Defensive-Security Store/Linux Attack, Detection and Live Forensics - MATERIALS ONLY - Lifetime Access

  • €399

Linux Attack, Detection and Live Forensics - Materials Only - Lifetime Access

  • Course
  • 264 Lessons

Learn Linux Attack, Detection, and Live Forensics through hands-on analyses of user-space and kernel-space Linux rootkits, C2 frameworks, and tools. Create low-level Linux attack paths, deepen your knowledge of Linux internals, improve your Linux detection, understand the need for Linux telemetry, and stay prepared for Linux threats.

This package includes MATERIALS ONLY for an unlimited time. You can purchase the PurpleLABS VPN Access package separately.

Cyber Range Playground with Hands-On Labs

Use PurpleLABS as an advanced Cyber Range R&D environment for your own red/blue security research, or as part of the course, where you will work through the hands-on labs we have carefully prepared. 90-day PurpleLabs VPN access can be purchased separately.

Recommendations

You can find the extended recommendation list here: https://edu.defensive-security.com/about

"Great content, very informative, Super training!, Learned new ways to detect attacks and defend on Linux, Good overview of offensive/defensive tools, I mostly like the level of content of this course, Good overview of different attacks and their traces in multiple monitoring systems, Content: Excellent."

"We utilized PurpleLabs to further develop our SOC team skills. We have found that Defensive Security's hands-on content enabled them to better understand Linux internals and threats landscape in a unique hands-on format. Many step-by-step offsec lab modules ready to chain into low-level Linux attack paths, different detection layers, live telemetry streams and forensics tooling allow for a unique and challenging hands-on experience. Highly recommended!"

"I had the pleasure of completing Leszek’s exceptional course on Linux Attack and Live Forensics At Scale. I am especially impressed by the depth of each topic and Leszek's ability to simplify intricate concepts, making it an invaluable learning experience for even seasoned professionals. The hands-on approach, particularly in experimenting with the latest offensive techniques from stealthy rootkits to C2 frameworks and so much more, using relevant open-source tools for detection, significantly enhances the value for any security professional. Leszek's continuous incorporation of new topics further enriches the course's value, complemented by exceptional support. Undoubtedly, it has elevated my skills in purple teaming / learning new offensive and defensive techniques and I highly recommend Leszek’s course to anyone looking to enhance their skills in this area."

Wajih Yassine

Senior Security Engineer @ Google

"Content and labs are interesting, Hands-on, Purple lab focus on the ability to simulate offensive so that we can deal with the defensive. I love all the additional things shared by the instructor. Deploying and using C2, rootkits, etc, and seeing this reflected in the detection tooling."

Hack In The Box Singapore 2022

From official training feedback

"It is funny, out of all courses and labs, PurpleLabs was the best lab in terms of knowledge that I use today."

Stefan Waldvogel

SIEM Engineer @ Graylog

"I've been having fun doing the Defensive Security Linux Attack and Live Forensics course."

About the course

Attackers constantly find new ways to attack and infect Linux boxes using increasingly sophisticated techniques and tools. As defenders, we need to keep up with adversaries, understand their TTPs, and be able to respond quickly. The combination of low-level network and endpoint visibility is crucial to achieving that goal. For DFIR needs we can go even further with proactive forensic inspections. This training will guide you through different attack-detection-inspection-response use cases and teach the critical aspects of handling Linux incidents properly.

This course helps you create and understand low-level Linux attack paths, improve your Linux detection coverage, see many Open Source DFIR/defensive projects in action, and understand the need for Linux telemetry, including in Kubernetes clusters, where Runtime Security solutions are a must these days. The techniques and attack paths covered in this training include many different implementations of eBPF, XDP, Ftrace, Kprobe, Uprobe, Netfilter, Systemtap, PAM, SSHD, HTTPD/Nginx, LD_PRELOAD-based code samples, and PoCs. Detection and forensics layers include LKRG, bpftool, Velociraptor IR, OSQuery, CLI-based /proc/ and /sys/ analysis, memory forensics with the Volatility 2/3 Framework and semi-automated RAM acquisition, Sysmon4Linux, Falco, Tracee, Sysdig, Tetragon, Sandfly Security, Zeek IDS, Suricata IDS, Moloch/Arkime FPC, Yara rules, and more.

The hands-on content has been divided into user-space and kernel-space sub-sections. When you are done, dig deeper and create your own custom attack paths, then improve your detection coverage. Purple teaming for life!

If you want to enhance your understanding of Linux x86/x64 internals and stay prepared for Linux threats, this course is a must-have!

Through the hands-on labs, you will gain a solid understanding of the important DFIR Linux/network internals and investigation steps needed to get the full picture of Linux attack paths, including post-exploitation activities and the artifacts left behind.

Dive into the world of Linux syscall hooking techniques, see hands-on how rootkits work in the well-prepared PurpleLabs Detection Cyber Range, analyze and modify the source code, find interesting behavior patterns in binaries and logs, learn what telemetry is needed to catch modern Linux threat actors, and learn how to proactively validate and improve detection coverage with step-by-step Linux adversary emulations.

