OD0.6 Module Summary
What you've established
Module 0 set up the problem this course solves and the framework for solving it.
The campaign detection gap is real and measurable. Your SIEM fires alerts. Your rules detect techniques. Your SOC triages events. And campaigns — coordinated sequences of attacker activity across systems and time — slip through because each component is handled as an isolated event. The Northgate scenario in OD0.1 demonstrated this with three alerts that were triaged correctly in isolation and missed the campaign connecting them.
The gap is cognitive, not technical. Your SIEM can correlate events across tables and time ranges. The missing ingredient is understanding how offensive operations are structured — why attackers chain specific techniques in specific sequences on specific timelines. That understanding comes from studying how offensive operations work, which is what the remaining eleven modules teach.
The Pyramid of Pain provides the economic logic: detect at the TTP level because operational patterns are the most expensive thing for the attacker to change. Hash values, IPs, and domains rotate in hours. Campaign patterns persist across infrastructure rotations because they're embedded in tradecraft, not in disposable indicators.
The five cognitive differences between defensive and offensive thinking give you a practical tool for switching perspectives during investigations. Reframe the event as the attacker's decision. Identify their constraint profile. Predict their next step. Pre-position detection or containment at the prediction.
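The correlation and prediction steps described above, as an added example that is not part of the course material and does not reproduce the Northgate scenario: a small Python routine that takes alerts a SOC would close as low severity one by one, links those sharing a pivot (here the user) into a lifecycle-ordered chain inside a time window, and names the phase that should come next so detection or containment can be pre-positioned there. The lifecycle ordering, the alert records and the rule names are constructed for this example and are not the course's own phase model or data.

```python
from datetime import datetime, timedelta

# Assumed lifecycle order for this example; the course's phase model may
# name or order phases differently.
LIFECYCLE = ["initial_access", "credential_access", "lateral_movement",
             "collection", "exfiltration"]

# Constructed sample alerts (not the Northgate scenario). Each one is
# something a SOC would plausibly close as low severity on its own.
ALERTS = [
    {"ts": "2024-03-04T09:12:00", "host": "ws-117", "user": "jdoe",
     "phase": "initial_access", "rule": "macro-enabled attachment opened"},
    {"ts": "2024-03-04T09:40:00", "host": "ws-117", "user": "jdoe",
     "phase": "credential_access", "rule": "LSASS handle from unsigned process"},
    {"ts": "2024-03-05T22:05:00", "host": "fs-02", "user": "jdoe",
     "phase": "lateral_movement", "rule": "admin share logon from workstation"},
    # Noise: the same rules firing for an unrelated identity, weeks apart.
    {"ts": "2024-03-04T10:00:00", "host": "ws-220", "user": "asmith",
     "phase": "credential_access", "rule": "LSASS handle from unsigned process"},
    {"ts": "2024-03-20T11:00:00", "host": "ws-220", "user": "asmith",
     "phase": "lateral_movement", "rule": "admin share logon from workstation"},
]


def _ts(alert):
    return datetime.fromisoformat(alert["ts"])


def find_campaigns(alerts, lifecycle=LIFECYCLE, pivot="user",
                   window=timedelta(days=7), min_phases=3):
    """Link isolated alerts into campaign chains.

    Alerts sharing the pivot value are walked in time order and matched
    against the lifecycle phases in order: a later phase may be absent,
    but an earlier phase cannot follow a later one. A chain counts as a
    campaign when it covers at least `min_phases` phases within `window`.
    """
    by_pivot = {}
    for a in sorted(alerts, key=_ts):
        by_pivot.setdefault(a[pivot], []).append(a)

    campaigns = []
    for key, seq in by_pivot.items():
        chain, last_ts = [], None
        for phase in lifecycle:
            # Earliest alert for this phase that comes after the previous link.
            for a in seq:
                if a["phase"] == phase and (last_ts is None or _ts(a) > last_ts):
                    chain.append(a)
                    last_ts = _ts(a)
                    break
        if len(chain) >= min_phases and _ts(chain[-1]) - _ts(chain[0]) <= window:
            campaigns.append({
                pivot: key,
                "phases": [a["phase"] for a in chain],
                "hosts": sorted({a["host"] for a in chain}),
                "span": _ts(chain[-1]) - _ts(chain[0]),
            })
    return campaigns


def predict_next(campaign, lifecycle=LIFECYCLE):
    """Phase after the latest one seen, i.e. where to pre-position detection
    or containment; None when the chain already reached the last phase."""
    idx = lifecycle.index(campaign["phases"][-1])
    return lifecycle[idx + 1] if idx + 1 < len(lifecycle) else None


if __name__ == "__main__":
    for c in find_campaigns(ALERTS):
        print(c["user"], c["phases"], c["hosts"], "next:", predict_next(c))
```

Run against the constructed alerts, only the `jdoe` chain qualifies (three phases across two hosts in under two days), and the predicted next phase is `collection`, which is where a hunt or a containment control belongs. The `asmith` alerts fire the same two rules but fail both the phase count and the window, which is the point: the pivot, the ordering and the timeline are the campaign signal, not the individual rule names.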
The course teaches campaign-level offensive understanding for defensive application. Twelve modules following the offensive lifecycle, each with the same structure: an offense deep-dive (how the attacker executes this phase, step by step, with the reasoning behind every decision) and a defender counter-section (detection, hunting, mitigation, and logging gaps). Hands-on labs in every content sub-module let you build the attack and detect it. Campaign telemetry datasets provide additional practice material — realistic, multi-system, multi-day log data where you find the campaign buried in the noise.
What's next
Module 1 teaches how attackers plan operations — the offensive lifecycle from target selection through objective execution. You'll learn what determines an attacker's choices at each phase: their objective, their constraints, their risk tolerance, and their reconnaissance. By the end of Module 1, you'll be able to classify an attacker by their operational profile from the telemetry they produce — and that classification predicts their next move.
You're reading the free modules of offensive-security-for-defenders