A deep-dive Linux Offensive Security course with comprehensive Purple Teaming methodology and detection/forensics logics, featuring AI-ready content delivery enhancement and MITRE ATT&CK framework integration. Technical excellence through practical Red vs Blue application. 100% Hands-On delivery focused on real-world scenarios. Your Next Generation Approach for Self-Learning Linux Security from the perspective of the attacker and defender.
*** Lifetime Access to [v2.0+v1.0] materials and updates + PurpleLabs Cyber Range 90 Days is included. ***
Lower price
If you are interested in accessing only the course materials, without getting access to PurpleLabs Cyber Range VPN for 90 days, you can use the special 30% discount link below:
Course Description
Welcome to the Linux Attack, Detection, and Live Forensics v2.0! After almost 4 years of active development and constant research I have done for v1.0, I decided to refresh the overall approach a bit. Due to the considerable dynamics of our Linux cybersecurity space and, above all, the active development of the EDRmetry Matrix project, I decided that the new version of the course would be developed in a more modular way, with better navigation and structure. The natural course of action was, of course, to categorize the content according to the MITRE ATT&CK Framework, exactly as has already been done with the EDRmetry Matrix. Everything came together in the idea of integrating the EDRmetry Matrix as the v2.0 core, serving as a central knowledge base for offensive techniques. With this perspective, I began working on individual detection points and forensic artifacts. Thanks to PurpleLabs, I was able to achieve a complete and easily expandable Linux-oriented Purple Teaming training platform in a playbook format.
Long story short, version v2.0 offers more offensive techniques, improved structure, and modularity. The entire material is based on the EDRmetry Linux Matrix (400+ offensive techniques), which allows for easy searching based on keywords. The content is also cleaner and more methodical, with the option of easier extension and updating.
The detection and forensics layer is modular and stackable now, allowing you to build your own detection paths required in detection engineering and incident handling procedures.
Centralizing activities within a modern TARGET_X based on Alma Linux 9 allowed for greater stability and predictability of system and component behavior.
Course content serves as a dynamic hub for cutting-edge offensive Linux expertise vs. the corresponding telemetry, detections, and forensic artifacts.
One thing remains unchanged: attackers constantly find new ways to attack and infect Linux boxes using more and more sophisticated techniques and tools. As defenders, we need to stay up to date with adversaries, understand their TTPs, and be able to respond quickly. The combination of low-level network and endpoint visibility is crucial to achieving that goal. For DFIR needs, we could go even further with proactive forensics inspections. This course will guide you through different attack-detection-inspection-response use cases and teach critical aspects of how to handle Linux incidents properly.
Create and understand low-level Linux attack paths, improve your Linux detection coverage, see many Open Source DFIR/defensive projects in action, and understand the need for Linux telemetry, especially for critical Linux machines and Kubernetes clusters, where Runtime Security solutions are a must these days. The techniques and attack paths covered in this course include many different implementations of eBPF, XDP, Ftrace, Kprobe, Uprobe, Ptrace, Netfilter, Systemtap, PAM, SSHD, HTTPD/Nginx, LD_PRELOAD-based code samples, one-liners, C2, and corresponding PoCs. Detection and forensics layers include LKRG, bpftool, Velociraptor IR, OSQuery, deep-dive CLI-based /proc/ and /sys/ analysis, memory forensics with the Volatility3 Framework and semi-automated RAM acquisition, Sysmon4Linux, Kunai, Falco, Tracee, Sysdig, Tetragon, Sandfly Security, Zeek IDS, Suricata IDS, Moloch/Arkime FPC, Yara rules, and more. Just check the agenda and see for yourself. Expect a fully packed, practical Linux Purple Teaming program, which you won't find in a similar format anywhere else.
