mid-level~4h total12 lessonsfree to read

⌗

Learn: Cybersecurity.

The track for the people who get paged when something looks wrong on the wire. Pentest fundamentals, SIEM tuning, incident response under time pressure, and hardening the box you just shipped to production.

Each lesson is a 1-line briefing on what you'll practice. Read the briefing, then click Practice in terminal to drop into a real sandbox.

module · entry-level

Triage signals

EDR alerts, AD audit logs, email forensics. Most "incidents" are noise : the skill is filtering fast without dismissing real intrusions in the process.

3 lessons

01Strange outbound to a Tor exitfree

Outbound to a Tor exit is not always malicious : but it is always worth a 5-minute triage. EDR, process tree, network history.

EDR triage · ~8m

Practice in terminal →

02New admin account at 3am

A new admin account created at 3am is your single highest-signal AD log. Pull the source, the creator, the parent process.

AD audit logs · ~10m

Practice in terminal →

03Phish landing: was it clicked?

A phish landed. Was it clicked? Headers, delivery report, URL clicks, attachment hash : in that order.

Email forensics · ~12m

Practice in terminal →

module · mid-level

Hunt + tune

SIEM false-positive tuning, beaconing/C2 detection, cloud posture, Linux priv-esc. You stop reading alerts and start writing the detection logic.

4 lessons

04SIEM is screaming false positives

A SIEM screaming false positives is a tuning problem, not a tool problem. Read the rule, find the noisy field, suppress without hiding real attacks.

Splunk / Elastic tuning · ~15m

Practice in terminal →

05Public S3 bucket: assess blast

A public S3 bucket : how bad? Inventory the contents, check access logs, decide whether to disclose.

Cloud posture · ~12m

Practice in terminal →

06Beaconing C2: find dwell time

Beaconing C2 hides in interval regularity. Find the rhythm, identify the dwell time, scope the blast radius.

Threat hunting · ~18m

Practice in terminal →

07Privilege escalation on a Linux box

Linux priv-esc starts with a kernel version, a SUID binary, or a misconfigured sudoers. Read the box like an attacker would.

priv-esc / IR · ~20m

Practice in terminal →

module · senior-level

Lead the response

Ransomware containment, WAF change-management, insider-threat investigation, executive write-up. Time pressure + business risk + technical depth, all at once.

5 lessons

08Ransomware note on a fileshare

A ransomware note on a fileshare. Isolate the source, identify the strain, decide whether backups are clean.

Containment · ~15m

Practice in terminal →

09Pen test report: write the exec memo

The pen-test report has 47 findings. The exec memo has 3 bullets. Translate without losing the punch.

Risk comms · ~15m

Practice in terminal →

10Patch the WAF without breaking prod

Patching the WAF live without breaking prod requires a canary, a rollback, and an honest read of which rules are load-bearing.

WAF · change mgmt · ~20m

Practice in terminal →

11Insider threat: find the leak

Insider threat: someone with access is taking data. UEBA flags + DLP context + interview without burning the lead.

DLP · UEBA · ~20m

Practice in terminal →

12Capstone: live tabletop · 1 hour · capstone

Capstone: live IR tabletop in one hour. Decide, document, communicate, finish.

IR end-to-end · ~30m

Practice in terminal →

ready to test?

Done reading. Now do it.

The graded assessment uses the same terminal sandbox as these lessons : only it scores you on accuracy, methodology, tool fluency, communication, and real-world fit.

Take the graded assessment →See full track page

// loading

Learn: Cybersecurity.

Each lesson is a 1-line briefing on what you'll practice. Read the briefing, then click Practice in terminal to drop into a real sandbox.