Scroll Top

A quick, efficient, yet not entirely sane, primer on Cyber Deception

Course Description

Active Defenses have been capturing a large amount of attention in the media lately. There are those who thirst for vengeance and want to directly attack the attackers. There are those who believe that any sort of active response directed at an attacker is wrong. We believe the answer is somewhere in between.

In this class, you will learn how to force an attacker to take more moves to attack your network. These moves may increase your ability to detect them. You will learn how to gain better attribution as to who is attacking you and why. You will also find out how to get access to a bad guy’s system. And most importantly, you will find out how to do the above legally.

The current threat landscape is shifting. Traditional defenses are failing us. We need to develop new strategies to defend ourselves. Even more importantly, we need to better understand who is attacking us and why. Some of the things we talk about you may implement immediately, others may take you a while to implement. Either way, consider what we discuss as a collection of tools at your disposal when you need them to annoy attackers, attribute who is attacking you, and finally, attack the attackers.

This class is based on the DARPA funded Active Defense Harbinger Distribution live Linux environment. This VM is built from the ground up for defenders to quickly implement Active Defenses in their environments. This class is also very heavy with hands-on labs. We will not just talk about Active Defenses. We will be doing hands-on labs and through them in a way that can be quickly and easily implemented in your environment.

This course is different from other courses…

  • The concepts, the approach, the labs
  • Most of the labs are not in the slides (because we like you :-))
  • This makes them more accessible after class, when you need them most
  • All labs using the VM are inside the VM, within github
  • This means you do not have to dig through hundreds of pages to figure out how something works later
  • There are also prerecorded video walkthroughs of each lab on the USB and embedded in Discord!

Key Takeways

  • Lots of open-source tools that can be freely and easily configured in your environment.
  • A better understanding of current legal landscapes.
  • An approach for developing enterprise integrations.


  • General security practitioners
  • Penetration testers
  • Ethical hackers
  • Web application developers
  • Website designers and architects

Hardware/Software Requirements

A browser-based cloud VM will be provided to all students.

Trainer Biography

John Strand has consulted and taught thousands of classes and hundreds of organizations in the areas of security, regulatory compliance, and penetration testing. He is a coveted speaker and much-loved former SANS instructor and course author. John is a contributor to the industry shaping Penetration Testing Execution Standard and 20 Critical Security Controls frameworks.

In 2008, John founded Black Hills Information Security (BHIS), a pentesting company that strives to understand its clients from a holistic perspective, emphasizing collaboration and education over stunt hacking. Since then, BHIS has grown to become a “tribe of companies” that includes Antisyphon Infosec Training, Active Countermeasures (ACM), Wild West Hackin’ Fest (WWHF), and more!

Twitter: @strandjs

Privacy Preferences
When you visit our website, it may store information through your browser from specific services, usually in form of cookies. Here you can change your privacy preferences. Please note that blocking some types of cookies may impact your experience on our website and the services we offer.