Course Mindmap.png
  • 3.84 MB
Linux Detection and Forensics Cheatsheet v0.4.pdf
  • 1.2 MB

00. PurpleFlows Rapid Track

The idea behind the PurpleFlows Rapid Track is to quickly illustrate the lab features, the Linux threat landscape, and possible detection/forensics methods using PurpleLabs components. Not everyone has the time and willingness to go through all the material, so my role here is to provide you with a list of the most important and best-built scenarios. Remember to mark each lab as completed when you are done with it.

PurpleFlow#1

01. PurpleLabs Cyber Range Navigation

This module introduces the PurpleLabs environment: the network setup and assigned virtual machines, available tools, hunting components, datasets, and telemetry. Use this short introductory section to get the most out of the PurpleLabs platform and hands-on materials.

  • Welcome to PurpleLABS!
  • PurpleLabs Detection and Hunting Dashboard
  • PurpleLabs Components - Helicopter View
  • PurpleLabs Components - EDRmetry Matrix
  • EDRmetry Matrix Generic Flow
  • Data sources and SIEM/DFIR components
  • Your Virtual Machines
  • Your Virtual Machines - TARGET_X
  • PurpleLabs Network Architecture (795 KB)
  • PurpleLabs VM Robot Tool
  • Troubleshooting
  • Rules and policies
  • Technical Support Service
  • Open Source Community
  • Changelog
  • Threat Detection and Hunting with PurpleLabs #1
  • Threat Detection and Hunting with PurpleLabs #2

02. Introduction to the course

This chapter introduces the course and the technical scope you can expect from the materials. By analyzing the current Linux threat landscape, you will jump into the area of Linux attack paths/offensive operations vs detection engineering and live forensics inspections. This chapter is just an entry point to the broader, truly hands-on Linux/Network Purple Teaming journey I am going to kidnap you on during this course.

  • About the course
  • Best strategy for taking the course
  • Why Linux as a target?
  • Current Linux threat landscape (2022/2023/2024/2025)
  • Linux Appliances Exploitation Cases
  • Active Defense
  • Purple teaming approach
  • Threat Hunting vs Incident Response
  • Linux MITRE ATT&CK
  • Linux EDR/Security Products
  • Recommended books

03. Blue/DFIR Components: SIEM

In this chapter, you will get familiar with the different SIEM stacks running in PurpleLabs, including Splunk, Hunting ELK (HELK), Graylog, and Wazuh. Through different security analysis tools, you will get access to real, live data sources, including network and host telemetry coming from different nodes in the Cyber Range network.

  • SIEM/Elastic Security
  • SIEM/Splunk
  • SIEM/Wazuh
  • Sigma Rules Hands-on Introduction
  • Protections Artifacts from Elastic
  • SIEM/Graylog [RETIRED]
  • SIEM/HELK introduction [RETIRED]

04. Blue/DFIR Components: HOST

This chapter is fully dedicated to Linux endpoint/server security monitoring and live forensics at scale. A set of low-level visibility tools such as Tracee, Falco, Sysdig, and Sysmon4Linux is used to enhance host visibility. You will work through short use-case scenarios that not only show the tools' value but, first of all, allow you to "see" and better understand the true behavior of attacks and the corresponding TTPs at scale through the visibility/DFIR layers available in PurpleLabs.

  • Host/Syslog
  • Host/Journal
  • Host/Auditd
  • Host/Falco Runtime Security
  • Host/Tracee Syscall Tracing
  • Host/Kunai Runtime Security
  • Host/Kunai Hunting Queries
  • Host/Sysdig Syscall tracing
  • Host/Tetragon Runtime Security
  • Host/Jibril Runtime Security
  • Host/Sysmon4Linux
  • Host/Velociraptor
  • Host/FleetDM OSquery
  • Host/Sandfly Security
  • Host/Wazuh
  • Host/Sunlight
  • Host/Sunlight IR_Executor
  • Host/ghostscan
  • Host/CatScale
  • Host/UAC
  • Host/varc
  • Host/rkhunter & chkrootkit
  • Host/Yara Scanning
  • Host/Capa
  • Host/LKRG
  • Host/SELinux
  • Host/Clamav
  • Host/Entropyscan vs ELFCrypt
  • Host/BPFMon
  • Host/bpftrace
  • Host/Argus Runtime Security [RETIRED]

05. Blue/DFIR Components: NETWORK

In this chapter, you will learn about the different network data sources available in PurpleLabs: from Netflow, through signature-less Zeek IDS and signature-based Suricata IDS, to Full Packet Capture based on Moloch/Arkime. It is a true experience based on a real network with rich network visibility. Connect to your PurpleLabs VMs and generate your first network activities. Generating simple network behavior from your hosts (HASSH, JA3, DNS, NTP, ICMP, SMB, etc.) is a good way to learn more about network protocols and the specific behavior of Linux boxes in the context of running applications during an attack.

