Module 3 Narration
Opening
Open with the professional setting: an incident response team deciding which containment actions can be automated safely. Ask students what decision is being made, who is affected, and what evidence would be persuasive to a skeptical reviewer.
Middle
Move through the module in four passes:
1. Define SOAR and tool orchestration in the context of Automated Response Systems.
2. Walk through the lab as a proxy-data exercise, emphasizing what it can and cannot show.
3. Compare a baseline with an AI-enabled or more sophisticated alternative.
4. Translate the result into stakeholder language: recommendation, risk, mitigation, and next evidence.
Closing
Close by returning to the module artifact: an automated response playbook with approval gates, a rollback plan, and a post-incident learning loop, focused on SOAR and tool orchestration: prototype a tool orchestration plan. Students should leave knowing exactly what artifact they are producing and how it will be judged.