Defending Enterprises

Course Description

New for 2021, our immersive 2-day Defending Enterprises training is the natural counterpart to our popular Hacking Enterprises course.
From SIEM configuration to monitoring, alerting and threat hunting, you’ll play a SOC analyst in our cloud-based lab and try to rapidly locate IOA’s and IOC’s from an enterprise breach.

You’ll use a combination of Microsoft Azure Sentinel and Elastic platforms to perform practical exercises. In each instance, filters and/or expressions will be supplied for both platforms (where applicable). We know 2 days isn’t a lot of time, so you’ll also get 14-days FREE lab time after class and Discord
access for support.

Course contents

Day 1

  • MITRE ATT&CK framework 
  • Defensive OSINT 
  • Linux auditing and logging 
  • Windows auditing, events, logging and Sysmon 
  • Using Logstash as a data forwarder 
  • Overview of fields, filters and queries in ELK and Azure Sentinel 

Attacks and host compromises will be actioned by the trainers and delegates will be asked to  configure real-time alerting and monitoring using the provided lab infrastructure, in order to identify  these events.

  • Identifying Indicators of Attack (IOA) and Indicators of Compromise (IOC) 
  • Detecting phishing attacks (Office macros, HTA’s and suspicious links) 
  • Creating alerts and analytical rules
  • Detecting credential exploitation (Kerberoasting, PtH, PtT, DCSync)

Day 2

  • Detecting data exfiltration (HTTP/S, DNS, ICMP) 
  • Detecting persistence activities (userland methods, WMI Event Subscriptions)
  • C2 Communications
Also included

We realise that training courses are limited for time and therefore students are also provided with the  following: 

  • Completion certificate 
  • 14-day extended lab access after the course finishes
  • Discord support channel access where our security consultants are available

Target audience

This training is suited to a variety of students, including:

  • SOC analysts 
  • Security professionals 
  • Penetration testers / Red Team operators
  • IT Support, administrative and network personnel


  • Understanding of networking concepts 
  • Previous SOC and/or pentesting experience is advantageous, but not required 
  • Previous experience with the Kusto Query Language (KQL) is beneficial, but not required

Hardware/Software Requirements

  • Students will need to have access to a laptop and their favourite browser!

Trainers Biography

Will Hunt  co-founded in 2018. He’s been in infosec for over a decade and has  helped secure many organisations through technical security services and training. Will’s delivered  hacking courses globally at several conferences including Black Hat and has spoken at various  conferences and events. Will also assists the UK government in various technical, educational and  advisory capacities. Before Will was a security consultant he was an experienced digital forensics  consultant and trainer.

Twitter : @Stealthsploit

Owen Shearing  is a co-founder of, a specialist cyber security consultancy offering  technical and training services based in the UK. He has a strong background in networking and IT  infrastructure, with well over a decade of experience in technical security roles. Owen has provided  technical training to a variety of audiences at bespoke events as well as Black Hat, Wild West Hackin’  Fest, NolaCon, 44CON and BruCON. He keeps projects at

Twitter : @rebootuser