Hunt The Hacker

"Hunt The Hacker" is an eye-opening practical training for security-related personnel who are interested in how to discover and hunt hackers rooted in their systems.
Brought to you by hackers!

Training duration: 2 days of instructions heavily mixed with hands-on practical labs

Group size: 10 participants maximum

Target audience: System administrators, information security specialists and managers, and any other IT personnel who are not afraid of the shell or command prompt

Pre-requisites: Prior HOHE participation is highly recommended but not required to take this course

Price: 2 days, 700 EUR +VAT

Contents of the training

During the 2-day hands-on training, participants will learn the basics of establishing a normal behavioral baseline in a simulated network infrastructure. After that, they will learn how to track down abnormalities and hackers in that infrastructure. Some of the tools featured in the course include: Kansa, Cuckoo, the Elastic stack, Windows Event Forwarding (WEF), PowerShell scriptblock logging, Sysmon.


Trainers are James Dodd and Taavi Sonets.

James Dodd

James is an ethical hacker with an extensive background in software development. He joined the team in December 2016 and came from the gaming sector, where as a Principal Developer he worked on back-end distributed systems. James has a BSc degree in Software Engineering from De Montfort University, England. For his final year project, he wrote a steganography tool to invisibly embed large quantities of information into animated GIFs. James is a trainer of our Hands-on Hacking Essentials (HOHE) and Hunt The Hacker (HtH) courses. He is particularly passionate about full scope black box Red Teaming.

Taavi Sonets

Taavi joined the team in April 2015 as a Web application pentester. His previous work experience consists mainly of Web application development. He holds an M.Sc. degree in Cyber Security from Tallinn University of Technology. He wrote his master's thesis about improving User Simulation Team Workflow in the Context of Cyber Defense Exercise. Taavi is the main trainer of our Hands-on Hacking training series (HOHE, HOHE FU, HtH, HOHA).

Training methods

Trainers will engage participants with lectures, live attack demonstrations and practical examples followed by individual hands-on exercise scenarios. Training is interactive and practical and, besides active participation, is full of attack stories that help to change the perspective and understanding of real-life security threats.

Intended outcome

After the training, the participants will understand how to set up active threat hunting processes and infrastructure for their own companies and how to execute them.

Training environment

The training environment is essentially a mobile training lab that can be brought to the participants anywhere in the world, as long as a VPN connection via decent Internet connectivity is viable. Training activity takes place inside a special virtualization server (VMware ESXi 5, 24 cores, 96 GB RAM, 2 TB HDD). Every student has access to an individual Kali machine and targets in a separate subnet.

Technical requirements for the training

  1. Good Internet connection - at least 10 Mbps download speed via a network cable (RJ45 connector) for connecting the classroom to the training server in Tallinn via our VPN device. The VPN device just needs to get an IP address via DHCP and have outgoing IPsec traffic enabled to our training environment IP addresses. The participants will be using a web browser and an RDP client to connect to computers and services within the training environment via this VPN connection.

  2. Participants' computers - any computer or laptop with any operating system will do, as long as a Windows RDP compatible client is installed. The customer is expected to provide the LAN (switch + cables + power jacks) that can be connected to our VPN device that supplies IP addresses via DHCP. In case of laptops, we can provide our own WiFi Access Point for creating a LAN. Minimum 1024x768 monitor resolution is recommended.

  3. Video projector and large screen - so that command line activity is also easy to follow from the back row.