OD0.5 Course Roadmap — 12 Modules in Context

3 hours · Module 0 · Free
What you already know

You know the ATT&CK framework's tactic structure — Initial Access through Impact. You've seen courses organized by tactic. This course follows the offensive lifecycle rather than the ATT&CK tactic list, because attackers think in operational phases, not tactic categories. This sub maps all 12 modules so you can see where each fits and plan your path through the course.

Operational Objective

You're about to invest 40–50 hours in this course. You need to see the full map before you start walking — which modules build which capabilities, how they connect, and where the defensive payoff is highest.

This sub provides the complete roadmap: 12 modules positioned against the offensive lifecycle, with the defensive capability each module builds and the campaign telemetry dataset it uses.

Learning Objectives

By the end of this sub you will be able to:

  • Map the 12 modules against the offensive lifecycle and explain which operational phase each module covers. This matters because understanding the full arc lets you prioritize — if your environment's biggest gap is lateral movement detection, you know to focus on M7 after completing the foundations.
  • Identify the defensive capability each module builds and explain how the capabilities compound — from understanding attacker planning (M0–M1) through technique-level offensive operations (M2–M9) to campaign reconstruction (M10) and strategic defense (M11). This matters because the course is cumulative: M10's campaign reconstruction exercise uses every skill taught in M2–M9.
OFFENSIVE SECURITY FOR DEFENDERS — 12-MODULE ROADMAP

FOUNDATION (FREE)

  • M0 — Why Offensive Thinking: alert → campaign gap
  • M1 — How Attackers Plan Operations: offensive lifecycle, constraints

OFFENSIVE OPERATIONAL PHASES (PREMIUM)

  • M2 — Infrastructure: build, stage, burn. C2 systems.
  • M3 — Payload + Delivery: engineering, evasion, delivery methods.
  • M4 — Initial Access: AiTM, device code, OAuth, exploitation.
  • M5 — First 30 Minutes: post-compromise priority sequence.
  • M6 — Credential Operations: harvesting, Kerberos, tokens, certs.
  • M7 — Lateral Movement: where, when, how fast, which credential.
  • M8 — Defense Evasion: EDR, logs, LOLBins, adaptation.
  • M9 — Objectives: ransomware, theft, espionage, sabotage.

CAPSTONE + STRATEGY (PREMIUM)

  • M10 — Campaign Reconstruction: 72-hour CHAIN-HARVEST. Full reconstruction.
  • M11 — Threat-Informed Defense: attacker economics. Detection roadmap.

Figure OD0.5 — The 12-module course. M0–M1 (free) build the foundation. M2–M9 (premium) teach each offensive operational phase with hands-on labs. M10 reconstructs a full campaign. M11 translates everything into detection strategy.


The four course phases

The 12 modules group into four phases. Each phase builds a distinct layer of defensive capability.

Phase 1 — Foundation (M0–M1, free)

You're here now. These two modules establish the conceptual foundation: why campaign-level detection matters (M0) and how attackers plan operations at the campaign level (M1). No lab infrastructure required. The exercises use your existing SIEM and alert queue.

The defensive capability built: you understand the campaign detection gap and the attacker's operational decision framework. You can apply retrospective alert correlation and perspective switching to your own investigations.

Phase 2 — Offensive operational phases (M2–M9, premium)

Eight modules, each covering one phase of the offensive lifecycle. Every module follows the same structure: offense deep-dive (how the attacker operates in this phase, step by step) and defender counter-section (detection, hunting, mitigation, logging gaps). Hands-on labs in every sub.

M2 (Infrastructure) and M3 (Payload + Delivery) cover pre-attack preparation — what the attacker builds before the first phishing email. M4 (Initial Access) through M9 (Objectives) follow the post-compromise lifecycle from first foothold through objective execution.

The defensive capability built: for each offensive phase, you understand the attacker's decision logic, can detect the operational patterns in your telemetry, know how to hunt for the activity proactively, understand the mitigations that limit the attacker's options, and have identified the logging gaps in your environment.

Phase 3 — Campaign reconstruction (M10, premium)

The capstone module. You receive 72 hours of multi-system telemetry from a CHAIN-HARVEST campaign variant and reconstruct the full campaign: initial access through objective execution, across 6 hosts, using every skill taught in M2–M9. You produce a campaign timeline and investigation brief.

The defensive capability built: you can take raw multi-system telemetry and reconstruct the attack narrative — the skill that distinguishes a senior analyst from a senior SOC operator.

Phase 4 — Strategy (M11, premium)

The final module translates offensive understanding into programme-level decisions. Threat modeling from the attacker's perspective. Attacker economics — what's cheap to change, what's expensive. Prioritizing detection investment based on campaign patterns. Building a threat-informed detection roadmap.

The defensive capability built: you can design a detection programme that prioritizes the right investments based on the most likely campaign patterns for your threat model.

Per-module capabilities

Each module builds a specific, testable capability. Here's what you'll be able to do after each:

  • M0. Apply retrospective alert correlation to your closed-alert queue.
  • M1. Assess an attacker's operational profile from the campaign evidence.
  • M2. Map C2 infrastructure topologies from a single IOC.
  • M3. Trace the delivery-to-execution chain from a phishing artifact.
  • M4. Classify the initial access method and predict what it reveals about the attacker.
  • M5. Detect the post-compromise command sequence in the first 30 minutes.
  • M6. Map credential harvesting campaigns and reuse chains across systems.
  • M7. Reconstruct multi-hop lateral movement paths from authentication telemetry.
  • M8. Identify evasion meta-signals — the evidence of evidence destruction.
  • M9. Determine the attacker's objective from pre-execution staging patterns.
  • M10. Reconstruct a full 72-hour campaign from raw multi-system telemetry.
  • M11. Build a threat-informed detection roadmap for your organization.

These capabilities compound. M10 uses M2–M9. M11 uses everything.


Next
OD0.6 — Module Summary. A recap of what M0 established: the campaign detection gap, the five cognitive differences, the Pyramid of Pain, the course scope, and the 12-module roadmap. Then you move to M1, where you learn how attackers plan operations.
Checkpoint — before moving on

You should be able to do the following without referring back to this sub. If you can't, the sections to re-read are noted.

1. Name the four course phases and explain what defensive capability each one builds. (§ The four course phases)
2. Given a specific detection gap in your environment (e.g., "we can't detect lateral movement campaigns"), identify which module addresses it. (§ Per-module capabilities)
3. Explain why M10's campaign reconstruction exercise requires all skills from M2–M9 and what output it produces. (§ Phase 3)
