Real hunts rarely map to a single MITRE technique. A scenario titled "exfiltration" might involve text storage (T1567.003), cloud storage (T1567.002), and non-C2 protocol exfil (T1048.003) all at once. When you reference the matrix, look at adjacent techniques within the same tactic, not just the most obvious one. Tunnel vision on one ID is the most common rookie mistake. Hints shown in tutorial mode only. Switch to "Challenge" to hide.