Cyber Security & Operations

The foundation everything else builds on. You'll learn to navigate a Linux system, create and manage files, control who can access what, and chain commands together to automate tasks. By the end, you'll be able to set up users, connect to servers over SSH, install software, and run your first Docker container.

T01 Files & Navigation (+Quiz)

Learn to move around a Linux filesystem, create and organize directories, copy, move, and remove files, and search for anything on the system.

ls, cd, pwd, mkdir, rm, cp, mv, find

T02 Viewing, Editing & Permissions (+Quiz)

Read files from the terminal, edit them with nano, and control exactly who can read, write, or execute every file on the system.

cat, head, tail, less, nano, chmod, chown

T03 Pipes & Redirection (+Quiz)

Chain commands together to filter, sort, count, and search through data. Redirect output to files, combine streams, and build one-liners that do real work.

|, >, >>, 2>&1, tee, sort, uniq, wc, grep

T04 Processes & System (+Quiz)

See what's running on your system, monitor resource usage in real time, stop runaway processes, and manage background jobs.

ps, top, kill, bg, fg, jobs

Lab 1A: Server Cleanup

Put your skills to the test. You're handed a messy server with oversized log files and runaway processes. Find them, clean them up, and bring the system back to health.

Covers: filesystem audit, log cleanup, process management, disk recovery, system health

T05 Users & SSH (+Quiz)

Create and manage user accounts, configure sudo access, generate SSH keys, and connect to remote servers securely.

useradd, passwd, sudo, ssh, ssh-keygen, authorized_keys

T06 Networking (+Quiz)

Check your network interfaces, test connectivity, make HTTP requests from the terminal, understand how DNS resolves names, and identify what's listening on which ports.

ip, ss, ping, curl, DNS resolution, ports

T07 Package Management (+Quiz)

Install, update, and remove software. Manage repositories, resolve dependency issues, and keep your system current.

apt, dpkg, repositories, dependencies

T08 Docker Basics (+Quiz)

Pull images, run containers, map ports, and manage the container lifecycle. Your first step into the tool that changed how software gets deployed.

images, containers, run, ps, stop, rm, port mapping

Lab 1B: New Server Checklist

You just got access to a fresh server. Set up users, configure SSH, install essential packages, and get it production-ready from scratch.

Covers: user setup, SSH configuration, package installation, server hardening, baseline config

Exam Level 1 Master Exam

Prove you've mastered the fundamentals. 10 questions covering everything from Level 1. Score 80% or higher to pass.

Covers: files, permissions, pipes, processes, users, SSH, networking, packages, docker

Running a Linux server means keeping it healthy, secure, and automated. Job scheduling, log management, firewalls, disk management, backups, shell environments, systemd services, and text processing with awk and sed.

T09Cron & Job Scheduling (+Quiz)

Automate recurring tasks with cron. Write crontab entries, schedule scripts to run at specific times, and build the habits that keep servers running without you watching.

crontab, cron.d, at, 5-field syntax, scheduling

T10Log Management (+Quiz)

Read and analyze system logs with journalctl and syslog. Set up log rotation so your disks don't fill up, and learn to spot patterns that tell you something is wrong before it breaks.

journalctl, syslog, logrotate, /var/log, log analysis

T11Firewalls with UFW (+Quiz)

Control what traffic gets in and out of your server. Set up allow and deny rules, configure default policies, and understand the basics of network security at the OS level.

ufw, allow, deny, status, default policies

T12Disk Management (+Quiz)

Monitor disk usage, understand mount points, work with block devices, and get an introduction to LVM for flexible storage management.

df, du, lsblk, mount, fdisk, LVM basics

Lab2A: Scheduled Maintenance

Build a maintenance routine for a production server. Set up automated backups, schedule log rotation, and write a cron job that monitors disk usage and alerts when it gets critical.

