Course Roadmap — 12 Modules in Context
You know the ATT&CK framework's tactic structure from Initial Access through Impact. You've seen courses organized by tactic. This course follows the offensive lifecycle rather than the ATT&CK tactic list, because attackers think in operational phases, not tactic categories. This section maps all 12 modules across four phases so you can see where each fits, what capability it builds, and how to plan your path through the course.
Scenario
You have 30 minutes before a leadership briefing on an active incident. You know the attacker used a phishing email, stole credentials, moved laterally to a file server, and exfiltrated data. Leadership asks: who is doing this, what do they want, how serious is it, and what should we do? You need a framework that turns partial evidence into a structured assessment. The course roadmap below is that framework: each module gives you one more layer of assessment capability, from infrastructure classification through campaign reconstruction.
Why the course follows the offensive lifecycle, not ATT&CK tactics
ATT&CK organizes techniques by tactic: what the attacker is trying to achieve at each stage. That's a useful classification system, but it's not how attackers plan or execute operations. An attacker doesn't think "now I'll do some Credential Access, then some Lateral Movement." They think "I need domain admin credentials to reach the backup server, and I need to reach the backup server before I can disable recovery points."
The offensive lifecycle follows the operational sequence: how campaigns actually unfold in time, from pre-attack planning through objective execution. The lifecycle sequence matters because each phase creates the conditions for the next phase. Infrastructure decisions constrain delivery options. Delivery method determines what kind of initial access is possible. The type of initial access shapes what the attacker can do in the first 30 minutes. Each phase is a set of decisions conditioned on the outcomes of the previous phase.
Organizing the course around the operational lifecycle means you learn to read campaigns as decision chains, not as collections of techniques sorted by tactic.
The four course phases
Figure 0.5 — The course follows the offensive lifecycle, not the ATT&CK tactic list. Each phase builds a distinct defensive capability. The capability compounds: M10 uses M2 through M9, and M11 uses everything.
Phase 1: Foundation (M0 and M1, free)
You're in Phase 1 now. These two modules establish the conceptual foundation: why campaign-level detection matters (M0) and how attackers plan operations at the campaign level (M1). No lab infrastructure required. The exercises use your existing SIEM and alert queue.
M0 gave you the campaign detection gap, the five cognitive differences between offensive and defensive thinking, the Pyramid of Pain as a detection investment model, and the course scope. M1 teaches attacker operational planning: how groups select targets, assess defensive postures, allocate resources, build operational timelines, and make go/no-go decisions. The planning perspective is the lens you'll use throughout every subsequent module.
The defensive capability built: you understand the campaign detection gap and the attacker's operational decision framework. You can apply perspective switching and retrospective alert correlation to your own investigations immediately.
Phase 2: Offensive lifecycle (M2 through M9, premium)
Eight modules, each covering one phase of the offensive lifecycle. Every module follows the offense-defense dual structure from Section 0.4. Hands-on labs in every content section.
M2: Offensive Infrastructure. How attackers build C2 infrastructure, redirector chains, domain fronting configurations, and staging servers. You learn to map infrastructure topology from a single IOC and understand why infrastructure decisions constrain everything that follows. The defender section teaches you to detect infrastructure setup patterns in DNS, certificate transparency, and network telemetry.
M3: Payload Engineering and Delivery. How attackers build payloads (loaders, implants, droppers) and deliver them to targets (phishing, watering holes, supply chain). You learn to read delivery artifacts and classify the attacker's capability level from the payload engineering. The defender section teaches you to trace the delivery-to-execution chain and detect delivery mechanisms across email, web, and endpoint telemetry.
M4: Initial Access. The transition from delivery to execution. How the attacker gains their first foothold, what they learn in the first minutes, and how the access method shapes their operational options. The defender section teaches you to classify the initial access method and predict what it reveals about the attacker's profile and objectives.
M5: The First 30 Minutes. The critical post-compromise period where the attacker transitions from foothold to operational presence. Environment discovery, security tool enumeration, privilege assessment, and persistence decisions. The defender section teaches you to detect the post-compromise command sequence that every operator runs, regardless of their tooling.
