What This Course Teaches and What It Doesn't

3 hours · Module 0 · Free
What you already know

You can write detection rules for individual ATT&CK techniques. You can fire those techniques in a lab and verify the telemetry they produce. What you haven't done is analyze a full campaign from the attacker's operational perspective and translate that understanding into multi-stage correlation rules. This section draws the boundary around the course: what it teaches, what it deliberately excludes, and how the offense-defense dual structure works in every paid module.

Scenario

Your team completed Purple Teaming and can fire ATT&CK techniques in a lab. Your detection engineering work produced 71 production rules. But when a real campaign hits (five techniques chained across identity, endpoint, and email over 48 hours) nobody on the team can explain why the attacker chose those techniques in that order, or predict what comes next. The techniques are known. The operational logic connecting them is not. That gap is what this course addresses.

The capability this course builds

The course teaches you how attackers plan and execute operations at the campaign level. Not individual techniques. Not tool-specific commands. The full operational arc: how groups build infrastructure, select initial access methods, establish footholds, move through networks, escalate privileges, evade defensive controls, and execute their objectives.

For each phase, you learn two things. First, the attacker's decision logic: why they choose specific techniques over alternatives, what constraints shape those choices, and how their decisions chain into a coherent campaign. Second, the defensive translation: what those decisions produce in your telemetry, how to detect the pattern that connects them, and where the detection gaps are.

The unit of work across the course is the campaign, not the technique. A campaign is a goal-directed operation spanning multiple systems, multiple techniques, and multiple days. The attacker makes decisions at every stage based on what they've observed, what they've gained, and what they still need. Your job is to recognize those decisions in your evidence and predict the next one.

When you finish the course, you can look at a set of alerts across systems and time, recognize the operational pattern that connects them, and classify the campaign by its decision logic. You can predict the attacker's next move and pre-position your response. That capability doesn't come from memorizing more techniques. It comes from understanding why attackers make the choices they make.

The distinction matters because most security training stops at the technique level. You learn what credential dumping is, how to detect it, and how to write a rule for it. That's necessary but insufficient. In a live incident, you don't encounter isolated techniques. You encounter campaigns: sequences of decisions made by an operator who has a plan, constraints, and an objective. The credential dump happened because the attacker needed lateral movement credentials. The lateral movement is happening because the attacker needs to reach the domain controller. The domain controller is the target because the attacker's objective is domain-wide ransomware deployment. Each technique is a decision in a chain, and the chain is the campaign.

Campaign-level understanding changes how you respond. Instead of containing each technique as it appears, you can identify the chain, predict where the attacker is heading, and block the path before they reach the objective. The difference between containing an endpoint and preventing a domain-wide encryption event often comes down to whether the defender recognized the campaign early enough to act on the chain rather than the link.

What this course does not teach

Drawing a clear boundary matters because the course sits between several adjacent disciplines. The boundary prevents you from arriving with wrong expectations and ensures you invest your time in the right training for the capability you need.

Penetration testing methodology. You won't learn to scope a pentest engagement, write a rules-of-engagement document, or produce a pentest report. The offensive content exists to serve defensive objectives. Every offensive technique you execute in a lab is immediately followed by the detection and hunting content that teaches you how to find it.

Exploit development. You won't write shellcode, reverse-engineer binaries, or develop zero-day exploits. The course uses existing offensive tooling (C2 frameworks, credential tools, living-off-the-land binaries) as vehicles for understanding attacker behavior. The tool is never the point. The decision to use that tool, and what it reveals about the attacker's operational logic, is the point.

Individual technique detection at the rule level. Detection Engineering teaches you to identify a technique, observe its telemetry footprint, and write a Sigma rule that catches it. Purple Teaming teaches you to execute the technique in a lab and validate the rule against live telemetry. This course assumes those skills are in place. It builds campaign-level correlation on top of them, not in place of them.

Tool-specific operator training. Cobalt Strike, Sliver, Mythic, Mimikatz, Rubeus, Certify, and other tools appear throughout the course as examples of attacker tooling. No module is organized around a specific tool. Tools change. Operational patterns persist. You learn to detect the pattern regardless of which tool produced it.

Compliance framework mapping. No ISO 27001 controls, no NIST CSF alignment tables, no regulatory mapping. The course is operational. It teaches you what attackers do and how to detect it. If you need to map your detection capabilities to a compliance framework, that mapping happens after you've built the detection, not as a substitute for building it.

Malware reverse engineering. You won't disassemble binaries, analyze shellcode execution, or reverse custom implants. The course covers malware at the operational level: what classes of implants exist, what capabilities they provide to operators, and what telemetry they produce. You'll understand why an attacker chooses a reflective DLL injection loader over a process-hollowed implant. You won't write either one.

The offense-defense dual structure

Every paid content section from M2 through M11 follows the same dual structure. This isn't a stylistic choice. It's the course's core pedagogical model.

THE OFFENSE/DEFENSE DUAL STRUCTURE

OFFENSE DEEP-DIVE (50-60%)
How the attacker executes this phase
Decision logic: why this technique, not that one
Constraint analysis: time, tooling, detection risk
Hands-on: build and execute the attack in your lab

DEFENSIVE TRANSLATION (40-50%)
Detection: Sigma + KQL + SPL correlation rules
Hunting: proactive investigation techniques
Mitigation: controls that limit attacker options
Logging gaps: what you're probably not seeing

WHY THIS SEQUENCE MATTERS
Understand the offense → Build detection for the pattern → Identify what the detection misses → Know what to hunt for

RESULT
Detections built with offensive understanding catch the campaign pattern, not just the individual artifact

Figure 0.4 — Every paid content section follows the offense-defense dual structure. You always understand the attack before you build the detection, because detections built without offensive understanding catch artifacts, not patterns.

Offense deep-dive (50-60% of the section). How the attacker executes this phase of the operation, step by step. What they're trying to achieve, what decisions they make, why they make them, and what constraints drive the choices. You execute the attack in a hands-on lab so you've operated it yourself and seen the telemetry it produces from the attacker's perspective.

Defensive translation (40-50% of the section). What the attack produces in your telemetry and how to detect and respond to it. Four components in every defender section: detection rules (Sigma, KQL, and SPL correlation rules), hunting techniques (proactive investigation methods for finding the activity when rules don't fire), mitigation controls (defensive measures that constrain the attacker's options), and logging gaps (telemetry sources you're probably not collecting that would make the attack visible).

The offense percentage is deliberately higher than the defense percentage, because the offensive understanding is the hard part. Once you understand why the attacker made a specific decision, the detection rule writes itself. The challenge is never "how do I write a KQL query." The challenge is "what behavioral pattern should this query look for." The offense section answers that question.

Labs and campaign telemetry

Every content section includes two hands-on labs: one in the offense section (build and execute the attack) and one in the defender section (detect and investigate the attack you just executed).

Labs run in your own environment: a Linux VM for attack tooling, a Windows VM with Sysmon and Windows event forwarding for endpoint telemetry, and your SIEM (Sentinel or Splunk) for detection queries. The lab setup guide in M1 walks through the full configuration.

Starting in M5, modules covering multi-system, multi-day campaigns include pre-generated campaign telemetry datasets. These supplement the per-section labs for scenarios that can't be reproduced in a two-VM environment: multi-host lateral movement paths, 48-to-72-hour campaign timelines, and cross-system correlation across identity, endpoint, email, and network telemetry. You ingest the dataset into your SIEM and work through the investigation as if it were a live incident.

The campaign datasets are structured around realistic attack timelines. A ransomware dataset might span 48 hours from initial access to deployment, with realistic gaps between phases where the attacker is waiting for credentials to crack, waiting for users to log off, or staging tools on intermediate systems. An espionage dataset might span two weeks with long dormant periods between activity bursts. The datasets teach you to recognize operational tempo, not just individual events.

Where this course fits in your development

The course assumes comfort with Sigma rules, KQL or SPL, and ATT&CK at the technique level. If you've completed Detection Engineering or Purple Teaming on this platform, you have the prerequisite skills. If you're coming from equivalent experience elsewhere, you should be able to write a Sigma rule from scratch and run correlation queries in your SIEM.

Analyst Decision

Detection Engineering: You write a Sigma rule for T1003.001 (LSASS credential dumping). The rule detects the technique regardless of the tool used.

Purple Teaming: You fire T1003.001 in a lab, verify the rule triggers, validate the telemetry, and confirm the Sigma rule catches the technique in your specific environment.

Offensive Operations: You understand why the attacker chose LSASS dumping over Kerberoasting (time pressure: LSASS gives plaintext credentials immediately, Kerberoasting requires offline cracking). You write a correlation rule that detects the pattern: credential dump on workstation, followed by new authentication from a different source within 4 hours, followed by persistence on the target system within 2 hours. The correlation rule catches the campaign regardless of which credential technique the attacker used.

The progression: Technique detection (DE) → Technique validation (PT) → Campaign correlation (OD). Each builds on the last. None replaces the others.
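The correlation rule in the Analyst Decision above, as an added Python example that is not course code: it matches the three-stage chain (credential access on a workstation, logon from that workstation to a different host within 4 hours, persistence on that host within 2 hours) over constructed sample events, and matches whether the credential technique was an LSASS dump or Kerberoasting. The event shape, the technique sets and the window sizes are assumptions for illustration.

```python
# Added example, not course material. Three-stage campaign correlation:
#   1. credential access on a workstation, by ANY listed technique
#   2. authentication from that workstation to a different host within 4 hours
#   3. persistence created on that target host within 2 hours of the logon
# Event layout, technique sets and windows are assumptions for illustration.
from dataclasses import dataclass
from datetime import datetime, timedelta

CRED_ACCESS = {"T1003.001", "T1558.003"}   # LSASS memory dump, Kerberoasting
PERSISTENCE = {"T1053.005", "T1547.001"}   # scheduled task, registry run key

@dataclass
class Event:
    ts: datetime
    host: str             # host that produced the telemetry
    technique: str        # ATT&CK ID, or "LOGON" for an authentication event
    src_host: str = ""    # logons only: where the authentication originated

def correlate(events, auth_window=timedelta(hours=4), persist_window=timedelta(hours=2)):
    """Return (cred_access, logon, persistence) triples forming the chain.
    The credential technique never enters the match: the rule keys on
    sequence and timing, which is what survives a change of tooling."""
    events = sorted(events, key=lambda e: e.ts)
    chains = []
    for dump in [e for e in events if e.technique in CRED_ACCESS]:
        for logon in [e for e in events if e.technique == "LOGON"]:
            in_window = dump.ts < logon.ts <= dump.ts + auth_window
            lateral = logon.src_host == dump.host and logon.host != dump.host
            if not (in_window and lateral):
                continue
            for p in [e for e in events if e.technique in PERSISTENCE]:
                if p.host == logon.host and logon.ts < p.ts <= logon.ts + persist_window:
                    chains.append((dump, logon, p))
    return chains

def sample_events():
    """Constructed telemetry: one real chain (via Kerberoasting) and one decoy."""
    t0 = datetime(2024, 3, 1, 9, 0)
    return [
        Event(t0, "WS01", "T1558.003"),                                    # Kerberoast on WS01
        Event(t0 + timedelta(hours=2, minutes=30), "SRV02", "LOGON", "WS01"),
        Event(t0 + timedelta(hours=3, minutes=15), "SRV02", "T1053.005"),  # task on target
        Event(t0 + timedelta(hours=5), "WS07", "T1003.001"),               # LSASS dump on WS07
        Event(t0 + timedelta(hours=10), "SRV09", "LOGON", "WS07"),         # 5h later: too late
        Event(t0 + timedelta(hours=10, minutes=30), "SRV09", "T1547.001"),
    ]

if __name__ == "__main__":
    for dump, logon, p in correlate(sample_events()):
        print(f"chain: {dump.technique}@{dump.host} -> {logon.src_host}->{logon.host} "
              f"-> {p.technique}@{p.host}")
```

The decoy LSASS dump on WS07 produces no chain because its follow-on logon falls outside the 4-hour window, which is exactly the kind of timing constraint a single-technique rule cannot express.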

The Analyst Decision above captures the progression. Detection Engineering gives you the technique-level rule. Purple Teaming validates it against real telemetry. Offensive Operations gives you the campaign-level understanding that lets you correlate those technique-level detections into campaign-pattern rules. The three courses are cumulative, not competitive.

Offensive Operations Principle

This course is not a red team course and not a repeat of Purple Teaming. It teaches the operational logic behind campaigns: why attackers make the decisions they make. That understanding lets you classify, predict, and respond to campaigns in progress, not just detect individual techniques after they execute.

Next
Section 0.5: Course Roadmap. You know the scope and the structure. Section 0.5 maps all 12 modules against the offensive lifecycle so you can see where each fits, what capability it builds, and how they chain into a complete campaign-detection skill set.