FUNDAMENTAL KNOWLEDGE (7/06/25-8/06/25)
Network Essentials
Covers essential networking concepts, including TCP/IP and OSI models, common network
devices, key network protocols, and the TCP three-way handshake. Candidates will also
explore workflows of web browsing and email transmission and gain hands-on experience
with HTTP, SSL/TLS, and VPN scenarios.
Operating System Basics
Introduces the Windows and Linux operating systems, covering OS architecture, security
features, authentication mechanisms, file systems, and common processes. Also includes an
introduction to Active Directory and the use of event logs for tracing system activity.
Cryptography Basics
Focuses on fundamental topics, including encryption types and differences between
encoding, encryption, and hashing. Candidates will also learn to recognise common
encodings and get familiar with useful decoding tools.
Cloud and Virtualisation Basics
Covers the essentials of virtualisation and cloud computing, including the differences
between VMs and hosts, cloud vs virtual hosting, and key cloud providers. Candidates will
also learn about cloud service models like SaaS and IaaS with real-world examples.
Web & Scripting Basics
Explores the core web and scripting concepts, including web app architecture, APIs, and
common formats like JSON and XML. Also emphasises recognising scripts across various
languages (Python, JavaScript, Bash, PowerShell, PHP) and differentiating scripts from
compiled programs.
Cybersecurity Fundamentals (9/06/25-10/06/25)
Covers fundamental principles, including the CIA triad, least privilege, and the impact of
human factors in security. Candidates will gain a foundational understanding of modern
cybersecurity trends and major vulnerabilities like Log4Shell and EternalBlue.
MITRE ATT&CK Framework
Introduces the MITRE ATT&CK Framework, a structured knowledge base of adversary tactics,
techniques, and procedures (TTPs). Candidates will learn how to navigate the framework,
understand attack stages, and map real-world attacks to MITRE techniques.
Cyber Kill Chain Framework
Explores the Cyber Kill Chain, its purpose in understanding cyber attacks, and the stages of
an attack lifecycle. Covers the differences between the Cyber Kill Chain and the MITRE
ATT&CK Framework, highlighting their approaches to threat analysis and defence.
NIST Cybersecurity Framework
Covers the NIST Cybersecurity Framework (CSF), including its five stages: Identify, Protect,
Detect, Respond, and Recover. Candidates will learn the high-level purpose of each stage
and map real-world scenarios and attack chains to NIST CSF stages.
Attack Traces and Indicators
Covers Indicators of Compromise (IoC) and Indicators of Attack (IoA). Candidates will
explore various types of IoCs (e.g., IP addresses, file hashes, domains), the difference
between IoC and IoA, and the concept of the Pyramid of Pain. Practical examples will
demonstrate how and where to use or define IoCs in real-world scenarios to identify and
respond to security threats effectively.
COMMON MALICIOUS BEHAVIOUR
Social Engineering
Covers the attack lifecycle, email vulnerabilities, and detection techniques. Candidates will
analyse phishing tactics such as impersonation, typo-squatting, and sender spoofing while
learning about SPF, DKIM, DMARC, and email analysis for threat identification.
Network Attacks
Explores common network-based attacks, including port scanning, DDoS, MiTM, DNS
poisoning, and ARP spoofing. Candidates will analyse network traffic to identify attack
patterns, data exfiltration techniques, and command-and-control (C2) channels.
Web Exploitation
Focuses on web exploitation, explaining why web applications are prime targets. Covers the
differences between client-side and server-side vulnerabilities, key defensive measures
(input validation, patching, WAF), and common web attacks like XSS, SQL injection, code
injection, and path traversal. Candidates will learn to recognise these threats, understand
their impact, and see real-world exploitation examples.
Endpoint Attacks
Focuses on how attackers gain access to and maintain control over endpoints. Candidates will
explore common initial access methods such as RDP/SSH, persistence and privilege
escalation techniques, and credential theft, with a focus on Mimikatz usage. The module
concludes with the impact of such attacks and the importance of activity logging for
detection using tools like Auditd and Sysmon.
Command & Control
Explores Command and Control, including the different types of shells (forward shells and
reverse shells), when each is used, and in particular the advantages of reverse shells in
bypassing firewall restrictions. Also explores C2 frameworks like Metasploit and Cobalt
Strike and their beaconing techniques, how they compare to plain reverse shells, and their
advantages and detection indicators.
Malware & LOLBAS
Introduces malware classification, focusing on understanding the actions performed by
different types of malware. Covers the identification of malware indicators and the
difference between static and dynamic analysis. Provides an introduction to LOLBAS and
explains why threat actors use living-off-the-land techniques for defence evasion.
SECURITY TOOLS OF THE TRADE
Endpoint Detection and Response (EDR)
Explores the functionality of EDR tools, their deployment, and their role in investigations by
providing endpoint telemetry. Compares EDR with traditional AV and covers detection
(telemetry, behavioural analysis) and response (remote shell, containment) features.
Network and Web Protection
Covers firewall and WAF deployments, their detection capabilities and limitations, basic
configurations, and firewall log analysis. Candidates will also learn how to create WAF rules
for security enforcement.
Security Information and Event Management (SIEM)
Focuses on SIEM deployments, log parsing, alert management, threat hunting, triage, and
security reporting in SOC environments. Candidates will also learn how raw logs transform
into SIEM alerts and how to use alert properties such as severity and status for triage.
Security Orchestration and Automation (SOAR)
Explores SOAR platforms, their role in automating security responses, and the creation of
playbooks for incident response automation. Focuses on data enrichment and SOAR
integration with threat intelligence platforms.
Threat Intelligence Platforms (TIP)
Covers the use of threat intelligence platforms, feeds, and indicators in SOC workflows.
Explores how TI is used to classify IP addresses, domains, and hashes, introduces YARA for
rule-based detection, and explains TI integration with SIEM and SOAR for data enrichment
and automated threat response.
Vulnerability Scanning
Explains the concept of vulnerability scanning, its purpose, and the importance of regular
scans to identify security weaknesses. Covers the differences between external and internal
scanning and between web and network scanning, emphasising their roles in a
comprehensive security strategy.
SOC WORKFLOWS AND ACTIVITIES
SOC Team and Responsibilities
Covers the concept of Blue and Red teams, explaining their roles in security operations.
Introduces different types of security teams and outlines the common security hierarchy
within organisations. Also focuses on SOC team roles, with a specific emphasis on the
responsibilities within a SOC environment.
Common Security Activities
Explains the classification of security activities into proactive and reactive categories.
Discusses common activities, including the purpose of False Positive remediation, detection
engineering, vulnerability scanning, and tabletop exercises. Introduces the concept and
purpose of DFIR and Threat Hunting in enhancing security posture.
Alert Triage and Ticketing
Focuses on the purpose of SOC workbooks. Explains the difference between a ticket, an alert,
and a detection rule. Walks through the triage workflow and covers alert classification,
including alert severity, statuses, and verdicts.
SOC Metrics and Lookups
Introduces key performance indicators such as MTTA, MTTD, MTTR, and SLA. Candidates will
learn best practices for tracking and improving SOC performance through metrics and
lookups.
Escalation and Communication
Explains escalation basics and the common escalation schema/matrix in a SOC environment.
Covers basic remediation steps for handling urgent cases. The session also discusses SOC
communication, focusing on how communication is managed between different teams.