Learn the foundations of cybersecurity defense with Foundational Security Operations and Defensive Analysis (SOC-200), a course designed for job roles such as Security Operations Center (SOC) Analysts and Threat Hunters. Learners gain hands-on experience with a SIEM, identifying and assessing a variety of live, end-to-end attacks against a number of different network architectures. Learners who complete the course and pass the exam earn the OffSec Defense Analyst (OSDA) certification, demonstrating their ability to detect and assess security incidents.

Who is this training for;

Job roles like: Security Operations Center (SOC) Tier 1, Tier 2 and Tier 3 Analysts, Jr. roles in Threat Hunting and Threat Intelligence Analysts, Jr. roles in Digital Forensics and Incident Response (DFIR). Anyone interested in detection and security operations, and/or committed to the defense or security of enterprise networks.

Read more


Learners are required to have basic knolwedge in Networking, Linux and Windows OS.

Read more

Delegates will learn how to

Learners will learn how to:

  • Recognize common methodologies for end-to-end attack chains (MITRE ATT&CK® framework)
  • Conduct guided audits of compromised systems across multiple operating systems
  • Use a SIEM to identify and assess an attack as it unfolds live

About the Exam

  • The OSDA Exam Scheduling Open Now
  • The SOC-200 course prepares you for the OSDA certification
  • Exam is Proctored
  • Learn more about the exam here
Read more


Module 1 Attacker Methodology

The Network as a Whole

  • Gain a basic understanding of an enterprise network's DMZ
  • Learn about deployment environments
  • Understand the difference between core and edge network devices
  • Study virtual private networks and remote sites

The Lockheed-Martin Cyber Kill-Chain

  • Learn the parts of the Lockheed-Martin Cyber Kill-Chain
  • Apply the Kill-Chain to malware that performed cryptomining
  • Apply the Kill-Chain to three iterations of ransomware

MITRE ATT&CK Framework

  • Learn the classifications of the MITRE ATT&CK Framework
  • Review a case study of OilRig campaigns with MITRE ATT&CK principles
  • Review a case study of APT3 campaigns with MITRE ATT&CK principles
  • Review a case study of APT28 campaigns with MITRE ATT&CK principles

Module 2 Windows Endpoint Introduction

Windows Processes

  • Gain a basic understanding of programs running within Windows
  • Learn about Windows Services and their relationship with processes
  • Review the common states of Windows Services

Windows Registry

  • Review the configuration structure of theWindows Registry
  • Learn about the key-value pair relationship within the Windows Registry
  • Understand the value types and formats for Windows Registry keys

Command Prompt, VBScript, and PowerShell

  • Review the non-graphical means of interacting with Windows
  • Build batch scripts used for the command prompt to run local commands
  • Write a Visual Basic Script for collecting operating system
  • Build custom PowerShell functions

Programming on Windows

  • Review the Component Object Model in Windows
  • Learn about the development of the .NET Framework and .NET Core

Windows Event Log

  • Gain a basic understanding of Windows Event logs and sources
  • Review several Windows Event logs using the Windows Event Viewer
  • Use PowerShell to query Windows Event logs

Empowering the Logs

  • Gain a basic understanding of System Monitor Sysmon)
  • Review Sysmon events using the Windows Event Viewer
  • Review Sysmon events using PowerShell
  • Use PowerShell Core in Kali Linux to query event logs remotely

Module 3 Windows Server Side Attacks

Credential Abuse

  • Learn about the Windows Security Account Manager
  • Learn about Windows Authentication
  • Understand the concept of suspicious login activity
  • Evaluate the behavior of brute-force login activity

Web Application Attacks

  • Learn about the configuration of Internet Information Services IIS in Windows
  • Evaluate logging artifacts of local file inclusion for attacking web servers
  • Evaluate logging artifacts of command injection and file upload for attacking web servers

Binary Exploitation

  • Learn about binary attacks through buffer overflows, and the artifacts they create
  • Study the use of Windows Defender Exploit Guard and how it protects against binary exploitation
  • Evaluate logging artifacts generated by the Windows Defender Exploit Guard

Module 4 Windows Client Side Attacks

Attacking Microsoft Office

  • Review social engineering and spearphishing techniques
  • Evaluate the use of Microsoft Office products to deploy phishing attacks
  • Review logging artifacts generated from a phishing attack