"Knowing is not enough, we must apply. Willing is not enough, we must do" - Bruce Lee
Linux Offensive Security & Purple Team Operations
Always updated, Central Hands-On Linux Knowledge Base for Red Team
Content mapped to Linux Matrix TTPs with the ability to dynamically build complete attack paths
AI-ready / HexStrike-supported Linux Offensive Content => JSON to import + LLM/GPT prompts
Full scope of corresponding detection logics and DFIR/forensic artifacts included
100% Purple Teaming structure and only hands-on delivery style
No fluffy stories behind, just a pure minimalist technical structure
Easy content integration with your own Cyber Range / HomeLABS / TST infra
Useful for testing the effectiveness of EDR/Runtime Security Engines and SIEM integrations
Complete material for validating incident management plans and IR exercises
90 days of VPN PurpleLabs Cyber Range Access included
500+ satisfied v1.0 program participants from around the world
Comprehensive Hands-On Attack TTPs Catalog
EDRmetry Matrix is your Comprehensive Hands-On Linux Attack TTPs Catalog, a powerful playbook crafted to empower security professionals to evaluate Linux EDR/Runtime Security. Aligned with the MITRE ATT&CK™ Framework, it offers a cost-effective, customizable approach to simulating real-world Linux attacks, including 400+ dedicated offensive techniques in a copy-paste-run format, ready for chaining. Fueled by continuous research into emerging threats, EDRmetry Matrix serves as a dynamic hub for cutting-edge offensive Linux expertise. Know your enemy through hands-on experience. For v2.0, the EDRmetry Matrix forms the basis of the offered course. Every technique includes dedicated instructions to be executed on TARGET_X with associated detection and forensic artifacts. EDRmetry Matrix is included in PurpleLabs Cyber Range by default.
PurpleLABS is a dedicated Cyber Range infrastructure for running detection and analysis of attackers' behaviors in terms of used techniques, tactics, procedures, and offensive tools. The environment has been created to constantly improve competencies in the field of Linux/Network threat hunting and learning about current trends of offensive actions vs direct detection and live forensics.
This 90-day PurpleLabs VPN access package is included as an integrated part for hands-on exercises with the Linux Attack, Detection, and Live Forensics v2.0 course. After the purchase, you can start your VPN access at a convenient time.
Deep network and host visibility in a hunting-friendly environment allows you to easily get on the right track to find even the most sophisticated symptoms of chained tactics, techniques, and procedures of modern attackers.
Generate real symptoms of different attack phases, including C2 channels, persistence, defense evasion, data exfiltration, tunneling, and pivoting between critical network segments, and run host/network detections.
100% Real-Life, Lab-oriented scenarios focusing on the latest attacks and mitigation techniques using Open Source software. Acquire the required competence sets in a short period of time. Hands-on is what matters.
PurpleLabs Cyber Range Components
The environment is alive and does not contain static data. It includes the following components by default, allowing you to install and connect agents within your TARGET_X manually:
Splunk
Elastic
Wazuh
Sandfly Security
Velociraptor
FleetDM OSquery
Zeek NIDS
Suricata NIDS
Arkime FPC
Linux IR Scripts
UAC / Ghostscan
Attack Flow Builder
EDRmetry Matrix
PurpleLabs and the provided offensive instructions also support the ability to deploy and play with your own EDR / tools in the unique attack-detection-inspection-response format.
Assigned VMs
Each student gains access to a dedicated set of virtual machines reachable via VPN.
PRIVATE
Alma 9
The main Linux VM under which attack emulations are carried out. Provides vulnerable services and security misconfigurations. This is the VM where you install your EDR/Runtime/SIEM agent.
PRIVATE
Kali Linux
An internal machine dedicated to hosting payloads, handling local reverse shell connections, installing C2 frameworks, pivoting, doing memory forensics, and many more.
PRIVATE
Kali Linux
An external machine dedicated to hosting payloads, handling egress reverse shell connections, installing C2 frameworks, pivoting and exfiltrating data over the public Internet.
SHARED
CentOS 7
An older virtual machine dedicated to Purple Teaming exercises.
SHARED
CentOS 8
An older virtual machine dedicated to Purple Teaming exercises.
SHARED
Ubuntu 21.04
An older virtual machine dedicated to Purple Teaming exercises.
Offensive Operations / Detection Engineering / Threat Ecosystem
Understand the advantages and values of the purple teaming approach in the Linux red/blue ecosystem
Learn about the full scope of Linux offensive techniques, tools, and the newest community research
See the effectiveness of the Detection/DFIR tooling vs attack emulations
Learn how to hide effectively in the Linux OS and how to exfiltrate data in stealthy ways
Learn how to deploy and use C2, low-level rootkits, and see this reflected in the detection/DFIR tooling
Get code and command snippets ready to use during your red team and adversary operations/emulations
Improve your Linux defense evasion and persistence skills
Understand the features of modern Linux EDR/Runtime Security Engines
Recognize security-related enhancements in the modern Linux kernel
Understand current kernel components and programming interfaces used to compromise a system
Get experience with Linux internals for a better understanding of attacks and the needed telemetry
This knowledge will change the way you look at hardening and monitoring your Linux ecosystems
The proposed method and offensive content have been consistently evaluated as highly valuable during professional services and training sessions at prestigious cybersecurity conferences, such as Black Hat USA/Singapore, x33fcon, OrangeCON, and also during private training for the biggest companies all over the world.
