CyberBlue Threat Hunting
From Alert Responder to Threat Hunter
Go beyond alerts. Learn to hunt for threats that detections miss — using fresh attack scenarios, constrained-data exercises, and open-ended investigations across SIEM, network, and endpoint tools.
Course Modules
Module 1: Foundations — How Hunters Think
Learn the mental models, anomaly patterns, and data manipulation skills that separate hunters from alert responders.
Module 2: SIEM Hunting Deep Dive
Hunt within constrained data — authentication only, Sysmon only, network logs only. Discover what each source reveals and what it hides.
Module 3: Adversary Technique Hunting
Hunt for specific ATT&CK technique categories: credential access, persistence, lateral movement, privilege escalation, and defense evasion.
Module 4: Network and Endpoint Hunting
Expand beyond the SIEM. Hunt with Suricata network signatures and Velociraptor endpoint forensics.
Module 5: File and Memory Hunting
Hunt at the file and memory level. Build YARA rules for hunting, stack file metadata for anomalies, decode encoded payloads, and analyze memory artifacts.
Module 6: Operationalizing the Hunt
Turn hunting into a repeatable, measurable program. Document, automate, and prove value to leadership.