
Threat-Led Security: Adversary Simulation and Red Teaming

Cybersecurity and Digital Risk October 25, 2025

Introduction

Threat-Led Security (TLS) is a proactive, data-driven approach that moves beyond compliance-based testing to simulate the Tactics, Techniques, and Procedures (TTPs) of real-world adversaries targeting the organisation. This course provides an in-depth, hands-on methodology for conducting Red Team operations and Adversary Simulation. Participants will master how to emulate threat actor behavior, assess the effectiveness of defensive controls (Blue Team), and work collaboratively in "Purple Team" exercises to close critical security gaps. The goal is to rigorously test security defenses against the most relevant, current threats, ensuring the security program delivers maximum defensive value.

Objectives

The goal of this program is to provide security professionals with the advanced knowledge and practical skills to execute and manage threat-led security operations, including Red Teaming and Adversary Simulation:

Target Audience

  • Red Team Operators and Ethical Hackers.
  • Security Operations Center (SOC) Analysts (Tier 2/3).
  • Threat Hunters and Detection Engineers.
  • CISOs and Security Directors.
  • Incident Response Team Members.
  • Vulnerability Management Specialists.
  • Security Architects.

Methodology

  • Hands-on labs using Red Team tools to simulate C2, persistence, and lateral movement.
  • Group activity developing a threat profile and TTPs for a mock Red Team engagement.
  • Mandatory Purple Team exercise collaborating to build a new SIEM detection rule.
  • Case studies on major threat-led simulation results and the changes they drove.
  • Technical discussions on the pros and cons of commercial vs. open-source simulation tools.

Personal Impact

  • Expert-level skills in planning and executing intelligence-driven Red Team operations.
  • Ability to rigorously test and prove the effectiveness of defensive controls.
  • Mastery of adversarial TTPs mapped to the MITRE ATT&CK Framework.
  • Enhanced collaboration and communication skills between offensive and defensive teams.
  • Credibility in presenting control gaps and risk in real-world attack context.
  • Skills to drive measurable, high-impact improvements to the security posture.

Organizational Impact

  • Rigorous validation of the security program against real-world, relevant threat actors.
  • Measurable improvement in the SOC's detection and response capabilities (MTTD/MTTR).
  • Optimized security spending by highlighting the most critical control gaps.
  • Stronger, more resilient defensive architecture based on attack feedback.
  • Demonstrable due diligence and preparedness to the Board and regulators.
  • Faster, more efficient remediation by pinpointing exact control failures.

Course Outline

Unit 1: Foundations of Threat-Led Security

Section 1.1: The TLS Methodology
  • Defining Threat-Led Security (TLS) and its distinction from Penetration Testing.
  • The role of Red Teaming, Blue Teaming, and Purple Teaming.
  • Leveraging the MITRE ATT&CK Framework as the common language for TTPs.
  • Establishing clear scope, legal authorization, and rules of engagement (ROE).
Section 1.2: Threat Intelligence for Simulation
  • Identifying and prioritizing relevant threat actors (e.g., APTs, Cybercrime).
  • Mapping threat actor TTPs to the organisation's assets and controls.
  • Developing specific, measurable Red Team objectives based on threat intelligence.
  • The importance of "intelligence-driven" over "exploit-driven" testing.

Unit 2: Red Team Operations Lifecycle

Section 2.1: Planning and Reconnaissance
  • The Red Team Kill Chain and planning phase.
  • Deep external and internal reconnaissance (OSINT, network mapping).
  • Developing and utilizing custom C2 (Command and Control) infrastructure.
  • Creating believable pretexts for social engineering and physical access.
Section 2.2: Initial Access and Exploitation
  • Techniques for gaining initial access (phishing, public-facing exploits).
  • Bypassing perimeter controls (e.g., EDR, AV, NGFW).
  • Exploiting identified vulnerabilities to gain a foothold.
  • Maintaining persistence without detection.

Unit 3: Internal Movement and Objectives

Section 3.1: Privilege Escalation and Lateral Movement
  • Post-exploitation techniques for privilege escalation (e.g., misconfigurations, kernel exploits).
  • Lateral movement techniques (Pass-the-Hash, RDP, WMI).
  • Credential dumping and harvesting strategies.
  • Avoiding detection by internal network security controls.
Section 3.2: Achieving Simulation Objectives
  • Identifying and exfiltrating "Crown Jewel" data assets.
  • Simulating disruption and denial-of-service against critical systems.
  • Testing the organisation's readiness to respond to a major incident.
  • Documenting all TTPs used and their success/failure against controls.

Unit 4: Purple Teaming and Defensive Improvement

Section 4.1: The Blue Team's Role (Detection)
  • Detecting and responding to Red Team activities (the role of the SOC/IR).
  • Analyzing logs and EDR alerts to reconstruct the Red Team's actions.
  • Developing and refining SIEM and EDR detection rules (Detection Engineering).
  • Measuring the Mean Time to Detect (MTTD) the Red Team.
Section 4.2: Collaborative Purple Teaming
  • Conducting collaborative sessions between Red and Blue Teams.
  • Real-time testing and refinement of defensive controls.
  • Developing comprehensive security control validation tests.
  • Using automation (e.g., Atomic Red Team, Caldera) for continuous simulation.

Unit 5: Reporting, Governance, and Maturity

Section 5.1: Reporting and Remediation
  • Structuring the Red Team report for executive and technical audiences.
  • Focusing the report on TTPs, control gaps, and business impact.
  • Developing a formal Plan of Action and Milestones (POAM) for identified gaps.
  • Integrating simulation findings into the overall security risk register.
Section 5.2: Program Maturity
  • Establishing a formal, continuous Threat-Led Security program.
  • Governance and oversight of external Red Team engagements.
  • Metrics for measuring the success and ROI of Adversary Simulation.
  • Developing internal Red Team capability and talent.

Upcoming Sessions

  • Dusseldorf: January 05, 2026 - January 09, 2026
  • Geneva: January 19, 2026 - January 23, 2026
  • Istanbul: February 09, 2026 - February 11, 2026