bus operations including pointing, power management, and communications
8 · APERTURE
📷
Configure and operate Earth observation payloads with mission-driven tasking
9 · SAFEGUARD
🛡
Detect, classify, and respond to operational anomalies with structured incident procedures
10 · THUNDERDOME
Defend satellite architecture against cyber attacks in Red vs. Blue team exercise
SCOR Practitioner — Session 2
ethicallyHackingspace (eHs)® | ProofLabs | TLP-GREEN6
MISSION 6
OVERWATCH
👁
MISSION 6: OVERWATCH
Space Situational Awareness — Open Your Eyes
Before you can operate, you must see. Before you can defend, you must understand what normal looks like. Your first live mission: establish the operational picture and build the baselines every subsequent mission depends upon.
⏱ 40 MINUTES
METEORSTORM Functions 3 & 4: Operational Monitoring & Incident Readiness
SCOR Practitioner — Session 2
ethicallyHackingspace (eHs)® | ProofLabs | TLP-GREEN7
MISSION 6 OBJECTIVES
  1. Navigate the Zendir.io interface, identifying key displays for spacecraft health, orbital position, and communications status.
  2. Monitor satellite telemetry in real time, correlating housekeeping data with baselines from Session 1 decomposition.
  3. Interpret space weather advisories and assess impact on spacecraft subsystems, links, and payload.
  4. Track orbital elements and identify deviations indicating perturbation, conjunction risk, or anomalous maneuvering.
  5. Apply METEORSTORM taxonomy tagging to observed telemetry anomalies for structured reporting.
  6. Establish an operational baseline that serves as the reference state for incident detection in Domains 9 and 10.
SCOR Practitioner — Session 2
ethicallyHackingspace (eHs)® | ProofLabs | TLP-GREEN8
FROM THEORY TO OPERATIONS
SESSION 1 → SESSION 2 BRIDGE
  • Your decomposition becomes your monitoring checklist
  • Your detection rules become alert triggers
  • Your telemetry plan becomes your data feeds
  • Your PIR become your operational priorities
  • Your enrichment frameworks become your threat context
Key Insight: Every artifact from Session 1 has a direct operational counterpart in Zendir.io. Theory becomes practice the moment you log in.
ZENDIR.IO MAPPING
BLUEPRINT→ Asset inventory panel
PANORAMA→ Threat context overlay
SENTINEL→ Alert priority queue
TRIPWIRE→ Detection rule engine
LIGHTHOUSE→ Telemetry data feeds
SCOR Practitioner — Session 2
ethicallyHackingspace (eHs)® | ProofLabs | TLP-GREEN9
MONITORING THE OPERATIONAL ENVIRONMENT
SPACECRAFT HEALTH
AST:HW, AST:SW
  • Power voltage/current
  • Thermal readings by zone
  • ADCS attitude and rates
  • OBC status and memory
  • Link quality metrics
ORBITAL ENVIRONMENT
PCE:Orbital, SEG:Space
  • TLE tracking and updates
  • Conjunction assessment
  • Orbital decay monitoring
  • Debris tracking alerts
  • Maneuver detection
SPACE WEATHER
PCE:Orbital hazards
  • Solar flux index (F10.7)
  • Geomagnetic Kp index
  • Radiation belt counts
  • Ionospheric scintillation
  • SEU event tracking
Baseline Principle: "Document 'normal' for every parameter. Anomaly detection is only as good as your baseline."
MISSION QUESTION
Spacecraft telemetry shows a 3% solar array current drop that recovers over two orbits. Anomaly or normal? What additional data do you need?
SCOR Practitioner — Session 2
ethicallyHackingspace (eHs)® | ProofLabs | TLP-GREEN10
TELEMETRY CORRELATION & BASELINE ESTABLISHMENT
CORRELATION PATTERNS FOR ANOMALY DISCRIMINATION
Pattern 1 — NORMAL: Eclipse Entry
Power dip + thermal change + orbital position matches eclipse entry → Nominal event, log and continue
Pattern 2 — CAUTION: Subsystem Issue
Power dip + NO thermal change + NO orbital event → Potential subsystem degradation, investigate
Pattern 3 — WARNING: Potential Adversary
Power dip + attitude change + unexpected RF event → Escalate to Cybersecurity Analyst, apply AN:IOA
BASELINE TEMPLATE
ParameterExpected RangeDeviation ThresholdMETEORSTORM Tag
Bus Voltage27.5–28.5V>±0.5VAST:HW:PowerSubsystem
Payload Bay Temp15–25°C>±3°CAST:HW:ThermalControl
ADCS Pointing Error<0.1°>0.2°AST:HW:ADCS
S-band Uplink Margin>6dB<3dBSVC:Control / SEG:Link
SCOR Practitioner — Session 2
ethicallyHackingspace (eHs)® | ProofLabs | TLP-GREEN11
SPACE WEATHER & ENVIRONMENTAL AWARENESS
SPACE WEATHER → METEORSTORM MAPPING
Solar Flares
PCE:Orbital hazard → AST:HW impact on solar arrays, sensors
Geomagnetic Storms
SEG:Link degradation → SVC:Data communications disruption
Radiation Belt Enhancement
AST:HW single-event upsets → AN:IOC false positive generator
Critical Insight: Space weather events can mimic adversary actions. Environmental context is essential for every anomaly assessment.
SPACE WEATHER SCALE
G5
Extreme
Widespread disruption, safe mode recommended
G3
Strong
Baseline adjustments required, monitor closely
G1
Minor
Note in log, no operational change needed
MISSION QUESTION
A geomagnetic storm is forecast for 6 hours. Which baselines should you temporarily adjust, and how do you document this in a METEORSTORM-compliant report?