Covers: automated backups, log rotation, cron scheduling, disk monitoring, alerting

T13Backup Strategies (+Quiz)

Use rsync and tar to create reliable backups. Learn incremental backup strategies, automate them with cron, and understand the difference between a backup you have and one you can actually restore.

rsync, tar, incremental backups, cron-automated

T14Environment & Shell (+Quiz)

Customize your terminal with .bashrc and .profile. Set up PATH, create aliases for common commands, and configure environment variables that persist across sessions.

.bashrc, .profile, PATH, aliases, environment variables

T15Systemd Deep Dive (+Quiz)

Understand how Linux manages services at boot and runtime. Work with units, targets, and dependencies. Start, stop, enable, and debug services with systemctl and journalctl.

units, services, targets, systemctl, journalctl

T16Text Processing (+Quiz)

Slice, transform, and analyze structured text from the command line. Use cut for columns, awk for field extraction and pattern matching, and sed for find-and-replace across files.

cut, awk, sed, sort, uniq, field extraction

Lab2B: Server Health Report

Build an automated health report from scratch. Pull disk usage, memory stats, service status, and recent errors into a single report that runs on a schedule and saves to a file.

Covers: disk usage, memory stats, service status, error aggregation, report automation

ExamLevel 2 Master Exam

Prove you can administer a Linux server. 10 questions covering scheduling, logs, firewalls, backups, systemd, and text processing. Score 80% or higher to pass.

Covers: scheduling, logs, firewalls, backups, systemd, text processing

Your first security-focused level. Harden SSH, deploy fail2ban, lock down user privileges, audit file permissions, set up security auditing with auditd, detect network threats, analyze logs for security events, and manage secrets.

T17SSH Hardening (+Quiz)

The first thing attackers scan for is SSH on port 22 with password auth. Lock it down. Switch to key-only authentication, disable root login, restrict who can connect, and make your server invisible to the most common automated attacks.

key-only auth, PermitRootLogin, MaxAuthTries, AllowUsers

T18Fail2Ban (+Quiz)

Ban attackers automatically. Configure jails that watch your auth logs, detect brute-force attempts, and block offending IPs at the firewall. The difference between watching attacks happen and stopping them.

jail configuration, filter rules, ban actions, monitoring

T19User & Sudo Security (+Quiz)

Control what users can actually do. Write sudo rules that grant just enough access for the job, use the wheel group correctly, and enforce least privilege across your entire team.

sudo rules, wheel group, sudoers.d, least privilege

T20File Permissions Deep Dive (+Quiz)

Go beyond chmod 755. Learn what SUID and SGID really do, understand the sticky bit, set proper umask defaults, use ACLs for fine-grained control, and hunt down the dangerous permissions attackers look for.

SUID/SGID, sticky bit, umask, ACLs, find by permission

Lab3A: Lock Down a Server

Take a wide-open server and harden it end-to-end. Lock down SSH, deploy fail2ban, audit permissions across the filesystem, and document every change so the next engineer can verify your work.

Covers: SSH lockdown, fail2ban deployment, permission audit, firewall rules, change documentation

T21Security Auditing (+Quiz)

Turn on the black box recorder. Configure auditd to track file access, privilege changes, and suspicious syscalls, then use ausearch and aureport to pull the signal out of the noise when something happens.

auditd, auditctl rules, ausearch, aureport, audit.log

T22Network Threat Detection (+Quiz)

Know what's talking to your server. Read netstat and ss output like a pro, spot port scans in progress, recognize beaconing patterns, and build the pattern-matching skills that separate analysts from alert-clickers.

netstat, ss, port scanning indicators, suspicious connections

T23Log Security Analysis (+Quiz)

Your auth.log is telling you a story. Learn to read it. Spot brute force campaigns, detect privilege escalation attempts, track user sessions, and identify the exact moment a normal login became a compromise.

auth.log patterns, brute force detection, privilege escalation

T24Secrets Management (+Quiz)

Stop putting API keys in your code. Understand the tradeoffs between env vars and config files, lock down permissions on secret files, and learn the basics of gpg for when you need real encryption at rest.

environment variables, file permissions, gpg basics

Lab3B: Audit a Breach

You walk in Monday morning to a server with strange logins over the weekend. Investigate the auth logs, identify what happened, trace the timeline, and write up a clear incident summary.

