Track 02 — Defensive Operations

Find attackers in the noise and respond before they reach their goal. Detection engineering, SIEM, log analysis, hunting, and incident response — treated as code: telemetry in, tested detections out, mapped to attacker behaviour.

What you'll be able to do

  • Build a telemetry pipeline from host, network, and cloud into a searchable store.
  • Write, test, and version detections mapped to MITRE ATT&CK.
  • Hunt proactively across endpoint and network data.
  • Triage and drive an incident from alert to root cause.

Modules

| # | Module | What you'll learn | OSS tools |
| --- | --- | --- | --- |
| 01 | Telemetry & Log Centralisation | What to collect and how to ship it | elastic, fluent-bit, vector |
| 02 | Windows & Endpoint Telemetry | Process/file/auth events worth alerting on | sysmon, wazuh |
| 03 | Linux Telemetry | Auditd and kernel-level visibility | auditd, osquery |
| 04 | Network Security Monitoring | Protocol logs and connection records | zeek, arkime |
| 05 | Intrusion Detection | Signature and anomaly detection on the wire | suricata |
| 06 | SIEM Fundamentals | Indexing, querying, and dashboards | elastic/kibana, wazuh |
| 07 | Log Parsing & Normalisation | Turning raw logs into a common schema | vector, logstash |
| 08 | Detection-as-Code | Writing portable rules in Sigma | sigma |
| 09 | Detection Testing & Tuning | Validating coverage, cutting false positives | Atomic Red Team |
| 10 | ATT&CK Mapping & Coverage | Measuring and closing detection gaps | ATT&CK Navigator |
| 11 | Threat Hunting — Endpoint | Hypothesis-driven host hunting | osquery, velociraptor |
| 12 | Threat Hunting — Network | Hunting across protocol and flow data | zeek, jupyter |
| 13 | PowerShell Logging & Hunting | Script-block/module logging and hunting PowerShell abuse | pwsh, chainsaw, sigma |
| 14 | Alert Triage & Incident Response | A repeatable process from alert to verdict | TheHive |
| 15 | Threat Intelligence | Managing IOCs and enriching detections | MISP, OpenCTI |
| 16 | Response Automation (SOAR primer) | Automating enrich → contain → ticket | Shuffle |
| 17 | KEV-Driven Defense | Operationalise CISA KEV: exploit a current entry, then detect it | Vulhub, sigma |

Phases & projects

The modules run in three phases; each ends in a project that integrates its modules.

  • Phase 1 · Get the data (01–07) — Project: a working telemetry pipeline that ingests host and network data into a searchable SIEM, with a real attack dataset flowing through it.
  • Phase 2 · Find the attacker (08–13) — Project: a set of detections-as-code mapped to MITRE ATT&CK, tested against a real attack dataset, plus one documented threat hunt.
  • Phase 3 · Respond & stay current (14–17) — Project: an incident handled from alert to root cause, with an automated enrich → contain → ticket step, plus a KEV-driven coverage loop (exploit a current exploited-in-the-wild CVE and ship the detection for it) — the track capstone.

Standalone by design. Every detection lab here sources a real public dataset (and a generate-it-here option), so you can complete this track without having done Offensive. If you did do Track 01, bring your own attack artifacts instead — same skill.

Prerequisites

Complete Track 00 — Foundations first.

Labs use open-source tooling and free sample datasets (Malware-Traffic-Analysis.net, public PCAPs, EVTX-ATTACK-SAMPLES). Only analyse data you're authorised to handle.

Capstone

Stand up a telemetry pipeline, simulate an attack (Atomic Red Team or a replayed PCAP), and catch it: ship the logs, write the detection-as-code mapped to ATT&CK, and produce an incident write-up from alert to root cause. Deliverable: the tested detections plus the investigation.

The starter scaffold and acceptance checks live in plaintext-labs/defensive/capstone/.

Capstone rubric

You must catch the attack you simulate and follow it from alert to root cause. Proficient is the bar to ship.

| Dimension | Developing | Proficient | Exemplary |
| --- | --- | --- | --- |
| Telemetry pipeline | Logs from one source, not searchable | Host and network telemetry flowing into a searchable store | Pipeline reproducible as code; parsing normalised to a common schema |
| Detection-as-code | A rule that only matches the demo data | A versioned detection (Sigma) mapped to ATT&CK that fires on the simulated attack | Validated against benign data for false positives; tuning rationale documented |
| The catch | Attack ran but wasn't detected | The simulated attack (Atomic Red Team / replayed PCAP) is caught by your detection | Detection catches the technique, not the exact sample — proven on a variation |
| Investigation | Alert noted, no follow-through | Triaged alert → root cause, with the supporting events cited | Full alert→containment narrative; what the attacker did and what they didn't |
| Write-up & automation | Manual, undocumented | A repeatable process and an incident write-up | An automated enrich→ticket step closes the loop; the whole thing re-runs |
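What the capstone and the rubric's "Detection-as-code" and "The catch" rows ask for, as an added example that is not part of the course material: a Sigma-style rule with its ATT&CK tag, checked by a small hand-written matcher against constructed Sysmon-like process-creation events, so that it fires on the simulated sample and a variation of it and stays quiet on benign data. The rule, the events and all helper names are assumptions made here; real Sigma rules are compiled to backend queries with sigma-cli/pySigma rather than evaluated like this.

```python
# Added example (not the course's own code). Mini Sigma-style evaluator covering
# only the modifiers this rule uses: |endswith, |re, and plain equality.
import re

RULE = {  # same shape as the YAML a Sigma rule file carries
    "title": "Encoded PowerShell command line",
    "tags": ["attack.execution", "attack.t1059.001"],  # ATT&CK mapping lives in the tags
    "detection": {
        "selection": {  # fields are AND'd; list values are OR'd, as in Sigma
            "Image|endswith": ["\\powershell.exe", "\\pwsh.exe"],
            "CommandLine|re": r"(?i)\s-(e|ec|enc|encodedcommand)\s",
        },
        "condition": "selection",
    },
}

def _match_field(event, key, expected):
    field, _, modifier = key.partition("|")
    value = str(event.get(field, ""))
    wanted = expected if isinstance(expected, list) else [expected]
    if modifier == "endswith":
        return any(value.lower().endswith(w.lower()) for w in wanted)
    if modifier == "re":
        return any(re.search(w, value) for w in wanted)
    return any(value.lower() == w.lower() for w in wanted)  # no modifier: exact match

def rule_fires(rule, event):
    """Evaluate a condition that names a single selection block (enough for this rule)."""
    det = rule["detection"]
    return all(_match_field(event, k, v) for k, v in det[det["condition"]].items())

def techniques(rule):
    """Pull ATT&CK technique IDs (T1059.001 style) out of the rule's tags."""
    return [t[7:].upper() for t in rule["tags"] if re.fullmatch(r"attack\.t\d{4}(\.\d{3})?", t)]

def coverage_report(rule, attack_events, benign_events):
    """The rubric check: every attack sample and variation caught, no benign event flagged."""
    caught = sum(rule_fires(rule, e) for e in attack_events)
    false_positives = sum(rule_fires(rule, e) for e in benign_events)
    return {"techniques": techniques(rule), "caught": caught,
            "missed": len(attack_events) - caught, "false_positives": false_positives}

# Constructed events, not from a real dataset. The base64 decodes to the harmless string "Aaa".
ATTACK_SAMPLE = {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "CommandLine": "powershell.exe -nop -w hidden -EncodedCommand QQBhAGEA"}
ATTACK_VARIATION = {"Image": r"C:\Program Files\PowerShell\7\pwsh.exe",  # other binary, short flag
                    "CommandLine": "pwsh -enc QQBhAGEA"}
BENIGN_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"},
    {"Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami"},
]
```

Run `coverage_report(RULE, [ATTACK_SAMPLE, ATTACK_VARIATION], BENIGN_EVENTS)` to get the rubric-style summary; a rule that only matched the exact sample would show `missed: 1` on the variation, and one that matched `-ExecutionPolicy` would show a false positive.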

AI & automation

A small local model triages and classifies log lines cheaply at volume; a frontier model drafts an incident narrative or a Sigma rule. The skill is review: a generated detection with broken logic ships false confidence, and automation that buries a real signal is worse than none. AI authors the rule — you map it to ATT&CK, test it, and own the alert.

Standards & further reading

  • MITRE ATT&CK and the ATT&CK Navigator
  • Sigma rule specification
  • NIST SP 800-61 (Incident Handling Guide)
  • The Pyramid of Pain
