Training

Course Library

Learn the process of conducting security investigations regardless of the toolset.

  • A simple investigation framework to ensure you’ll never get stuck or overwhelmed by data when pursuing leads.
  • The characteristics of evidence and which sources will provide the most value.
  • A formula for building investigation playbooks that will help you get to the right conclusion faster and consistently.
  • Useful techniques for building timelines, making threat hunting observations, and optimizing your workflow through the principle of mise en place.

* This course is available online and on-site at your organization.


A structured system to ensure you’re never at a loss for what to hunt for, where to find it, and how to see it amongst the noise.

  • Two ways to get started: attack-based hunting (ABH) and data-based hunting (DBH)
  • Techniques for leveraging threat intelligence and the MITRE ATT&CK framework for hunting input
  • The 9 most common types of anomalies you’ll encounter when reviewing evidence
  • A 5-step framework for dissecting and simulating attacks to prepare for hunting expeditions
  • The 4 ways threat hunters most commonly transform data to spot anomalies
  • My two-step system for effective note taking while hunting


Get hands-on experience capturing, dissecting, and making sense of packets.

  • 5 techniques for capturing packets in any scenario and how to know which one is appropriate
  • A tutorial on using packet maps to navigate protocols along with color-coded printable maps for all the most common protocols you’ll encounter.
  • Learn all of Wireshark’s analysis features including how to create graphs, traverse protocol hierarchy charts, and generate stats that are simple AND useful.
  • My tips for customizing your analysis environment by using features like Wireshark profiles, custom columns, and individual packet color coding.
  • Techniques for extracting complete files from network communication via multiple protocols — even custom malware command and control.
  • How to use tshark and tcpdump to perform packet analysis on the command line.
  • How to approach and dissect these protocols: IPv4, IPv6, TCP, UDP, DHCP, DNS, HTTP, SMTP, and ICMP.
  • Learn what normal looks like so you can spot abnormal when you encounter it.


Intrusion Detection Honeypots rely on deception to trick attackers into interacting with fake systems, services, and data. In this class, you’ll get hands-on experience designing, building, deploying, and monitoring honeypots to detect network adversaries before they accomplish their goals.

  • Use the See-Think-Do framework to integrate honeypots into your network and lure attackers into your traps. If you control what the attacker sees and thinks, you can control their actions. This strategy is the key to deceptive defense.
  • Hide honey tokens and web bugs in office documents. When attackers open them, you’ll know they’re on the network.
  • Embed honey credentials in services and memory so that attackers will find and attempt to use them. You’ll leverage various forms of authentication monitoring to know when this happens.
  • Build deception-based defenses against common attacks like Kerberoasting and LLMNR spoofing.


Master your data by learning how to centralize, parse, and analyze it using the popular open source ELK toolkit.

  • Store, index, and search data in a centralized location with Elasticsearch.
  • Explore the most useful Logstash plugins to effectively collect and manipulate structured and unstructured data.
  • Techniques for searching data and building useful visualizations and dashboards with Kibana.
  • Step-by-step guides for building data pipelines for common data sources: HTTP proxy logs, file-based logs, Windows events and Sysmon data, netflow, and IDS alerts.


Learn my system for writing that communicates a clear message, keeps your reader engaged, and creates meaningful change.

  • My repeatable system for faster, more effective security writing through storytelling and empathy development.
  • Techniques to bridge the gap between technical and non-technical audiences.
  • The critical components of a penetration testing report and how to write one so that network owners will finally take your findings and recommendations to heart.
  • How to write compromise reports that aren’t boring, and help stakeholders understand the scope of an attack that has occurred.
  • How to write more effective short-form communication, including e-mails, case notes, and chat messages.


Find your passion as this free introduction to information security takes you through a real investigation from the popular “Cuckoo’s Egg” book by Cliff Stoll.

  • Journey through the story of Cliff Stoll and compare his experience with information security in the modern day.
  • Explore a wide array of topics touching nearly every information security specialty. If you’re new to the field, this is a great way to figure out what interests you.
  • Stretch your mind by considering tough questions that practitioners struggle with on a daily basis.
  • Watch an interview with Hans “Pengo” Hubner, one of the hackers responsible for the events in the book.

In addition to the courses I personally teach, I also help produce courses for others at https://networkdefense.io.

Be sure and check out some of these other great courses!