4-Day Instructor-Led Programme
A four-day hands-on practitioner programme covering hypothesis-driven threat hunting for nation-state intrusions across Splunk, Microsoft Sentinel, and ELK, with daily lab exercises and a live capstone. Build the detection engineering, hunt methodology, and intelligence reporting skills to find APT actors who have already bypassed standard SIEM alerting.
Duration
4 Days
Price
$4,495

Industry breach studies have put the mean time to identify an intrusion at around 197 days, and patient nation-state operators are built to exploit that gap. Standard SIEM alerts are tuned for known-bad indicators, not for living-off-the-land operators who rely on legitimate administrative tools, trusted processes, and valid but compromised credentials. This four-day programme develops the threat hunting capability needed to find what alerts miss, using the same platforms deployed in enterprise and government SOC environments.
Across four days of mentor-led instruction and hands-on platform labs, participants build APT-specific detection rules in Splunk and Microsoft Sentinel, execute structured threat hunts across all three platforms, apply MITRE ATT&CK Navigator to map detection coverage and identify gaps by adversary group, and analyse network traffic and DNS patterns for C2 beaconing and anomaly indicators. Every day concludes with a practical exercise reinforcing the session content.
The programme culminates in a four-hour capstone: a live red-versus-blue hunt scenario using a simulated nation-state intrusion dataset. Participants detect, investigate, and produce a professional intelligence report under realistic time pressure. This course is aligned with MITRE ATT&CK, NCSC threat hunting guidance, and platform-specific SOC detection engineering standards.
Full-day Splunk, Sentinel, and ELK platform labs; APT-specific detection rule building; C2 beaconing and DNS anomaly detection practicals; and a four-hour live hunt capstone exercise.
Practitioner-led detection engineering sessions with live rule review, ATT&CK coverage mapping workshops, and instructor-guided debrief of every hunt exercise output across all four days.
Hypothesis-driven threat hunting methodology, detection rule authoring across three SIEM platforms, ATT&CK coverage analysis, living-off-the-land detection, and intelligence report production under time pressure.
Hunt for long-dwell nation-state intrusions using Splunk, Microsoft Sentinel, and ELK across four days of hands-on lab work.
Apply MITRE ATT&CK Navigator to build detection coverage maps and identify gaps by specific adversary group.
Detect living-off-the-land techniques, LOLBin abuse, fileless malware, and injection into trusted processes.
Identify lateral movement, credential dumping, and C2 beaconing signatures across enterprise telemetry.
Write structured threat hunting hypotheses and execute disciplined, evidence-based hunts to completion.
Produce professional intelligence reports translating hunt findings into actionable SOC and CISO recommendations.
Design and prioritise a detection engineering programme based on threat actor likelihood and sector exposure.
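The beaconing and DNS-anomaly hunts listed above come down to two testable hypotheses: a compromised host contacts its C2 at machine-regular intervals, and a DNS tunnel produces many distinct, high-entropy labels under one parent zone. The script below is an added illustration, not course material or code from any of the three platforms; it runs the same logic a Splunk or KQL hunt query would express, over a constructed proxy log and DNS query log embedded inline. The hosts, domains, thresholds (8 connections, coefficient of variation 0.1, 5 unique labels, entropy 3.0) are assumptions chosen for the sample data.

```python
"""Hypothesis-driven beaconing and DNS-tunnel checks over constructed telemetry.
Added example; not part of the programme's lab content."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from math import log2
from statistics import mean, pstdev

BASE = datetime(2024, 3, 1, 10, 0, 0, tzinfo=timezone.utc)


def _line(offset_s, src, dst):
    """Build one constructed log line: '<iso8601 timestamp> <src> <dst>'."""
    return f"{(BASE + timedelta(seconds=offset_s)).isoformat()} {src} {dst}"


# Constructed proxy log (assumed hosts). 10.0.0.5 beacons to 203.0.113.7 roughly
# every 60 s with a few seconds of jitter; 10.0.0.8 browses at human intervals.
_JITTER = [0, 1, -1, 2, 0, -2, 1, 0, 1, -1, 0, 2]
PROXY_LOG = [_line(60 * i + j, "10.0.0.5", "203.0.113.7") for i, j in enumerate(_JITTER)]
PROXY_LOG += [_line(t, "10.0.0.8", "www.example.com")
              for t in (0, 5, 90, 95, 400, 402, 900, 903, 1500)]

# Constructed DNS query log. 10.0.0.5 resolves many unique hex-like labels under
# one parent zone (tunnel/beacon pattern); 10.0.0.8 resolves a handful of names.
_TUNNEL_LABELS = ["3f9a8c1e2b7d", "a81c0e5f7b29", "e6d24b0f91ac", "71fbc9e0d4a3",
                  "c0b5d8a27e16", "9d3e6f1a4c8b", "2b7a0c9e5d1f", "f4e18b3c6a92"]
DNS_LOG = [_line(30 * i, "10.0.0.5", f"{lbl}.c2-relay.example.net")
           for i, lbl in enumerate(_TUNNEL_LABELS)]
DNS_LOG += [_line(t, "10.0.0.8", q) for t, q in
            ((0, "www.example.com"), (120, "mail.example.com"), (300, "www.example.com"))]


def find_beacons(lines, min_count=8, max_cv=0.1):
    """Return {(src, dst): (count, mean_gap_s, cv)} for pairs whose connection
    timing is suspiciously regular. cv = stdev/mean of inter-arrival gaps;
    interactive traffic typically has cv well above 1, a jittered beacon far below."""
    times = defaultdict(list)
    for line in lines:
        ts, src, dst = line.split()
        times[(src, dst)].append(datetime.fromisoformat(ts))
    hits = {}
    for pair, stamps in times.items():
        if len(stamps) < min_count:
            continue  # too few events to judge regularity
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        m = mean(gaps)
        if m <= 0:
            continue  # duplicate timestamps; cannot compute a meaningful cv
        cv = pstdev(gaps) / m
        if cv <= max_cv:
            hits[pair] = (len(stamps), round(m, 1), round(cv, 3))
    return hits


def shannon_entropy(label):
    """Bits of entropy per character in a DNS label (max log2(alphabet))."""
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * log2(c / n) for c in counts.values())


def find_dns_anomalies(lines, min_unique=5, min_entropy=3.0):
    """Return {(src, parent_zone): (unique_labels, mean_entropy)} where one host
    queries many distinct, high-entropy leftmost labels under one parent zone."""
    labels_seen = defaultdict(set)
    for line in lines:
        _, src, qname = line.split()
        labels = qname.rstrip(".").split(".")
        if len(labels) < 3:
            continue  # bare second-level names carry no variable label
        labels_seen[(src, ".".join(labels[1:]))].add(labels[0])
    hits = {}
    for key, names in labels_seen.items():
        if len(names) < min_unique:
            continue
        ent = mean(shannon_entropy(n) for n in names)
        if ent >= min_entropy:
            hits[key] = (len(names), round(ent, 2))
    return hits


if __name__ == "__main__":
    print("beacon candidates:", find_beacons(PROXY_LOG))
    print("dns anomalies:", find_dns_anomalies(DNS_LOG))
```

Both functions return candidates, not verdicts: the hunt step that follows is pivoting on the flagged pair (process, user, first-seen time) to confirm or refute the hypothesis, and the thresholds should be re-derived from a baseline of your own environment rather than copied from this sample.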
Active experience in a SOC analyst or security operations role at L2 level or above.
Familiarity with at least one SIEM platform and basic query language experience.
Understanding of common attack techniques including phishing, credential theft, and lateral movement.
Choose the learning format that works best for you and your team
Instructor-Led Training
Join live instructor-led sessions from anywhere. Interactive, engaging, and flexible.
Group enrolments and early planning options available.
All prices are exclusive of VAT where applicable. Group enrolments and custom packages available on request.
Not everyone learns best in a group. If you want focused guidance, faster clarity, and confidence you can use on the job, our 1-to-1 Fast-Track Training gives you private, mentor-led support tailored to your experience and goals.
"Many learners choose 1-to-1 when they want understanding, not memorisation."
Everything you need to know about the certification exams
You will receive an Xcademia certificate of completion based on participation and successful completion of labs and scenario simulations.
Everything you need to know about this course
Familiarity with at least one SIEM platform and basic query writing is expected. Participants do not need expertise across all three platforms, as each is taught from a hunting-focused foundation within the programme.