SCOR Practitioner — Session 2
ethicallyHackingspace (eHs)® | ProofLabs | TLP-GREEN12
STARCOM-LEO: ESTABLISHING THE OPERATIONAL BASELINE
Worked example baselines for STARCOM-LEO — each parameter tagged to the METEORSTORM taxonomy hierarchy:
SubsystemParameterNominal RangeMETEORSTORM Tag
PowerBus voltage27.5–28.5VPCE:Orbital > SEG:Space > SVC:Control > AST:HW:PowerSubsystem
PowerSolar array current (sunlit)4.0–4.4AAST:HW:SolarArray
PowerBattery DOD<30%AST:HW:Battery
ThermalPayload bay temperature15–25°CAST:HW:ThermalControl
ThermalBattery temperature5–20°CAST:HW:Battery
ADCSPointing accuracy<0.1°AST:HW:ADCS / AST:SW:FlightSoftware
CommsS-band uplink margin>6dBSEG:Link > SVC:Control > AST:HW:Antenna
CommsX-band downlink margin>3dBSEG:Link > SVC:Data > AST:HW:Antenna
SCOR Practitioner — Session 2
ethicallyHackingspace (eHs)® | ProofLabs | TLP-GREEN13
MISSION 6 EXERCISE: GUIDED MONITORING
⏱ 10 MINUTES — INSTRUCTOR-FACILITATED LIVE EXERCISE
ZENDIR.IO SCENARIO: NOMINAL WITH EMBEDDED VARIATIONS
  1. Identify each telemetry variation from your established baseline
  2. Classify each variation as nominal or anomalous
  3. Tag each anomaly with the appropriate METEORSTORM taxonomy elements (PCE, SEG, SVC, AST, AN)
  4. Document findings in a structured SSA status report
Deliverable: Completed SSA status report with METEORSTORM-tagged anomalies. This baseline becomes your reference for all subsequent missions.
SCOR Practitioner — Session 2
ethicallyHackingspace (eHs)® | ProofLabs | TLP-GREEN14
MISSION 6 CHECKPOINT
CHECKPOINT Q1
What three categories of information compose the SSA picture in Zendir.io? How does each map to the METEORSTORM taxonomy?
CHECKPOINT Q2
How does a space weather advisory map to METEORSTORM taxonomy elements? Walk through a G3 geomagnetic storm scenario.
CAPSTONE ACTIVITY (5 MIN)
Produce a complete SSA status report covering: spacecraft health status, orbital position summary, environmental conditions, and any anomalies with full METEORSTORM taxonomy tags.
MISSION QUESTION
You monitor two spacecraft in the same orbital plane—one shows a power anomaly, one does not. What does this asymmetry tell you about the likely cause? How does your answer change if both show the anomaly simultaneously?
SCOR Practitioner — Session 2
ethicallyHackingspace (eHs)® | ProofLabs | TLP-GREEN15
MISSION 6 ASSESSMENT RUBRIC
CriterionExemplary (4)Proficient (3)Developing (2)Beginning (1)
Platform Navigation & Telemetry Interpretation
Navigates Zendir.io, interprets telemetry, identifies baselines		Navigates all displays confidently, correlates multiple telemetry streams, identifies all baselines with correct METEORSTORM referencesNavigates primary displays, interprets key indicators with appropriate taxonomyNavigates basic displays but struggles with correlation or taxonomyCannot navigate displays or interpret basic telemetry
Environmental Awareness
Integrates space weather, orbital dynamics, EM spectrum		Integrates space weather, orbital dynamics, and EM spectrum into unified assessment with proactive impact predictionsInterprets space weather and orbital data correctly, identifies potential impactAcknowledges environmental factors but cannot assess operational impactCannot interpret space weather data
Anomaly Detection & Reporting
Detects anomalies, classifies with METEORSTORM, produces SSA report		Detects all anomalies, classifies with correct METEORSTORM taxonomy, produces comprehensive SSA reportDetects most anomalies with classification and adequate reportDetects some anomalies with incomplete taxonomy or unstructured reportCannot distinguish anomalous from normal telemetry
SCOR Practitioner — Session 2
ethicallyHackingspace (eHs)® | ProofLabs | TLP-GREEN16
MISSION 6 SCORE CARD
👁
DOMAIN 6: OVERWATCH
12
Maximum Points
3
Criteria
6
Pass Threshold
Pass: ≥ 6/12 (50%) | No domain below pass threshold for credential
SCOR Practitioner — Session 2
ethicallyHackingspace (eHs)® | ProofLabs | TLP-GREEN17
MISSION 6: OVERWATCH — COMPLETE
You can see the battlespace. Now take the controls. Next: HELIOS — hands on the wheel.
OVERWATCHComplete
7
HELIOSNext →
SCOR Practitioner — Session 2
ethicallyHackingspace (eHs)® | ProofLabs | TLP-GREEN18
MISSION 7
HELIOS
MISSION 7: HELIOS
Satellite Operations — Hands on the Wheel
Situational awareness gave you the picture. Now you take control—executing pointing maneuvers, managing subsystems, and commanding the satellite. Every action creates data your detection rules must process.
⏱ 40 MINUTES
METEORSTORM Function 1: CONOPS — Operational Execution
SCOR Practitioner — Session 2
ethicallyHackingspace (eHs)® | ProofLabs | TLP-GREEN19
MISSION 7 OBJECTIVES
  1. Execute pointing maneuvers: Inertial, Sun, Velocity, Nadir, Ground Station, and Location modes.
  2. Monitor and manage bus subsystems: power, thermal, onboard data handling.
  3. Verify health using pre-op checklist aligned to METEORSTORM AST:HW, AST:SW, AST:DA.
  4. Execute command sequences for station keeping and attitude adjustment.
  5. Manage communications: uplink scheduling, downlink reception, link budget monitoring.
  6. Document activities in mission log with METEORSTORM taxonomy references.
SCOR Practitioner — Session 2
ethicallyHackingspace (eHs)® | ProofLabs | TLP-GREEN20
OPERATOR TERMINAL QUALIFICATION
PRE-OPERATION CHECKLIST
  • 1. Verify telemetry feed live — timestamp <30s, all streams active
  • 2. Confirm all subsystems nominal — compare to Domain 6 baselines
  • 3. Check communications window schedule — next AOS/LOS times
  • 4. Review command queue — pending commands, authorization status
  • 5. Confirm team roles — all positions staffed, comms protocol active
METEORSTORM: Each checklist item maps to AST:HW, AST:SW, and SVC elements — your decomposition from Session 1 is your checklist.
TEAM COMMUNICATION PROTOCOL
CMD
Commander
Authorizes all commands, declares incidents
OPS
Spacecraft Operator
Executes bus commands, monitors health
PAY
Payload Operator
Manages imaging tasks, data products
CSA
Cybersecurity Analyst
Monitors for cyber indicators, advises escalation
SCOR Practitioner — Session 2
ethicallyHackingspace (eHs)® | ProofLabs | TLP-GREEN21
SPACECRAFT POINTING MODES
INERTIAL
Fixed to celestial frame. Use: star tracker calibration, deep space observation. ADCS: quaternion hold.
