// Flagship cyber range · 24h · Intermediate → Advanced
MITRE ATT&CK: From Plan to Action
Threat-Informed Defense Operations Center. Detect, hunt, score risk and respond to APT ShadowFox across Splunk, Sysmon, Wazuh and a live Active Directory range. Earn the CMASA certification.
The 11-lab path
← All labs- LAB 01
ATT&CK Fundamentals
Master the ATT&CK matrix: tactics, techniques and the cyber kill chain.
90m+300ptsIntermediate - LAB 02
Build Detection Coverage
Audit SIEM telemetry against ATT&CK techniques and produce a coverage dashboard.
120m+450ptsIntermediate - LAB 03
Security Content Developer
Build a Splunk detection, correlation search and alert for a fresh PowerShell attack.
120m+500ptsIntermediate - LAB 04
SOC Engineer Data Requirements
Justify and document logging requirements (PowerShell, Sysmon 1/3, 4688) for ATT&CK coverage.
90m+400ptsIntermediate - LAB 05
Threat Hunting: C2 Beaconing
Hunt T1071 application-layer beaconing across Splunk, Sysmon and DNS logs.
150m+650ptsAdvanced - LAB 06
Risk-Based Alerting (RBA)
Convert ATT&CK detections into weighted risk scores and trigger a high-risk alert on user jsmith.
150m+700ptsAdvanced - LAB 07
Adversary Emulation
Safely emulate the APT chain: initial access → PowerShell → credential dumping → lateral movement → persistence → exfil.
180m+800ptsAdvanced - LAB 08
Blue Team Incident Response
Detect, investigate, contain, eradicate and recover from the simulated APT ShadowFox intrusion.
180m+750ptsAdvanced - LAB 09
Red Team Assessment
Speak ATT&CK across teams: map technique → detection status → response status → gap.
150m+700ptsAdvanced - LAB 10
CISO Dashboard
Translate ATT&CK posture into a board-ready dashboard: coverage %, asset visibility, maturity, heatmap, roadmap.
120m+600ptsAdvanced - CAP
Capstone: APT ShadowFox
Live-fire APT ShadowFox capstone. Chain T1190 → T1059 → T1003 → T1021 → T1041 end-to-end.
240m+1500ptsCritical
Certified MITRE ATT&CK Security Analyst
CMASA
Validates: ATT&CK mapping · Threat hunting · Detection engineering · SIEM operations · SOC analysis · Risk-Based Alerting · Incident response · Adversary emulation.
Sign in to start the track