Adversary Tactics: Detection
Instructors: Jared Atkinson & Luke Paine
Duration: 2 days - February 2-3, 2026
Enterprise networks are under constant attack from adversaries of all skill levels and intentions. To many it feels that blue teamers are fighting a losing battle. The attacker “only needs to be successful once” to cause havoc; the blue team must prevent them every time, under every condition, at every step of the way.
The goal of this course is to turn that statement on its head and give you confidence through a new defensive mindset. Preventative solutions are designed to stop attacks before they start, but against an adversary with enough time and resources, all of them eventually fail. Rather than making the prevention of every attack the primary effort of security operations, assume that breaches can (and likely will) occur and focus on developing robust detections around activity in all stages of the attack cycle. A strategy built on a deep understanding of post-exploitation activity (privilege escalation, lateral spread, pivot, persistence) produces high-quality alerts, creating a minefield where the attacker “only needs to be detected once” for blue teamers to respond.
This course builds on standard network defense and incident response (which often focuses on alerting for known malware signatures) by focusing on abnormal behaviors and the use of adversary Tactics, Techniques, and Procedures (TTPs). We will teach you how to engineer detections, steering clear of brittle indicators in favor of attacker TTPs. In addition, you will learn to use free and/or open-source data collection and analysis tools (such as Sysmon, Windows Event Logs, and ELK) to analyze large amounts of host information and build detections for malicious activity. You will use the techniques and toolsets you’ve learned to create robust detections in a simulated enterprise network undergoing active compromise from various types of threat actors.
In this course, you will:
- Learn how to best integrate different components of a detection program for maximum effect
- Integrate “threat hunting” activity into current detection programs to drive meaningful detection engineering
- Understand different detection engineering hypothesis approaches
- Perform data sensor and data source analysis
- Understand various MITRE TTPs and Threat Intelligence
- Practice standardized processes for developing technical detections
- Document detection research into standardized formats for use in security operations
- In technical labs, practice data aggregation & analysis at scale to detect threat actor activity
You will learn
- How to shift from brittle IOC-based identification to an understanding of threats based on techniques.
- The role of alerting and detection strategies and how to incorporate them into a security operations program.
- A practical approach to create robust detections based on attacker behavior, versus easily bypassed static indicators.
Who should take this course
This class is intended for security analysts and blue teamers wanting to learn how to effectively build repeatable detections in enterprise networks. This course offers benefits to participants of most levels of security operations experience, from SOC analysts to experienced security defenders. Those with a strong technical background will have the opportunity for a deep dive into key concepts and labs. Participants in less technically focused positions will be exposed to a robust detection engineering framework that provides the building blocks to create highly effective detection strategies.
Student Requirements & Access
Participants should have previous network defense/incident response experience and/or knowledge of offensive tools and techniques, primarily post-exploitation techniques. Additionally, familiarity with using a SIEM, such as ELK or Splunk, will be helpful.
During the course, participants will be provided with access to a comprehensive range to perform course labs and goals. Upon completion of the course, participants are provided with a copy of course slides and copies of solution guides/videos.
Participants should bring a laptop with a modern web browser installed; lab access will all be performed through the SpecterOps web portal.
This training will be held in English.
Price: € 2.100
Date
February 2-3, 2026
Location
Maritim Hotel Würzburg
Pleichertorstraße 5
97070 Würzburg
+49 931 3053-0
info.wur@maritim.de