Covers: auth log analysis, login investigation, timeline reconstruction, incident summary, evidence collection

ExamLevel 3 Master Exam

Prove you can secure a Linux server. 10 questions covering SSH hardening, fail2ban, sudo, permissions, auditd, and log analysis. Score 80% or higher to pass.

Covers: SSH hardening, fail2ban, UFW, lynis, auditd, CIS benchmarks

Power tools for serious Linux work. vim for efficient editing on any server. Systemd unit authoring for custom services. iptables for real firewall control. lsof and strace for debugging. Netcat for network testing. Ansible for automation. Make for task running.

T25vim (+Quiz)

The editor that's on every server. Learn modes, navigation, editing, search and replace, and how to configure .vimrc. Once you're comfortable in vim, you can edit anything, anywhere.

modes, navigation, editing, search/replace, buffers, .vimrc

T26Systemd Unit Authoring (+Quiz)

Write your own systemd service files from scratch. Define how services start, set dependencies, create timers, and manage custom applications as first-class system services.

service files, ExecStart, dependencies, timers

T27iptables (+Quiz)

Real firewall control. Understand chains, tables, and rule ordering. Write ACCEPT, DROP, and REJECT rules. Configure NAT, log suspicious traffic, and persist rules across reboots.

chains, tables, rules, ACCEPT/DROP/REJECT, NAT, logging

T28lsof (+Quiz)

See every file every process has open and every network socket in use. Essential for spotting unexpected connections, backdoor processes, and anything else that shouldn't be there.

open files, network connections, process file handles

Lab4A: Debug a Broken Server

A server is misbehaving after a suspected incident. Services won't start, unexpected ports are open, and processes are behaving strangely. Use vim, systemctl, iptables, and lsof to figure out what's wrong and restore it.

Covers: service diagnostics, port conflicts, suspicious processes, system recovery, root cause analysis

T29strace (+Quiz)

Trace every system call a process makes. Debug hangs, find permission issues, and when you need to, figure out exactly what a suspicious process is trying to do.

system call tracing, hanging processes, latency analysis

T30netcat (+Quiz)

The Swiss army knife of networking. Test if ports are open, transfer files between machines, set up simple servers, and debug network connectivity issues in seconds.

port testing, file transfer, simple servers, debugging

T31Ansible (+Quiz)

Automate configuration across multiple servers. Write inventory files and playbooks, use modules and handlers, and understand idempotency so your automation is safe to run twice.

inventory, playbooks, modules, tasks, handlers, idempotency

T32Make (+Quiz)

Use Makefiles as task runners for your projects. Define targets, manage dependencies between tasks, set variables, and build repeatable workflows that anyone on the team can run.

Makefiles, targets, dependencies, variables, task automation

Lab4B: Automate a Deployment

Write an Ansible playbook that provisions a hardened server from scratch. Lock down SSH, configure fail2ban, apply baseline firewall rules, and verify everything is in place. Automation that runs the first time and every time after.

Covers: Ansible hardening, SSH lockdown, fail2ban config, firewall automation, verification

ExamLevel 4 Master Exam

Prove you know the power tools. 10 questions covering vim, systemd, iptables, lsof, strace, netcat, Ansible, and Make. Score 80% or higher to pass.

Covers: tshark, tcpdump, Snort, Suricata, Zeek, packet analysis

Hands-on offensive and defensive tools. Network scanning with nmap. Packet analysis with tshark. Security auditing with lynis. Advanced auditd rule writing. Advanced iptables for security. Incident response playbook execution.