Stay prepared
The general skill level of the course is intermediate
Comfortable using the Linux console is required
Fundamental knowledge of TCP/IP network protocols is needed
Linux Penetration testing experience is beneficial, but not required
Basic programming skills and the ability to read code are a plus, but not essential.
The material serves as a hands-on guide. Detections and corresponding offensive tests are provided in a step-by-step format. Additional research is needed if you want to learn more. AI is your contextual friend.
What will you learn?
Master Linux Attack Paths and Defenses:
Get to know the newest Linux attack paths, hiding techniques, and offensive tools for Discovery, C2, Lateral Movement, Persistence, Evasion, Exfiltration, Execution, and Credential Access, aligned with the Linux MITRE ATT&CK Framework.
Enhance Detection and Correlation Skills:
Learn ways to improve detection, sharpen event correlation across Linux/network data sources, and identify malicious activities to filter out network noise for better incident response.
Explore Detection and DFIR Tools:
Understand visibility/detection methods of tools like Splunk, Elastic Security, Velociraptor, Falco, Jibril, Tracee, Tetragon, Kunai, Moloch/Arkime, Zeek, Suricata, OSquery, Wazuh, and Sandfly Security, including how open-source software supports SOC infrastructure.
Proactive Forensics and Simulation:
Gain insights into proactive Linux forensics scans, manual/automated attacker simulations to generate anomalies, and identification of blind spots in your network security posture.
Purple Teaming Approach:
Understand the value of purple teaming, where red and blue teams collaborate to hunt for threats, augment SOC efficiencies, and extend Breach and Attack Simulation Systems (BAS enrichment).
Offensive Techniques and Evasion:
Learn full-scope Linux offensive techniques, tools, community research, stealthy hiding/exfiltration methods, C2 deployment, low-level rootkits, and defense evasion/persistence skills.
Linux Internals and Kernel Security:
Recognize security enhancements in modern Linux kernels, understand kernel components/programming interfaces for system compromise, and gain experience with internals for better attack logic and telemetry understanding.
Check out the full course program and explore some open sections to understand the style and value of the materials.
Complete all lab scenarios, learn Linux attack, detection, and forensics at scale, create your own Linux attack paths while looking for DFIR artifacts, and get your "Linux Attack, Detection and Forensics v2.0" Certificate of Completion.
Why should you take this course?
This course in the playbook format takes on an “attack vs detection” approach in a condensed and structured format. It will allow a gradual escalation of the level of knowledge in the scope of Linux internals and red/blue/purple teaming to both experienced specialists and beginners while maintaining the attractiveness and pleasure of performing tasks. This course is intended for:
CSIRT / Incident Response Specialists
Red and Blue team members
Cloud Security Engineers / Kubernetes Operators
SecDevOps / Linux Administrators
Penetration testers
Threat Hunters
Security / Data Analysts
IT Security Professionals, Experts & Consultants
SOC Analysts and SIEM Engineers
AI / Machine Learning Developers
Open Source Security Enthusiasts
Next phases of course development
As mentioned, the content of this course is based on the EDRmetry Matrix. As of November 12, 2025, the Matrix contains over 400 dedicated offensive techniques, and their number is still growing. "EDRmetries" are ready for use both within PurpleLabs and for your own project/homelab needs, as my goal was to achieve maximum flexibility and custom usability.
Detection and forensic areas will be added on an ongoing basis in monthly cycles. That's why, at the moment, you see fewer sections in the course agenda vs. the number of available offensive tests in the EDRmetry Matrix. If you want to follow the changes, please visit here:
Every two months, with new instructions being added, the official course price will increase to finally reach EUR 849 net.
EUR 549 net: Official Release
EUR 599 net: + 15 lab instructions or more
EUR 649 net: + 15 lab instructions or more
Check out the course - Experts say it's worth it
500+ satisfied program participants from around the world. Check out the FULL list of recommendations we've received so far for v1.0: https://edu.defensive-security.com/about
Senior Incident Response Specialist @ Kaspersky
"The course explores Linux security from incidents, exploits, and vulnerabilities all the way to large-scale detection and Linux forensics. It took me through attack paths, kernel/user-space rootkits, C2 frameworks, and persistence techniques, all tied to real-world threat scenarios and investigations. This isn’t a “check the box” course for me. It’s a reference I’ll keep coming back to for refining my knowledge.
