Threat Hunting develops an advanced, hypothesis-driven capability for proactively identifying adversary activity across host and network environments. Students learn to translate threat intelligence into structured hunting hypotheses aligned to adversary tradecraft and the MITRE ATT&CK framework. Through hands-on investigation, students hunt for persistence mechanisms, obfuscated malware, lateral movement, and command-and-control activity using host telemetry, network data, and federated hunting platforms. The course emphasizes analytical rigor, behavioral detection, and evidence correlation over alert-driven response. Students conclude with a mission-oriented Culmination Exercise (CULEX) that requires executing the full hunting lifecycle, reconstructing an intrusion timeline, and producing a structured incident report.
Intended Audience: Cyber defenders, incident responders, and threat hunters with prior experience in Windows, Linux, and network telemetry who are transitioning from reactive detection to proactive, hypothesis-driven threat hunting. This course is intended for practitioners responsible for identifying stealthy adversary behavior across enterprise host and network data sources.