M6: Credential Operations. How attackers harvest, crack, relay, and reuse credentials across an enterprise. Not just LSASS dumping: Kerberoasting, AS-REP roasting, NTLM relay, token theft, certificate abuse, and credential material from cached sessions. The defender section teaches you to map credential harvesting campaigns and track credential reuse chains across systems.
M7: Lateral Movement. How attackers move from system to system using harvested credentials and remote execution protocols. RDP, WinRM, DCOM, WMI, PsExec, SSH, and protocol-specific tradecraft for each. The defender section teaches you to reconstruct multi-hop lateral movement paths from authentication telemetry and detect the movement patterns that signal a campaign in progress.
M8: Defense Evasion. How attackers avoid, disable, or blind defensive controls. Timestamp manipulation, log deletion, EDR unhooking, AMSI bypass, event log clearing, and the operational decision logic behind evasion choices. The defender section teaches you to detect evasion meta-signals: the evidence that evidence was destroyed.
M9: Objectives. The end-game: data staging, exfiltration, ransomware deployment, destructive operations, and persistent access maintenance. How the attacker's objective determines their entire campaign structure, working backward from the end state to the initial access. The defender section teaches you to identify the attacker's objective from pre-execution staging patterns and correlate objective-stage activity with earlier campaign phases.
The defensive capability built across Phase 2: for each offensive phase, you understand the attacker's decision logic, can detect the operational patterns in your telemetry, know how to hunt for the activity proactively, and have identified your environment's logging gaps.
Phase 3: Campaign reconstruction (M10, premium)
The capstone module. You receive 72 hours of multi-system telemetry from a campaign variant and reconstruct the full operation: initial access through objective execution, across multiple hosts, using every skill taught in M2 through M9.
The defensive capability built: you can take raw multi-system telemetry and produce a structured campaign reconstruction. That reconstruction skill is what leadership needs during an active incident, what legal needs for regulatory notification, and what your detection engineering team needs to build campaign-correlation rules that catch the next campaign with the same operational pattern.
Phase 4: Strategy (M11, premium)
The final module translates offensive understanding into program-level decisions. Threat modeling from the attacker's perspective, where you assess your environment through the eyes of the most likely threat actors. Attacker economics: what's cheap to change, what's expensive, and where your detection investment produces the most durable value. Detection roadmap construction: prioritizing rule development based on the campaign patterns most relevant to your threat model.
The defensive capability built: you can design a detection program that prioritizes the right investments based on the most likely campaign patterns for your organization's threat profile. Not a generic ATT&CK coverage heatmap. A threat-informed roadmap that allocates engineering effort where it imposes the most cost on the attacker.
Per-module capability summary
Each module builds a specific, testable capability. After each module, you can do something you couldn't do before:
M0. Apply retrospective alert correlation to your closed-alert queue.
M1. Assess an attacker's operational profile from campaign evidence.
M2. Map C2 infrastructure topologies from a single IOC.
M3. Trace the delivery-to-execution chain from a phishing artifact.
M4. Classify the initial access method and predict what it reveals about the attacker.
M5. Detect the post-compromise command sequence in the first 30 minutes.
M6. Map credential harvesting campaigns and reuse chains across systems.
M7. Reconstruct multi-hop lateral movement paths from authentication telemetry.
M8. Identify evasion meta-signals.
M9. Determine the attacker's objective from pre-execution staging patterns.
M10. Reconstruct a full campaign from raw multi-system telemetry.
M11. Build a threat-informed detection roadmap for your organization.
These capabilities compound. M10 requires M2 through M9. M11 uses everything.
Offensive Operations Principle
Twelve modules follow the offensive lifecycle from planning through exfiltration. Each module builds a specific defensive capability. The capability accumulates: by the capstone, you take raw multi-system telemetry and produce a campaign reconstruction that identifies the attacker's decisions, predicts their operational pattern, and informs the defensive response.