Offensive Security

For Security Practitioners Who Want to Detect Campaigns, Not Just Alerts

Offensive Security for Defenders

Think like the attacker. Detect the campaign. Stop chasing IOCs.

Operate offensive tools in your lab — Sliver, Evilginx, Impacket — then switch perspective and detect what you built. Every module translates offensive operations into campaign-level detection strategy, with concrete detection capabilities, telemetry, and datasets to sharpen your analysis skills.

What you'll deploy
Campaign-level understanding of how attackers plan and execute operations
Real attacker TTPs translated into production Sentinel + Defender XDR detections
Offensive infrastructure analysis: C2, redirectors, and staging servers
Payload analysis skills: what the attacker built and how to detect it
Detection rules mapped directly to offensive techniques you've studied
Purple team validation methodology for testing your own defenses
Offensive logic → defensive translation

Attacker planning: operational profiles, risk tolerance, campaign timing. How the attacker thinks about your organization as a target.
Infrastructure: C2 systems, redirectors, CDN abuse, rotation patterns. Map the topology from a single IOC; stop chasing domains one at a time.
Payload engineering: multi-stage chains, obfuscation, MOTW bypass, LOLBins. Read the delivery chain as intelligence about the attacker's capability.
Post-compromise: escalation, lateral movement, persistence, exfiltration. Campaign-level detection across the full attack lifecycle.
Campaign synthesis: connect the dots from phishing email to data exfiltration. Full campaign reconstruction from multi-source telemetry.

12 modules | 10 datasets | 30–40 hours | Hands-on labs

From "I blocked the IOC" to "I mapped and dismantled the campaign".

What you'll be able to do

Operate offensive tools (Sliver, Evilginx, Impacket) in a lab and detect what you built from your own telemetry
Reconstruct complete attack campaigns from multi-source telemetry across hosts and timeframes
Predict attacker next steps during active investigations based on operational patterns
Build campaign-level detection rules that catch operational patterns rather than isolated artifacts
Translate offensive understanding into detection portfolio design and programme investment decisions
Premium tier | 12 modules + cheatsheet | 30–40 hours at your own pace | 40 CPE credits | 2 free modules — no account needed | Updated May 2026

Who this course is for

“I write detection rules from documentation but I've never run the attack.” You build rules from vendor advisories and blog posts, but you've never seen what Sliver C2 beaconing actually looks like in your telemetry. This course puts offensive tools in your hands so your detections are built from observation, not imagination.

“I block IOCs one at a time and the attacker just rotates infrastructure.” Blocking a C2 domain is a five-minute fix for the attacker. This course teaches you to map the campaign infrastructure — redirectors, staging servers, CDN abuse patterns — so you detect the operational pattern, not the disposable indicator.

“I see individual alerts but I can't connect them into a campaign narrative.” A phishing email, a suspicious sign-in, a PowerShell download, a scheduled task — four separate alerts that are actually one attack chain. You learn to think at the campaign level: what was the objective, what was the sequence, what comes next.

“Our red team drops a report with 20 findings and I don't know what to do with it.” Each finding maps to attacker technique, telemetry source, and detection opportunity. This course teaches you to read offensive findings as detection engineering input — translating every red team result into a rule, a hunt, or a hardening change.

“I understand phishing emails but not what happens after initial access.” The full post-compromise lifecycle: privilege escalation, credential access, lateral movement, persistence, data staging, exfiltration. You operate each phase with real tools and then build the detection layer that catches it.

“I want adversarial thinking but I'm not pursuing an offensive career.” This is not a pentesting course. You never learn to exploit for its own sake. Every offensive technique is taught as a defender's advantage: understand what they do so you can detect how they do it.

Whatever your background — if the subject interests you and you're willing to put in the work, this course is for you.

Before and after this course

Before

You block a malicious domain and the attacker is back in 20 minutes with a new one. You're playing whack-a-mole with IOCs.

Four alerts fire across different consoles. You investigate each separately and close them as unrelated. They were the same campaign.

You read “the attacker used Sliver for C2” in a threat report and you have no idea what that looks like in your telemetry or how to detect it.

The red team report says “we achieved domain admin via Kerberoasting” and you don't know whether your detections would have caught it or where to start building one.

After

You detect the C2 beaconing pattern, not the domain. The attacker rotates infrastructure and the behavioral detection still fires because the operational pattern hasn't changed.

You see the campaign: the phishing email delivered the payload, the payload established persistence, the persistence enabled lateral movement. One investigation, one timeline, one containment action.

You've run Sliver yourself. You know the beacon jitter, the named pipe pivots, the process injection telemetry. Your detection rule was built from watching it run, not reading about it.

Every red team finding becomes a detection engineering ticket: technique → telemetry source → detection rule → validation test. The offensive report is input, not output.

How the course works

Every module follows the same structure: attack 50–60%, telemetry 15–20%, detection 15–20%. You operate the offensive tool, then pivot to the defensive side:

Attack
Operate the Tool

Run Sliver, Evilginx, Impacket in your lab. Execute the technique the way an operator would — infrastructure setup, payload delivery, post-compromise actions. Not theory. Execution.

Telemetry
Read the Evidence

Switch perspective. Look at Sysmon, Event Logs, Defender telemetry, network captures. See exactly what evidence the attack produces and where it's visible.

Detect
Build Campaign Detection

Write the detection that catches the operational pattern, not just the IOC. KQL for Sentinel, Defender XDR custom detections. Rules that survive when the attacker rotates infrastructure.

What the content looks like

This is a real detection from the C2 module. After you've operated Sliver and observed the beaconing pattern, you build the KQL that flags connections by the regularity of their timing, not by the domain name the attacker will change tomorrow.

KQL — From Module 8: C2 Beaconing Detection
// Detect periodic outbound beaconing by jitter consistency.
// DeviceNetworkEvents has no interval column: derive it from the gap
// between consecutive connections of the same host/process/destination.
DeviceNetworkEvents
| where RemotePort in (80, 443)
| where ActionType == "ConnectionSuccess"          // ignore failed/attempted connections
| sort by DeviceName asc, RemoteIP asc, InitiatingProcessFileName asc, TimeGenerated asc
| extend Interval = iff(
      DeviceName == prev(DeviceName)
        and RemoteIP == prev(RemoteIP)
        and InitiatingProcessFileName == prev(InitiatingProcessFileName),
      datetime_diff('second', TimeGenerated, prev(TimeGenerated)),
      long(null))                                  // first row of a series has no gap
| summarize
    ConnectionCount = count(),
    AvgInterval = avg(Interval),
    StdDevInterval = stdev(Interval)
    by DeviceName, RemoteIP, InitiatingProcessFileName,
       Hour = bin(TimeGenerated, 1h)
| where ConnectionCount > 10
    and StdDevInterval / AvgInterval < 0.15  // low jitter ratio
| project Hour, DeviceName, RemoteIP,
    InitiatingProcessFileName, ConnectionCount,
    AvgInterval, JitterRatio = StdDevInterval / AvgInterval

A jitter ratio below 0.15 means the connection intervals are suspiciously consistent: too regular for human browsing, too periodic for most application traffic. The module teaches you to tune this threshold for your environment (some backup agents and updaters poll on a fixed schedule and will score as beacons) and to correlate with process lineage so you don't alert on Windows Update. The ratio is only one signal: a beacon configured with a wide jitter window will score above the threshold, so pair it with connection volume, destination reputation, and process lineage rather than relying on the ratio alone.
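The same statistic the query computes, carried over to Python as an added example (not course material) so you can see it behave on data without a Sentinel workspace. The hosts, IPs, process names, and the four connection series (a tight-jitter beacon, bursty browsing, a fixed-schedule backup agent, and the same beacon with a wide jitter window) are constructed for the example; the thresholds are the ones from the KQL above. Beyond the paragraph, it shows the two failure modes a practitioner has to plan for: the scheduled agent scores as a beacon, and the wide-jitter beacon does not.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, stdev

# Thresholds mirror the KQL on the page.
MIN_CONNECTIONS = 10      # ConnectionCount > 10
MAX_JITTER_RATIO = 0.15   # StdDevInterval / AvgInterval < 0.15


def make_series(start, device, remote_ip, process, gaps_s):
    """Build one connection series: a start time plus a list of gaps in seconds."""
    events, t = [(start, device, remote_ip, process)], start
    for gap in gaps_s:
        t += timedelta(seconds=gap)
        events.append((t, device, remote_ip, process))
    return events


T0 = datetime(2026, 4, 1, 10, 0, 0)
# Constructed sample telemetry (not real data): hostnames, IPs and process names are made up.
EVENTS = (
    # 1) implant checking in every ~60 s inside a tight jitter window
    make_series(T0, "WS-104", "203.0.113.7", "OneDriveSync.exe",
                [58, 62, 60, 61, 59, 60, 63, 57, 60, 61, 60])
    # 2) human browsing: bursty, irregular gaps
    + make_series(T0, "WS-104", "198.51.100.20", "msedge.exe",
                  [3, 45, 2, 1, 120, 7, 30, 2, 400, 5, 9])
    # 3) a legitimate agent polling exactly every 5 minutes (looks like a beacon)
    + make_series(T0, "WS-104", "192.0.2.55", "BackupAgent.exe", [300] * 11)
    # 4) the same implant configured with a wide (+/- 50 %) jitter window
    + make_series(T0, "WS-221", "203.0.113.7", "OneDriveSync.exe",
                  [35, 88, 42, 77, 60, 31, 89, 55, 70, 38, 84])
)


def jitter_profile(events):
    """Group by (hour bin, device, remote, process) and score each group.

    Returns {key: {"count", "avg", "stdev", "ratio", "flagged"}}. Mirrors the KQL:
    count() counts connections, the first connection of a series has no interval,
    and stdev is the sample standard deviation (as KQL's stdev() is).
    """
    groups = defaultdict(list)
    for ts, device, remote, proc in sorted(events):
        hour = ts.replace(minute=0, second=0, microsecond=0)   # bin(TimeGenerated, 1h)
        groups[(hour, device, remote, proc)].append(ts)

    out = {}
    for key, stamps in groups.items():
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if len(gaps) < 2:               # stdev needs at least two intervals
            continue
        avg, sd = mean(gaps), stdev(gaps)
        ratio = sd / avg if avg else float("inf")
        out[key] = {
            "count": len(stamps),
            "avg": avg,
            "stdev": sd,
            "ratio": ratio,
            "flagged": len(stamps) > MIN_CONNECTIONS and ratio < MAX_JITTER_RATIO,
        }
    return out


def flagged_keys(events):
    """The (device, remote, process) tuples the rule would alert on."""
    return sorted({(k[1], k[2], k[3])
                   for k, v in jitter_profile(events).items() if v["flagged"]})


if __name__ == "__main__":
    for key, row in jitter_profile(EVENTS).items():
        print(key[1:], f"n={row['count']} avg={row['avg']:.1f}s "
              f"ratio={row['ratio']:.2f} flagged={row['flagged']}")
```

Run as-is it prints four rows: the tight-jitter beacon and the backup agent are flagged, browsing and the wide-jitter beacon are not. The agent is the tuning case the module describes (process lineage or a per-process baseline removes it); the wide-jitter beacon is the case a fixed ratio threshold will never catch, which is why the ratio is paired with volume and lineage rather than used alone.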

Usage rights and disclaimer

Course materials: Licensed for individual professional development. You may use detection rules, queries, and analysis techniques in your professional work. You may not redistribute course content or share account credentials.

Offensive techniques: All attack execution is in your own isolated lab. Do not execute techniques against systems you do not own or have explicit written authorization to test.

Fictional environment: All scenarios use Northgate Engineering. Any resemblance to real organizations is coincidental.

Version and changelog

Current version: 1.0  |  Last updated: April 2026

April 2026 — v1.0: Course launch. 12 modules (OD0–OD11) plus operational cheatsheet. Complete offensive lifecycle from attacker planning through campaign reconstruction. 10 campaign telemetry datasets. Type 2 structure throughout.

This course is actively maintained. Content is updated as the threat landscape evolves.

COURSE ASSESSMENT

End of Course Exam

Complete the course, then prove your skills under time pressure. Pass mark: 70 out of 100. Earn your certificate with CPE credits.

40 minutes | 3 phases | 100 points | 1 scenario

Requires 80% course completion. One random scenario per attempt. Certificate issued on pass.