SUN POINTING
Solar array aligned to sun vector. Use: maximum power generation during low-power states. ADCS: sun sensor primary.
VELOCITY
Aligned with velocity vector. Use: drag management, aerodynamic stability. ADCS: GPS/TLE derived.
NADIR
Earth-facing. Use: primary Earth observation mode. ADCS: Earth sensor, settling time ~3 min.
GROUND STATION
Antenna aimed at ground station. Use: communications passes. ADCS: ground track prediction.
LOCATION
Payload aimed at geographic coordinates. Use: targeted imaging. ADCS: highest accuracy mode, <0.05°.
MISSION QUESTION
Satellite is Sun Pointing for battery charging. Urgent imaging task arrives. What trade-offs must you consider before switching to Location Pointing?
SCOR Practitioner — Session 2
ethicallyHackingspace (eHs)® | ProofLabs | TLP-GREEN22
BUS SUBSYSTEM MANAGEMENT
POWER
AST:HW:PowerSubsystem
  • Solar array monitoring (current, voltage, temperature)
  • Battery state-of-charge management
  • Load shedding priority list
  • Eclipse entry/exit preparation
  • Power budget enforcement
THERMAL
AST:HW:ThermalControl
  • Zone-by-zone temperature monitoring
  • Heater control (survival vs. operational)
  • Hot case / cold case management
  • Payload thermal conditioning
  • Attitude-thermal interdependency
DATA HANDLING
AST:HW:OBC, AST:SW:FSW
  • OBC health and watchdog status
  • Memory utilization and management
  • Data bus integrity checks
  • Flight software version verification
  • Autonomous fault detection status
Interdependencies: Payload heater activation → power draw increase. Attitude change → thermal profile shift. Understanding these chains is essential for Domain 9 incident discrimination.
SCOR Practitioner — Session 2
ethicallyHackingspace (eHs)® | ProofLabs | TLP-GREEN23
COMMUNICATIONS LINK OPERATIONS
GROUND STATION PASS MANAGEMENT
  • AOS (Acquisition of Signal) — Confirm link established, verify margin
  • Command Window — Uplink validated commands in priority order
  • Telemetry Reception — Download buffered health and security data
  • LOS (Loss of Signal) — Confirm all commands acknowledged, log pass
SECURITY IMPERATIVE
The uplink command channel is the most critical attack surface. Every command must be validated before transmission. Authentication, integrity, and authorization checks are non-negotiable.
LINK BUDGET ELEMENTS
TX
Transmit Power
Ground station EIRP (dBW)
GA
Antenna Gain
Spacecraft receive gain (dBi)
PL
Path Loss
Free-space loss at range (dB)
MG
Link Margin
Required >6dB for reliable uplink
MISSION QUESTION
8-minute pass. 15 commands to uplink, 200MB to downlink. How do you prioritize—and what security checks before each command?
SCOR Practitioner — Session 2
ethicallyHackingspace (eHs)® | ProofLabs | TLP-GREEN24
STARCOM-LEO: OPERATIONAL SEQUENCE
Worked example — complete operational sequence for a STARCOM-LEO imaging pass:
Step 1: Pre-ops Checklist Verification — All 5 items confirmed, team roles assigned
Step 2: Attitude Transition — Sun Pointing → Nadir for imaging (3 min settling)
Step 3: Subsystem Monitoring — Power budget confirmed, thermal stable, ADCS locked
Step 4: Ground Station Pass — AOS 14:22 UTC, 8 commands uplinked, 180MB downlinked, LOS 14:30
Step 5: Post-pass Documentation — Mission log updated, METEORSTORM tags applied, anomalies: none
SCOR Practitioner — Session 2
ethicallyHackingspace (eHs)® | ProofLabs | TLP-GREEN25
MISSION 7 EXERCISE: GUIDED OPERATIONS
⏱ 10 MINUTES — TEAM OPERATIONS EXERCISE
INSTRUCTIONS
  1. Execute attitude transition commanded by Mission Commander (Sun → Nadir or Location)
  2. Monitor subsystem impacts during and after transition
  3. Manage ground station pass: command uplink + telemetry downlink
  4. Respond to simulated power constraint injected by instructor
  5. Document all activities with METEORSTORM taxonomy tags
Deliverable: Mission operations log with all commands, subsystem states, anomaly responses, and METEORSTORM taxonomy references.
SCOR Practitioner — Session 2
ethicallyHackingspace (eHs)® | ProofLabs | TLP-GREEN26
MISSION 7 CHECKPOINT
CHECKPOINT Q1
Which pointing mode maximizes solar power generation, and why? What ADCS sensors are primary in this mode?
CHECKPOINT Q2
What METEORSTORM Asset elements are involved in an ADCS pointing maneuver? Trace from AST:HW through AST:SW to SVC:Control.
CAPSTONE ACTIVITY (5 MIN)
Complete a mission operations log covering all commands executed, subsystem states at each step, and full METEORSTORM taxonomy references for every action.
MISSION QUESTION
An operator sends a pointing command conflicting with the power budget. Spacecraft enters safe mode. Who is responsible? How should the incident be documented using METEORSTORM taxonomy?
