Module Summary
What you learned
Twelve sections taught the attacker's operational model, from objective selection through campaign execution to the Operational Profile methodology you will use to classify adversaries from partial investigation evidence.
Section 1.1 — The Offensive Lifecycle. Seven phases from planning to exit. Not a theoretical model but the operational reality that determines every technique choice the attacker makes. Each phase produces different telemetry and requires different detection logic.
Section 1.2 — Target Selection and Objective Mapping. Four objective types (financial, intelligence, disruption, access) and how the target selection is the strongest single indicator of the objective. The targets the attacker has accessed tell you what they want.
Section 1.3 — Constraint Analysis. Budget, time, capability, and risk tolerance. The technique an attacker uses reveals their constraints. Kerberoasting instead of LSASS dump means no local admin. Business-hours-only access means intelligence objective. The constraints are diagnostic.
Section 1.4 — Risk Tolerance and Operational Security. Four noise levels (loud, visible, quiet, silent) and why noise is a deliberate operational choice, not an indicator of skill. Risk tolerance shifts during campaigns: quiet positioning followed by loud execution signals financial objective.
Sections 1.5-1.6 — Reconnaissance. Passive reconnaissance is invisible to your SIEM. Active reconnaissance exploits the gap between per-entity thresholds and cross-entity correlation. The attacker understands your detection thresholds better than you do.
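The threshold gap described above, as an added example that is not part of the course material: a per-host failure rule misses a source that spreads three failed logins across many hosts, while correlating failures by source across hosts surfaces it. The log lines, addresses, timestamps and threshold values are all constructed for the example.

```python
from collections import defaultdict

# Constructed sample events in "timestamp,src,dst,result" form (not real telemetry).
# 10.0.0.50 probes twelve hosts with three failed logins each, staying under a
# per-host threshold of five; 10.0.0.7 is one user mistyping a password six times.
SAMPLE_LINES = (
    [f"2024-05-03T02:{h * 3 + i:02d}:00,10.0.0.50,10.0.1.{h},fail"
     for h in range(1, 13) for i in range(3)]
    + [f"2024-05-03T09:1{i}:00,10.0.0.7,10.0.1.1,fail" for i in range(6)]
)


def parse(line):
    """Split one CSV log line into a dict with ts, src, dst and result fields."""
    ts, src, dst, result = line.strip().split(",")
    return {"ts": ts, "src": src, "dst": dst, "result": result}


EVENTS = [parse(line) for line in SAMPLE_LINES]


def per_entity_alerts(events, threshold=5):
    """Classic per-host rule: alert when one destination sees N or more failures."""
    failures = defaultdict(int)
    for e in events:
        if e["result"] == "fail":
            failures[e["dst"]] += 1
    return sorted(dst for dst, n in failures.items() if n >= threshold)


def cross_entity_alerts(events, min_targets=10):
    """Cross-entity rule: alert when one source fails against many distinct hosts."""
    targets = defaultdict(set)
    for e in events:
        if e["result"] == "fail":
            targets[e["src"]].add(e["dst"])
    return sorted(src for src, hosts in targets.items() if len(hosts) >= min_targets)


if __name__ == "__main__":
    # The per-host rule fires only on the benign typo host; the scanner is invisible to it.
    print("per-host alerts:", per_entity_alerts(EVENTS))
    # The correlation rule fires on the scanning source and ignores the single-host user.
    print("cross-host alerts:", cross_entity_alerts(EVENTS))
```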
Section 1.7 — The Decision Matrix. Connects adversary classification to operational prediction. Given partial evidence, the matrix narrows the likely next moves to a manageable set. The prediction is operational logic, not clairvoyance.
Section 1.8 — Operational Timing. Friday night ransomware, business-hours espionage, shift-boundary exploitation. Timing is an operational weapon that exploits predictable reductions in your response capacity.
Section 1.9 — Team Structures. Modern cybercrime is a supply chain (IABs, RaaS operators, affiliates), not a single actor. Skill discontinuity between campaign phases is the handoff signature. State-sponsored teams show consistent tradecraft throughout.
Sections 1.10-1.11 — Documented Campaigns. Ransomware follows a predictable six-phase sequence with five detection windows before encryption. Espionage operates through cloud APIs with 122-day dwell times detectable only through long-window behavioral analysis.
Section 1.12 — The Operational Profile. The deliverable. Observe, classify, predict, act. A structured adversary classification from partial evidence, produced in the first hour, that drives the response strategy and translates into a leadership brief.
What's next
Module 2 begins the offensive lifecycle hands-on. You will build offensive infrastructure (C2 frameworks, redirectors, domain infrastructure), craft payloads, and execute initial access techniques. Every technique you execute produces telemetry that you will learn to detect. The offensive operations teach you how attackers operate. The detection work teaches you how to catch them.