diff --git a/Blue Team/prompt-03 b/Blue Team/prompt-03 new file mode 100644 index 0000000..3b6fbc1 --- /dev/null +++ b/Blue Team/prompt-03 @@ -0,0 +1,13 @@ +Investigate the domain behind this URL as a threat hunter: + +Provide: +- Registrant/age heuristics (newly registered? likely disposable?) +- DNS posture: A/AAAA, MX, TXT/SPF/DMARC, NS patterns, fast-flux signs +- Certificate/TLS hints (issuer, validity, SANs) and what to pivot on +- Similar domains / typosquat possibilities (what to look for internally) +- Recommended detections (SIEM queries ideas) +Output as: +1) Key Observations +2) Pivots (what else to search for) +3) Detection Opportunities +4) Recommended Response
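Review bot: The first line asks to "Investigate the domain behind this URL" but the file never defines where the URL is supplied, and the requested items (registrant age, live DNS records, certificate issuer/SANs) are data the assistant cannot look up itself, so as written the prompt invites invented observations. Suggest adding an explicit input slot and a grounding instruction at the top, for example "URL: {url}" followed by "Only report values present in the evidence provided below; where a lookup has not been run, list the command or data source to run instead of a result", so that "1) Key Observations" separates observed from inferred. Minor: "SIEM queries ideas" should read "SIEM query ideas".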