KeenSafe

Defensive security training — hardening, detection and response

Hardening, detection and incident-response training for engineers and architects — built around real adversary techniques, not generic security awareness.

Training & Workshops · Operator-grade skill uplift
Live Blue Team Sim · Cohort
[Figure: incident timeline (T+00 alert, T+04 triage, T+12 pivot, T+24 contain, T+36 close) with trainee tracks T1, T2 and T3 rotating through triage, hunt, detection engineering and IR; detection coverage gained: +24%; tracks: Hardening, Detection, IR, Cloud Defense, Identity]
The problem

Where teams get stuck

Defensive training often teaches frameworks rather than how a real attack moves through an environment. Engineers leave with checklists, not the ability to reason about identity, lateral movement and cloud-native attack paths.

The KeenSafe approach

How we engage

Every exercise pairs a realistic attacker action with the engineering response that closes it. Trainees learn by hardening systems against attacks they have just seen run in their own lab.

Methodology

Four-step engagement model

Same rigour every engagement, calibrated to your environment, threat model and regulatory exposure.

STEP 01

Adversary-led modules

Each module starts with a real attack technique, mapped to ATT&CK.

STEP 02

Hardening lab

Trainees harden systems against the techniques they just saw — AD, cloud, endpoint.

STEP 03

Detection engineering

Build, test and tune detections against the same techniques.

STEP 04

IR table-top

Scenario-based incident response exercise with scoring and lessons.

What you get

Deliverables

Every engagement ships these outputs — reproducible, evidence-backed and ready for executives, engineers and auditors.

Adversary-led curriculum

Modules anchored in real attack techniques, mapped to ATT&CK.

Hardening lab

Hands-on hardening against the attack you just ran — AD, cloud, endpoint.

Detection engineering

Build, test and tune detections in your SIEM/XDR with example queries.

IR table-top

Scenario-based response exercise with scoring and lessons.

Scope of engagement

What this engagement covers

Concrete coverage. Clear boundaries. Optional add-on tracks where customers want to extend.

Included
  • Adversary-led modules: every module starts with a real attack technique
  • Hardening lab: trainees harden systems against the attack they just saw
  • Detection-engineering lab: build, tune, version-control detections
  • Incident-response table-top with scoring
  • Cloud + identity defence integrated throughout (M365, Azure, AWS, GCP)
  • Per-trainee scorecard and team skills matrix
Optional add-ons
  • SIEM-specific deep dive (Splunk / Sentinel / Elastic / CrowdStrike)
  • Custom lab mirroring your environment
  • Quarterly retainer for continuous detection-engineering uplift
  • Train-the-trainer track
Out of scope
  • Awareness training for general staff (covered by Executive Cyber Awareness)
  • Production incident response (covered by Incident Response service)
Engagement model

How we deliver

Duration
5 days intensive · or 8 weeks part-time
Team
Senior detection engineers + IR-experienced operators
Format
Onsite · remote cohort · hybrid table-top
Capacity
12–20 trainees per cohort
Who it is for
  • Security engineers
  • Detection engineers
  • IR analysts
  • IT engineers running controls
  • Cloud security engineers
Prerequisites
  • Familiarity with one SIEM (Splunk, Sentinel, Elastic, or similar)
  • Working knowledge of Windows + Linux logging
  • Active Directory administrative basics
  • Recommended: prior incident-response exposure
Curriculum

Module-by-module breakdown

Each module is hands-on. Lab time is roughly 60% of total.

Module 01

Adversary Tradecraft Foundations

Day 1 · 8h
  • ATT&CK as a detection model, not a checklist
  • Identity-driven attack patterns in modern enterprises
  • Cloud-native attack chains
  • Living-off-the-land vs custom tooling tradeoffs
  • How attackers evade detection — categorical view
Hands-on labs
Adversary-Pattern-Lab · Identity-Chain-Lab
Module 02

Hardening at the Boundary

Day 2 · 8h
  • AD Tier-0 model enforcement in practice
  • ADCS template hygiene, Kerberos delegation cleanup
  • Cloud workload identity hardening (AWS / Azure / GCP)
  • Endpoint baselines + EDR tuning
  • Hardening backlogs anchored to validated attack paths
Hands-on labs
AD-Tier0-Lab · Cloud-IAM-Hardening · EDR-Tune
Module 03

Detection Engineering

Day 3 · 8h
  • Detection-as-code: SIEM / EDR rules under version control
  • Per-TTP coverage modelling
  • False-positive reduction methodology
  • Detection regression testing against attack replays
  • Bridging detection and IR run-books
Hands-on labs
SIEM-Detection-Build · Detection-Regression
Module 04

Incident Response in Practice

Day 4 · 8h
  • Scoping and triage discipline under time pressure
  • Identity, endpoint, network, cloud containment
  • Forensic artefact collection without spoliation
  • Lessons-learned: turning incidents into detections
  • Communications: technical, executive, regulator
Hands-on labs
IR-Triage-Drill · Forensic-Capture
Module 05

Capstone — Live Incident Table-top

Day 5 · 8h
  • Realistic ransomware affiliate scenario, time-boxed
  • Trainees rotate roles: Tier-1, Tier-2, IR lead, comms
  • Decisions captured and scored against framework
  • Live debrief with instructor team
  • Action backlog for trainee's real environment
Hands-on labs
IR-Capstone
Sample report

What lands on your desk

Sections customers actually see in the engagement deliverable.

  1. Per-trainee scorecard

     Hardening, detection, IR and communications scored per trainee with next-step development recommendation.

  2. Cohort gap matrix

     Role-aware skills heatmap for managers — where the team is strong, where investment pays off.

  3. Detection-engineering backlog

     Concrete detection-engineering tickets the cohort produced during training, ready to land in your SIEM.

  4. Capstone replay

     Reproducible artefact pack from the IR table-top capstone for in-house re-run with new joiners.

Common questions

Frequently asked

Who is this for?
Security engineers, IT engineers and architects who design or run defensive controls. Not security awareness training for general staff.
Do you cover cloud?
Yes — Microsoft 365, Azure, AWS and GCP defensive engineering are integrated throughout.
Can we tailor the SIEM track?
Yes. Splunk, Sentinel, Elastic, CrowdStrike and Chronicle have dedicated SIEM-specific deep-dive content.
How is success measured?
Per-trainee scorecard plus a measurable detection-engineering backlog the cohort lands during training.
Get Started

Work with the team behind KeenSafe

Continuous adversarial validation, managed security operations and executive-grade risk visibility — delivered by senior offensive security engineers.