For each major campaign decision point, create a decision tree: - "If phishing succeeds and we get a standard user session -> [Path A: credential harvesting and privilege escalation]" - "If phishing succeeds but EDR detects the payload -> [Path B: switch to fileless techniques]" - "If phishing fails