T33nmap Discovery (+Quiz)

Map networks from the command line. Scan for live hosts, enumerate open ports, detect running services, and fingerprint operating systems. The reconnaissance foundation every security engineer needs.

host scanning, port scanning, service detection, OS fingerprinting

T34nmap Advanced (+Quiz)

Go beyond basic scans. Run NSE scripts for vulnerability detection, tune timing to avoid detection, format output for parsing, and turn nmap into a full security assessment tool.

script scanning, vulnerability detection, output formats, timing

T35tshark Basics (+Quiz)

Capture and analyze network traffic from the terminal. Read packet captures, apply display filters to find what matters, and understand the protocols flowing across your network.

capturing traffic, reading pcaps, display filters, protocols

T36tshark Analysis (+Quiz)

Extract real signal from a pcap. Follow TCP streams, pull statistics and conversations, reconstruct transferred files, and build the investigation skills that turn raw traffic into answers.

conversations, statistics, following streams, extracting data

Lab5A: Scan and Defend

You've been given a network segment to assess. Scan it with nmap, identify what's exposed, flag the services that shouldn't be there, and recommend exactly what to shut down.

Covers: nmap scanning, service enumeration, exposure assessment, remediation planning, defense hardening

T37lynis (+Quiz)

Audit servers automatically. Run lynis to score your hardening posture against industry benchmarks, check compliance requirements, and generate prioritized remediation lists for every finding.

security auditing, hardening index, compliance, remediation

T38Advanced auditd (+Quiz)

Go deeper into auditd. Write custom rules for file integrity monitoring, audit syscalls by key, track privileged operations, and search your audit log for exactly what you need.

custom rules, file integrity monitoring, syscall auditing

T39Advanced iptables (+Quiz)

Move past basic rules. Implement stateful inspection, rate-limit aggressive IPs, configure port knocking for hidden services, and build dedicated logging chains for investigation.

stateful inspection, rate limiting, port knocking, logging chains

T40Incident Response Playbook (+Quiz)

Execute the IR lifecycle when something goes wrong. Contain the threat, eradicate it from affected systems, recover services, and document everything so the postmortem actually helps.

IR lifecycle, containment, eradication, recovery, documentation

Lab5B: Run the Playbook

An incident just got reported. Work through the playbook end-to-end: identify the scope, contain affected hosts, remove the threat, restore services, and produce a clean incident report.

Covers: incident scoping, host containment, threat removal, service restoration, incident reporting

ExamLevel 5 Master Exam

Prove you can run security operations. 10 questions covering nmap, tshark, lynis, advanced auditd, iptables, and incident response. Score 80% or higher to pass.

Covers: centralized logging, structured logs, IDS, CIS benchmarks, SIEM, threat hunting

Enterprise security operations. Centralized logging with rsyslog. Structured log formats for machine parsing. Intrusion detection with OSSEC/Wazuh. CIS benchmark compliance. Vulnerability assessment and CVSS scoring. Threat intelligence with STIX feeds. Detection engineering with Sigma rules. SOC analyst workflow.

T41Centralized Logging (+Quiz)

Build a central log collection system. Configure rsyslog to forward logs from remote hosts, aggregate them in one place, and design the architecture enterprises use for real visibility.

rsyslog forwarding, remote collection, aggregation architecture

T42Structured Logging (+Quiz)

Ship logs as JSON and CEF so machines can parse them. Use jq to query, filter, and reshape structured log data, and turn unreadable text streams into queryable datasets.

JSON log format, CEF format, jq for parsing

T43Intrusion Detection (+Quiz)

Deploy a host-based IDS. Configure OSSEC or Wazuh agents, tune detection rules to reduce noise, set up active response actions, and manage a fleet of monitored endpoints.

OSSEC/Wazuh alerts, rule tuning, active response, agents

T44CIS Benchmarks (+Quiz)

Score your servers against industry security baselines. Work through CIS Benchmark checks, measure compliance gaps, and prioritize which remediations matter most for your environment.

security baseline scoring, compliance, remediation

Lab6A: Build a SIEM Pipeline

Build a working log pipeline from scratch. Forward logs from multiple hosts, normalize them to JSON, pipe them through jq for enrichment, and query the result for real security events.

