
This mock case study of a malicious file upload and web shell planting attack illustrates the anatomy of a modern application-layer intrusion and its full lifecycle across investigation, containment, and remediation.


Compcode1/malicious-file-upload


The case study highlights several critical real-world principles:

- Weak application-layer controls — like poor file upload validation — are still primary footholds for attackers.
- Server-layer compromise often stems from overlooked permissions and lack of application hardening.
- Memory and runtime forensics become essential when active exploitation is suspected, not just disk-based analysis.
- Cross-referencing host, network, and application layers builds a complete, defensible investigation timeline.
- Early detection through proper logging, WAF alerts, and triage frameworks dramatically reduces attacker dwell time.

This project demonstrates a practical example of how cybersecurity triage frameworks, system anatomy understanding, and disciplined investigation flow allow security professionals to respond systematically — not chaotically — under real-world attack conditions.

The methodology used here deliberately bridges theoretical exam preparation (e.g., CySA+) with real-world investigative logic, preparing practitioners for both technical interviews and operational roles.