Monitoring Windows PowerShell

  • Gain a basic understanding of extended PowerShell logging capabilities
  • Understand the use of PowerShell module logging
  • Understand the use of PowerShell script block logging
  • Understand the use of PowerShell transcription
  • Review PowerShell logging artifacts generated from a phishing attack
  • Learn about PowerShell obfuscation and deobfuscation

Module 5 Windows Privilege Escalation

Privilege Escalation Introduction

  • Gain a basic understanding of Windows integrity levels and enumeration
  • Learn about Windows’ User Account Control UAC
  • Evaluate a UAC bypass technique and the logging artifacts it creates

Escalations to SYSTEM

  • Perform an elevation using UAC Bypass and review the logging artifacts created
  • Learn about service permissions for privilege escalation along with relevant logging artifacts
  • Learn about unquoted service paths for privilege escalation along with logging artifacts

Module 6 Linux Endpoint Introduction

Linux Applications and Daemons

  • Understand what Linux daemons are
  • Understand the Syslog Framework components
  • Understand how the syslog and the journal daemon work together
  • Understand Linux web logging

Automating the Defensive Analysis

  • Understand how scripting can aid log analysis
  • Understand how to scale further scripting with DevOps tools
  • Understand how to put together what we learned in a real-life hunting scenario

Module 7 Linux Server-Side Attacks

Credential Abuse

  • Understand suspicious logins and how to detect them in logs
  • Understand brute-force password attacks and their log footprints

Web Application Attacks

  • Understand command injection attacks and their log footprint and detections
  • Understand SQL injection attacks and their log footprint and detections

Module 8 Linux Privilege Escalation

User-side privilege escalation attack detections

  • Understand how Linux privileges works
  • Understand how to detect privilege escalation attacks on user's configuration files

System-side privilege escalation attack detections

  • Understand how Linux privileges works
  • Understand how to detect privilege escalation attacks on user's configuration files

Module 9 Windows Persistence

Persistence on Disk

  • Understand and recognize Persisting via Windows Service
  • Understand and recognize Persisting via Scheduled Tasks
  • Understand and recognize Persisting by DLLSideloading/Hijacking

Persistence in Registry

  • Understand Using Run Keys
  • Understand Using Winlogon Helper

Module 10 Network Detections

Intrusion Detection Systems

  • Understand theory and methodologies behind IPS and IDS
  • Understand Snort rule syntax
  • Learn how to craft basic Snort rules

Detecting Attacks

  • Learn how to detect known vulnerabilities with Snort rules
  • Learn how to detect novel vulnerabilities with Snort rules

Detecting C2 Infrastructure

  • Understand the components of a C2 framework
  • Learn how to detect a well-known C2 communication through Snort rule sets

Module 11 Antivirus Detections

Antivirus Basics

  • Understand an Overview of Antivirus
  • Understand Signature-Based Detection
  • Understand Heuristic and Behavioral-Based Detection

Antimalware Scan Interface AMSI

  • Understand the basics of AMSI
  • Understand how attackers bypass AMSI

Active Directory Enumeration

Abusing Lightweight Directory Access Protocol

  • Understand LDAP
  • Interact with LDAP
  • Enumerate Active Directory with PowerView

Detecting Active Directory Enumeration

  • Audit Object Access
  • Perform Baseline Monitoring
  • Use Honey Tokens

Module 12 Network Evasion and Tunneling

Network Segmentation

  • Understand the concept of network segmentation
  • Learn the benefits of network segmentation
  • Understand possible methods of implementing network segmentation in an enterprise

Detecting Egress Busting

  • Understanding the concept of egress filtering
  • Understanding an iptables firewall setup and application of egress filtering
  • Evaluate an 'egress busting' technique and the logging artifacts it creates

Port Forwarding and Tunneling

  • Understand the concept of tunneling and port forwarding
  • Learn how attackers use it to compromise additional machines in the network
  • Understand the possible methods and tools attackers use to tunnel into the network and how to detect them

Module 13 Windows Lateral Movement

Windows Authentication

  • Understanding Pass the Hash
  • Understanding Brute Forcing Domain Credentials
  • Understanding Terminal Services