SCOR Practitioner — Session 2
ethicallyHackingspace (eHs)® | ProofLabs | TLP-GREEN27
MISSION 7 ASSESSMENT RUBRIC
CriterionExemplary (4)Proficient (3)Developing (2)Beginning (1)
Spacecraft Pointing Execution
Executes transitions, monitors ADCS, demonstrates trade-off understanding		Executes all transitions smoothly, monitors ADCS telemetry, demonstrates trade-off understandingExecutes transitions correctly with telemetry monitoring and mode rationaleExecutes basic transitions, struggles with telemetry or justificationCannot execute pointing maneuvers or interpret ADCS telemetry
Subsystem Verification & Monitoring
Completes checks with correct METEORSTORM mappings		Comprehensive checks, all METEORSTORM mappings correct, proactive interdependency identificationCompletes checks with correct taxonomy, adequate monitoringPartial checks, some taxonomy errors, monitoring gapsCannot perform structured verification or map to METEORSTORM
Operational Documentation
Mission log accuracy, taxonomy, and traceability		Complete mission log, accurate taxonomy, operational rationale, full traceabilityAdequate log with correct taxonomy and key eventsIncomplete log with missing taxonomy or gapsCannot produce a mission log
SCOR Practitioner — Session 2
ethicallyHackingspace (eHs)® | ProofLabs | TLP-GREEN28
MISSION 7 SCORE CARD
DOMAIN 7: HELIOS
12
Maximum Points
3
Criteria
6
Pass Threshold
Pass: ≥ 6/12 (50%) | No domain below pass threshold for credential
SCOR Practitioner — Session 2
ethicallyHackingspace (eHs)® | ProofLabs | TLP-GREEN29
MISSION 7: HELIOS — COMPLETE
You've mastered the bus. Now execute the mission's purpose. Next: APERTURE — capture the mission.
OVERWATCHComplete
HELIOSComplete
8
APERTURENext →
SCOR Practitioner — Session 2
ethicallyHackingspace (eHs)® | ProofLabs | TLP-GREEN30
MISSION 8
APERTURE
📷
MISSION 8: APERTURE
Payload Operations — Capture the Mission
The bus is your vehicle. The payload is your purpose. Configure cameras, plan imaging tasks, manage data, and coordinate payload with bus operations to deliver mission results.
⏱ 40 MINUTES
METEORSTORM Function 1: CONOPS — Data Plane Operations
SCOR Practitioner — Session 2
ethicallyHackingspace (eHs)® | ProofLabs | TLP-GREEN31
MISSION 8 OBJECTIVES
  1. Configure payload parameters: aperture, FOV, spectral bands, GSD.
  2. Plan and execute imaging tasks: orbital geometry, lighting, pointing, target coordinates.
  3. Assess image quality: spatial resolution, spectral fidelity, geometric accuracy.
  4. Manage onboard storage and prioritize downlink scheduling.
  5. Coordinate payload with bus operations for pointing, power, and thermal.
  6. Document payload operations with METEORSTORM Data Plane and Asset layer references.
SCOR Practitioner — Session 2
ethicallyHackingspace (eHs)® | ProofLabs | TLP-GREEN32
CAMERA AND SENSOR FUNDAMENTALS
ZENDIR.IO EO CAMERA PARAMETERS
f/
Aperture
Light gathering and diffraction-limited resolution. Larger aperture = sharper image at cost of FOV.
FOV
Field of View
Angular extent vs. resolution trade-off. Wide FOV = lower resolution, larger coverage area.
GSD
Ground Sample Distance
Spatial resolution at surface. GSD = (altitude × pixel size) / focal length.
λ
Spectral Bands
Visible, NIR, thermal — each reveals different surface features.
METEORSTORM: Payload = AST:HW:Payload. Parameters = AST:DA. Products = SVC:Data output.
GSD GEOMETRY
ALTITUDE vs. GSD
Alt (km)GSD @ f=1mCoverage
4000.5mNarrow
5500.7mMedium
8001.0mWide
MISSION QUESTION
Payload can image at 1m GSD but mission requires 5m. Why choose lower resolution—and what operational advantages does this provide?
SCOR Practitioner — Session 2
ethicallyHackingspace (eHs)® | ProofLabs | TLP-GREEN33
MISSION-DRIVEN IMAGING TASKS
TASK PLANNING PROCESS
1. Receive tasking order (target coordinates, parameters)
2. Calculate orbital geometry — overflight timing and lighting
3. Coordinate with bus — pointing mode, power, thermal
4. Configure payload parameters (aperture, FOV, band, GSD)
5. Execute during overflight window
6. Verify capture and assess quality
METEORSTORM TRACEABILITY
Imaging creates AST:DA delivered through SVC:Data, requiring SVC:Control for pointing.
IMAGING WINDOW FACTORS
  • Sun angle >20° for adequate illumination
  • Cloud cover assessment (if optical)
  • Satellite ground track alignment
  • Power budget sufficient for payload
  • Thermal pre-conditioning complete
SCOR Practitioner — Session 2
ethicallyHackingspace (eHs)® | ProofLabs | TLP-GREEN34
IMAGE QUALITY ASSESSMENT
QUALITY CRITERIA
  • Spatial Resolution — Achieved GSD vs. required GSD
  • Spectral Fidelity — Band calibration accuracy, radiometric quality
  • Geometric Accuracy — Geolocation error vs. mission requirement
DEGRADATION CAUSES
  • Pointing errors during capture window
  • Vibration from reaction wheel operation
  • Thermal effects on focal plane
  • Exposure timing errors
  • Atmospheric effects (for optical)
CYBERSECURITY CONNECTION
⚠ CRITICAL: Subtle payload manipulation — altered calibration, timing offsets, parameter injection — can corrupt imagery while appearing valid. This is a potential AN:IOA indicator that only the Cybersecurity Analyst is trained to recognize.
Unexpected geometric artifacts not matching known sensor behavior → escalate to CSA immediately.
SCOR Practitioner — Session 2
ethicallyHackingspace (eHs)® | ProofLabs | TLP-GREEN35
ONBOARD DATA MANAGEMENT
STORAGE MANAGEMENT PROCESS
  • Assess utilization — Current storage use and remaining capacity
  • Prioritize by mission priority — High-priority imagery protected first
  • Schedule downlink windows — Maximum throughput during passes
  • Delete/compress — Lower-priority data as needed for capacity
DATA INTEGRITY
Checksums and verification for both storage and transmission. Corrupted data may indicate hardware failure or adversary interference — always verify before deletion.
METEORSTORM DATA PLANE
AST
AST:HW:DataStorage
Physical storage hardware
AST
AST:DA
Data products (imagery)
SVC
SVC:Data via SEG:Link
Downlink data service
MISSION QUESTION
Storage 80% full. High-priority task needs the remaining 20%. Un-downlinked lower-priority imagery exists. Delete, compress, or skip the new task? What information do you need before deciding?
