// Flagship cyber range · 24h · Intermediate → Advanced

MITRE ATT&CK: From Plan to Action

Threat-Informed Defense Operations Center. Detect, hunt, score risk and respond to APT ShadowFox across Splunk, Sysmon, Wazuh and a live Active Directory range. Earn the CMASA certification.

KaliWindows 11Windows Server 2022Active DirectorySplunkSysmonWazuh
Track progress0/11 labs · 0%
Organization
Alpha Research Labs
Defense Research
Threat Actor
APT ShadowFox
T1190 → T1059 → T1003 → T1021 → T1041
Mission
Detect · Investigate · Respond
Multi-stage intrusion in 24h

The 11-lab path

← All labs
  1. LAB 01

    ATT&CK Fundamentals

    Master the ATT&CK matrix: tactics, techniques and the cyber kill chain.

  2. LAB 02

    Build Detection Coverage

    Audit SIEM telemetry against ATT&CK techniques and produce a coverage dashboard.

  3. LAB 03

    Security Content Developer

    Build a Splunk detection, correlation search and alert for a fresh PowerShell attack.

  4. LAB 04

    SOC Engineer Data Requirements

    Justify and document logging requirements (PowerShell, Sysmon 1/3, 4688) for ATT&CK coverage.

  5. LAB 05

    Threat Hunting: C2 Beaconing

    Hunt T1071 application-layer beaconing across Splunk, Sysmon and DNS logs.

  6. LAB 06

    Risk-Based Alerting (RBA)

    Convert ATT&CK detections into weighted risk scores and trigger a high-risk alert on user jsmith.

  7. LAB 07

    Adversary Emulation

    Safely emulate the APT chain: initial access → PowerShell → credential dumping → lateral movement → persistence → exfil.

  8. LAB 08

    Blue Team Incident Response

    Detect, investigate, contain, eradicate and recover from the simulated APT ShadowFox intrusion.

  9. LAB 09

    Red Team Assessment

    Speak ATT&CK across teams: map technique → detection status → response status → gap.

  10. LAB 10

    CISO Dashboard

    Translate ATT&CK posture into a board-ready dashboard: coverage %, asset visibility, maturity, heatmap, roadmap.

  11. CAP

    Capstone: APT ShadowFox

    Live-fire APT ShadowFox capstone. Chain T1190 → T1059 → T1003 → T1021 → T1041 end-to-end.

Certified MITRE ATT&CK Security Analyst

CMASA

Validates: ATT&CK mapping · Threat hunting · Detection engineering · SIEM operations · SOC analysis · Risk-Based Alerting · Incident response · Adversary emulation.

Sign in to start the track