diff --git a/Blue Team/prompt-05.md b/Blue Team/prompt-05.md new file mode 100644 index 0000000..d083ba7 --- /dev/null +++ b/Blue Team/prompt-05.md @@ -0,0 +1,14 @@ +Threat-hunt this potential C2 indicator: + +Observed pattern: +- Periodicity: +- Bytes in/out: +- Protocol: +- User-agent / SNI / JA3 (if known): +- Affected hosts count: + +Deliver: +- Beaconing assessment (why/why not) +- What to verify next (process lineage, scheduled tasks, persistence checks) +- Containment recommendation threshold (when to isolate) +- Detections to add (behavioral, not just IOC)
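Review bot: the "Observed pattern" block in this hunk has no destination or time-window fields, yet the "Beaconing assessment (why/why not)" deliverable depends on both (periodicity is only meaningful relative to how long the pattern was observed, and a destination is needed to judge whether the traffic is a known-good service). Suggest adding two lines after `- Affected hosts count:`, for example `- Destination (IP / domain / ASN):` and `- Observation window (first seen / last seen):`, and noting jitter next to periodicity, e.g. `- Periodicity (interval and observed jitter):`, since a fixed interval versus a jittered one changes the assessment. Also consider giving the "Containment recommendation threshold" line a hint of the inputs it should weigh (host count, host criticality, confidence) so the prompt produces a consistent answer across analysts.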