Offensive Security

For Security Practitioners Who Want to Detect Campaigns, Not Just Alerts

Offensive Security for Defenders

Think like the attacker. Detect the campaign. Stop chasing IOCs.

Operate offensive tools in your lab — Sliver, Evilginx, Impacket — then switch perspective and detect what you built. Every sub translates offensive operations into campaign-level detection strategy with concrete detection capabilities, telemetry, and datasets to sharpen your analysis skills.

Content last updated: April 2026
Offensive logic → defensive translation

Attacker planning: Operational profiles, risk tolerance, campaign timing. How the attacker thinks about your organisation as a target.

Infrastructure: C2 systems, redirectors, CDN abuse, rotation patterns. Map the topology from a single IOC; stop chasing domains one at a time.

Payload engineering: Multi-stage chains, obfuscation, MOTW bypass, LOLBins. Read the delivery chain as intelligence about the attacker's capability.

Post-compromise: Escalation, lateral movement, persistence, exfiltration. Campaign-level detection across the full attack lifecycle.

Campaign synthesis: Connect the dots — phishing email to data exfiltration. Full campaign reconstruction from multi-source telemetry.

12 modules | 10 datasets | 30–40 hours | Hands-on labs

From "I blocked the IOC" → "I mapped and dismantled the campaign"
End of Course Exam: 40 CPE credits

What you'll be able to do

Operate offensive tools (Sliver, Evilginx, Impacket) in a lab and detect what you built from your own telemetry
Reconstruct complete attack campaigns from multi-source telemetry across hosts and timeframes
Predict attacker next steps during active investigations based on operational patterns
Build campaign-level detection rules that catch operational patterns rather than isolated artifacts
Translate offensive understanding into detection portfolio design and programme investment decisions

The approach — attack then detect

Every content sub follows the same flow. You execute the offensive technique in your lab, observe what it produces in telemetry, then deploy the detection and verify it fires against what you just did. The offense is not context for the detection — the offense IS the curriculum. Detection is the applied outcome.

This is not a red team course. You finish as a defender who can look at a set of seemingly unrelated alerts and recognize the campaign connecting them — because you understand why the attacker chose that infrastructure, that access method, that movement pattern, and that timing.

Who this course is for

SOC analysts who triage individual alerts but want the campaign context that connects them.

Detection engineers who want to write rules that target operational patterns an attacker cannot change by editing a config file.

IR practitioners who want to predict attacker next steps during active investigations.

Threat hunters who want to hunt campaign patterns rather than IOC lists.

Security managers building a detection strategy that catches campaigns, not just techniques.

Anyone with a genuine interest in offensive security for defenders. Whatever your background — whether you are transitioning from another domain, early in your career, or exploring a new direction — if the subject interests you and you are willing to put in the work, this course is for you. Backgrounds vary. Motivation is what matters.

What you will be able to do

1. Explain the operational logic behind attacker decisions. Given a campaign phase — infrastructure build, initial access, post-exploitation, lateral movement, objective execution — articulate why an attacker makes specific choices and what constraints drive those choices.

2. Recognize campaign patterns in telemetry. Given a series of alerts across systems and timeframes, identify the operational pattern connecting them and classify the campaign phase.

3. Anticipate attacker next steps. During an active investigation, predict what the attacker is likely to do next based on what they have already done, and pre-position detection or containment accordingly.

4. Build campaign-level detections. Write detection rules and correlation logic that catch operational patterns — infrastructure staging, credential reuse chains, lateral movement timing, data staging sequences — not just individual technique artifacts.

5. Analyze published campaigns. Read a threat intelligence report and extract the operational patterns: infrastructure decisions, access methods, movement logic, objective execution. Map those patterns to detection opportunities.

6. Translate offensive understanding into detection strategy. Prioritize detection investment based on attacker economics — what is cheap for them to change, what is expensive — so your programme targets the patterns that persist across campaigns.

7. Reconstruct complete campaigns from raw telemetry. Take isolated alerts across 6 hosts over 72 hours and build the complete attack narrative — from infrastructure staging through objective execution.

Course at a glance

Modules: 12 (OD0–OD11) + operational cheatsheet

Campaign datasets: 10 multi-system, multi-day telemetry datasets from M2 onward

Estimated duration: 30–40 hours (self-paced)

Format: Written content — hands-on attack execution, annotated telemetry, detection capabilities, datasets, knowledge checks

Free content: OD0–OD1 (2 modules) — no account required

Paid content: OD2–OD11 (10 modules) — Premium or Team subscription

Platform: Sliver, Evilginx, Impacket, Sysmon, KQL, Sentinel, Defender XDR

Built by Ridgeline Cyber

Ridgeline Cyber Defence builds security operations training grounded in practical, operational experience. The team behind this course runs cybersecurity operations across cloud and on-prem security stacks and manages and executes incident engagements across a wide range of cyber investigations. You are in good hands.

The offensive scenarios in this course are grounded in that defensive operational work — real campaign patterns, sanitized and adapted for training.

Lab environment

Linux VM (Ubuntu 22.04+): Team server (Sliver), redirectors (Nginx), attack tooling. Your attack platform. Built in M1.

Windows VM (Windows 10/11, Sysmon configured): Beacon endpoint and target for attack execution. Generates the telemetry you detect.

Sentinel workspace or Splunk instance: Detection queries, campaign telemetry analysis, and detection rule deployment.

M365 developer tenant (free): Cloud attack scenarios (M4–M6) — AiTM phishing, device code phishing, OAuth consent abuse. Free from developer.microsoft.com.

The lab is built in Module 1 and used throughout M2–M11. No commercial tools required.

Course Syllabus

12 modules plus an operational cheatsheet. OD0–OD1 are free — no account required.

Phase 2 — The Campaign Lifecycle

OD2
Offensive Infrastructure — Build a C2 platform with Sliver, configure redirectors, stage CDN-fronted infrastructure. Detect your own infrastructure from certificate transparency (CT) logs and passive DNS.
OD3
Payload Engineering and Delivery — Build multi-stage dropper chains, implement MOTW bypass, abuse LOLBins. Five delivery channels. Detect the full chain from phishing email through staged dropper to C2 establishment.
OD4
Initial Access — Operate an AiTM proxy with Evilginx, execute device code phishing, abuse OAuth consent grants, exploit public-facing applications. Detect token replay, consent grants, and pre-access staging.
OD5
The First 30 Minutes — Execute the post-compromise priority sequence: discovery, credential harvesting, persistence, C2 validation. Detect automated vs manual post-compromise from command timing and sequence patterns.
OD6
Credential Operations — Kerberoasting, DCSync, token theft, certificate abuse, cloud credential operations. Credentials as operational resources. Detect credential harvesting campaigns across identity telemetry.
OD7
Lateral Movement — Execute seven movement protocols and compare the telemetry each produces. Target prioritisation, movement timing, trust relationship exploitation. Detect and distinguish attacker from admin.
OD8
Defense Evasion — EDR evasion philosophy, log awareness, timestomping, living-off-the-land, detection testing from the attacker's perspective. Detect the meta-signals of evasion that survive technique changes.
OD9
Objectives — Ransomware staging, data theft, double extortion, espionage, BEC, sabotage, and cloud-native objectives. Detect objective staging patterns before the damage happens.
OD10
Campaign Reconstruction — The capstone defensive skill. Timeline construction, multi-source correlation, behavioural clustering, kill chain reconstruction. Correlate isolated alerts into a complete attack narrative across 6 hosts over 72 hours.
OD11
Threat-Informed Defense — Translate offensive understanding into programme decisions. Attacker economics, detection coverage mapping, portfolio design, programme rhythm, and measuring effectiveness.
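Objective 4 above (campaign-level correlation logic rather than single-technique artifacts) and the OD5 module (distinguishing automated from manual post-compromise activity by command timing and sequence) both describe a detection idea that is easiest to see in code. The following is an added example written for this page; it is not course material, not a course dataset, and not a rule from the lab pack. The phase keyword lists, the 30-minute window, the 2-second tempo threshold, the host names and the telemetry rows are all constructed assumptions for illustration.

```python
"""Campaign-level correlation over constructed process-creation telemetry.

Added example (not course material). Groups Sysmon-style process events by
host, flags hosts where more than one post-compromise phase appears inside a
single window, and labels the sequence "automated" or "manual" from the
median gap between commands.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Phase keyword lists are an assumption of this example, not a course list.
PHASE_KEYWORDS = {
    "discovery": ("whoami", "ipconfig", "nltest", "net group", "net user", "systeminfo"),
    "credential_access": ("reg save hklm\\sam", "lsass"),
    "persistence": ("schtasks /create", "\\currentversion\\run", "sc create"),
}

WINDOW = timedelta(minutes=30)            # assumed correlation window
AUTOMATED_GAP = timedelta(seconds=2)      # median gap below this reads as scripted

# Constructed sample telemetry: (timestamp, host, user, command line).
# WS-041: scripted post-compromise burst. SRV-DB01: admin doing discovery only.
# SRV-FS02: an operator working by hand across two phases.
SAMPLE_EVENTS = [
    ("2026-04-01T09:00:01", "WS-041", "NG\\jdoe", "whoami /all"),
    ("2026-04-01T09:00:02", "WS-041", "NG\\jdoe", "ipconfig /all"),
    ("2026-04-01T09:00:02", "WS-041", "NG\\jdoe", "nltest /dclist:northgate"),
    ("2026-04-01T09:00:03", "WS-041", "NG\\jdoe", 'net group "domain admins" /domain'),
    ("2026-04-01T09:00:05", "WS-041", "NG\\jdoe",
     "schtasks /create /tn Updater /tr C:\\Users\\Public\\u.exe /sc onlogon"),
    ("2026-04-01T10:15:00", "SRV-DB01", "NG\\admin.t", "ipconfig /all"),
    ("2026-04-01T10:42:10", "SRV-DB01", "NG\\admin.t", "systeminfo"),
    ("2026-04-01T11:05:00", "SRV-DB01", "NG\\admin.t", "sc query mssqlserver"),
    ("2026-04-01T14:00:00", "SRV-FS02", "NG\\svc.backup", "net user backupsvc /domain"),
    ("2026-04-01T14:20:00", "SRV-FS02", "NG\\svc.backup",
     "schtasks /create /tn Sync /tr C:\\Tools\\sync.exe /sc daily"),
]


def classify(cmd):
    """Map a command line to a post-compromise phase, or None if it matches nothing."""
    lowered = cmd.lower()
    for phase, keywords in PHASE_KEYWORDS.items():
        if any(k in lowered for k in keywords):
            return phase
    return None


def parse(events):
    """Keep only events that map to a phase, with parsed timestamps."""
    parsed = []
    for ts, host, user, cmd in events:
        phase = classify(cmd)
        if phase:
            parsed.append({"ts": datetime.fromisoformat(ts), "host": host,
                           "user": user, "cmd": cmd, "phase": phase})
    return parsed


def correlate(events, window=WINDOW, min_phases=2):
    """Per host, find the largest cluster of phase-tagged events inside one
    window that spans at least `min_phases` distinct phases, then rate its tempo."""
    by_host = defaultdict(list)
    for e in parse(events):
        by_host[e["host"]].append(e)

    findings = {}
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])
        best = None
        for i, start in enumerate(evs):          # slide the window from each event
            cluster = [e for e in evs[i:] if e["ts"] - start["ts"] <= window]
            if len({e["phase"] for e in cluster}) >= min_phases and (
                    best is None or len(cluster) > len(best)):
                best = cluster
        if best is None:
            continue                              # single-phase activity: no finding
        gaps = [b["ts"] - a["ts"] for a, b in zip(best, best[1:])]
        med = median(gaps) if gaps else timedelta(0)
        findings[host] = {
            "phases": sorted({e["phase"] for e in best}),
            "events": len(best),
            "median_gap_s": med.total_seconds(),
            "tempo": "automated" if med < AUTOMATED_GAP else "manual",
        }
    return findings


if __name__ == "__main__":
    for host, f in correlate(SAMPLE_EVENTS).items():
        print(host, f)
```

Run as-is: WS-041 is reported with discovery and persistence inside four seconds and a median gap of one second ("automated"); SRV-FS02 is reported with the same two phases but a twenty-minute gap ("manual"); SRV-DB01 produces no finding because its commands all sit in one phase. The point is the one the course makes: the alert-level rule fires on `schtasks /create` on every host, while the campaign-level logic fires on the sequence and the tempo, neither of which an attacker changes by renaming a binary.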

What you get that you will not find elsewhere

This is not a pentesting course. Pentesting courses teach you to break in. This course teaches you to understand how attackers operate so you can detect them. You operate offensive tools because the best way to understand campaign logic is to execute it yourself — then detect what you built.

This is not Purple Teaming again. Purple Teaming for Blue Teams operates at the technique level — fire one ATT&CK technique, write the Sigma rule, tune it. This course operates at the campaign level — how attackers make decisions across multiple techniques, tools, and timeframes. PT detects the individual event. OD detects the campaign connecting them.

Every module includes a campaign telemetry dataset. Multi-system, multi-day log data with realistic baseline noise that mirrors what you would see in a production SIEM. You analyze these datasets the way you would analyze a real incident — except here you know exactly what the attacker did because you did it yourself.

The course builds cumulative investigation capability. Each module adds a layer. By Module 10, you reconstruct a full 72-hour campaign from raw telemetry across 6 hosts. By Module 11, you translate everything into a threat-informed detection roadmap for your own organisation.

Where this course fits

Detection Engineering teaches you to write rules. Purple Teaming teaches you to validate rules fire against the actual technique. Offensive Security for Defenders teaches you the campaign logic that connects those techniques — so your detection strategy targets the operational patterns an attacker cannot change by editing a config file.

Recommended learning path: DE → PT → OD → TH. This is a recommended path, not a dependency chain. A learner can start at any course.

The outcome

You start seeing individual alerts. You finish seeing campaigns.

Campaign pattern recognition — connect seemingly unrelated alerts into coherent attack narratives.

Attacker anticipation — predict what comes next during active investigations because you have operated the same tools and made the same decisions.

Campaign-level detections — rules that catch operational patterns rather than individual artifacts, detections that survive when the attacker changes a config file.

A threat-informed detection roadmap — prioritized by attacker economics, built for your organisation, grounded in offensive understanding.

Support and community

Questions about course content: training@ridgelinecyber.com

Billing and account management: Self-service via your account page or training@ridgelinecyber.com

LinkedIn: Follow Ridgeline Cyber for operational security content and course updates

X: @RidgelineCyber

Usage rights and disclaimer

Course materials: Licensed for individual professional development. You may use detection rules, queries, and analysis techniques from this course in your professional work. You may not redistribute course content, share account credentials, or republish course materials.

Offensive techniques: All attack execution is performed in your own isolated lab environment. Do not execute offensive techniques against systems you do not own or have explicit written authorization to test.

Fictional environment: All scenarios use the fictional Northgate Engineering environment. Any resemblance to real organizations, incidents, or individuals is coincidental.

Version and changelog

Current version: 1.0  |  Last updated: April 2026

April 2026 — v1.0: Course launch. 12 modules (OD0–OD11) plus operational cheatsheet. Complete offensive lifecycle from attacker planning through campaign reconstruction and threat-informed defense. 10 campaign telemetry datasets. Type 2 (Offensive Operations) structure throughout — attack execution, annotated telemetry, detection deployment in every content sub.

This course is actively maintained. Content is updated as the threat landscape evolves and new campaign patterns emerge.

COURSE ASSESSMENT

End of Course Exam

Complete the course, then prove your skills under time pressure. Pass mark: 70. Distinction: 90. Earn your certificate with CPE credits.

40 minutes | 3 phases | 100 points | 1 scenario

Requires 80% course completion. One random scenario per attempt. Certificate issued on pass.