Skip to main content
KeenSafe
Training · Offensive Security

Offensive security training — red team craft and modern offensive tooling

Hands-on training in red team craft, modern offensive tooling and the engineering practices behind the KeenSafe platform — for security teams that want to operate, not just consume reports.

Plan a workshopAll services
Training & Workshops·Operator-grade skill uplift
LiveRed Team Lab · Cohort
OPERATOR CONSOLELAB TARGETS · LIVECAPTURE THE FLAGCOHORT SCOREBOARDRecon42Exploitation38Post-exploit27Reporting19Cloud · Identity8
The problem

Where teams get stuck

Most offensive training stops at "run this tool". Real attacker tradecraft is about chaining, evasion, modern identity abuse and cloud-native attack paths — and that is rarely taught well.

The KeenSafe approach

How we engage

KeenSafe runs immersive labs that mirror real enterprise environments — Active Directory, Azure / AWS, modern identity, EDR-evasion. Every exercise ties to ATT&CK and to the same platform engine the team will see in production.

Methodology

Four-step engagement model

Same rigour every engagement, calibrated to your environment, threat model and regulatory exposure.

STEP 01

Diagnostic & track design

Skills baseline, role-aware track design — operator, manager, lead.

STEP 02

Live-lab exercises

Realistic enterprise environments with AD, cloud and identity; full kill chains.

STEP 03

Modern tradecraft

Identity abuse, EDR evasion, cloud lateral movement, AI/LLM-aware tradecraft.

STEP 04

Outcome assessment

Capstone scenario, scored debrief, individual development recommendations.

What you get

Deliverables

Every engagement ships these outputs — reproducible, evidence-backed and ready for executives, engineers and auditors.

Role-aware curriculum

Tracks for operators, leads and managers — tied to your tooling.

Live enterprise labs

AD, Azure / AWS, identity, EDR — not generic CTF boxes.

Capstone & scoring

Individual and team scoring against an objective-driven scenario.

Tooling alignment

Where appropriate, exercises align to the same KeenSafe engine in production.

Scope of engagement

What this engagement covers

Concrete coverage. Clear boundaries. Optional add-on tracks where customers want to extend.

Included
  • Five role-aware tracks: Operator · Lead · Manager · Cloud · AI/LLM
  • Live enterprise lab (~120 hosts, AD forest, Azure tenant, AWS account, Kubernetes cluster)
  • Hands-on ATT&CK technique drills with reproducible artefacts
  • EDR-evasion lab against a real EDR (vendor-agnostic)
  • Capstone scenario: 8-hour objective-driven engagement with scoring
  • Per-trainee written + practical assessment, scored debrief
Optional add-ons
  • Custom lab mirroring your enterprise architecture
  • Cleared-personnel delivery (defence / government)
  • Train-the-trainer track for in-house enablement
  • Quarterly retainer cohorts
Out of scope
  • OSCP exam administration (we prep, Offensive Security certifies)
  • Production engagement against customer environment (covered by Managed Pentesting)
Engagement model

How we deliver

Duration
5 days intensive · or 10 weeks part-time
Team
Senior offensive operators (OSCP / OSEP / CRTO holders)
Format
Onsite immersive · remote cohort · hybrid capstone
Capacity
10–20 trainees per cohort
Who it is for
  • Security engineers
  • Penetration testers
  • Red team leads
  • SOC analysts moving to offensive
  • AppSec engineers
Prerequisites
  • Working knowledge of TCP/IP, Windows + Linux command line
  • Familiarity with Active Directory concepts
  • One scripting language (Python, PowerShell, Bash)
  • Recommended: prior CTF or basic pentest exposure
Curriculum

Module-by-module breakdown

Each module is hands-on. Lab time is roughly 60% of total.

