$ cat curriculum.md
Workshop Overview
Step into a fully realized production-grade cyber range to master modern, AI-augmented Security Operations Center (SOC) workflows. This intensive workshop focuses heavily on reproducing real-world attacks and tracing complete attack chains across enterprise infrastructure. Participants will execute advanced adversary techniques, map them directly to the MITRE ATT&CK Matrix, work with Active Directory environments, honeypots and orchestrate automated, AI-assisted defenses.
Includes a complimentary 5-day Cyber Range access pass.
Session 1: Architecture, Adversary Simulation & AI-Augmented Detections
Module 1: Intro & Cyber Range Onboarding Cyber range architecture onboarding; LogManthan overview and deployment; Overview of Wazuh and OpenCTI ecosystem; Rules update workflow, user management, AI-Augmented operations, Case Management and playbook foundations.
Module 2: Introducing SIEM Architecture and ART Wazuh components (Manager, Indexer, Dashboard); Firewall integration and log ingestion pipelines; Firewall rule correlation and network-layer alert mapping; MITRE ATT&CK framework overview and Atomic Red Team (ART) attack simulation.
Module 3: Attack-Chain Simulation & Detection Validation Executing a 5-Stage cyber kill chain: social engineering, payload dropping with in-memory execution, scheduled task persistence, privilege escalation, and lateral movement. Validating detections in Wazuh at each stage; Tuning custom detection rules and alert severity.
Module 4: AI-Augmented Threat Hunting Model Context Protocol (MCP) and LLM integration with Wazuh; Executing natural-language threat hunting queries against raw security telemetry.
Session 2: Automation & Active Defense
Module 5: Honeypot Deployment & Active Directory Defense Honeypot types, concepts, and deployment strategies; Capturing threat data and evaluating attack patterns. Active Directory attack vectors and detections.
Module 6: Automated Threat Mitigation Navigating the Cyber Threat Intelligence (CTI) dashboard; Engineering Wazuh's rule-based trigger system for automated incident response and defensive orchestration.
Module 7: Active Response Engineering & FIM Developing and deploying Active Response scripts to drop malicious IPs and kill unauthorized processes; Integrating File Integrity Monitoring (FIM) with VirusTotal API for real-time malware analysis.
Session 3: Enterprise Automation & Live Digital Forensics
Module 8: Playbook Automation Infrastructure as Code (IaC) using Ansible for centralized security management; Master YAML syntax, inventory files, and playbook structures; Automation scripts for zero-touch mass endpoint enrollment across corporate environments.
Module 9: Live Digital Forensics & Velociraptor Investigation Importance of volatile data in live digital forensics; Velociraptor architecture and endpoint data collection; Running VQL (Velociraptor Query Language) queries to hunt hidden threats; AI-assisted investigations via MCP-Velociraptor integrations.