Cyber Threat Hunting

Built for Tier 3 Threat Hunters

Intermediate

$1,400 inc. tax per learner

Background

Modern organizations face increasingly sophisticated cyber threats that can bypass automated defenses and remain undetected for long periods of time. To proactively identify malicious activity before it escalates into a serious breach, companies rely on cyber threat hunting, a discipline focused on uncovering hidden attacker behavior across endpoints, systems, and networks.

This updated version of Kaspersky’s course, developed by the company’s own SOC and incident investigation experts, provides comprehensive practical training in modern threat hunting methodologies.

Based on real-world experience and continuously updated expertise, the course introduces participants to threat hunting as an analytical process, the use of MITRE ATT&CK as a behavioral framework, and multiple hunting approaches, including TTP-based, IOC-based, and anomaly-based techniques.

Throughout the course, participants will gain hands-on experience investigating threats in Windows, Linux, and network environments, learning how to detect adversary activity, analyze telemetry and logs, reconstruct attack chains, and validate hunting hypotheses using professional tools and real-world scenarios in virtual lab environments.

Course leaders

Roman Nazarov

Head of Kaspersky SOC Consulting

Roman has 13 years of experience in information security, mainly focused on SOC areas. He started his career as a security engineer and advanced to manage a team specializing in building SOC platforms for big national organizations. Working internationally on various challenges, like designing threat detection frameworks, Roman became a certified ArcSight instructor. Back in Russia, he developed a cyber security platform handling 2 million security events per second at the country’s biggest bank.

Now at Kaspersky SOC Consulting, he focuses on a complex approach that includes all areas of SOC/MSS/CERT design and architecture, establishing operations and development planning. Roman is an acknowledged professional holding certificates like CISSP, CISM, CISA, GNFA, GCIH.

Sergey Soldatov

Head of Kaspersky SOC

Sergey started his career over 20 years ago as a software developer, writing in C and Perl. After working as a sysadmin of security systems, he became a member of a SOC team and was engaged in threat detection and incident investigation. Currently, Sergey is the head of Kaspersky SOC, responsible for internal SOC activities at the company as well as external managed detection and response and compromise assessment services. Sergey is a certified information systems security professional (CISSP, OSCP) and auditor (CISA).

Dmitriy Uchakin

SOC Analyst and Researcher

Dmitriy is a SOC analyst working in operations and research. He performs real-time investigations of detected threats and analyzes fresh APT threats observed around the globe. Dmitriy is involved in optimizing SOC operations and automating SOC routines through the development of Jupyter notebooks, as well as robots for repeatable actions. He has contributed to Kaspersky SOC’s Threat Hunting activities, such as creating TH hypotheses, hunting for malicious indicators and converting successful cases into new threat detection rules.

Overview & objectives

  • Explain why threat hunting exists and how it fits alongside detection, incident response, and threat intelligence
  • Build, test, and document hypothesis-driven hunts using MITRE ATT&CK as a behavioral reasoning framework
  • Assess telemetry availability and visibility gaps before starting a hunt
  • Translate operational threat intelligence into testable hunting hypotheses
  • Hunt for identity abuse in Windows environments: credential extraction, Kerberoasting, and token impersonation
  • Hunt for persistence and execution anomalies on Linux hosts using auditd, osquery, and filesystem inspection
  • Hunt for C2 channels, lateral movement, and data exfiltration in network traffic
  • Determine when hunting findings are ready for detection engineering handoff

Syllabus

Who is it for?

SOC analysts and specialists

For cybersecurity specialists involved in security operations and threat hunting.

Enterprises

For teams and enterprises focusing on threat hunting.

How you'll learn

Guided video lectures

Learn from 60+ videos by top-notch Kaspersky SOC experts sharing their practical experience and hacks.

Hands-on virtual lab with various environments

Practice in our fully configured virtual lab and experience various environments to hunt a wide range of threats.

Iterative learning

The course is structured around progressive learning with a consistent module framework based on specialist overviews of each task, practical work in the virtual lab and detailed solution walk-throughs.

Benefits

Access

6 months to complete your course from activation of your access code

Language

Delivered in English with subtitles

Pace

Self-guided learning that fits around your life (It will take you approximately 18 hours to watch the videos)

Browser-based access to virtual lab

100 hours of virtual lab time for hands-on learning

Downloads

PDF downloads of training materials & tips

Learning environment

Browser-based via desktop, mobile & tablet (excludes virtual lab which requires an RDP client)

Course author

Members of Kaspersky Security Operations Center

Guided videos

70+ videos to guide you through the course

Certificate of completion

PDF document on a Kaspersky letterhead certifying the completion of the course, signed by the course leader(s)
