diff --git a/Blue Team/prompt-02.md b/Blue Team/prompt-02.md new file mode 100644 index 0000000..32f9a73 --- /dev/null +++ b/Blue Team/prompt-02.md @@ -0,0 +1,15 @@ +Analyze this IP for SOC triage: + +Seen in: +Direction: +Protocol/port: +First seen / last seen: +Asset involved: + +Deliver: +- Likely role (CDN/cloud/VPN/residential/hosting) and what that implies +- High-risk indicators (ASN patterns, uncommon ports, bursty beacons, geo anomalies, TOR/VPN hints) +- Internal correlation checklist (netflow, DNS, process tree, user activity) +- Severity + confidence +- Next steps: contain / monitor / block / escalate +Output: “Finding Summary”, then “Evidence to Collect”, then “Decision”.
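Review bot: the template has no field for the IP itself; `+Analyze this IP for SOC triage:` is followed directly by `+Seen in:`, `+Direction:` and the other context lines, so an analyst pasting this prompt has nowhere structured to put the address under triage. Suggest adding `+IP:` as the first field of the "Seen in" block, and a line for the enrichment source (whois/ASN/GeoIP feed) since the "Likely role" and "ASN patterns" deliverables depend on data the prompt does not say where to take from. The `+- Severity + confidence` bullet also names no scale; stating one (for example Low/Medium/High for severity and a percentage or Low/Medium/High for confidence) keeps the "Decision" section comparable across triages.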