SCOR Practitioner — Session 2
ethicallyHackingspace (eHs)® | ProofLabs | TLP-GREEN36
STARCOM-LEO: PAYLOAD OPERATIONS SEQUENCE
Worked example — complete payload cycle for a STARCOM-LEO tasked imaging mission:
PhaseActionParametersMETEORSTORM Tag
TaskingImage target at [35.68°N, 139.69°E]Visible band, <3m GSDAST:DA (tasking order)
PlanningOverpass in 45 min, sun angle 35°Location Pointing 5 min beforeSVC:Control / AST:HW:ADCS
CoordinationPower and thermal confirmed by bus operator28.1V, payload bay 22°CAST:HW:Power / AST:HW:Thermal
ExecutionCamera configured, image captured12-second window, f/4, 550nmAST:HW:Payload / AST:DA
AssessmentQuality verifiedGSD 2.8m, geoloc 10m, spectral nominalAN:IOC (quality check)
Data850MB stored, queued for next passStorage: 67% utilizedAST:HW:DataStorage / SVC:Data
SCOR Practitioner — Session 2
ethicallyHackingspace (eHs)® | ProofLabs | TLP-GREEN37
MISSION 8 EXERCISE: DATA MANAGEMENT
⏱ 10 MINUTES
INSTRUCTIONS
  1. Assess current storage utilization in Zendir.io
  2. Execute 2+ imaging tasks at different priority levels
  3. Prioritize downlink scheduling for the next ground station pass
  4. Manage storage constraints — make and justify a delete/compress/defer decision
  5. Document all payload operations with METEORSTORM taxonomy
Deliverable: Payload operations summary covering tasks executed, quality assessments, data management decisions, and METEORSTORM taxonomy documentation.
SCOR Practitioner — Session 2
ethicallyHackingspace (eHs)® | ProofLabs | TLP-GREEN38
MISSION 8 CHECKPOINT
CHECKPOINT Q1
What is the relationship between camera FOV and GSD? If you increase focal length while keeping altitude constant, what happens to both?
CHECKPOINT Q2
Name the METEORSTORM layers and elements involved in an EO imaging task from planning through downlink. How many distinct taxonomy tags are required?
CAPSTONE ACTIVITY (5 MIN)
Produce a payload operations summary covering all tasks executed, quality assessments, data management decisions, and METEORSTORM taxonomy documentation.
MISSION QUESTION
Captured image shows unexpected geometric artifacts not matching known sensor behavior. Hardware failure, software bug, or adversary tampering? How do you investigate without alerting a potential adversary?
SCOR Practitioner — Session 2
ethicallyHackingspace (eHs)® | ProofLabs | TLP-GREEN39
MISSION 8 ASSESSMENT RUBRIC
CriterionExemplary (4)Proficient (3)Developing (2)Beginning (1)
Payload Configuration & Execution
Parameters correct, timing/coordination, sensor trade-offs		All parameters correct for different missions, optimal timing/coordination, sensor trade-off understandingCorrect parameters with appropriate coordination and timingBasic config, needs guidance on optimization, bus coordination strugglesCannot configure payload or execute imaging tasks
Image Quality Assessment
Evaluates against requirements, root cause analysis, security implications		Evaluates against all requirements, root cause analysis, connects anomalies to cybersecurity indicatorsEvaluates against primary requirements, identifies major issuesBasic assessment, cannot diagnose degradation or security implicationsCannot assess quality or distinguish acceptable from unacceptable
Data Management & Documentation
Storage/downlink management, prioritization, METEORSTORM documentation		Optimal storage/downlink management, mission-impact prioritization, comprehensive METEORSTORM documentationAdequate management, correct prioritization, acceptable documentationReactive management, incomplete prioritization, documentation gapsCannot manage storage or document operations
SCOR Practitioner — Session 2
ethicallyHackingspace (eHs)® | ProofLabs | TLP-GREEN40
MISSION 8 SCORE CARD
📷
DOMAIN 8: APERTURE
12
Maximum Points
3
Criteria
6
Pass Threshold
Pass: ≥ 6/12 (50%) | No domain below pass threshold for credential
SCOR Practitioner — Session 2
ethicallyHackingspace (eHs)® | ProofLabs | TLP-GREEN41
MISSION 8: APERTURE — COMPLETE
You can see, operate, and capture. Now things go wrong. Next: SAFEGUARD — when things go wrong.
OVERWATCHComplete
HELIOSComplete
APERTUREComplete
9
SAFEGUARDNext →
SCOR Practitioner — Session 2
ethicallyHackingspace (eHs)® | ProofLabs | TLP-GREEN42
MISSION 9
SAFEGUARD
🛡
MISSION 9: SAFEGUARD
Satellite Ops Incident Response — When Things Go Wrong
Systems degrade, sensors fail, the environment is hostile. Detect anomalies, classify incidents, execute response procedures — while determining operational failure vs. adversary action. Your Domain 6 baselines are now your most important tool.
⏱ 40 MINUTES
METEORSTORM Function 4: Incident Response — Operational Anomalies
SCOR Practitioner — Session 2
ethicallyHackingspace (eHs)® | ProofLabs | TLP-GREEN43
MISSION 9 OBJECTIVES
  1. Detect anomalies through telemetry deviation analysis against Domain 6 baselines.
  2. Classify by subsystem, severity, and METEORSTORM exposure domain (Kinetic, Non-Kinetic Physical, EW, Cyber, Environmental).
  3. Execute structured IR for power degradation, attitude anomalies, thermal exceedance, link failures.
  4. Coordinate multi-role response: Commander, Operator, Payload, Cybersecurity Analyst.
  5. Distinguish operational vs. cyber-origin anomalies using AN:IOA, AN:IOC.
  6. Produce structured incident report with METEORSTORM taxonomy.
SCOR Practitioner — Session 2
ethicallyHackingspace (eHs)® | ProofLabs | TLP-GREEN44
ANOMALY DETECTION AND CLASSIFICATION
SEVERITY LEVELS
L1
Advisory
Trending toward threshold, no impact yet. Log and monitor.
L2
Caution
Threshold exceeded, monitor closely, prepare contingency plan.
L3
Warning
Subsystem degraded, operational impact, execute contingency.
L4
Emergency
Mission-threatening, immediate response required, consider safing.
Detection framework: thresholds from Domain 6 baselines, trending vs. instantaneous deviation, multi-parameter correlation. METEORSTORM: Each anomaly classified by exposure domain.
MISSION QUESTION
Sudden 15% solar array current drop, not in eclipse. Level 2 or Level 3? What three data points do you check first?
