Why Defenders Need Offensive Thinking

3 hours · Module 0 · Free

What this module is

Your SIEM fires alerts. Your rules detect techniques. Your SOC triages events. And the attacker still operates inside your environment for fourteen days before anyone notices — because every alert was handled as an isolated event, and nobody connected them into the campaign they represented.

This is the gap that defines modern detection failure. Not a lack of detections — most mature security programmes have hundreds of rules deployed. The problem is cognitive: the gap between detecting individual techniques and recognising campaigns. Three alerts across three systems over six hours: a suspicious PowerShell execution, an unusual sign-in from a new location, and a new scheduled task on a server. Each one triaged independently. Each one closed as low-severity. Together, they're a credential-access campaign that ended in persistent domain access.
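As an added illustration (not part of the module material), here is a small Python correlator for the three-alert scenario above and the grouping task the Module 0 lab sets: it links alerts that share a user or host within a time window, keeps only groups that span more than one attack phase, and reads the attacker's objective from the last phase reached. The alert records, hostnames, usernames, the six-hour window and the phase-to-objective map are all constructed assumptions.

```python
from datetime import datetime, timedelta
from itertools import combinations

# Constructed sample alerts modelled on the three-alert scenario above, plus noise.
# Fields: (time, host, user, phase, rule). Hostnames, usernames and timestamps are invented.
ALERTS = [
    ("2024-05-01T08:05:00", "WS-114", "j.doe", "execution", "Suspicious PowerShell execution"),
    ("2024-05-01T09:30:00", "WS-220", "a.lee", "credential-access", "Sign-in from new location"),
    ("2024-05-01T10:40:00", "SRV-FS01", "j.doe", "credential-access", "Sign-in from new location"),
    ("2024-05-01T13:55:00", "SRV-FS01", "j.doe", "persistence", "New scheduled task created"),
    ("2024-05-04T08:00:00", "WS-114", "j.doe", "execution", "Suspicious PowerShell execution"),
]
WINDOW = timedelta(hours=6)  # assumed maximum gap between two linked alerts
# Assumed heuristic: the latest phase reached describes what the attacker achieved.
OBJECTIVE = {"execution": "foothold", "credential-access": "credential theft",
             "persistence": "persistent access"}

def linked(a, b, window=WINDOW):
    """Two alerts are linked if they share a user or host and fall within the window."""
    same_entity = a["user"] == b["user"] or a["host"] == b["host"]
    return same_entity and abs(a["ts"] - b["ts"]) <= window

def correlate(alerts, window=WINDOW):
    """Connected components over 'linked' (union-find); each one is a candidate campaign."""
    items = [dict(zip(("time", "host", "user", "phase", "rule"), a), ts=datetime.fromisoformat(a[0]))
             for a in alerts]
    items.sort(key=lambda a: a["ts"])
    parent = list(range(len(items)))
    def find(i):
        return i if parent[i] == i else find(parent[i])
    for i, j in combinations(range(len(items)), 2):
        if linked(items[i], items[j], window):
            parent[find(i)] = find(j)
    groups = {}
    for i, a in enumerate(items):
        groups.setdefault(find(i), []).append(a)  # items are time-ordered, so groups are too
    return list(groups.values())

def campaigns(alerts, window=WINDOW):
    """Keep only groups spanning more than one phase; a single phase is just an alert."""
    result = []
    for group in correlate(alerts, window):
        phases = list(dict.fromkeys(a["phase"] for a in group))  # chronological, deduplicated
        if len(phases) > 1:
            result.append({"users": sorted({a["user"] for a in group}),
                           "hosts": sorted({a["host"] for a in group}),
                           "phases": phases, "objective": OBJECTIVE[phases[-1]]})
    return result
```

The three j.doe alerts on 1 May chain into one campaign ending in persistent access, while the a.lee sign-in and the PowerShell alert three days later stay as isolated events; shrinking the window to one hour breaks the chain entirely.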

Module 0 establishes this problem and sets up the offensive-thinking framework that the rest of the course uses to solve it. By the end you'll understand precisely what "thinking like an attacker" means in operational terms — not the pop-security version about "hacking back" or "adversarial mindset," but the specific analytical shift that lets a defender read three unconnected alerts and recognise a campaign.

What you'll be able to do after this module

Three concrete capabilities:

Identify the campaign-correlation gap in your own alert pipeline. You'll look at three recent alerts from your own SIEM and ask: "are these independent events, or phases of one campaign?" Most defenders never ask that question because their triage workflow treats each alert as atomic. After this module, you'll ask it automatically.

Explain why technique-level detection is necessary but insufficient. You'll understand the Pyramid of Pain at an operational level — not as a poster on the SOC wall, but as a framework for deciding where to invest detection engineering effort. Hash-based detection catches the last attack. TTP-based detection catches the next one. The distinction becomes actionable.

Navigate the full course map and know where each module fits. Twelve modules covering the complete offensive lifecycle. This module tells you what each one teaches, which defensive capability it builds, and how the modules connect. You'll know whether to study linearly or jump to the module that matches your immediate priority.

Who this module is for

This module is for anyone considering the course. It's free and it's designed to help you decide whether the course is right for you.

If you're a SOC analyst who triages alerts and wonders whether the events you close as "low severity" are actually pieces of something larger — this module shows you exactly what that looks like.

If you're a detection engineer who writes rules and isn't sure which rules are catching the techniques that matter versus the techniques that are cheap for an attacker to change — this module establishes the framework for making that assessment.

If you're a security manager evaluating whether this course adds value to your team's capability — this module lays out the specific gap the course addresses, so you can decide whether that gap exists in your organisation.

Module structure

Five content subs followed by an interactive lab, a summary, and a knowledge check. Estimated completion: 3 hours including the lab.

OD0.1 — The gap between alerts and campaigns. Three alerts, three systems, six hours. Each alert is triaged independently and closed. Together they're a credential-access campaign. The sub walks you through what the SOC saw, what they missed, and what campaign-level thinking would have caught. This is the foundational problem statement for the entire course.

OD0.2 — How attackers think differently from defenders. Defenders think in controls, alerts, and compliance requirements. Attackers think in objectives, constraints, and operational decisions. Five specific cognitive differences — and why understanding the attacker's decision process makes you a better defender without making you a red teamer.

OD0.3 — The Pyramid of Pain: why operational patterns matter. David Bianco's Pyramid of Pain, operationalised for detection engineering. You'll classify detection rules from your own SIEM by which layer of the pyramid they target, and identify which ones an attacker could defeat by changing a single variable.

OD0.4 — What this course teaches and what it doesn't. The scope: offensive operational logic for defensive advantage. This is not a red team course, not a pentesting course, and it does not repeat Purple Teaming. Every content sub from M2 onward follows the offense/defense structure — an offense deep-dive followed by a defender counter-section with detection, hunting, mitigation, logging gaps, and hands-on labs.

OD0.5 — Course roadmap: twelve modules in context. The full module map positioned against the offensive lifecycle. Which modules build which capabilities, where the campaign telemetry datasets appear, and how the course connects to Detection Engineering and Purple Teaming.

OD0.6 — Interactive lab: campaign correlation simulator. Eight alerts across three systems over six hours. Some are unrelated. Some are a campaign. You group them, identify the campaign phases, and classify the attacker's objective.

OD0.7 — Module summary.

OD0.8 — Check my knowledge. Eight scenario-based questions.

What you need

Nothing. Module 0 is free and requires no tools, no lab environment, and no prior course completion. A browser and your attention.

You're reading the free modules of offensive-security-for-defenders

The full course continues with advanced topics, production detection rules, worked investigation scenarios, and deployable artifacts.