Module Summary

3 hours · Module 0 · Free

What you learned in this module

M0 established the problem this course solves and the framework it uses to solve it. Here is what you now know:

The campaign-correlation gap is where attackers succeed against functional detection (OD0.1). Three alerts on three systems over six hours. Each triaged independently as a standalone event. Together they form a credential-access campaign that nobody recognizes until the attacker has already achieved their objective. M-Trends 2026 reports a median dwell time of 14 days, not because organizations lack detection tools, but because SOC workflows process alerts as isolated incidents. The campaign-correlation gap is the space between technique-level detection and campaign-level understanding. Closing that gap requires a different mode of analysis: retrospective alert correlation, where you revisit closed alerts and ask what connects them across time, systems, and identities.
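The retrospective correlation described above, as an added example that is not course material or any vendor's code: it takes a constructed set of alerts that a SOC closed independently (hypothetical hosts, users, technique labels and dispositions), links pairs that share an identity or where one alert's host is the other's source host inside a time window, and reports each connected group as a candidate campaign in time order. The same script answers the first item of the skills verification checklist below, with your own exported alerts substituted for the constructed ones. A fourth, unrelated alert is included so the output shows what the method leaves out.

```python
"""Retrospective alert correlation over closed alerts.

Added example (not from the course or any product): link closed alerts by
shared identity or by host pivot inside a time window, then report each
connected group as a candidate campaign, oldest alert first.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Alert:
    alert_id: str
    time: datetime
    host: str              # system the alert fired on
    user: str              # identity present in the event
    source: str | None     # originating host for remote activity, if any
    technique: str         # ATT&CK technique label, illustrative only
    disposition: str       # what the analyst wrote when closing it


# Constructed sample data (hypothetical hosts, users and dispositions):
# three alerts on three systems over six hours, each closed on its own,
# plus one unrelated alert that must NOT be pulled into the campaign.
T0 = datetime(2025, 3, 4, 8, 10)
ALERTS = [
    Alert("A-1001", T0, "WS-FIN-07", "jdoe", None,
          "T1003.001 LSASS memory access", "benign: EDR false positive"),
    Alert("A-1004", T0 + timedelta(hours=1, minutes=20), "WS-HR-12", "mlee", None,
          "T1204.002 macro execution", "benign: user-reported test file"),
    Alert("A-1002", T0 + timedelta(hours=3, minutes=15), "DC-01", "jdoe", "WS-FIN-07",
          "T1558.003 Kerberoasting", "benign: service account audit"),
    Alert("A-1003", T0 + timedelta(hours=6), "FS-02", "svc_backup", "WS-FIN-07",
          "T1078.002 domain account logon", "benign: backup job"),
]


def link_reason(a: Alert, b: Alert, window: timedelta) -> str | None:
    """Why two alerts may belong to one campaign, or None if they do not."""
    if abs(a.time - b.time) > window:
        return None
    if a.user == b.user:
        return "shared identity"
    # One alert's host is the other's source: the actor moved between them.
    if a.source == b.host or b.source == a.host:
        return "host pivot"
    return None


def correlate(alerts: list[Alert], window_hours: float = 24.0):
    """Union-find over pairwise links; returns (campaigns, links).

    campaigns: time-ordered alert lists with at least two members.
    links: {(id_a, id_b): reason} for every pair that linked directly;
           membership is transitive, so not every pair in a campaign links.
    """
    window = timedelta(hours=window_hours)
    parent = {a.alert_id: a.alert_id for a in alerts}

    def find(x: str) -> str:
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x

    links: dict[tuple[str, str], str] = {}
    for i, a in enumerate(alerts):
        for b in alerts[i + 1:]:
            reason = link_reason(a, b, window)
            if reason:
                parent[find(a.alert_id)] = find(b.alert_id)
                links[(a.alert_id, b.alert_id)] = reason

    groups: dict[str, list[Alert]] = defaultdict(list)
    for a in alerts:
        groups[find(a.alert_id)].append(a)
    campaigns = [sorted(g, key=lambda x: x.time)
                 for g in groups.values() if len(g) > 1]
    return campaigns, links


def campaign_span_hours(campaign: list[Alert]) -> float:
    """Elapsed hours between the first and last alert of a campaign."""
    return (campaign[-1].time - campaign[0].time).total_seconds() / 3600


def narrative(campaign: list[Alert]) -> str:
    """One line per alert: the timeline an analyst would rebuild by hand."""
    return "\n".join(
        f"{a.time:%H:%M} {a.host:<9} {a.user:<10} {a.technique:<31} "
        f"closed as: {a.disposition}"
        for a in campaign
    )


if __name__ == "__main__":
    found, why = correlate(ALERTS)
    for c in found:
        print(f"Candidate campaign spanning {campaign_span_hours(c):.1f} h:")
        print(narrative(c))
        print("direct links:", why)
```

On the constructed data, A-1001 and A-1002 link on the shared identity jdoe, A-1001 and A-1003 link because WS-FIN-07 is both the host of the first and the source of the third, and A-1002 and A-1003 end up in the same campaign only transitively. The macro alert on WS-HR-12 stays outside the group. Tighten the window to two hours and the same four alerts produce no campaign at all, which is the point: the correlation you recover depends on how far back you are willing to look.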

Attackers and defenders reason from different cognitive frameworks (OD0.2). Defenders think in controls; attackers think in gaps. Defenders think in alerts; attackers think in objectives. Defenders think in events; attackers think in decisions. Defenders think in compliance; attackers think in constraints. Defenders think in categories; attackers think in paths. These five differences are not personality traits. They are structural consequences of the roles each side plays. Perspective switching is the method for bridging the gap: choose a closed alert, assume the attacker's objective, and ask what you would do next if you were operating the campaign. Scattered Spider's 2025 UK retail attacks demonstrated every one of these cognitive differences in practice.

The Pyramid of Pain determines where detection investment produces durable value (OD0.3). David Bianco's six-layer framework (hash values, IP addresses, domain names, network and host artifacts, tools, TTPs) ranks indicators by how much pain the attacker absorbs when the defender detects on them. Hash values sit at the bottom: trivially rotated, near-zero cost to the attacker. TTPs sit at the top: changing them requires retraining, retooling, and redesigning operational workflows. The detection investment rule follows: rules keyed on indicators below the TTP line catch the last attack but miss the next variant. Rules keyed on tactics and procedures catch the next campaign because the attacker cannot change their operational patterns without absorbing significant cost. MITRE's Summiting the Pyramid v3.0 extended this concept with quantitative scoring models for detection robustness.

The course teaches offensive operational logic for defensive advantage, not how to hack (OD0.4). Six boundaries define what falls outside the course scope: penetration testing methodology, exploit development, individual technique detection (covered in Detection Engineering), specific tool training, compliance frameworks, and malware reverse engineering. Inside the scope: understanding how attackers plan, execute, adapt, and complete campaigns so you can detect the campaign patterns, predict attacker decisions from partial evidence, and respond at the operational level. Every module from M2 onward follows the offense-defense dual structure, where 50 to 60 percent covers the attacker's operational logic and 40 to 50 percent covers the defender's detection, hunting, and mitigation response.

Twelve modules follow the offensive lifecycle across four phases (OD0.5). Phase 1 (M0 and M1, free) builds the conceptual foundation. Phase 2 (M2 through M9, premium) covers the offensive lifecycle from infrastructure through objectives, with hands-on labs in every section. Phase 3 (M10, premium) is the campaign reconstruction capstone where you take 72 hours of raw multi-system telemetry and produce a structured campaign narrative. Phase 4 (M11, premium) translates offensive understanding into a threat-informed detection roadmap. Each module builds a specific, testable capability. The capabilities compound: M10 requires everything from M2 through M9, and M11 uses everything in the course.

What's next

M1: Attacker Operational Planning. You now know why campaign-level detection matters and how attackers think differently from defenders. M1 teaches the planning phase: how threat actors select targets, assess defensive postures, allocate resources, build operational timelines, and make go/no-go decisions. The planning perspective becomes the lens you use throughout every subsequent module. When you encounter a campaign in M2 through M10, you will read each technique as a decision that was conditioned on the attacker's planning constraints, not as an isolated technique selected from a list.

Skills verification checklist

Before moving to M1, verify you can do each of the following. These are the skills every subsequent module assumes you have:

Can you identify the campaign-correlation gap in your own environment? Pick three recent alerts from your SOC queue that were closed independently. Ask whether they could represent different phases of the same campaign. If you cannot articulate what would connect them, revisit OD0.1.

Can you apply perspective switching? Choose a closed alert and assume the attacker's role. State their likely objective, identify the constraints they face, and predict what they would do next. If you default to thinking in controls rather than gaps, revisit OD0.2.

Can you classify a detection rule by Pyramid of Pain level? Take any detection rule from your SIEM and identify which pyramid layer it targets. Can the attacker defeat it by changing a single variable? If the classification is unclear, revisit OD0.3.

Can you explain the course scope to a colleague? Describe in two sentences what this course teaches and what it does not. If you find yourself reaching for terms like "learn to hack" or "red team training," revisit OD0.4.

Can you map the four course phases? Name the four phases, the modules in each, and the defensive capability each phase builds. If the relationship between the phases is unclear, revisit OD0.5.

If you can do all of the above, you are ready for M1. If any item is unclear, revisit the relevant section. The investment in offensive thinking foundations pays dividends in every module that follows.

What comes after the free modules

M2–M3. Offensive infrastructure, payload engineering, delivery mechanisms, initial access techniques

M4–M6. Post-compromise operations, the first 30 minutes, credential harvesting, lateral movement

M7–M9. Defense evasion, persistence, objective execution and exfiltration

M10–M11. Full campaign reconstruction capstone and threat-informed detection roadmap

Cancel anytime. Every tool in the course is free.