A big thank you to Leszek Miś for putting together such a comprehensive and practical resource!"
"Great course, excellent added value with ongoing access to course material as well."
"Great training, excellent, thank you!"
"Great research, learned a lot! Respect for all that Leszek achieved."
"I liked the dynamic style of the course very much. Also, the presentation/live demo at the end of the course was really nice. I like the idea behind the whole EDRmetry/PurpleLabs project!"
"Just awesome! Great material, well-prepared training!"
"Such a nice, knowledgeable instructor! I'm so happy that I managed to attend this course, and it will definitely be highly recommended!"
"Beyond this training, it would even be interesting to see a certification. I am excited and would love to see the services and tooling Leszek will release soon. :-)"
"The training was great, I learned a lot of new stuff, and it was very good to refresh my mindset to look more from a practical attacker's point of view instead of just reading up on single techniques. Thanks for a great 3 days. It was inspiring stuff."
"Great training, pace was fine. Even though I'm not super experienced in Linux architecture and couldn't understand everything, it was still useful. Timing for the practical sessions was on point, not too long and not too short. Thanks for this awesome training! Best conference training I've had so far :)"
"Leszek has a lot of knowledge about Linux forensics, threat hunting, and incident response. From an offensive perspective, the most useful parts of the training are getting familiar with the monitoring tools available and learning more about the internals of these tools (including the Linux internals). It gives me new inspiration to dive deeper into some topics, such as eBPF and some interesting syscalls. The lifelong access to the course material is going to be a great resource as well."
Threat Hunter @ WithSecure
"During x33fcon this year, I had a chance to attend training from Leszek Miś - Effective Linux EDR/XDR Evaluation Testing for Red and Blue Team. Actually, one of the best trainings I've ever attended, which already is starting to show its value, during my day-to-day job as a threat hunter. If you have a chance to attend it, and you're battling your thoughts about it, I reassure you, it's 100% worth it, especially for people who have to deal with threat hunting and detection engineering, to take a step back and re-evaluate themselves."
After the purchase, you will get:
Immediate access to the course playbook materials hosted in the Podia portal
Public HTTPS-based access to EDRmetry Linux Matrix for 365 days. HTTPS access will be provided within 1-2 days after purchase.
A dedicated set of VPN credentials to PurpleLabs Cyber Range for 90 days on request, but not earlier than 1-2 days after purchase. You can also start accessing the VPN at a time convenient for you, a week, a month, or six months after purchase. Just let me know which option works best for you.
For every student, we provide a set of six Linux machines (TARGET_X, KALI_X, C2_X, PRD_SHARED, DEV_SHARED, and FUBU_SHARED) that, at the same time, are a part of the shared detection/hunting PurpleLabs playground.
We are using the simplest solution based on Wireguard VPN. All you have to do is install the VPN client and import one configuration file.
Public HTTPS-based access to EDRmetry Linux Matrix for 365 days is provided within 2-4 days after the purchase.
I provide this option because you may want to focus only on the offensive part at first, without instant access to PurpleLabs VPN.
When requested over email, you will get PurpleLabs VPN access credentials within 2-4 days.
Usually, I advise spending 1-2 weeks just on reading the material and going deeply through it before hands-on. Then, when you are ready, you can send me an email with a VPN access request, but the ball is on your side:)
English OFC!
No, and it has never been a priority.
Hands-on lab instructions and the Cyber Range environment have been built in such a way that you can easily repeat the corresponding steps.
Access to the course playbook materials is provided on a lifetime basis, so there are no restrictions. Access to updates and new instructions is included.
Access to PurpleLabs VPN is provided for 90 days.
Access to the Public HTTPS-based EDRmetry Matrix is provided for 365 days.
Yes, on request. Just send me an email, and within 7 days, you should get your cert.
Of course! Please provide me with full details about the company:
Company name
Name/surname
Address/country
VAT ID (if applicable)
Yes, I am always open to new collaborations, all over the world, or just online. Send me a DM.
Yes. Ping me over email. I assume that by default, anyone with access to v1.0 will receive a XX% discount on access to the v2.0 materials. The promotional price does not include access to the lab; only access to the materials is included. You can purchase 90 days of PurpleLabs VPN access separately.
There are three options available. You can ask questions directly over email, send a question within the Podia Chat portal, or join our Defensive Security Discord Channel and ask there.