5 min read

Sherlocks Submissions Process: A Step-by-Step Guide

Sherlocks are quickly gaining popularity! Read below to learn more about the steps to submit your own Sherlock and be rewarded.

JXoaT avatar

Apr 23

In the spirit of creation, we are now opening Sherlocks to community submissions! Hack The Box history of user-created content continues with a blue team twist. Sherlocks gives platform members the experience of diving into an incident in multiple engaging scenarios. 

Solve your first Sherlock

Our content is being played by SOC Engineers looking to stay up-to-date with current trends/threats and beginners getting their first glance at how a security incident plays out. We are even seeing a shift in interest from players who traditionally enjoyed our red-centric content!

There will always be new threats to find, each telling a different story of how compromise can happen in the wild. We’d like you to join us in crafting those stories.  

If you’re interested in creating your own Sherlock and get rewarded for that, here's what you need to know!

How do we differentiate levels? 

Each Sherlock’s story and content should focus on how a user will play through the scenario. All difficulties will contain a list of questions that will guide the user through the investigation process. 

Here’s a high level overview on how we’d differentiate each difficulty:

Very Easy and Easy 🟪🟩

  • Extremely beginner-friendly and concise investigation.

  • The attack life cycle is straightforward; the tools used are easily detectable.

  • High granularity in endpoint logs.

  • No complex reverse engineering is required.

  • Very Easy Typically completed within 1 hour, depending on experience.

  • Easy typically completed within 2-4 hours, depending on experience. 

Medium 🟨

  • Requires intermediate knowledge in defensive security.

  • Complex attack life cycle with multi-step processes and harder detection.

  • Endpoint log granularity varies by attack vector, set by the creator.

  • Expected duration: 4-8 hours, experience-dependent.

Hard 🟥

  • Requires advanced knowledge in defensive security.

  • Extremely complex attack life cycle with advanced/state nation actor tactics.

  • Diverse data types across various OSs and applications.

  • Endpoint log granularity varies by attack vector, set by the creator.

  • Expected duration: Up to 2 days, experience-dependent.

Insane ⬜

  • Requires expert knowledge in defensive security.

  • Highly complex attack life cycle with very difficult to detect/find attacker activity.

  • If malware is involved, it must be unique (not on VirusTotal) and require reverse engineering.

  • Expected duration: Up to 5 days, experience-dependent.

Payment scale 

We want to make your hard work well worth the effort! So here’s a quick breakdown of compensation based on difficulty: