SOC / blue team training — detection engineering and threat hunting tradecraft

Detection-engineering, threat-hunting and SOC analyst tradecraft — measured against real attack paths from the KeenSafe platform.

Training & Workshops · Operator-grade skill uplift
Live SOC drill dashboard (illustrative panel): alert queue CRIT LSASS access · WS-12, HIGH GoldenSAML attempt, HIGH Mass SMB enum, MED New parent process, MED OAuth consent grant; escalation path T1 → T2 hunt → T2 IR → T3 advanced, IRT engaged; drill cohort KPIs: triage 3m, threat hunting 14m, detection engineering 94%, forensics 6%.
The problem

Where teams get stuck

SOC training often relies on synthetic alerts and toy datasets. Analysts learn to triage tickets but not to hunt, build resilient detections, or reason about identity-driven attack paths.

The KeenSafe approach

How we engage

KeenSafe drives training with the same attack paths the platform finds in real environments. Detections are written, hunted, tuned and validated against live adversary chains, not pre-canned PCAPs.

Methodology

Four-step engagement model

Same rigour every engagement, calibrated to your environment, threat model and regulatory exposure.

STEP 01

Tier-1 fundamentals

Triage, alert anatomy, identity context, escalation discipline.

STEP 02

Threat hunting

Hypothesis-driven hunting against ATT&CK tactics — endpoint, identity, cloud.

STEP 03

Detection engineering

Write, tune, version-control detections; ATT&CK coverage as code.

STEP 04

Capstone exercise

Live attack-path replay; analysts triage, hunt, contain and write detections under pressure.

What you get

Deliverables

Every engagement ships these outputs — reproducible, evidence-backed and ready for executives, engineers and auditors.

Tier-1/2 analyst curriculum

Triage, hunt, escalate — disciplined SOC tradecraft.

Threat-hunting playbooks

Hypothesis-driven hunts mapped to ATT&CK techniques.

Detection-as-code

Detections version-controlled with acceptance tests and ATT&CK tags.

Live capstone

Real attack paths replayed against the SOC for end-to-end exercise.

Scope of engagement

What this engagement covers

Concrete coverage. Clear boundaries. Optional add-on tracks where customers want to extend.

Included
  • Tier-1 / Tier-2 / Tier-3 progressive curriculum
  • Live SOC drill: real attack-path replay against the cohort
  • Threat-hunting hypothesis library (50+ hunts mapped to ATT&CK)
  • Detection-as-code workshop in your chosen SIEM
  • Forensic acquisition fundamentals
  • Per-tier scorecard + cohort-level coverage matrix
Optional add-ons
  • SIEM-specific deep dive (Splunk / Sentinel / Elastic / CrowdStrike / Chronicle)
  • Threat-hunt programme design for in-house teams
  • Tier-3 advanced track: malware-analysis fundamentals
  • Quarterly cohort retainer
Out of scope
  • OSINT / threat-intelligence sourcing (covered by CTI service)
  • Pure red-team tradecraft (covered by Offensive Training)
Engagement model

How we deliver

Duration
5-day intensive · or 8-week part-time cohort
Team
Senior detection engineers + threat hunters with active SOC operations background
Format
Onsite · remote cohort · hybrid capstone with live attack replay
Capacity
12–24 trainees per cohort
Who it is for
  • Tier-1 SOC analysts
  • Tier-2 incident handlers
  • Tier-3 threat hunters
  • Detection engineers
  • SOC managers
Prerequisites
  • Familiarity with at least one SIEM platform
  • Basic Windows + Linux logging knowledge
  • Working knowledge of network protocols at L2–L7
  • Recommended: prior shift experience in a SOC role
Curriculum

Module-by-module breakdown

Each module is hands-on. Lab time is roughly 60% of total.

Module 01

Tier-1 Fundamentals — Triage Discipline

Day 1 · 8h
  • Alert anatomy: signal, context, escalation criteria
  • Identity-context triage (M365, AD, Okta)
  • Endpoint signal interpretation (EDR telemetry)
  • Network signal interpretation (DNS, HTTP, TLS metadata)
  • Tier-1 escalation discipline: when to call Tier-2
Hands-on labs
Tier1-Triage-Lab · Identity-Context-Drill
Module 02

Threat Hunting — Hypothesis-Driven

Day 2 · 8h
  • Hypothesis formation from ATT&CK technique grouping
  • Endpoint hunts (process tree analysis, persistence patterns)
  • Identity hunts (logon anomalies, MFA fatigue, golden-SAML)
  • Cloud hunts (IAM enumeration, key creation, role assumption)
  • Hunt result documentation + detection conversion
Hands-on labs
Endpoint-Hunt · Identity-Hunt · Cloud-Hunt
Module 03

Detection Engineering at Scale

Day 3 · 8h
  • Detection-as-code: version control, peer review, acceptance tests
  • ATT&CK coverage modelling (per-tactic, per-technique)
  • False-positive reduction methodology
  • Detection regression testing with attack-path replay
  • Documentation: every detection ships with a hunt origin
Hands-on labs
SIEM-Rule-Build · Coverage-Matrix-Lab
Module 04

Incident Response Tradecraft

Day 4 · 8h
  • Triage to scope to contain — under time pressure
  • Forensic acquisition without spoliation (memory, disk, network)
  • Identity, endpoint and cloud containment
  • Communications discipline (technical, executive, regulator)
  • Lessons-learned: closing the loop into detection backlog
Hands-on labs
IR-Drill · Forensic-Capture
Module 05

Capstone — Live SOC Drill

Day 5 · 8h
  • Real attack-path replay (KeenSafe-validated chain)
  • Cohort triages, hunts, contains, writes detections under pressure
  • Roles rotated: T1, T2, T3, IR lead
  • Scored debrief with instructor team
  • Action backlog ready to take back to each trainee's real SOC
Hands-on labs
Live-SOC-Drill
Sample report

What lands on your desk

Sections customers actually see in the engagement deliverable.

  1. Per-trainee tier scorecard

     Triage, hunt, detection, IR and comms scored per trainee with next-tier readiness recommendation.

  2. Cohort coverage matrix

     ATT&CK coverage delta the cohort produced during training, mapped to your SIEM stack.

  3. Detection backlog

     Concrete detection-engineering tickets ready to land in your SIEM next sprint.

  4. Hunt-origin documentation

     Every detection produced during training carries its hunt origin for traceability.

Common questions

Frequently asked

What SIEM/XDR do you cover?
Splunk, Microsoft Sentinel, Elastic, CrowdStrike, SentinelOne and Chronicle. We adapt the lab to your stack.
Do you cover Tier-3?
Yes — advanced threat hunting, malware-analysis fundamentals and detection engineering for senior analysts.
How real is the capstone?
A real KeenSafe-validated attack chain is replayed in your lab environment. The cohort responds in real time; instructors score per role.
Can we run cohorts quarterly?
Yes — a cohort retainer is the most popular model for SOCs maturing detection coverage over time.
Get Started

Work with the team behind KeenSafe

Continuous adversarial validation, managed security operations and executive-grade risk visibility — delivered by senior offensive security engineers.