Read as
Last updated: April 29, 2026
Covered briefly in Blue Team Module 6. This is the deeper dive.
Covered briefly in Blue Team Module 6. This is the deeper dive.
The pyramid
- Hash values — recompile, hash changes
- IPs — rotate infrastructure
- Domains — register new
- Network/host artefacts — User-Agent, registry keys
- Tools — Cobalt Strike, Mimikatz
- TTPs — tactics, techniques, procedures
Top of pyramid = harder for attacker to change.
Operational implication
If your detections are 90% IOC-based: attackers rotate trivially.
If 70%+ TTP-based: attackers need to retool — rare and expensive.
How to shift up
- For each IOC-based rule, ask: what behaviour does this represent? Build a behavioural rule.
- Use ATT&CK Navigator to plan TTP-coverage
- Regular purple-team sessions force the shift
🧠
Check your understanding
Module Quiz · 4 questions
Pass with 80%+ to mark this module complete. Unlimited retries. Each question shows an explanation.
Want this for your team?
Custom team training + practitioner advisory
Beyond the free academy — we run private workshops, vCISO advisory, and red-team exercises tailored to your stack. For Indian SMBs scaling past their first hire.
Book team training call
Replies in 4 working hrs · India-only · Senior consultants