Interactive runtime-defense lab. Six scenarios drop you into the first 60 seconds of an incident: a Falco "shell in container" alert, lateral movement via stolen ServiceAccount tokens, crypto-miner indicators, Tetragon-detected container drift, audit-log triage of privilege escalation, and eBPF detection of fileless memfd-based attacks.