Covers: log forwarding, JSON normalization, jq enrichment, event querying, pipeline validation

T45Vulnerability Assessment (+Quiz)

Run real vulnerability scans and interpret the results. Score findings with CVSS, prioritize by actual risk to your environment, and build patch management workflows that ship fixes.

scanning concepts, CVSS scoring, remediation, patch management

T46Threat Intelligence (+Quiz)

Work with threat feeds. Consume STIX/TAXII data, parse indicators with jq, match IOCs against your logs, and turn external intelligence into local detections.

STIX/TAXII, IOC types, threat feed parsing, indicator matching

T47Detection Engineering (+Quiz)

Write Sigma rules that catch real attacks. Define detection logic, tune out false positives, map coverage to attack techniques, and build a detection library your SOC can actually use.

Sigma rules, detection logic, false positive tuning, coverage

T48SOC Workflow (+Quiz)

Work an alert queue like a real SOC analyst. Triage incoming events, investigate what matters, escalate what's serious, hand off cleanly at shift change, and document every step.

alert triage, investigation, escalation, shift handoff

Lab6B: Triage the Queue

Ten alerts just hit your queue at shift start. Work through each one, separate real threats from false positives, escalate what matters, and produce the shift handoff your replacement needs.

Covers: alert triage, false positive identification, threat escalation, shift handoff, queue management

ExamLevel 6 Master Exam

Prove you can operate in a SOC. 10 questions covering centralized logging, structured logs, IDS, CIS benchmarks, vulnerability management, threat intelligence, detection rules, and SOC workflow. Score 80% or higher to pass.

Covers: incident response, forensics, evidence handling, chain of custody, reporting

When incidents happen, you investigate. Chain of custody and evidence handling. Filesystem forensics. Log timeline reconstruction. Network forensics from packet captures. User activity tracking. Malware indicator analysis. Writing formal incident response reports.

T49Forensic Fundamentals (+Quiz)

Handle evidence the right way. Establish chain of custody, work through the order of volatility, image systems before touching them, and hash everything so your findings hold up.

chain of custody, order of volatility, imaging, file hashing

T50Filesystem Forensics (+Quiz)

Investigate a compromised filesystem. Read MAC times, find files modified during an attack window, check suspicious locations for persistence mechanisms, and pull the full bash history.

MAC times, find by time, persistence mechanisms, bash history

T51Log Timeline Reconstruction (+Quiz)

Rebuild the full story of an incident. Merge logs from multiple hosts, normalize timestamps across timezones, correlate events across systems, and map the attack to a coherent kill chain.

merging logs, timestamp normalization, cross-host correlation

T52Network Forensics (+Quiz)

Dig into captured traffic to find what happened. Analyze connections, investigate DNS lookups, identify command-and-control beaconing, and extract the evidence that shows where data went.

capture summaries, connection analysis, DNS forensics, C2 traffic

Lab7A: Breach Investigation

A customer reports unauthorized access. Image the host, examine the filesystem, reconstruct the timeline from logs, and identify how the attacker got in and what they touched.

Covers: host imaging, filesystem examination, timeline reconstruction, attack vector identification, forensic reporting

T53User Activity Investigation (+Quiz)

Track exactly what a user did. Follow SSH session trails, map privilege escalations, audit file access patterns, and reconstruct process execution history across the entire system.

SSH trails, privilege escalation tracking, file access trails

T54Malware Indicator Analysis (+Quiz)

Check files and processes against known threats. Hash suspicious binaries, match against threat intelligence feeds, inspect running processes for malicious behavior, and extract IOCs others can use.

file hash checking, threat feed matching, IOC extraction

T55Writing IR Reports (+Quiz)

Turn your investigation into a report leadership can read. Write executive summaries, lay out timelines, assess business impact, identify root cause, and recommend remediation that actually gets funded.

executive summary, timeline, impact, root cause, remediation

T56Investigation Capstone (+Quiz)

Walk through a complete forensic workflow on a real incident. Gather evidence, reconstruct the timeline, identify the root cause, pull the IOCs, and deliver the final report.

full incident reconstruction, complete forensic workflow

Lab7B: Timeline the Attack

An attack happened last week. Pull together logs from three different hosts, normalize timestamps, correlate events, and produce a single annotated timeline that shows the full kill chain.