Abusing Kerberos Tickets

  • Understanding Pass the Ticket
  • Understanding Kerberoasting

Active Directory Persistence

Keeping Domain Access

  • Understanding Domain Group Memberships
  • Understanding Domain User Modifications
  • Understanding Golden Tickets

Module 14 SIEM Part One: Intro to ELK

Log Management Introduction

  • Understand SIEM Concepts
  • Learn about the ELK Stack
  • Use ELK Integrations with OSQuery

ELK Security

  • Understand Rules and Alerts
  • Understand Timelines and Cases

Module 15 SIEM Part Two: Combining the Logs

Phase One: Web Server Initial Access

  • Detect enumeration and command injection
  • Implement Phase One detection rules

Phase Two: Lateral Movement to Application Server

  • Discover brute forcing and authentication
  • Create Phase Two detection rules

Phase Three: Persistence and Privilege Escalation on Application Server

  • Understand persistence and privilege escalation
  • Build Phase Three detection rules

Phase Four: Perform Actions on the Domain Controller

  • Identify dumping the AD database
  • Create Phase Four detection rules
Read more

QA is proud to be the UK official partner with Offensive Security.

Click here to view all our OffSec courses.

Click here to view the Learn Online subscriptions.

Dates & Locations

Cyber Security learning paths

Want to boost your career in cyber security? Click on the roles below to see QA's learning pathways, specially designed to give you the skills to succeed.

Required Star = Required
Certification = Certification
Application Security
Cloud Security
Information Security Management
Security Risk
Cyber Tech Generalist
DFIR Digital Forensics & Incident Response
Industrial Controls & OT Security
NIST Pathway
Privacy Professional
Security Auditor
Secure Coding
Cyber Blue Team
Vulnerability Assessment & Penetration Testing
Emerging Tech Security
Business Continuity & Resilience

Offensive Cyber Operations learning paths

Want to boost your career in the world of Offensive Cyber Operations? View QA's learning pathway below, specially designed to give you the skills to succeed.

Required Star = Required
Certification = Certification
Vulnerability Assessment & Penetration Testing

Frequently asked questions

See all of our FAQs

How can I create an account on myQA.com?

There are a number of ways to create an account. If you are a self-funder, simply select the "Create account" option on the login page.

If you have been booked onto a course by your company, you will receive a confirmation email. From this email, select "Sign into myQA" and you will be taken to the "Create account" page. Complete all of the details and select "Create account".

If you have the booking number you can also go here and select the "I have a booking number" option. Enter the booking reference and your surname. If the details match, you will be taken to the "Create account" page from where you can enter your details and confirm your account.

Find more answers to frequently asked questions in our FAQs: Bookings & Cancellations page.

How do QA’s virtual classroom courses work?

Our virtual classroom courses allow you to access award-winning classroom training, without leaving your home or office. Our learning professionals are specially trained on how to interact with remote attendees and our remote labs ensure all participants can take part in hands-on exercises wherever they are.

We use the WebEx video conferencing platform by Cisco. Before you book, check that you meet the WebEx system requirements and run a test meeting (more details in the link below) to ensure the software is compatible with your firewall settings. If it doesn’t work, try adjusting your settings or contact your IT department about permitting the website.

Learn more about our Virtual Classrooms.

How do QA’s online courses work?

QA online courses, also commonly known as distance learning courses or elearning courses, take the form of interactive software designed for individual learning, but you will also have access to full support from our subject-matter experts for the duration of your course. When you book a QA online learning course you will receive immediate access to it through our e-learning platform and you can start to learn straight away, from any compatible device. Access to the online learning platform is valid for one year from the booking date.

All courses are built around case studies and presented in an engaging format, which includes storytelling elements, video, audio and humour. Every case study is supported by sample documents and a collection of Knowledge Nuggets that provide more in-depth detail on the wider processes.

Learn more about QA’s online courses.

When will I receive my joining instructions?

Joining instructions for QA courses are sent two weeks prior to the course start date, or immediately if the booking is confirmed within this timeframe. For course bookings made via QA but delivered by a third-party supplier, joining instructions are sent to attendees prior to the training course, but timescales vary depending on each supplier’s terms. Read more FAQs.

When will I receive my certificate?

Certificates of Achievement are issued at the end the course, either as a hard copy or via email. Read more here.

Contact Us

Please contact us for more information