Cybersecurity, learned like a practitioner.
24 learning paths · 398 modules live · every lesson written by someone who has shipped the control or run the engagement. Free to start.
Cyber Threat Intelligence · modules
OSINT, ATT&CK, Pyramid of Pain, and intel-driven hunting — actionable CTI, not feed subscriptions.
Module 15 · Strategic Threat Intelligence
Tactical TI is for SOC. Strategic TI is for executives. Different language, different cadence, different artefacts. Strategic questions Which threat actors target organisations like ours? What are their goals (extortion, espionage, disruption)? What’s their technical sophistication level? Are we more or less targeted than peers? What investments would meaningfully shift the risk? Strategic artefacts Threat […]
Module 8 · STIX & TAXII Standards
STIX = data format. TAXII = transport. Together: machine-readable threat intel sharing. STIX object types Indicator (the “what to look for”) Threat Actor Campaign Intrusion Set Malware Tool Attack Pattern (= ATT&CK technique) Vulnerability (= CVE) Identity (= Victim) Relationship Why structured matters Vendor PDF report → manual extraction. Vendor STIX feed → automatic ingestion […]
Module 9 · Attribution Methodology
“Who did this?” is often the wrong question. Attribution is hard, slow, and often inconclusive. Defenders mostly need TTP-level intel, not actor identity. The Diamond Model Four vertices of an intrusion analysis: Adversary — who Capability — what tools, what TTPs Infrastructure — what domains, IPs, code-signing certs Victim — who/what was targeted Pivot between […]
Module 10 · OSINT for Actor Profiling
For sectoral and regional threat awareness, OSINT is invaluable. Sources Public threat reports — Mandiant, CrowdStrike, Microsoft, Recorded Future VirusTotal Intelligence — sample relationships MalwareBazaar — malware samples URLhaus, ThreatFox — abuse.ch projects Twitter/X — security researchers post real-time Telegram — actor channels (be careful) Dark web monitoring — paid services (Recorded Future, Flashpoint, KELA) […]
Module 11 · IOC Hygiene
Buying IOC feeds is the easy part. Operationalising them without false positives is the hard part. IOC lifecycle Ingest from source Score (confidence, source reputation) Enrich (WHOIS, geolocation, ASN, related campaigns) Match against telemetry Decay — IOCs age out (IPs rotate, domains expire) Retire — remove from active matching after N days Quality signals Source […]
Module 12 · Deception Technology
Deception is high-fidelity threat detection: legitimate users don’t touch decoys, so any touch = malicious. Three patterns Honeypots — fake systems (servers, databases). Real protocol; fake content. T-Pot, Cowrie. Honeytokens — fake credentials, fake API keys. Trigger alert on use. Canary tokens — Thinkst Canary; lightweight tokens that fire on access. Practical deployment Honey AD […]
Module 13 · Malware Family Classification
Classifying samples by family enables tracking actor evolution. YARA is the de-facto language. YARA basics rule MyMalware_v2 { meta: author = "RingSafe" family = "Cobalt Strike" version = "4.x" strings: $beacon_str = "Mozilla/5.0 (Windows NT 6.1)" wide $config_marker = { 00 01 00 0E ?? ?? } condition: uint16(0) == 0x5A4D and any of them […]
Module 14 · Continuous Threat Intel Workflow
Most Indian organisations don’t have dedicated CTI teams. But you can run a 1-person / 0.5-FTE program effectively. The cadence Daily (15-30 min) — skim Twitter/X security feed; check threat-feed updates; review SIEM enrichments Weekly (2 hours) — read 2-3 vendor reports; update threat-actor watchlist; brief SOC on changes Monthly (half day) — assessment review, […]
Module 6 · The Pyramid of Pain
Covered briefly in Blue Team Module 6. This is the deeper dive. The pyramid Hash values — recompile, hash changes IPs — rotate infrastructure Domains — register new Network/host artefacts — User-Agent, registry keys Tools — Cobalt Strike, Mimikatz TTPs — tactics, techniques, procedures Top of pyramid = harder for attacker to change. Operational implication […]
Module 7 · MITRE ATT&CK in Practice
MITRE ATT&CK is the de-facto common language. Operationalising it requires discipline. The structure Tactics (14) — adversary goals (Initial Access, Execution, Persistence, etc.) Techniques (~200) — how the goal is achieved Sub-techniques — specific variants Procedures — actor-specific implementation ATT&CK Navigator Free tool for visualising layers. Use cases: Coverage map — which techniques have detections […]
Practitioners who've
shipped the controls.
Every module is written by someone who has built the defence or run the engagement. No repackaged tutorials, no generic theory.
Why learn here
Practitioner-written.
Each lesson is authored by someone who has shipped the control or run the engagement in production.
Quiz after every module.
20+ questions with explanations. 70%+ to mark complete. Unlimited retries.
Progress tracked.
Completions, scores and streaks saved automatically. Resume exactly where you left off.
India-priced.
Start free. ₹499/mo for intermediate. ₹4,999/yr for advanced. No hidden fees, ever.