Covers: multi-host correlation, timestamp normalization, event sequencing, kill chain mapping, timeline documentation

ExamLevel 7 Master Exam

Prove you can investigate incidents. 10 questions covering evidence handling, filesystem forensics, log reconstruction, network forensics, user activity, and IR reporting. Score 80% or higher to pass.

Covers: compliance frameworks, risk management, security architecture, policy, governance

The senior security level. Think about security at the organizational level, not just individual servers. Security frameworks (CIS, NIST, SOC2). Control mapping. SOC2 audit preparation. Risk assessment with STRIDE. Security policy writing. Network security architecture and zero trust. Audit preparation.

T57Security Frameworks (+Quiz)

Understand the frameworks that shape enterprise security. Learn what CIS Controls, NIST CSF, SOC2, and ISO 27001 actually require, and how to pick the right one for your organization.

CIS Controls v8, NIST CSF, SOC2, ISO 27001

T58Control Mapping (+Quiz)

Translate framework requirements into real Linux configurations. Map abstract controls to concrete SSH settings, iptables rules, and auditd configs. Turn compliance into engineering.

framework requirements to Linux configs, SSH, iptables, auditd

T59SOC2 for Linux Engineers (+Quiz)

Implement the Linux controls SOC2 auditors actually check. Configure access controls for CC6, set up monitoring for CC7, document change management for CC8, and collect the evidence that passes audit.

CC6 access controls, CC7 monitoring, CC8 change management, evidence

T60Risk Assessment (+Quiz)

Quantify risk so leadership can act on it. Score likelihood against impact, classify assets by criticality, threat model with STRIDE, and maintain a risk register that drives real decisions.

likelihood x impact, asset classification, STRIDE, risk registers

Lab8A: Map a Framework

Take a section of the CIS Benchmark and implement it end-to-end. Write the configs, document what satisfies each control, and produce the evidence an auditor would accept.

Covers: CIS benchmark implementation, control mapping, config writing, evidence collection, audit preparation

T61Security Policy Writing (+Quiz)

Write policies people will actually follow. Draft access control, password, incident response, and backup policies using RFC 2119 language, and produce documents that hold up in audit.

access control, password, IR, backup policies, RFC 2119

T62Network Security Architecture (+Quiz)

Design networks that assume breach. Apply defense in depth, segment traffic zones, design DMZs properly, implement zero trust principles, and translate architecture decisions into iptables rules.

defense in depth, segmentation, DMZ, zero trust, iptables

T63Audit Preparation (+Quiz)

Get ready for a real audit. Run gap analysis against your target framework, organize evidence so auditors can find it, plan remediation for gaps, and build continuous compliance instead of last-minute scrambles.

gap analysis, evidence organization, remediation, continuous compliance

T64Architecture Capstone (+Quiz)

Design a complete security architecture for an organization. Define segmentation, access controls, monitoring, logging, and incident response. End-to-end, on paper, defensible to leadership.

designing complete security architecture for an organization

Lab8B: SOC2 Readiness

Your startup just announced it's going through SOC2. Run a gap analysis against CC6, CC7, and CC8, build a remediation plan, and produce the evidence package an auditor would open first.

Covers: gap analysis, remediation planning, evidence packaging, control documentation, audit readiness

ExamLevel 8 Master Exam

Prove you can think like a security architect. 10 questions covering frameworks, control mapping, SOC2, risk assessment, policy writing, and network architecture. Score 80% or higher to pass.

Covers: offensive security, detection engineering, purple teaming, threat modeling, security operations

Python as a security automation tool. Scripting fundamentals, log parsing and analysis, network scanning automation, threat feed processing, forensic tooling, report generation, and building production-grade security tools.