Module 01

External Recon & Initial Access

Day 1 · 8h
  • OSINT + asset discovery tradecraft
  • Service fingerprinting + version exposure
  • Phishing infrastructure (operational, not vendor demo)
  • Initial access via web exploitation chains
  • Production-safe exploitation discipline
Hands-on labs
Recon-Lab-01Phish-InfraWeb-RCE-Chain
Module 02

Active Directory & Identity Tradecraft

Day 2 · 8h
  • AD enumeration with BloodHound + custom tooling
  • Kerberoasting + AS-REP roasting under detection-floor throttling
  • ADCS ESC1–ESC11 with safe certificate replay
  • NTLM relay + coerced authentication (PetitPotam, Spooler)
  • Tier-0 boundary reasoning
Hands-on labs
BloodHound-HuntADCS-ESC1NTLM-Relay
Module 03

Cloud & Workload Identity

Day 3 · 8h
  • AWS / Azure / GCP IAM trust path mapping
  • Workload identity federation abuse (OIDC, GitHub Actions)
  • Cross-account assume-role chains
  • EKS / AKS / GKE pod escapes + metadata abuse
  • KMS / KeyVault / Cloud KMS data-plane reach
Hands-on labs
AWS-OIDC-ChainAzure-WIFEKS-Escape
Module 04

Evasion, Persistence & Lateral Movement

Day 4 · 8h
  • EDR-evasion: AMSI, ETW, PPL bypass tradecraft
  • C2 hygiene + traffic shaping
  • In-memory operations vs disk artefacts
  • Persistence selection by environment risk profile
  • Cross-trust + cross-tenant lateral movement
Hands-on labs
EDR-Evade-LabC2-TradecraftCross-Trust
Module 05

Capstone — Objective-Driven Engagement

Day 5 · 8h
  • Stated objective: reach a declared crown jewel from Tier-2 access
  • Solo + team modes with scoring
  • Production-safe rules-of-engagement enforced
  • Live debrief with operator instructor + recorded replay
  • Individual development recommendations
Hands-on labs
Capstone-Engagement
Sample report

What lands on your desk

Sections customers actually see in the engagement deliverable.

  1. 01
    Trainee scorecard

    Per-trainee score across recon, exploitation, lateral, persistence and reporting axes; individualised next-track recommendation.

  2. 02
    Cohort skills matrix

    Role-aware skills heatmap across the cohort; identifies team-level strengths and gaps for managers.

  3. 03
    Capstone replay

    Reproducible artefact pack from the capstone — payloads, screenshots, packets — for in-house review and re-run.

  4. 04
    Detection guidance

    For paired blue-team programmes: which TTPs to detect and how, written by the instructor team.

Common questions

Frequently asked

Onsite or online?
Both. Multi-day onsite immersives and remote cohort programmes; capstones can run hybrid.
Do you certify?
KeenSafe certificates of completion are issued; we also align with OSCP / CRTO style assessments where teams want a market-recognised credential.
Can the lab mirror our environment?
Yes — under custom-lab engagement. We replicate your AD forest, cloud topology and identity model so trainees practise against your shape.
What is the trainee-to-instructor ratio?
10:1 default for full immersives. We can run 5:1 for senior tracks or executive-led cohorts.
Related services

Pairs well with

Training · Defensive Security

Defensive security training

Hardening, detection and incident-response training for engineers and architects — built around real adversary techniques, not generic security awareness.

Read more
Training · SOC / Blue Team

SOC / blue team training

Detection-engineering, threat-hunting and SOC analyst tradecraft — measured against real attack paths from the KeenSafe platform.

Read more
Offensive · Managed Red Teaming

Managed red teaming

Objective-oriented engagements aligned to specific threat actors and crown-jewel outcomes. Multi-vector attack chains, evasion-aware tradecraft, and a purple-team debrief that upgrades both prevention and detection.

Read more
Get Started

Work with the team behind KeenSafe

Continuous adversarial validation, managed security operations and executive-grade risk visibility — delivered by senior offensive security engineers.

Request engagementExplore the platform