KC7 Cybersecurity Curriculum
Our Approach
We built KC7 to teach blue team cybersecurity skills through games. In KC7, you investigate realistic scenarios, query logs, and figure out what happened. This document describes the skills we are trying to develop through this process.
Blue team means defense. Blue teamers detect malicious activity, investigate alerts, and respond to incidents. Whether you end up as a SOC analyst, incident responder, detection engineer, or threat intelligence analyst, the foundation is the same: looking at data, asking the right questions, and determining whether you are seeing normal activity or an attacker at work.
Some skills we teach explicitly: how logs work, what attackers do, where to look for evidence. You study these concepts, and games give you a place to apply them. Other skills develop implicitly through practice: judgment, pattern recognition, knowing when to stop digging. We design scenarios to exercise these skills, but there is no checklist. You build them by working through investigations, making mistakes, and reflecting on what worked.
The implicit skills take longer to develop. They also matter more.
Two analysts with the same technical knowledge will perform differently based on how they reason under uncertainty. We think about this a lot when designing games.
We organized the curriculum into three sections:
- Core Analyst Competencies are judgment skills developed through practice.
- Domain-Specific Knowledge covers technical concepts you study and memorize.
- Advanced Specializations go deeper into threat intelligence, cloud investigations, and malware analysis.
Our goal is job-ready analysts, not walking encyclopedias. Every objective here answers the question: why does this matter during an investigation? This curriculum is not perfect and does not cover everything. But it should give you a solid foundation with clear paths into deeper learning.
- Core Analyst Competencies: These are judgment skills that grow through practice. Each scenario you investigate builds pattern recognition and sharpens your decision-making. You will revisit these skills in every game, and you should expect progress to be gradual.
  - Analytical Thinking and Decision-Making: Security analysis is reasoning under uncertainty. Analytical Thinking and Decision-Making skills help you think clearly when the data is messy, incomplete, or misleading.
    - Forming and Testing Hypotheses (1.0): You form theories about what might have happened based on the evidence available to you. You test those theories by looking for data supporting or contradicting them. When the evidence points clearly in one direction, you commit to a conclusion. When it does not, you adjust your theory and keep looking. You understand the difference between what you know, what you suspect, and what you are guessing.
    - Deciding When to Act vs. Keep Digging (1.0): You recognize when you have enough evidence to act and when you need to keep investigating. You understand the cost of waiting too long versus acting too soon. You make decisions even when the picture is incomplete, because in security work, it usually is. You document your reasoning so others understand why you made the call you did.
    - Spotting Abnormal Activity (1.0): You spot activity in logs and telemetry that does not fit normal patterns. You notice when something looks different from what you have seen before, even if you do not immediately know why. Over time, you build mental models of what normal looks like in different environments, which helps you notice deviations faster.
    - Catching Your Own Blind Spots (1.0): You catch yourself when your assumptions steer your analysis in the wrong direction. You watch for confirmation bias, where you favor evidence supporting your initial theory. You watch for anchoring, where you fixate on the first piece of information you found. You actively look for evidence contradicting your hypothesis, not just evidence supporting it.
    - Prioritizing What to Investigate First (1.0): You decide what matters most when you have too many things to investigate at once. You consider the potential impact of each issue, the likelihood it represents a real threat, and the time sensitivity of the response. You accept you will not get to everything and focus your energy where it matters most.
  - Data Analysis: Every investigation runs on data. Data Analysis skills help you find the right data, make sense of it, and connect pieces across sources.
    - Choosing the Right Data Source (1.0): You know which log source answers which question. You look at endpoint logs for process execution and file activity, network logs for connections and DNS queries, authentication logs for logins and access patterns, email logs for message flow and phishing analysis. You understand what each source captures and what it misses. When you have a question, you know where to look first.
    - Interpreting Log Fields (1.0): You understand what fields mean across different log types. You parse timestamps and convert between time zones. You recognize common field naming conventions and know which fields contain reliable system-generated data versus user-controlled input an attacker could manipulate. When you encounter an unfamiliar log format, you figure out what the fields represent.
    - Querying Logs (1.0): You write queries to filter, aggregate, and extract data from logs. You are comfortable with at least one query language like KQL, SPL, or SQL. You start broad and narrow down, or start specific and expand out. You iterate on your queries when they return too much noise or miss relevant results. You know how to count, group, sort, and summarize to find patterns.
    - Pivoting Across Data (1.0): You take a single indicator like an IP address, username, hostname, or file hash and follow it across data sources to find related activity. When you find a suspicious IP in network logs, you search for it in endpoint logs, proxy logs, and DNS logs. You build out the full picture from a single starting point. You recognize which fields link different data sources together.
    - Joining Data Across Tables (1.0): You combine data from multiple tables or sources to answer questions neither source answers alone. You enrich events with context from asset inventories, user directories, or threat intelligence. You understand join logic and know when to use inner joins, outer joins, or lookups. You recognize when missing joins cause you to miss important connections.
    - Decoding Obfuscated Content (1.0): You recognize and decode the tricks attackers use to hide malicious content. When you see Base64 strings, URL-encoded characters, hex values, or Unicode obfuscation, you know how to decode them to see what the attacker was actually doing. You chain decodings when attackers layer multiple encoding schemes. You understand why attackers use encoding and what it tells you about their sophistication.
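The chained decoding described under Decoding Obfuscated Content, as an added example in Python (not KC7's own code): each pass peels one recognisable layer of URL encoding, hex, or Base64 (including the UTF-16LE form PowerShell's -EncodedCommand carries) and stops when nothing decodable remains. The samples are constructed inside the block.

```python
import base64
import binascii
import re
from urllib.parse import quote, unquote

# Recognisers for the encodings the curriculum item names.
_B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
_HEX_RE = re.compile(r"^(?:[0-9a-fA-F]{2}){4,}$")
_URL_RE = re.compile(r"%[0-9a-fA-F]{2}")


def _is_text(s: str) -> bool:
    """True when every character is printable or ordinary whitespace."""
    return all(ch.isprintable() or ch in "\r\n\t" for ch in s)


def _try_url(s: str):
    """Percent-decode if the string contains %XX escapes."""
    return unquote(s) if _URL_RE.search(s) else None


def _try_hex(s: str):
    """Decode a run of hex byte pairs if the result looks like text."""
    if not _HEX_RE.match(s):
        return None
    text = bytes.fromhex(s).decode("utf-8", errors="replace")
    return text if _is_text(text) and "\ufffd" not in text else None


def _try_base64(s: str):
    """Decode Base64 to UTF-8 or UTF-16LE text (the latter is what
    PowerShell's -EncodedCommand carries)."""
    if len(s) < 8 or len(s) % 4 or not _B64_RE.match(s):
        return None
    try:
        raw = base64.b64decode(s, validate=True)
    except binascii.Error:
        return None
    for encoding in ("utf-8", "utf-16-le"):
        try:
            text = raw.decode(encoding)
        except UnicodeDecodeError:
            continue
        if _is_text(text):
            return text
    return None


_DECODERS = (("url", _try_url), ("hex", _try_hex), ("base64", _try_base64))


def decode_layers(value: str, max_depth: int = 8):
    """Peel encoding layers until nothing recognisable is left.

    Returns (final_text, [layer names in the order they were removed]).
    max_depth guards against values that keep decoding to something new.
    """
    layers = []
    current = value.strip()
    for _ in range(max_depth):
        for name, decoder in _DECODERS:
            decoded = decoder(current)
            if decoded is not None and decoded != current:
                layers.append(name)
                current = decoded.strip()
                break
        else:
            break  # no decoder recognised the current value
    return current, layers


# Constructed samples: a command wrapped in hex, then Base64, then URL-encoded,
# and a PowerShell-style Base64 over UTF-16LE.
SAMPLE_COMMAND = "whoami /all"


def build_layered_sample() -> str:
    hexed = SAMPLE_COMMAND.encode().hex()
    b64 = base64.b64encode(hexed.encode()).decode()
    return quote(b64, safe="")


def build_utf16_sample() -> str:
    return base64.b64encode("Get-Process".encode("utf-16-le")).decode()


if __name__ == "__main__":
    for sample in (build_layered_sample(), build_utf16_sample()):
        text, layers = decode_layers(sample)
        print(f"{sample[:30]}... -> {text!r} via {layers}")
```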
  - Managing an Investigation: You need to know where to start, how far to go, and when to stop. Managing an Investigation skills help you run an investigation from beginning to end.
    - Recognizing Investigation Starting Points (1.0): You recognize the many ways investigations begin. Alerts are one source, but investigations also come from user reports, help desk tickets, external notifications from law enforcement or ISACs, threat intel about campaigns targeting your industry, news about breaches at similar organizations, third-party disclosures like credential dumps, and anomalies you spot during routine work. You treat all these sources as valid starting points. When employees report something suspicious, you ask good follow-up questions and do not dismiss their concerns. User reports are often your earliest warning of an attack.
    - Triaging Alerts (1.0): You evaluate a queue of alerts quickly and figure out which ones need attention now versus later. You do not treat all alerts equally. You look at context, potential impact, and confidence level to decide where to focus first. You are comfortable closing low-confidence alerts after brief investigation so you have time for the important ones.
    - Scoping Investigations (1.0): You determine how wide to cast your net during an investigation. You use kill chain thinking: if you found command and control activity, you look backward to understand how the attacker got in and forward to see what they did with their access. When you see one suspicious event, you ask what else this attacker might have done and pivot on usernames, IP addresses, file hashes, and timestamps to find connected activity. You avoid both tunnel vision (missing the bigger picture) and scope creep (investigating everything forever). You know when you have found enough to close the case or hand it off, and you define what "done" looks like early in the investigation.
    - Reconstructing Attack Timelines (1.0): You reconstruct the sequence of events to determine what happened, in what order, and who or what was responsible. You pull timestamps from multiple log sources and align them to build a coherent narrative. You account for time zone differences and clock skew between systems. You identify gaps in the timeline where you lack visibility.
  - Communication and Collaboration: You need to explain what you found, document your work, and coordinate with people who are not security experts.
    - Writing Incident Reports (1.0): You write clear incident reports serving both technical staff and executives. You structure reports so readers find what they need quickly. For technical audiences, you include IOCs, affected systems, and detailed timelines. For executives, you lead with business impact, risk level, and recommended actions. You avoid jargon when writing for non-technical readers.
    - Documenting Your Work (1.0): You keep clear notes as you work, recording what you thought, what you found, and why you made certain calls. You document your hypotheses, the queries you ran, the results you got, and your interpretation of those results. This lets others pick up where you left off if you are unavailable. It also helps you remember your own reasoning when you revisit an investigation later.
    - Explaining Findings to Non-Technical Audiences (1.0): You explain what happened and what it means to people outside the security team. You tailor your message to your audience. You tell legal what they need for compliance and liability decisions. You tell IT what they need to contain and remediate. You tell business leaders what they need to make risk decisions. You translate technical findings into business terms.
    - Coordinating Across Teams (1.0): You work with IR, legal, IT, and business teams when an incident requires more than security involvement. You understand what each team needs from you and what you need from them. You communicate clearly about timelines, dependencies, and blockers. You recognize when a situation has grown beyond what security alone should handle.
- Domain-Specific Knowledge: This section covers technical concepts you study and memorize. Games help you apply this knowledge and recognize patterns faster. If you hit a concept you do not understand, pause and look it up. We link to external resources where helpful. The goal is recognition and application, not memorization under pressure.
  - Understanding the Adversary: Defending against attackers requires understanding them. Understanding the Adversary covers who attacks organizations, why they do it, and how their operations unfold.
    - Understanding Why Attackers Attack (1.0): You understand who is attacking organizations and why. You recognize the difference between financially motivated criminals seeking quick payouts, nation-state actors conducting espionage, hacktivists pursuing ideological goals, and insiders abusing their access. You use this understanding to predict what an attacker might do next and what they are after.
    - Mapping Attacker TTPs (1.0): You understand the steps attackers take to get from initial access to their end goal. You follow how an attacker gains a foothold, establishes persistence, escalates privileges, moves laterally, and achieves their objective. You use frameworks like the Cyber Kill Chain to understand attack stages and MITRE ATT&CK to describe specific techniques. These frameworks give you shared vocabulary for describing and analyzing attacker behavior.
    - Recognizing Common Entry Points (1.0): You know the most common ways attackers get in. You understand how phishing delivers initial access, how exposed services get exploited, how stolen credentials enable account takeover, and how supply chain compromises affect downstream organizations. You use this knowledge to focus your investigations on likely entry points.
    - Spotting Successful Exploitation (1.0): You recognize what it looks like in your logs when someone successfully exploits a vulnerability. You know the telemetry signatures of common exploits. You understand the difference between scanning and probing versus actual exploitation. You look for post-exploitation activity confirming an attacker achieved code execution.
  - Security Logging and Monitoring: Logs are your primary source of truth. You need to understand where they come from, what they capture, and how to work with them.
    - Understanding Log Sources (1.0): You understand where logs come from, what they capture, and why they matter for investigations. You know the difference between logs generated by operating systems, applications, network devices, and security tools. You understand what each log type records and what it misses. You use this knowledge to know which logs to query for different investigative questions.
    - Understanding How SIEMs Work (1.0): You understand how security platforms collect, standardize, and connect log data for querying. You know how raw logs get ingested, parsed, normalized, and stored. You understand field mapping, log enrichment, and correlation rules. These concepts apply regardless of which SIEM you use, so you focus on understanding the principles rather than memorizing vendor-specific features.
    - Correlating Across Log Sources (1.0): You pull together data from multiple log sources to get the full story. You correlate events across endpoint logs, network logs, authentication logs, and cloud logs. You account for different timestamp formats, field names, and data structures. You recognize when you are missing a log source needed to answer your question.
    - Spotting Anomalies from Baselines (1.0): You use knowledge of normal activity to spot abnormal activity. You understand what typical user behavior looks like in authentication logs, what normal network traffic patterns look like, and what regular system processes look like. You recognize when something deviates from the baseline. You also understand where baselines fail you: they miss slow-and-low attacks, insider threats from authorized users, and novel techniques you have not seen before.
  - Host Forensics: When something bad happens on an endpoint, you need to know where to look. This covers the artifacts and evidence sources telling you what happened on a machine.
    - Investigating Endpoints (1.0): You understand the fundamentals of investigating what happened on a computer. You know the difference between volatile evidence (memory, running processes) and non-volatile evidence (disk, registry). You understand evidence volatility and why collection order matters. You know where to look on a system to answer common investigative questions.
    - Reading Process Trees (1.0): You read process trees to spot suspicious behavior. You understand parent-child process relationships and why certain combinations raise red flags. You know why Word spawning PowerShell is suspicious, why explorer.exe should not have cmd.exe children running encoded commands, and why services.exe spawning unusual processes warrants investigation. You use process lineage to identify malicious activity masquerading as normal operations.
    - Finding Persistence Mechanisms (1.0): You find the ways attackers set themselves up to survive a reboot. You check scheduled tasks, services, registry run keys, startup folders, WMI subscriptions, and other persistence locations. You know what legitimate entries look like in each location so you recognize when something does not belong. You understand how these techniques map to ATT&CK Persistence tactics, which helps you search systematically and communicate findings.
    - Locating Windows Evidence (1.0): You know key Windows evidence sources and what they tell you. You examine file creation and modification timestamps, prefetch files showing program execution, ShimCache and AmCache for execution history, registry keys recording user activity, and browser artifacts. You understand what each artifact records and its limitations.
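The lineage checks from Reading Process Trees, as an added Python example (not KC7 code): it rebuilds parent-child chains from constructed process-creation events and flags the three combinations the item calls out. The Office, script-host, and expected-services-children lists are assumptions to tune per environment.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation event, as an EDR or Sysmon Event ID 1 would log it."""
    pid: int
    ppid: int
    image: str     # executable file name, lower-cased
    cmdline: str


# Assumed image lists; tune these to what is normal in your environment.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}
SERVICES_EXPECTED_CHILDREN = {"svchost.exe", "spoolsv.exe", "msmpeng.exe",
                              "searchindexer.exe", "taskhostw.exe"}
# PowerShell's -EncodedCommand switch (and its short forms) followed by Base64.
ENCODED_RE = re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}")


def lineage(by_pid: dict, pid: int) -> list:
    """Image names from a process up to the root, child first."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)                 # guard against PID-reuse loops
        chain.append(by_pid[pid].image)
        pid = by_pid[pid].ppid
    return chain


def find_suspicious(events: list) -> list:
    """Return (pid, reason, lineage string) for each suspicious child process."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is None:
            continue                  # parent not in the collected window
        reason = None
        if parent.image in OFFICE_APPS and e.image in SCRIPT_HOSTS:
            reason = "office-app-spawned-script-host"
        elif (parent.image == "explorer.exe"
              and e.image in {"cmd.exe", "powershell.exe"}
              and ENCODED_RE.search(e.cmdline)):
            reason = "explorer-child-runs-encoded-command"
        elif parent.image == "services.exe" and e.image not in SERVICES_EXPECTED_CHILDREN:
            reason = "unexpected-child-of-services"
        if reason:
            findings.append((e.pid, reason, " <- ".join(lineage(by_pid, e.pid))))
    return findings


# Constructed events. The Base64 blob is a placeholder (UTF-16LE "AAAAAAAAAAAA").
SAMPLE_EVENTS = [
    ProcEvent(500, 1, "services.exe", r"C:\Windows\System32\services.exe"),
    ProcEvent(800, 500, "svchost.exe", "svchost.exe -k netsvcs"),
    ProcEvent(1200, 1, "explorer.exe", "explorer.exe"),
    ProcEvent(2100, 1200, "winword.exe", "WINWORD.EXE /n invoice.docm"),
    ProcEvent(2300, 2100, "powershell.exe",
              "powershell.exe -nop -w hidden -enc QQBBAEEAQQBBAEEAQQBBAEEAQQBBAEEA"),
    ProcEvent(2500, 1200, "cmd.exe", "cmd.exe /c dir"),
    ProcEvent(2600, 1200, "cmd.exe",
              "cmd.exe /c powershell -e QQBBAEEAQQBBAEEAQQBBAEEAQQBBAEEA"),
    ProcEvent(2700, 500, "rundll32.exe", r"rundll32.exe C:\Users\Public\x.dll,Start"),
]

if __name__ == "__main__":
    for pid, reason, chain in find_suspicious(SAMPLE_EVENTS):
        print(f"pid {pid}: {reason}: {chain}")
```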
  - Network Security Fundamentals: Networks are how attackers get in, move around, and get data out. You need to understand how networks work to spot when something is wrong.
    - Understanding Network Communication (1.0): You understand how computers find and talk to each other across local networks and the internet. You know how IP addressing and subnetting work, how routing directs traffic between networks, and how NAT affects what you see in logs. You use this understanding to interpret network telemetry and understand where traffic originated and where it went.
    - Analyzing Network Protocols (1.0): You understand the protocols relevant to investigations and what to look for in each. You analyze DNS queries to spot malicious domains and tunneling. You examine HTTP and HTTPS traffic for suspicious requests and responses. You understand TCP connection patterns and what they reveal about communication behavior. You interpret SSL/TLS certificate information to identify suspicious infrastructure. You use ARP data to map IP addresses to physical devices.
    - Detecting Network Compromise (1.0): You spot signs of unauthorized access, internal movement, and data theft in network traffic and logs. You identify unusual connection patterns like internal hosts reaching unexpected destinations, large data transfers to external systems, or connections at unusual hours. You recognize scanning activity, lateral movement between internal systems, and command and control communication patterns.
  - Identity and Access Management: Attackers exploit access, not systems alone. Understanding how identity works helps you spot abuse.
    - Understanding Identity Management (1.0): You understand how organizations track who is who and who has access to what. You know how user accounts, groups, and roles organize access rights. You understand the difference between local accounts and domain accounts. You recognize how identity serves as the foundation for access control decisions across an enterprise.
    - Understanding Auth and Access Control (1.0): You understand how systems verify identity and grant permissions. You know the difference between authentication (proving who you are) and authorization (determining what you are allowed to do). You understand password-based authentication, multi-factor authentication, certificate-based authentication, and token-based authentication. You recognize common weaknesses in each approach.
    - Understanding Active Directory (1.0): You understand how Windows enterprise environments manage users, groups, and permissions. You know the structure of AD: domains, forests, organizational units, and group policies. You understand why attackers target AD and what they gain by compromising domain controllers, service accounts, or privileged groups. You recognize common AD attack patterns like Kerberoasting, Pass-the-Hash, and DCSync.
    - Understanding SSO and Federation (1.0): You understand how single sign-on and cloud identity systems work across multiple applications. You know how SAML, OAuth, and OIDC enable federated authentication. You understand the trust relationships between identity providers and service providers. You recognize the security implications of compromised identity providers.
    - Detecting Identity Abuse (1.0): You spot suspicious logins, privilege escalation, and access patterns that do not make sense in authentication logs. You look for impossible travel (logins from distant locations in short timeframes), unusual login times, authentication from unexpected devices or locations, and access to resources outside normal job functions. You recognize when legitimate credentials are being abused by unauthorized users.
  - Email Security Analysis: Email is the most common way attackers get initial access. Analyzing suspicious messages is a daily task for most SOC teams.
    - Tracing Email Origins (1.0): You read email headers to determine where a message actually originated, not where it claims to come from. You trace the path a message took through mail servers by reading the Received headers. You check whether SPF, DKIM, and DMARC authentication passed or failed, and you understand what those results mean. You identify discrepancies between the displayed sender address and the actual envelope sender. You extract originating IP addresses and timestamps from headers.
    - Spotting Phishing Indicators (1.0): You spot the signs of phishing in suspicious emails. You look for spoofed sender addresses, lookalike domains, and display name manipulation. You examine links for URL obfuscation, redirect chains, and mismatches between displayed text and actual destination. You recognize urgency tactics, authority impersonation, and other social engineering techniques. You check attachments for suspicious file types and naming conventions.
    - Understanding Malicious Email Content (1.0): You analyze attachments and links to understand what the attacker is trying to accomplish. You recognize common payload types: credential harvesters, malware droppers, macro-enabled documents, and fake login pages. You extract indicators like URLs, domains, file hashes, and sender infrastructure from malicious emails. You pivot on these indicators to find other users who received similar messages, related phishing campaigns, or earlier attacks using the same infrastructure.
    - Recognizing Email Attack Chains (1.0): You understand how email attacks unfold from initial lure through payload delivery and post-compromise activity. You recognize phishing campaigns, business email compromise, credential harvesting, and malware delivery. You trace the connection between a malicious email and subsequent activity on endpoints or in authentication logs. You understand the full attack chain, not just the email itself.
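The header reading described under Tracing Email Origins, as an added Python example (not KC7 code): it walks the Received chain from newest to earliest hop, pulls the originating IP, reads the SPF/DKIM/DMARC verdicts from Authentication-Results, and compares the displayed From domain with the envelope sender in Return-Path. The message is constructed, with documentation IP addresses and reserved .example domains.

```python
import email
import re
from email.utils import parseaddr

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")

# Constructed message. Continuation lines are folded with tabs as a mail
# server would write them; the IPs are from the documentation ranges.
RAW_MESSAGE = """\
Return-Path: <bounce@mail-bulk.example>
Received: from mx1.victim.example (mx1.victim.example [203.0.113.10])
\tby inbox.victim.example with ESMTP id abc123
\tfor <jane@victim.example>; Mon, 03 Jun 2024 09:15:02 +0000
Received: from mail-bulk.example (unknown [198.51.100.77])
\tby mx1.victim.example with ESMTPS id def456;
\tMon, 03 Jun 2024 09:15:00 +0000
Authentication-Results: mx1.victim.example;
\tspf=fail smtp.mailfrom=mail-bulk.example;
\tdkim=none;
\tdmarc=fail header.from=victim.example
From: "IT Helpdesk" <helpdesk@victim.example>
To: jane@victim.example
Subject: Password expires today
Message-ID: <constructed-1@mail-bulk.example>

Reset your password at the link below.
"""


def _unfold(value) -> str:
    """Collapse folded header whitespace into single spaces."""
    return " ".join(str(value).split())


def _domain(addr_header) -> str:
    """Domain part of the address in a From/Return-Path style header."""
    return parseaddr(_unfold(addr_header))[1].rpartition("@")[2].lower()


def analyze_headers(raw: str) -> dict:
    """Trace a message back to its origin and read the authentication results."""
    msg = email.message_from_string(raw)
    # Each server prepends its own Received header, so the last one is the
    # earliest hop we can see: where the message entered the mail system.
    hops = []
    for value in msg.get_all("Received", []):
        text = _unfold(value)
        host = re.match(r"from\s+(\S+)", text)
        ip = IP_RE.search(text)
        hops.append((host.group(1) if host else None, ip.group(1) if ip else None))
    earliest = hops[-1] if hops else (None, None)
    auth = {}
    for value in msg.get_all("Authentication-Results", []):
        auth.update(dict(AUTH_RE.findall(_unfold(value))))
    from_domain = _domain(msg.get("From", ""))
    envelope_domain = _domain(msg.get("Return-Path", ""))
    return {
        "hops_newest_first": hops,
        "originating_host": earliest[0],
        "originating_ip": earliest[1],
        "auth": auth,
        "from_domain": from_domain,
        "envelope_domain": envelope_domain,
        "sender_mismatch": from_domain != envelope_domain,
    }


if __name__ == "__main__":
    for key, value in analyze_headers(RAW_MESSAGE).items():
        print(f"{key}: {value}")
```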
  - Web Application Security: Web apps are common targets. This covers how web attacks look from the defender's perspective, in your logs rather than in exploit code.
    - Detecting Web Attacks in Logs (1.0): You recognize common web attacks in server and WAF logs. You spot SQL injection attempts by looking for SQL syntax in request parameters. You identify cross-site scripting (XSS) by recognizing script tags and event handlers in input fields. You detect path traversal attempts from directory navigation sequences like "../" in requests. You recognize authentication bypass attempts, parameter tampering, and other web attack patterns. You also spot signs of successful exploitation like web shells: unusual files in web directories, requests to suspicious endpoints, and command-execution patterns in parameters.
    - Analyzing HTTP Traffic (1.0): You read HTTP requests and responses to spot malicious activity. You examine URLs, headers, parameters, and response codes for suspicious patterns. You look for unusual user agents, unexpected request methods, abnormal parameter values, and suspicious response sizes. You understand what normal web traffic looks like so you notice when something deviates.
    - Understanding Web Exploitation Outcomes (1.0): You understand what attackers gain when they successfully exploit a web application. You recognize how SQL injection leads to data theft or authentication bypass. You understand how remote code execution gives attackers a foothold on the server. You know how attackers pivot from a compromised web server to internal systems, databases, or cloud resources. You connect web attack indicators to downstream activity in other log sources.
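The log-side detection from Detecting Web Attacks in Logs and Analyzing HTTP Traffic, as an added Python example (not KC7 code): it parses combined-format access log lines, URL-decodes the request target twice so double-encoded payloads are visible, and applies the SQL injection, XSS, path traversal, and web shell patterns the items describe. The log lines and rule sets are constructed and deliberately narrow; a production rule set would be far broader.

```python
import re
from urllib.parse import unquote_plus

# Combined log format as Apache and nginx write it.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)

# Detection rules applied to the fully decoded request target.
RULES = [
    ("sqli", re.compile(r"(?i)(?:'\s*(?:or|and)\b|union\s+select|sleep\(\d+\))")),
    ("xss", re.compile(r"(?i)(?:<script\b|on(?:error|load|mouseover)\s*=|javascript:)")),
    ("traversal", re.compile(r"(?:\.\./|\.\.\\){2,}")),
    # A script under an upload directory taking a cmd= parameter: web shell signal.
    ("webshell", re.compile(r"(?i)/uploads?/[^?]+\.(?:php|aspx?|jsp)\?.*\bcmd=")),
]


def decode_target(target: str, rounds: int = 2) -> str:
    """URL-decode repeatedly so double-encoded payloads (%2527) become visible."""
    for _ in range(rounds):
        decoded = unquote_plus(target)
        if decoded == target:
            break
        target = decoded
    return target


def scan_access_log(text: str) -> list:
    """Return one finding per request that matches at least one rule."""
    findings = []
    for line in text.strip().splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue   # not combined format; a real pipeline would count these
        decoded = decode_target(m["target"])
        rules = [name for name, rx in RULES if rx.search(decoded)]
        if rules:
            findings.append({"ip": m["ip"], "ua": m["ua"], "status": int(m["status"]),
                             "target": decoded, "rules": rules})
    return findings


# Constructed log lines; the SQL injection attempt is double URL-encoded.
ACCESS_LOG = """\
203.0.113.5 - - [03/Jun/2024:09:10:01 +0000] "GET /products?id=10 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [03/Jun/2024:09:10:05 +0000] "GET /products?id=10%2527%2520OR%25201%253D1-- HTTP/1.1" 200 89120 "-" "sqlmap/1.7"
198.51.100.7 - - [03/Jun/2024:09:10:09 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
198.51.100.9 - - [03/Jun/2024:09:11:30 +0000] "GET /static/..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 404 0 "-" "curl/8.0"
203.0.113.8 - - [03/Jun/2024:09:12:00 +0000] "GET /docs/page?q=order+by+date HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.9 - - [03/Jun/2024:09:14:12 +0000] "POST /uploads/img_2024.php?cmd=id HTTP/1.1" 200 42 "-" "python-requests/2.31"
"""

if __name__ == "__main__":
    for f in scan_access_log(ACCESS_LOG):
        print(f"{f['ip']} {f['rules']} {f['target']} ({f['ua']})")
```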
  - Tracing Attacker Activity: You found something suspicious. Now you need to figure out what else the attacker did. Tracing Attacker Activity skills help you follow attacker movement, communication, and objectives.
    - Identifying Lateral Movement (1.0): You found a compromised account or host. Now you look for signs the attacker used it to reach other systems. You search authentication logs for the compromised account logging into other machines. You look for remote access patterns like RDP, SMB, WMI, or PsExec originating from the compromised host. You check for the same malicious files, scheduled tasks, or services appearing on other systems. You trace the path the attacker took through your environment.
    - Identifying C2 Activity (1.0): You found a compromised endpoint. Now you look for how it communicates with the attacker. You search network logs for connections to external IPs or domains around the time of compromise. You look for beaconing patterns where the host connects to the same destination at regular intervals. You check DNS logs for unusual queries, long subdomains, or newly registered domains. You correlate network activity with process execution to understand which process is making the connections.
    - Identifying Data Exfiltration (1.0): You confirmed a breach. Now you look for signs of data theft. You search for unusual outbound transfers from the compromised host or account. You look for data being staged in unusual locations before transfer. You check for access to sensitive file shares, databases, or cloud storage the attacker should not have touched. You examine upload activity to external services, personal email, or cloud storage. You look for signs of compression or encryption before transfer.
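The beaconing check from Identifying C2 Activity, as an added Python example (not KC7 code): it groups a constructed connection log by source and destination, measures the gaps between consecutive connections, and flags pairs whose gaps are too regular to be human. The thresholds (at least five connections, jitter at most 0.2) are assumptions; lowering the minimum count catches shorter runs at the cost of more noise, which is the trade-off the Understanding Detection section describes.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed connection log: timestamp,src_host,dst,dst_port,bytes_out.
# Lines are deliberately out of order, as merged logs often are.
NETWORK_LOG = """\
2024-06-03T09:00:00Z,WS-042,203.0.113.50,443,512
2024-06-03T09:00:10Z,WS-042,cdn.example,443,48210
2024-06-03T09:00:12Z,WS-042,cdn.example,443,1250
2024-06-03T09:01:01Z,WS-042,203.0.113.50,443,498
2024-06-03T09:01:59Z,WS-042,203.0.113.50,443,503
2024-06-03T09:02:40Z,WS-042,cdn.example,443,9870
2024-06-03T09:03:02Z,WS-042,203.0.113.50,443,511
2024-06-03T09:03:05Z,WS-042,cdn.example,443,300
2024-06-03T09:04:58Z,WS-042,203.0.113.50,443,505
2024-06-03T09:04:00Z,WS-042,203.0.113.50,443,499
2024-06-03T09:05:00Z,WS-017,203.0.113.50,443,520
2024-06-03T09:06:00Z,WS-017,203.0.113.50,443,520
2024-06-03T09:06:01Z,WS-042,203.0.113.50,443,508
2024-06-03T09:07:00Z,WS-017,203.0.113.50,443,520
2024-06-03T09:07:00Z,WS-042,203.0.113.50,443,497
2024-06-03T09:09:50Z,WS-042,cdn.example,443,22000
2024-06-03T09:10:00Z,WS-042,cdn.example,443,410
"""


def parse_log(text: str) -> dict:
    """Group connection times by (src, dst), sorted oldest first."""
    groups = defaultdict(list)
    for line in text.strip().splitlines():
        ts, src, dst, _port, _size = line.split(",")
        groups[(src, dst)].append(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"))
    for times in groups.values():
        times.sort()
    return groups


def find_beacons(text: str, min_count: int = 5, max_jitter: float = 0.2) -> list:
    """Flag (src, dst) pairs whose connection intervals are suspiciously regular.

    Jitter is the coefficient of variation (stdev / mean) of the gaps between
    consecutive connections; human-driven traffic is bursty and scores high,
    a timer-driven implant scores close to zero.
    """
    findings = []
    for (src, dst), times in parse_log(text).items():
        if len(times) < min_count:
            continue   # too few samples to call anything periodic
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        jitter = statistics.pstdev(gaps) / mean if mean else float("inf")
        if jitter <= max_jitter:
            findings.append({"src": src, "dst": dst, "count": len(times),
                             "mean_interval": mean, "jitter": round(jitter, 3)})
    return sorted(findings, key=lambda f: f["jitter"])


if __name__ == "__main__":
    for f in find_beacons(NETWORK_LOG):
        print(f"{f['src']} -> {f['dst']}: {f['count']} connections, "
              f"every {f['mean_interval']:.0f}s, jitter {f['jitter']}")
```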
  - Understanding Defenses: Security controls work together. No single tool stops everything, but layered defenses force attackers to work harder and create more opportunities to catch them.
    - Layered Defenses (1.0): You understand how defenses stack at different levels: perimeter controls filter traffic before it enters the network, network segmentation limits movement between zones, endpoint protection catches malicious activity on hosts, and identity controls restrict who accesses what. Each layer addresses different threats. You recognize how these layers create multiple opportunities to stop or detect an attack.
    - How Controls Stop Attacks (1.0): You understand what each type of control blocks and how. Firewalls block unauthorized connections. Email gateways filter malicious attachments and links. Endpoint protection stops known malware from executing. Identity controls prevent unauthorized access. You recognize how an attacker must defeat multiple controls in sequence to achieve their objective, and how each control they encounter increases the chance of detection.
    - What Controls Miss (1.0): You understand why attacks succeed despite defenses. You recognize blind spots: encrypted traffic that firewalls do not inspect, fileless malware that endpoint protection misses, legitimate credentials that identity controls trust. You understand how attackers choose techniques based on what defenses they expect to face. You know where your visibility gaps are and what threats could slip through undetected.
  - Understanding Detection: Detection is about finding attacker activity in your telemetry. Some detections are more valuable than others. Understanding why helps you prioritize and recognize limitations.
    - The Pyramid of Pain (1.0): You understand why detecting attacker behaviors matters more than detecting indicators. At the bottom of the pyramid, hash values and IP addresses are trivial for attackers to change. Domains and tools require more effort. At the top, tactics, techniques, and procedures (TTPs) are hard for attackers to change because they reflect how the attacker operates. Detections targeting TTPs remain effective even when attackers rotate their infrastructure and tools. You prioritize behavioral detections over indicator-based detections when possible.
    - Detection Trade-offs (1.0): You understand the tension between catching threats and generating noise. Signature-based detection looks for known bad patterns and has low false positives but misses novel threats. Behavioral detection catches unusual activity but generates more false positives. Broad detections catch more but create alert fatigue. Narrow detections are precise but miss variations. You recognize these trade-offs when interpreting alerts and understand why some detections are noisy.
    - Why Detections Fail (1.0): You understand why attackers evade detection. Some techniques blend with normal activity. Some exploit gaps in logging or visibility. Some target systems where no detection exists. Attackers test their tools against common defenses before deploying them. You recognize when you are relying on detections with known weaknesses and understand what threats could bypass your current coverage.
- Advanced Topics: Advanced Specializations require both domain knowledge and analytical judgment. Games introduce core concepts and give you practice. Mastery requires continued study and real-world experience beyond what any curriculum provides.
  - Threat Intelligence: Threat intel helps you understand the broader context: who is attacking, what they want, and how they operate. It turns isolated incidents into patterns.
    - Using Threat Intelligence Feeds (1.0): You use threat intelligence feeds and reports to add context to your investigations. You check indicators you find against threat intel databases. You use intelligence about active campaigns to guide your hunting. You understand the difference between strategic intelligence (who is attacking and why), tactical intelligence (how they attack), and operational intelligence (specific indicators and signatures).
    - Assessing Threat Reports (1.0): You assess whether a threat report is useful or noise. You consider the source, timeliness, and relevance to your environment. You recognize not all intelligence applies to your organization. You evaluate confidence levels and corroborate claims before acting on them. You do not treat every report as urgent just because it exists.
    - Clustering Related Attacks (1.0): You connect related attacks based on shared techniques, infrastructure, or tools. You recognize when different incidents might be the same attacker. You use ATT&CK techniques, infrastructure patterns, and tooling overlaps as common reference points for clustering activity. You understand the difference between confident attribution and tentative clustering.
    - Organizing Threat Information (1.0): You use structured models like the Diamond Model to organize what you know about threats. You understand how to describe intrusions in terms of adversary, capability, infrastructure, and victim. You use frameworks to ensure you capture relevant details and identify gaps in your understanding. You communicate threat information using standard structures others recognize.
  - Cloud Security Investigations: Cloud environments have different logs, different attack surfaces, and different rules. If your organization uses cloud infrastructure, you need to know how to investigate there.
    - Investigating in Cloud Environments (1.0): You understand how cloud investigations differ from on-prem investigations. You know cloud environments have different log sources, different telemetry, and different attacker techniques. You adapt your investigation workflows for cloud contexts. You understand the shared responsibility model and what visibility you have versus what the cloud provider controls.
    - Recognizing Cloud Attack Techniques (1.0): You know the attacks most relevant in cloud environments. You understand how misconfigured storage buckets expose data, how attackers abuse identity and access management to escalate privileges, and how metadata services get exploited for credential theft. You recognize cloud environments have unique attack surfaces not present in traditional infrastructure.
    - Tracking Attackers Across Hybrid Environments (1.0): You track attackers as they move between on-prem networks and cloud infrastructure. You correlate activity across both environments. You understand how attackers use cloud as initial access to on-prem networks and how they pivot from compromised on-prem systems into cloud resources. You maintain visibility across the boundary.
    - Handling Cloud Forensics Challenges (1.0): You understand the unique challenges of cloud forensics. You know cloud resources are ephemeral and may disappear before you investigate them. You understand you have limited access to underlying infrastructure in shared-responsibility models. You know how to preserve cloud evidence before it vanishes and what forensic data is available in different cloud platforms.
  - Basic Malware Analysis: Sometimes you need to understand what a piece of malware does. This covers the basics of analyzing malicious files without becoming a reverse engineer.
    - Identifying Malware Types (1.0): You recognize what type of malware you are dealing with. You distinguish between ransomware, remote access trojans (RATs), loaders, infostealers, wipers, and other malware categories. You understand what each type does and what the attacker is trying to achieve. You use this understanding to predict what else the malware might have done and what you should look for in your environment.
    - Interpreting Sandbox Results (1.0): You read and interpret results from automated malware analysis tools like VirusTotal, Any.Run, and Hybrid Analysis. You understand what these tools show you: file metadata, detection ratios, behavioral indicators, network connections, dropped files, and registry modifications. You know the limitations of sandbox analysis, including evasion techniques that cause malware to behave differently in sandboxes.
    - Choosing Analysis Approaches (1.0): You understand the difference between analyzing malware without running it and watching it run. Static analysis examines code, strings, imports, and metadata without execution. Dynamic analysis observes behavior during execution in a controlled environment. You know when each approach is appropriate and what each reveals.
    - Deobfuscating Malicious Code (1.0): You untangle the tricks malware authors use to hide what their code does. You recognize common obfuscation techniques like string encoding, control flow manipulation, and packing. You use tools and manual techniques to deobfuscate code enough to understand its purpose. You do not need to fully reverse engineer malware, but you need to extract useful indicators and understand basic functionality.
    - Linking Related Malware Samples (1.0): You recognize technical markers linking related malware samples. You use PDB paths to identify developer environments and link related samples. You use import hashes to find functionally similar binaries. You examine Rich headers for compiler metadata revealing build environment details. You understand what these markers tell you about malware relationships and attribution.