PT0.5 Module Summary
What Module 0 covered
Four subs. One question at the centre of all of them: do you actually know whether your detections work?
PT0.1 — How Real Incidents Unfold and What Your Rules Miss. Three coverage claims that sound right but aren't. Ransomware detection that fires after encryption. Credential dumping detection that catches one variant of six. AiTM detection that's been broken since a February schema change and nobody noticed. The gap between deployed and validated is where breaches live.
PT0.2 — The Purple-Team Mindset. Why coverage rots — vendor telemetry shifts, attacker tools evolve, environments diverge, telemetry pipelines break silently, tuning was done once. The three changes the mindset demands: stop trusting the dashboard, stop accepting "we have a rule for it" as sufficient, measure differently. The continuous rhythm — daily, weekly, monthly, quarterly, annually — that keeps coverage current.
PT0.3 — The Vocabulary of Coverage. Six metrics that survive scrutiny: MTTD, validated coverage percentage, detection quality score, false-positive classification, remediation backlog, programme cadence compliance. All six live in the programme template you'll populate across the course.
PT0.4 — The Toolkit and What Comes Next. The complete toolset mapped across the course. Foundation tools (Module 1) and per-module attack tooling introduced as techniques require them. Adjacent skills worth building. What Module 1 asks of you.
What you have now
After Module 0, you have:
A concrete understanding of the coverage gap. You know what it looks like when a detection rule exists, is deployed, shows green on the dashboard, and doesn't fire when the attacker runs the technique. You've seen three specific examples.
The purple-team mindset. Detection coverage is not a count of deployed rules. It is a count of rules that have been tested against the actual technique in the last 90 days. Everything else is hope. The course replaces hope with evidence, one technique at a time.
A shared vocabulary. Six metrics you'll use across every module and every coverage report. Precise enough to present to leadership. Concrete enough to track in a spreadsheet.
A map of the toolkit. You know what tools the course uses, when they appear, and what's already familiar versus what you'll learn by doing.
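The deployed-versus-validated distinction above is mechanical once it is written down. As an added illustration, not course material or the programme template itself, the following computes validated coverage percentage and a remediation backlog from a constructed coverage matrix, using the 90-day window stated above and an assumed list of in-scope techniques:

```python
from datetime import date

VALIDATION_WINDOW_DAYS = 90          # tested in the last 90 days, or it does not count
TODAY = date(2024, 6, 1)             # assumed reporting date for the constructed data

# Assumed technique scope for this report (subset of the techniques named in the course).
IN_SCOPE = ["T1566", "T1078", "T1189", "T1190", "T1003", "T1557", "T1486"]

# Constructed sample coverage matrix, one row per deployed rule (not real course data).
# last_validated: date the rule was last exercised against the real technique,
# None if it was deployed but never tested. fired: whether it alerted on that test.
RULES = [
    {"technique": "T1566", "rule": "phishing-attachment",    "last_validated": date(2024, 5, 2),  "fired": True},
    {"technique": "T1078", "rule": "password-spray",         "last_validated": date(2024, 1, 15), "fired": True},
    {"technique": "T1003", "rule": "lsass-dump-procdump",    "last_validated": date(2024, 5, 20), "fired": True},
    {"technique": "T1003", "rule": "lsass-dump-comsvcs",     "last_validated": date(2024, 5, 20), "fired": False},
    {"technique": "T1557", "rule": "aitm-session-cookie",    "last_validated": None,              "fired": False},
    {"technique": "T1486", "rule": "ransomware-mass-rename", "last_validated": date(2024, 4, 10), "fired": True},
]

def validation_status(rule, today, window_days=VALIDATION_WINDOW_DAYS):
    """Classify one rule as 'validated' or give the backlog reason it is not."""
    last = rule["last_validated"]
    if last is None:
        return "never-tested"
    if (today - last).days > window_days:
        return "stale"
    if not rule["fired"]:
        return "failed"
    return "validated"

def coverage(rules, in_scope, today, window_days=VALIDATION_WINDOW_DAYS):
    """Technique-level coverage: what the dashboard shows vs what has been proven.

    A technique is 'deployed' if any rule exists for it; it is 'validated' only if
    at least one of its rules fired on a test inside the window.
    """
    scope = set(in_scope)
    deployed = {r["technique"] for r in rules} & scope
    validated = {r["technique"] for r in rules
                 if validation_status(r, today, window_days) == "validated"} & scope
    pct = lambda n: round(100.0 * n / len(scope), 1) if scope else 0.0
    return {"deployed_pct": pct(len(deployed)), "validated_pct": pct(len(validated)),
            "validated": sorted(validated), "gap": sorted(deployed - validated),
            "not_deployed": sorted(scope - deployed)}

def remediation_backlog(rules, today, window_days=VALIDATION_WINDOW_DAYS):
    """Rules needing work, with the reason; never-tested first, then failed, then stale."""
    order = {"never-tested": 0, "failed": 1, "stale": 2}
    items = [(r["rule"], validation_status(r, today, window_days)) for r in rules]
    return sorted((n, s) for n, s in items if s != "validated") and \
           sorted([(n, s) for n, s in items if s != "validated"], key=lambda i: (order[i[1]], i[0]))

if __name__ == "__main__":
    print(coverage(RULES, IN_SCOPE, TODAY))
    for name, reason in remediation_backlog(RULES, TODAY):
        print(f"{reason:13} {name}")
```

Run as-is the dashboard reports 71.4% of the scope deployed while only 42.9% is validated; the backlog lists the never-tested AiTM rule, the credential-dumping variant that did not fire, and the stale password-spray rule.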
What comes next
Module 1 — Building Your Purple-Team Lab. Free. Roughly twelve subs covering hypervisor setup, Windows endpoint with Sysmon, Active Directory domain controller, Linux with auditd, M365 developer tenant, Sentinel in Azure, Defender XDR Advanced Hunting, secondary SIEM (Splunk Free or Elastic), attack tooling, tracking with VECTR, and a smoke test firing T1059.001 to confirm telemetry lands in all three SIEMs.
By the end of Module 1, you have a working four-environment, three-SIEM purple-team lab. The lab is the infrastructure every paid module uses. It's yours to keep regardless of what you decide after Module 1.
Module 2 — Initial Access. The first paid module. Four techniques: phishing payloads (T1566), valid account compromise via password spray (T1078), drive-by compromise (T1189), exploit-public-facing application (T1190). Each walked end-to-end with the eleven-element rhythm — scene, learning objectives, technique, attack, telemetry, detection, tuning, decision exercise, try-it, reference card. This is where the course becomes what the course is.
Before you move to Module 1, complete the Check My Knowledge in PT0.6. Six scenario questions testing whether you've internalised the mindset and vocabulary. If you can answer them without scrolling back, you're ready for the lab build.
You've built the lab and understand the validation gap.
Module 0 showed you why detection rules fail silently — vendor schema changes, attacker tool evolution, environment divergence, tuning drift. Module 1 gave you a working four-environment, three-SIEM purple-team lab. From here, you walk the kill chain technique by technique.
- 61 ATT&CK techniques across 12 tactic modules — Initial Access through Impact, each walked end-to-end with attack commands, annotated telemetry, and multi-SIEM detection rules
- Every detection in four formats — Sigma rule (canonical), Sentinel KQL, Defender XDR Advanced Hunting KQL, and Splunk SPL or Elastic. Tabbed side-by-side in every technique sub
- Module 14 Capstone — CHAIN-HARVEST — full purple-team exercise on an AiTM credential-phishing chain. Multi-stage attack, detection results across all three SIEMs, coverage gaps, tuning recommendations
- Programme template — coverage matrix, MTTD per technique, FP rates, detection quality scores, remediation backlog. Populated as you work, presentable to leadership by Module 14
- Public Sigma rule repo — every detection rule in a GitHub repository. Alumni contribute via PR. The artefacts outlive the course