SCOR Practitioner — Session 2
ethicallyHackingspace (eHs)® | ProofLabs | TLP-GREEN45
INCIDENT RESPONSE SCENARIOS
SCENARIO 1 — POWER ANOMALY
Solar array current drop. Response: Verify orbital position, check conjunction, assess battery SOC, prepare load shedding priority list. METEORSTORM: AST:HW:SolarArray → AN:IOC.
SCENARIO 2 — ATTITUDE ANOMALY
Deviation without command. Response: Check ADCS sensors, wheel speeds, external torques, verify no unauthorized command. METEORSTORM: AST:HW:ADCS → AN:IOA (if no cause found).
SCENARIO 3 — THERMAL EXCEEDANCE
Payload bay over limits. Response: Assess heater status, attitude relative to sun, solar exposure, implement thermal contingency. METEORSTORM: AST:HW:ThermalControl → AN:IOC.
SCENARIO 4 — COMMS DEGRADATION
Downlink margin dropping. Response: Check antenna health, RF environment, ground equipment status, evaluate jamming indicators. METEORSTORM: SEG:Link → AN:IOA (if EW suspected).
SCOR Practitioner — Session 2
ethicallyHackingspace (eHs)® | ProofLabs | TLP-GREEN46
CYBER OR OPERATIONAL? THE CRITICAL QUESTION
DISCRIMINATION FRAMEWORK
  • Timing — Does anomaly coincide with predictable events (eclipse, pass, solar activity)?
  • Multi-subsystem — Multiple unrelated subsystems simultaneously? (suggests cyber)
  • Behavioral — Matches known SPARTA/ATT&CK techniques from Session 1?
  • Command correlation — Did it follow an uplinked command? Was it authorized?
  • Environmental context — Can space weather or hardware limitations explain it?
Session 1 Connection: Threat models (PANORAMA) and detection rules (TRIPWIRE) provide reference patterns for this discrimination.
ESCALATION PATHWAY
Anomaly Detected
Environmental check → Explains it? → Log as nominal
↓ No
Hardware/software check → Explains it? → Ops IR
↓ No
Behavioral check → Matches SPARTA/ATT&CK? → AN:IOA
↓ Yes
Escalate to Domain 10: THUNDERDOME
MISSION QUESTION
Two spacecraft, same orbital plane, simultaneous comms degradation. Ground station nominal. Space weather quiet. Coincidence, shared cause, or coordinated EW attack?
SCOR Practitioner — Session 2
ethicallyHackingspace (eHs)® | ProofLabs | TLP-GREEN47
COORDINATED TEAM INCIDENT RESPONSE
🎖 MISSION COMMANDER
Declare incident level, assign priorities, external coordination, go/no-go decisions. Communication: "Commander declares Level [X] incident. [Role], execute [contingency]."
🛰 SPACECRAFT OPERATOR
Execute contingencies, manage bus response, prepare safing if directed. Continuous telemetry monitoring and status reporting to Commander every 60 seconds.
📷 PAYLOAD OPERATOR
Secure payload (safe mode if directed), assess mission impact, preserve data products. Verify payload is not the source of anomaly.
🔐 CYBERSECURITY ANALYST
Evaluate cyber indicators against Session 1 detection rules, correlate with PANORAMA threat models, advise Commander on escalation to Domain 10.
SCOR Practitioner — Session 2
ethicallyHackingspace (eHs)® | ProofLabs | TLP-GREEN48
MISSION 9 EXERCISE: COORDINATED RESPONSE
⏱ 10 MINUTES — MULTI-SUBSYSTEM CASCADING INCIDENT
INSTRUCTIONS
  1. Detect and classify the initial anomaly using Domain 6 baselines
  2. Assess cascading secondary impacts across subsystems
  3. Execute multi-role coordinated response using team communication protocol
  4. Apply cyber vs. operational discrimination framework
  5. Produce structured METEORSTORM-tagged incident documentation
Deliverable: Structured incident report with timeline, METEORSTORM elements, response actions, discrimination assessment, and lessons learned.
SCOR Practitioner — Session 2
ethicallyHackingspace (eHs)® | ProofLabs | TLP-GREEN49
MISSION 9 CHECKPOINT
CHECKPOINT Q1
Level 3 vs. Level 4 incident — how does the classification affect response priorities, team coordination, and the go/no-go decision for safing?
CHECKPOINT Q2
Name two specific indicators that would suggest cyber origin rather than mechanical or environmental cause. What METEORSTORM Analytic layer tags apply?
CAPSTONE ACTIVITY (5 MIN)
Produce a structured incident report: timeline, METEORSTORM taxonomy elements, response actions taken, discrimination assessment (operational vs. cyber), and lessons learned.
MISSION QUESTION
Post-incident: the Cybersecurity Analyst flagged a potential cyber indicator 90 seconds before the cascading failure — but the team was focused on the power anomaly. How do you restructure procedures to prevent this?
SCOR Practitioner — Session 2
ethicallyHackingspace (eHs)® | ProofLabs | TLP-GREEN50
MISSION 9 ASSESSMENT RUBRIC
CriterionExemplary (4)Proficient (3)Developing (2)Beginning (1)
Anomaly Detection & Classification
Detection speed, classification accuracy, taxonomy completeness		Rapid proactive detection, correct subsystem/severity/exposure domain classification, complete taxonomyReasonable timeliness, correct classification with appropriate taxonomyDetects obvious anomalies, delayed, incomplete classificationCannot detect or classify anomalies
Incident Response Execution
Correct procedures, team coordination, mission continuity		Correct procedures for all scenarios, effective team coordination, mission continuity maintainedCorrect procedures, adequate coordination, acceptable posturePartial procedures, significant coordination gapsCannot execute structured IR
Cyber-Operational Discrimination
Identifies distinguishing indicators, applies AN:IOA/AN:IOC, escalation recommendations		Correctly identifies distinguishing indicators, applies AN:IOA/AN:IOC, actionable escalation recommendationsDistinguishes most indicators, understands escalation pathwayAcknowledges cyber possibility but cannot reliably identify indicatorsCannot distinguish operational from cyber anomalies
SCOR Practitioner — Session 2
ethicallyHackingspace (eHs)® | ProofLabs | TLP-GREEN51
MISSION 9 SCORE CARD
🛡
DOMAIN 9: SAFEGUARD
12
Maximum Points
3
Criteria
6
Pass Threshold
Pass: ≥ 6/12 (50%) | No domain below pass threshold for credential
SCOR Practitioner — Session 2
ethicallyHackingspace (eHs)® | ProofLabs | TLP-GREEN52
MISSION 9: SAFEGUARD — COMPLETE
You've handled operational incidents and distinguished failure from attack. Now the adversary stops hiding. Final mission: THUNDERDOME — Red vs. Blue. Fight for the platform.
