Module 1: Foundations — How Hunters Think
Learn the mental models, anomaly patterns, and data manipulation skills that separate hunters from alert responders.
Lessons & Labs
Common Anomaly Patterns
Eight categories of anomalies — impostor signals, volume outliers, clock violations, wrong neighborhood, invisible footprints, encoded whispers, relationship breaks, and baseline drift — each defined by a real finding from the lab data.
Lab 1.1 — Guided Peel-Back Hunt
Start with ALL alerts. Aggregate by rule.groups, narrow by agent, narrow by IP. Iteratively peel back layers until you find the attacker. Teaches the narrowing process.
Data Manipulation Skills
The Hunter's Ladder: search, filter, aggregate, correlate, profile. Why aggregation is the skill that separates alert responders from hunters — and the 'Rung 3 cliff' where most analysts get stuck.
Lab 1.2 — Anomaly Spotting Challenge
Given pre-selected findings from the fresh attack scenarios, classify each into the correct anomaly category. Teaches pattern recognition and anomaly vocabulary.
Search Refinement Strategy
Expanding and reducing queries on different axes simultaneously. Iterative query building. Normalizing 'I refined this query 6 times' as expected, not failure.
Lab 1.3 — Aggregation Mastery
Pure DQL aggregation exercises: frequency analysis, rarest-value hunting, cross-agent IP counting, and exclusion filtering. Build the Rung 3 skill.
The Hunt Process
Read a brief, decompose into entities and steps, predict what evidence would exist, hunt for it, document what you found and missed. A repeatable process for every hunt.
Lab 1.4 — Your First Open Hunt
Full dataset plus the Network Intel Brief. Something is wrong. Find it. No scenario name, no starting queries in the instructions.