OD0.4 What This Course Teaches and What It Doesn't

3 hours · Module 0 · Free
What you already know

You've completed or are familiar with Ridgeline's Detection Engineering and Purple Teaming courses, or equivalent depth. You know the technique-level detection workflow: identify technique, observe telemetry, write Sigma rule, tune, deploy. This sub explains how this course builds on that foundation without repeating it — and draws a clear line around what's in scope and what isn't.

Operational Objective

Before investing 40+ hours in a course, you need to know exactly what you'll build, what skills you'll gain, and what's explicitly excluded. If this course isn't what you need, you'll know by the end of this sub.

This sub defines the course scope, the offense/defense sub structure that organizes every module, how the hands-on labs and campaign telemetry datasets work, and where this course sits relative to Detection Engineering and Purple Teaming.

Learning Objectives

By the end of this sub you will be able to:

  • Explain the course's scope in one sentence and distinguish it from Detection Engineering (technique-level rules) and Purple Teaming (technique-level validation). This matters because practitioners who understand the scope invest their time in the right course — and practitioners who complete all three can articulate a detection capability that covers techniques, validation, and campaign-level correlation.
  • Describe the offense/defense sub structure and explain how every paid sub is organized into an offense deep-dive (how the attacker operates) and a defender counter-section (detection, hunting, mitigation, logging gaps). This matters because the structure is the pedagogy — understanding how subs are organized lets you extract maximum value from each one.
[Diagram: three courses, three levels of detection capability]
  Detection Engineering: write the rules. Technique-level rules for your environment.
  Purple Teaming: validate the rules fire. Execute technique, observe telemetry, confirm detection.
  Offensive Security for Defenders: detect the campaign. Understand operational logic, correlate across techniques.
  Flow: DE writes the technique rules → PT validates they fire → OD connects them into campaign-level detection.

Figure OD0.4 — Three courses, three capabilities. Detection Engineering writes the rules. Purple Teaming validates they fire. Offensive Security for Defenders teaches the attacker's operational logic so you can correlate technique-level detections into campaign-level alerts.


What this course teaches

Campaign-level offensive operations — from the attacker's perspective — translated into detection strategy.

The course teaches you how attackers plan and execute operations at the campaign level: how they build infrastructure, choose access methods, move through networks, evade defenses, and execute objectives. Every module covers one phase of the offensive lifecycle. For each phase, you learn the attacker's decision logic (why they make specific choices) and the defensive translation (what those choices produce in your telemetry and how to detect the pattern).

The unit of work is the campaign, not the technique. You finish the course able to look at a series of alerts across systems and time and recognize the operational pattern connecting them — because you understand why the attacker made those specific choices in that specific sequence.

What this course does NOT teach

Penetration testing. You won't learn to conduct a pentest, write exploits, or earn an offensive certification. The offensive content exists to serve defensive objectives.

Individual technique detection. That's Detection Engineering and Purple Teaming. This course assumes you already have technique-level detection skills. It builds campaign-level detection on top of them.

Tool-specific workflows. Cobalt Strike, Sliver, Mimikatz, and other tools appear as examples, but no module is organized around a tool. Tools change. Operational patterns persist.

Compliance frameworks. No ISO 27001 mapping, no NIST CSF alignment table, no compliance-driven content. The course is operational, not regulatory.

The offense/defense sub structure

Every paid content sub (M2–M11) follows the same structure:

Offense deep-dive. How the attacker executes this phase of the operation, step by step. What they're trying to achieve, what decisions they make, why they make them, and what constraints drive the choices. You build and execute the attack in a hands-on lab so you've seen it from the operator's side.

Defender counter-section. What the attack produces in your telemetry and how to respond. Four subsections: detection (Sigma + KQL + SPL rules), hunting (proactive techniques to find the activity), mitigation (defensive measures that limit the attacker's options), and logging gaps (what you're probably not seeing). You detect and investigate the attack in a second hands-on lab.

This structure is the course's pedagogy. You always understand the offense before you build the defense — because detections built without understanding the offensive logic catch the artifact, not the pattern.
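The correlation step described in "What this course teaches" (a series of technique-level alerts across systems and time, read as one operational pattern) and the artifact-versus-pattern point just above, as an added example that is not part of the course material or its labs: a small Python correlator over constructed technique-level alerts. It assumes an alert shape (timestamp, host, user, ATT&CK technique ID), a 72-hour pivot window borrowed from the campaign dataset description below, and a lifecycle phase table that is an illustrative approximation rather than the course's module list. Each alert on its own is the artifact a technique rule produces; the linked chain, and the order its phases appear in, is the pattern.

```python
"""Campaign-level correlation over technique-level alerts (added example).

Constructed alerts stand in for what technique-level Sigma/KQL/SPL rules
emit. The correlator links alerts that share a pivot key (host or user)
within a time window, then checks whether the linked chain covers several
lifecycle phases in attacker order. The phase table, window, thresholds
and alert format are assumptions made for this example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed lifecycle phase per ATT&CK technique (illustrative subset, not the course's module list).
PHASE_OF = {
    "T1566.001": "initial_access",        # spearphishing attachment
    "T1059.001": "execution",             # PowerShell
    "T1071.001": "command_and_control",   # web protocols
    "T1003.001": "credential_access",     # LSASS memory
    "T1021.002": "lateral_movement",      # SMB / Windows admin shares
    "T1486": "impact",                    # data encrypted for impact
}
PHASE_ORDER = ["initial_access", "execution", "command_and_control",
               "credential_access", "lateral_movement", "impact"]
WINDOW = timedelta(hours=72)  # assumed pivot window (the 72-hour timelines mentioned below)


@dataclass(frozen=True)
class Alert:
    ts: datetime
    host: str
    user: str
    technique: str


def correlate(alerts, window=WINDOW):
    """Cluster alerts that share a host or user within `window` (transitively, via union-find)."""
    alerts = sorted(alerts, key=lambda a: a.ts)
    parent = list(range(len(alerts)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    for i, a in enumerate(alerts):
        for j in range(i + 1, len(alerts)):
            b = alerts[j]
            if b.ts - a.ts > window:
                break  # sorted by time: nothing later is inside the window for this alert
            if a.host == b.host or a.user == b.user:
                parent[find(i)] = find(j)
    clusters = {}
    for i, a in enumerate(alerts):
        clusters.setdefault(find(i), []).append(a)
    return list(clusters.values())


def summarize(cluster, min_phases=3):
    """Score one cluster: phases covered, and whether they first appeared in lifecycle order."""
    cluster = sorted(cluster, key=lambda a: a.ts)
    first_seen = []
    for a in cluster:
        phase = PHASE_OF.get(a.technique, "unknown")
        if phase not in first_seen:
            first_seen.append(phase)
    idx = [PHASE_ORDER.index(p) for p in first_seen if p in PHASE_ORDER]
    return {
        "is_campaign": len(idx) >= min_phases,
        "phases": [PHASE_ORDER[i] for i in sorted(idx)],
        # The sequence itself is the signal: phases showing up in attacker order, not just present.
        "in_sequence": all(x < y for x, y in zip(idx, idx[1:])),
        "hosts": sorted({a.host for a in cluster}),
        "users": sorted({a.user for a in cluster}),
        "span_hours": (cluster[-1].ts - cluster[0].ts).total_seconds() / 3600,
    }


def detect_campaigns(alerts):
    """Return summaries for clusters that look like campaigns rather than isolated artifacts."""
    return [s for s in map(summarize, correlate(alerts)) if s["is_campaign"]]


# Constructed sample: one intrusion across two hosts, plus three unrelated technique-level alerts.
T0 = datetime(2024, 3, 4, 9, 0)
SAMPLE_ALERTS = [
    Alert(T0 - timedelta(days=5), "WS01", "alice", "T1059.001"),            # old admin script, outside window
    Alert(T0, "WS01", "alice", "T1566.001"),                                # phishing attachment opened
    Alert(T0 + timedelta(minutes=2), "WS01", "alice", "T1059.001"),         # PowerShell stager
    Alert(T0 + timedelta(minutes=5), "WS01", "alice", "T1071.001"),         # beacon over HTTPS
    Alert(T0 + timedelta(minutes=40), "WS01", "alice", "T1003.001"),        # LSASS read
    Alert(T0 + timedelta(hours=6), "WS07", "bob", "T1059.001"),             # unrelated PowerShell
    Alert(T0 + timedelta(days=1), "WS09", "svc-backup", "T1003.001"),       # unrelated LSASS access
    Alert(T0 + timedelta(days=1, hours=3), "SRV01", "alice", "T1021.002"),  # SMB logon with alice's creds
    Alert(T0 + timedelta(days=1, hours=3, minutes=1), "SRV01", "alice", "T1059.001"),
    Alert(T0 + timedelta(days=2, hours=20), "SRV01", "svc-deploy", "T1486"),  # encryption on SRV01
]

if __name__ == "__main__":
    for summary in detect_campaigns(SAMPLE_ALERTS):
        print(summary)
```

Run stand-alone it prints one campaign spanning WS01 and SRV01 over 68 hours with all six phases in order, while the three unrelated alerts and the out-of-window WS01 alert stay as singleton clusters that never reach the phase threshold. The second pivot (host SRV01 linking alice's lateral movement to svc-deploy's impact activity) is the part a per-technique rule cannot express: it only exists once you ask what the attacker would do after landing on a server.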

Hands-on labs and campaign telemetry datasets

Per-sub hands-on labs. Every content sub has two labs: one in the offense section (build the attack) and one in the defender section (detect and investigate). Labs run in your own environment — a Linux VM for attack tooling, a Windows VM with Sysmon for endpoint telemetry, and your SIEM for detection queries.

Campaign telemetry datasets (M5 onward). Modules covering multi-system, multi-day campaigns include pre-generated telemetry that you analyze in your SIEM. These supplement the per-sub labs for scenarios you can't reproduce in a two-VM lab — multi-host lateral movement, 72-hour campaign timelines, cross-system correlation.

The course assumes comfort with Sigma rules, KQL, and ATT&CK at the technique level. If you've completed Detection Engineering or Purple Teaming on this platform, you're ready. If you're coming from equivalent experience elsewhere, you should be comfortable writing a Sigma rule from scratch and running KQL queries in Sentinel or SPL queries in Splunk.


Next
OD0.5 — Course Roadmap: 12 Modules in Context. You know the scope. OD0.5 maps all 12 modules against the offensive lifecycle so you can see where each fits, what capability it builds, and how to plan your path through the course.
Checkpoint — before moving on

You should be able to do the following without referring back to this sub. If you can't, the sections to re-read are noted.

1. Explain in one sentence what this course teaches and how it differs from Detection Engineering and Purple Teaming. (§ What this course teaches)
2. Describe the offense/defense sub structure and explain why the offense section comes first. (§ The offense/defense sub structure)
3. Name three things this course explicitly does NOT teach and explain why each is out of scope. (§ What this course does NOT teach)
