Hunt The Hacker

"Hunt The Hacker" A practical training that teaches attendees how to discover hackers that have bypassed existing security mechanisms, and are now operating invisibly within the internal network. This course is Windows domain centric. Brought to you by professional hackers!

Training duration: 2 days of instruction, predominantly in the form of hands-on hunting labs.

Group size: 10 participants maximum

Target audience: Everybody who needs to know more about what threat hunting is, why it is necessary, what is required to start doing it, and how it should be done. Appropriate roles include: CISOs, Security Managers, SOC staffers, Incident Responders, Forensic Analysts and System Administrators.

Pre-requisites:To maximize value to the attendee, prior HOHE participation is highly recommended, but not mandatory.

Price: 2 days, 700 EUR +VAT

Next public training courses

Contents of the training

During the 2 days hands-on training experience the participants learn how to hunt hackers within our Windows 10 lab network, using a range of highly effective threat hunting technologies and techniques. Technologies used: Sysmon, the Elastic stack (formerly “ELK”), WinRM, PowerShell, YARA.


Trainers are James DoddTaavi Sonets.

James Dodd James Dodd

James is an ethical hacker with an extensive development background in software development. He joined the team in December 2016 and came from gaming sector, where as a Principal Developer he worked on back end distributed systems.                                                                              James has a BSc degree in Software Engineering from De Montfort University, England. For his final year project, he wrote a steganography tool to invisibly embed large quantities of information into animated GIFs.                                                                                                        James is a trainer of our Hands-on Hacking Essentials (HOHE) and Hunt The Hacker (HtH) courses.                                                                              He is particularly passionate about full scope black box Red Teaming.

Taavi Sonets Taavi Sonets

Taavi joined the team in April 2015 as a Web application pentester. His previous work experience consists mainly of Web Application development. He holds a M.Sc. degree in Cyber Security from Tallinn University of Technology. He wrote his masters thesis about improving User Simulation Team Workflow in the Context of Cyber Defense Exercise. Taavi is the main trainer of our Hands-on Hacking training series (HOHE, HOHE FU, HtH, HOHA).

Training methods

The trainers engage participants with lectures, live demonstrations and Q&A sessions. Each participant spends the majority of their time performing a wide variety of hands-on hunts.

Intended outcome

Participants will understand what threat hunting is, be utterly convinced of the need for it, know what infrastructure is required to facilitate it, and be able to start doing it with confidence within their own organizations.

Training environment

The training environment is a remotely accessed lab that can be used by participants anywhere in the world as long as VPN connection via decent Internet connectivity is viable. The hunting lab is hosted on Clarified Security's own virtualized infrastructure. Each student has their own account on the shared environment, made up of a Windows domain plus threat hunting infrastructure.

Technical requirements for the training

  1. Good Internet connection - at least 10Mbps download speed via a network cable (RJ45 connector) for connecting the classroom to the training server in Tallinn, via our VPN device. The VPN device just needs to get an IP address via DHCP and have outgoing IPSEC traffic enabled to our training environment IP addresses. The participants will be using a web browser and an RDP client to connect to computers and services within the training environment via this VPN connection.

  2. Participants' computersany computer or laptop with any Operating System will do, as long as a Windows RDP compatible client is installed. The customer is expected to provide the LAN (switch + cables + power jacks) that can be connected to our VPN device that supplies IP addresses via DHCP. In case of laptops, we can provide our own WiFi Access Point for creating a LAN. Minimum 1024x768 monitor resolution is recommended.

  3. Video projector and large screen - so that command line activity is also easy to follow from the back row.