OVERWATCHComplete
HELIOSComplete
APERTUREComplete
SAFEGUARDComplete
10
THUNDERDOMENext →
SCOR Practitioner — Session 2
ethicallyHackingspace (eHs)® | ProofLabs | TLP-GREEN53
MISSION 10
THUNDERDOME
MISSION 10: THUNDERDOME
Satellite Cyber Incident Response — Fight for the Platform
The culminating exercise. Everything across ten knowledge domains converges here. Red Team has breached the perimeter. Blue Team must detect, contain, eradicate, and recover — while keeping the mission alive. Every METEORSTORM concept leads to this moment.
⏱ 40 MINUTES
METEORSTORM Functions 4 & 5: Incident Response and Adversary Management
SCOR Practitioner — Session 2
ethicallyHackingspace (eHs)® | ProofLabs | TLP-GREEN54
MISSION 10 OBJECTIVES
  1. Detect cyber attack indicators across full architecture using AN:IOA, AN:IOC, AN:DET in Zendir.io.
  2. Analyze ground station compromise: assets, vectors, lateral movement via METEORSTORM attack path mapping.
  3. Detect and respond to onboard compromise: unauthorized commands, telemetry manipulation, payload interference.
  4. Execute detection-containment-eradication-recovery adapted for satellite constraints (bandwidth, delay, connectivity).
  5. Coordinate Blue Team across all roles, integrating cyber response with spacecraft safing and mission continuity.
  6. Produce METEORSTORM-tagged cyber IR report for collective defense sharing via MISP.
SCOR Practitioner — Session 2
ethicallyHackingspace (eHs)® | ProofLabs | TLP-GREEN55
CYBER THREAT LANDSCAPE: SATELLITE OPERATIONS
SESSION 1 THREAT MODEL → LIVE CONTEXT
ATTACK SURFACE
  • Ground station network — IT/OT convergence, remote access, insider threat
  • Command uplink — Authentication, replay attacks, spoofing
  • Telemetry downlink — Data integrity, interception, manipulation
  • Flight software — Unauthorized updates, memory corruption, logic bombs
  • Payload data pipeline — Data exfiltration, product manipulation
Key: "Your Session 1 threat model predicted these vectors. Your detection rules are active. Theory becomes reality."
THREAT ACTORS
NS
Nation-State
Sophisticated, persistent, strategic objectives
CR
Criminal
Financial motivation, ransomware, data theft
HA
Hacktivist
Disruption, publicity, ideological motivation
IN
Insider
Privileged access, hardest to detect
MISSION QUESTION
Your Session 1 threat model predicted command uplink attacks. But Red Team doesn't always attack where expected. What blind spots might your model have missed?
SCOR Practitioner — Session 2
ethicallyHackingspace (eHs)® | ProofLabs | TLP-GREEN56
GROUND STATION COMPROMISE
THREE-PHASE ATTACK PROGRESSION
Phase 1: Initial Access
Unusual auth patterns, failed logins, unexpected processes. Detection window: 5–15 min.
Phase 2: Lateral Movement
Internal traffic anomalies, credential reuse, access to command systems. Detection window: 15–45 min.
Phase 3: Impact Preparation
Command queue modifications, telemetry forwarding, data staging. Detection window: Before first unauthorized command.
BLUE TEAM RESPONSE
  • Detect at each phase using Session 1 detection rules
  • Classify with METEORSTORM attack path: SEG:Ground > SVC:Control > AST:SW > AN:IOC
  • Contain: isolate compromised systems, revoke credentials
  • Preserve forensics before remediation
  • Maintain operations on backup systems
Priority: Protect the uplink command channel above all else. A compromised command path means a compromised spacecraft.
SCOR Practitioner — Session 2
ethicallyHackingspace (eHs)® | ProofLabs | TLP-GREEN57
ONBOARD SYSTEM COMPROMISE
INDICATORS OF SPACECRAFT COMPROMISE
  • Unauthorized command execution — Commands not matching authorized queue
  • Telemetry manipulation — Inconsistencies between correlated parameters
  • Payload interference — Unexpected activation, config changes, data exfiltration
POTENTIAL VECTORS
  • Ground station lateral movement → uplink injection
  • Supply chain compromise in flight software
  • Insider threat with command authority
SPACE-SPECIFIC CONSTRAINTS
BW
Bandwidth
Limited forensic data transfer per pass
LAT
Latency
Command round-trip delay, no real-time response
WIN
Windows
Only 8–12 min per pass to act
PHY
Physical
Cannot physically access spacecraft
MISSION QUESTION
Spacecraft executing unauthorized commands. 7-minute pass to respond. Safe-mode (shutting down mission) or targeted remediation (risking adversary completion)? Defend your choice.
SCOR Practitioner — Session 2
ethicallyHackingspace (eHs)® | ProofLabs | TLP-GREEN58
CYBER INCIDENT RESPONSE: ADAPTED FOR SPACE
1. DETECTION
METEORSTORM AN:DET rules, correlated telemetry, behavioral monitoring across all segments. Space constraint: Detection must happen within the pass window or autonomous onboard rules must trigger.
2. CONTAINMENT
Isolate ground systems, revoke credentials, emergency command authentication, suspend non-essential ops. Space constraint: Must be executed before LOS — autonomous safing rules critical.
3. ERADICATION
Remove attacker access, validate onboard software integrity, rotate cryptographic keys and tokens. Space constraint: Software validation requires dedicated downlink bandwidth.
4. RECOVERY
Restore from backups, re-establish trusted command path, verify baselines match Domain 6, resume operations. Space constraint: Recovery may span multiple orbital passes.
METEORSTORM Function 5 — Adversary Management: Document TTPs, update threat models, share via MISP/collective defense.
