Defending Enterprises - 2025 Edition (In-Person)
2-day in-person course (starting Thursday 24th of April)
Updated for 2025, our immersive 2-day Defending Enterprises training is the natural counterpart to our popular Hacking Enterprises course. You'll play a SOC analyst in our Microsoft Sentinel cloud-based lab and try to rapidly locate IOAs and IOCs from a live enterprise breach executed by the trainers in real time.
Whether you're new to Kusto Query Language (KQL) or a seasoned pro, there's plenty for you in the 2 days! Yes, we're using Microsoft Sentinel, but the underlying threat detection theory, logic and threat hunting approach are transferable to your own environment, whatever your preferred platform.
We look at the top 10+ methods we use in offensive engagements and show how these can be caught, along with numerous other examples and methods that go above and beyond these common TTPs!
This training goes beyond threat hunting as we peek into the world of detection engineering and the processes involved in converting logic into alerts!
With 14 hands-on exercises, many of which also feature extra time and bonus content, you'll gain real-world experience in all of the domains listed below.
Course Outline
Day 1
* MITRE ATT&CK, CAR and D3fend frameworks
* Defensive OSINT
* Logging and event data
* Overview of the Kusto Query Language (KQL) and Microsoft Sentinel
* Identifying Indicators of Attack (IOA) and Indicators of Compromise (IOC)
* Detecting phishing attacks and living-off-the-land binary (LOLBAS) abuse
* Detecting C2 traffic and beacons (HTTPS/DNS)
* Microsoft Windows Defender for Endpoint (MDE)/Defender for Identity
* Detecting persistence activities
* Detecting credential exploitation
  * Kerberoasting
  * Pass-the-Hash
Day 2
* Pass-the-Ticket
* Detecting Active Directory Certificate Services (ADCS) attacks
* Detecting DCSync attacks
* Detecting lateral movement within a network
* Cloud attacks
  * Conditional Access Policies
  * Azure Managed Service Accounts
  * Authentication Token Abuse
  * Consent Phishing and App Registrations
After Class
We realise that training courses are limited in time, and therefore students are also provided with the following:
* 14-day extended lab access after the course finishes
* Discord support channel access
* All students have access to a training platform (during the event and for 14 days after training completes) in which exercises are provided along with detailed instructions on how to achieve each task.
Target Audience
This training is suited to a variety of students, including:
* SOC analysts
* Security professionals
* Penetration testers
* IT Support, administrative and network personnel
Non-technical individuals would not be suited to this course.
Prerequisites
Detection methods will be taught during training; however, an understanding of KQL concepts would be beneficial, and previous SOC and/or pentesting experience is advantageous but not required.
Students will need to have access to a laptop and their favourite browser!
Trainer's Bio
Will has been in infosec for over 15 years, co-founded In.security in 2018 and, as a pentester, has helped secure many organisations through technical security services and training. Will has delivered hacking courses globally at several conferences including Black Hat, has spoken at several conferences and events, and helps run Password Village at DEF CON. Will also assists the UK government in various technical, educational and advisory capacities. Before Will was a security consultant he was an experienced digital forensics consultant and trainer.