T65Python Fundamentals (+Quiz)

Get comfortable in Python. Work with variables, data types, functions, conditionals, loops, and the core data structures (dicts and lists) that every security script depends on.

variables, data types, functions, conditionals, loops, dicts, lists

T66Log Parsing & Analysis (+Quiz)

Parse security logs at scale. Read auth.log with Python, extract fields with regex, detect suspicious patterns, and alert on anomalies before humans would notice.

auth.log, regex extraction, pattern detection, anomaly alerts

T67Network Automation (+Quiz)

Build network tools in Python. Write port scanners with the socket module, automate nmap workflows, and turn one-off investigations into repeatable scripts.

socket programming, port scanning, nmap workflow automation

T68Threat Feed Processing (+Quiz)

Automate threat intelligence. Download STIX and CSV feeds on a schedule, match IOCs against your logs, and turn external feeds into automated indicator lookups.

STIX/CSV feeds, IOC matching, automated indicator lookups

Lab9A: Log Anomaly Detector

Write a Python tool that watches your auth log in real time, flags brute force attempts as they happen, and sends an alert the moment a pattern crosses your threshold.

Covers: log parsing, pattern detection, anomaly scoring, alert generation, Python automation

T69Forensic Scripting (+Quiz)

Automate evidence collection. Hash files in bulk, generate timeline data from system artifacts, and build the scripts that make repeatable forensic investigations possible.

file hashing, timeline generation, evidence collection automation

T70Report Generation (+Quiz)

Generate reports automatically. Build templated incident reports, output CSV and JSON for other tools, and schedule daily security briefings that land in your inbox before coffee.

templated IR reports, CSV/JSON output, daily briefings

T71Security Tool Building (+Quiz)

Build CLI tools that feel professional. Use argparse for clean flags, handle errors gracefully, log what matters, and structure code into modules other engineers can import.

argparse CLI tools, error handling, logging, modular design

T72Security Automation Capstone (+Quiz)

Build a production-grade security tool from scratch. Design the interface, write the logic, handle edge cases, document the usage, and produce something your team would actually deploy.

production security automation tool from scratch

Lab9B: Build an IOC Matcher

Ship a Python tool that pulls IOCs from a threat feed, matches them against your log archive, and outputs a ranked list of hits your SOC can investigate tomorrow morning.

Covers: IOC ingestion, pattern matching, feed integration, batch scanning, reporting

ExamLevel 9 Master Exam

Prove you can automate security work in Python. 10 questions covering Python fundamentals, log parsing, network scripting, threat feeds, forensic automation, and tool building. Score 80% or higher to pass.

Covers: Python scripting, log analysis, network automation, threat feeds, security tooling

Four capstone labs that combine everything you've learned across all levels.

LabRed Team Simulation

Analyze the results of an external scan against a live network. Find the weakest target, trace the likely attack path, assess the risk to the business, and recommend exactly where to harden first.

Covers: full-scope reconnaissance, exploitation, privilege escalation, persistence, reporting

LabSOC Alert Triage

Ten alerts fire on your shift. Three are real threats. Seven are false positives. Work through each one, separate signal from noise, and escalate only what matters.

Covers: alert prioritization, false positive analysis, escalation decisions, SLA management, triage documentation

LabInsider Threat Investigation

A departing employee triggered suspicious activity in their final two weeks. Investigate their behavior across multiple systems, identify what data they accessed, and determine if anything left the company with them.

Covers: user behavior analysis, access log review, data exfiltration detection, evidence assembly, case reporting

LabBreach Investigation Case 2

A second breach lands on your desk, this one involving SQL injection, a webshell, and an exfiltration method you haven't seen before. Work the full forensic process and deliver a complete report.

Covers: incident scoping, lateral movement tracing, malware analysis, containment, executive briefing

Cyber Security & Operations

Full Curriculum

Where these skills take you

Start building security skills