SCOR Practitioner — Session 2
ethicallyHackingspace (eHs)® | ProofLabs | TLP-GREEN59
STARCOM-LEO: FULL CYBER IR WALKTHROUGH
All ten domains converge in this integrated cyber IR response:
IR PhaseDomain ContributionActionMETEORSTORM Tag
DetectionDomain 6 baselines + Domain 4 rulesGround auth anomaly triggered by AN:DET ruleSEG:Ground > AN:DET > AN:IOC
ClassificationDomain 9 discriminationConfirmed cyber, not operational — behavioral match to SPARTA SA-0003AN:IOA / SPARTA SA-0003
ContainmentDomain 7 operationsEmergency command authentication activated, non-essential ops suspendedSVC:Control > AST:SW:Auth
EradicationSession 1 decompositionCompromised ground systems isolated, flight software hash verifiedSEG:Ground > AST:SW:FSW
RecoveryDomain 8 payloadMission restored, payload recalibrated, Domain 6 baselines re-verifiedAST:HW:Payload > AN:IOC
ReportingMETEORSTORM taxonomyComplete MISP-ready report for collective defense sharingFull taxonomy chain
SCOR Practitioner — Session 2
ethicallyHackingspace (eHs)® | ProofLabs | TLP-GREEN60
MISSION 10 EXERCISE: RED VS. BLUE
⏱ 15 MINUTES — CULMINATING EXERCISE
🔵 BLUE TEAM: DEFEND
🔴 RED TEAM: ATTACK
FULL RED VS. BLUE CYBER IR EXERCISE IN ZENDIR.IO
  1. Detect attack indicators across ground, link, and space segments
  2. Classify and prioritize using METEORSTORM taxonomy (AN:IOA, AN:IOC, AN:DET)
  3. Execute detection-containment-eradication-recovery cycle
  4. Coordinate all four team roles simultaneously
  5. Maintain mission continuity throughout the response
  6. Document all actions for post-incident reporting and collective defense
Deliverable: Comprehensive cyber IR report — attack timeline, SPARTA techniques, METEORSTORM-tagged assets, response actions, detection improvements, collective defense recommendations.
SCOR Practitioner — Session 2
ethicallyHackingspace (eHs)® | ProofLabs | TLP-GREEN61
MISSION 10 CHECKPOINT
CHECKPOINT Q1
What makes satellite cyber IR fundamentally different from traditional IT IR? Name three space-specific constraints and explain how each affects the DCER cycle.
CHECKPOINT Q2
How does METEORSTORM attack path mapping from Session 1 inform real-time detection in Zendir.io? Trace a specific attack path from SEG:Ground through to AN:IOA.
CAPSTONE ACTIVITY (5 MIN)
Produce a comprehensive cyber IR report: attack timeline, SPARTA techniques used, METEORSTORM-tagged assets, response actions taken, detection improvements identified, and collective defense recommendations for MISP sharing.
MISSION QUESTION
After the exercise, your IR report reveals the adversary exploited a gap between your ground and space detection coverage — a seam between two METEORSTORM segments. How does your Session 1 decomposition need to evolve to close this gap?
SCOR Practitioner — Session 2
ethicallyHackingspace (eHs)® | ProofLabs | TLP-GREEN62
MISSION 10 ASSESSMENT RUBRIC
CriterionExemplary (4)Proficient (3)Developing (2)Beginning (1)
Cyber Attack Detection & Analysis
Detects indicators, maps attack path, applies METEORSTORM taxonomy		Detects all indicators across segments, correct attack path mapping with full METEORSTORM taxonomyDetects primary indicators, maps attack path with correct taxonomyDetects some indicators, incomplete attack path or taxonomy gapsCannot detect cyber indicators or map attack paths
Incident Response Execution
Complete DCER cycle, team coordination, mission continuity		Complete DCER cycle adapted for space, effective team coordination, mission continuity maintainedCore IR phases executed, adequate coordination, reasonable mission impactPartial response, significant containment/recovery gapsCannot execute structured cyber IR
Reporting & Collective Defense
Comprehensive report, METEORSTORM tags, detection improvements, MISP-ready		Comprehensive report, complete METEORSTORM tags, detection improvements, MISP-ready for collective defenseAdequate report, correct taxonomy, basic detection improvementsIncomplete report, partial taxonomy, vague improvementsCannot produce structured cyber IR report
SCOR Practitioner — Session 2
ethicallyHackingspace (eHs)® | ProofLabs | TLP-GREEN63
MISSION 10 SCORE CARD
DOMAIN 10: THUNDERDOME
12
Maximum Points
3
Criteria
6
Pass Threshold
Pass: ≥ 6/12 (50%) | No domain below pass threshold for credential
SCOR Practitioner — Session 2
ethicallyHackingspace (eHs)® | ProofLabs | TLP-GREEN64
COURSE DEBRIEF & COMPOSITE SCORING
SESSION 2 COMPOSITE
60
Session 2 Max
45
Pass Threshold (75%)
120
Combined S1+S2 Max
Credential threshold: ≥ 45/60 (75%) with no individual domain below 6/12 (50%). All 10 domains must achieve pass threshold.
DEBRIEF DISCUSSION
  • Key lessons from the THUNDERDOME exercise
  • Strongest domain performance and why
  • Areas for continued development
  • How METEORSTORM integrates across all 10 domains
DOMAIN SCORING SUMMARY
DomainSessionMaxPass
1. BLUEPRINTS1126
2. PANORAMAS1126
3. SENTINELS1126
4. TRIPWIRES1126
5. LIGHTHOUSES1126
6. OVERWATCHS2126
7. HELIOSS2126
8. APERTURES2126
9. SAFEGUARDS2126
10. THUNDERDOMES2126
MISSION COMPLETE
SCOR Practitioner — Full Spectrum Space Cybersecurity Professional
✓ BLUEPRINT
✓ PANORAMA
✓ SENTINEL
✓ TRIPWIRE
✓ LIGHTHOUSE
✓ OVERWATCH
✓ HELIOS
✓ APERTURE
✓ SAFEGUARD
✓ THUNDERDOME
You have completed all ten knowledge domains of the SCOR Practitioner programme. You are now a Full Spectrum Space Cybersecurity Professional.
ethicallyHackingspace (eHs)® | ProofLabs | TLP-GREEN | Version 1.0
1 / 65