  • Network/Zeek
  • Network/Zeek JA4
  • Network/Suricata
  • Network/Arkime Full Packet Capture
  • Network/Forward Proxy Squid SSL Decryption
  • Network/WAF Modsecurity
  • Network/RITA
  • Network/Elastiflow [RETIRED]

06. Establishing baseline vs Attack Vectors

Baseline profiling is the key to a better and faster incident handling process. By analyzing different Linux components, core system services, filesystem paths, and other subsystem configurations, you will better understand exactly where attackers can leave backdoors as a persistence method. In this chapter, you will learn about various OS locations and persistence methods, including one-liners and obfuscation, vs Live Forensics at scale using OSquery, Sandfly, Velociraptor, and more.

  • Basic Linux Investigation tools
  • Process names
  • Process arguments
  • Parent-child process relationship
  • /proc exploration
  • /sys exploration
  • sysctl
  • Linker / LD_PRELOAD
  • Linux Kernel Modules
  • LKM Off
  • Dmesg
  • eBPF programs
  • DNS Settings
  • Network profiling
  • Open Ports
  • iptables
  • At / cron / systemd timers
  • Users
  • Shell Configuration
  • Initialization scripts / systemd
  • Special File Attributes
  • DNF / yum
  • File Hashing / checksums
  • OS / application logging behavior
  • SSH keys
  • Linux namespaces
  • Linux Capabilities

07. Linux Memory Forensics

This section is about dynamic memory acquisition and live memory forensics of Linux boxes. Improve your memory forensics skills by using the Volatility Framework 2/3 against a large set of Linux attack use cases. The idea is simple: you perform an offensive operation, then download the RAM image and use the Volatility Framework to find artifacts. The entire process has been automated, which lets you focus on the analysis itself. Memory forensics is also a useful approach for baselining the low-level state of your OS and apps!

  • Linux Report Sections
  • Introduction to Volatility Framework 3
  • Providing Volatility 3 ISF JSON Profiles
  • Providing Volatility 2 Profiles
  • Memory Acquisition
  • Memory Forensics with Volatility 3
  • Volatility 3 External Fileless plugin
  • Volatility 3 External eBPF plugins
  • Memory Forensics with Volatility 2
  • Building Volatility 3 ISF JSON Profiles [RETIRED]
  • Building Volatility 2 Linux Profiles [RETIRED]

08. Linux Shells / C2 Implants

This chapter is all about working with the different C2 frameworks you could use as an attacker against your Linux targets. You will focus on different types of payloads and listeners, and on various execution methods, including sideloading, process injection/hiding, and C2 armoring, to execute malicious code in a stealthier manner. The detection part comes next, as you will use PurpleLabs host and network visibility to learn more about different C2 behaviors, their TTPs, implant process structures, and configurations.

  • Python TLS/SSL Reverse Shell
  • Sliver C2 Setup
  • Sliver Transports and Pivoting
  • Sliver in details
  • Meterpreter Setup
  • Sliver to Meterpreter Sideload
  • Meterpreter shell_to_meterpreter
  • Merlin Setup
  • Merlin Transports
  • Merlin libprocesshider
  • TLS/sniCAT
  • DNS/AXFR Payload Delivery
  • DNS/dnscat2
  • ICMP-based C2 and Exfiltration
  • Port knocking
  • Hidden NTP Exfiltration
  • FreeIPA LDAP as Hidden Storage
  • DNS/Weasel AAAA [RETIRED]

09. Tunnels / pivots / redirectors

A section about different kinds of network tunneling and pivoting techniques. Thanks to PurpleLabs you can easily jump through different subnets and hosts using the protocols of your choice, then analyze your network flows and prepare IoCs in IRIS.

SSH Socks Proxy
SSH Tunneling
Reverse SSH
Shootback Protocol Tunneling
SSHimpanzee
FRP Fast Reverse Proxy
Global Socket
socat
Chisel
ngrok

10. Incident Response

Live forensics is an important part of Incident Response. During the course, use IRIS, an Incident Response Investigation System that helps incident responders share technical details. Create and simulate your own Attack Paths and use IRIS for custom hands-on investigation needs. In this section you will also be introduced to the extensive IR playbooks.

DFIR basics
DFIR Preparation
Linux IR Investigation
IR Playbooks
IRIS Introduction

11. Default Targets Exploitation & Detection

A section dedicated to local and remote exploitation. Sample targets allow you to better understand the attack methods and the corresponding offensive tools and frameworks. Detailed analysis of individual cases gives you a better understanding of the detection engineering process and shows the real value of the "show me the change" approach, in which comparing the behavior of infected systems against golden images is crucial.

Reverse Shell / Backdoor payloads
File transfers
Apache Tomcat
Apache HTTP CVE-2021-41773
NFS no_root_squash
Dirty Pipe CVE-2022-0847
pkexec CVE-2021-4034
CVE-2022-2588
GameOver(lay) CVE-2023-2640/CVE-2023-32629
Spring Cloud Function CVE-2022-22963
Solr Log4j CVE-2021-44228
Kafka CVE-2023-25194
ActiveMQ CVE-2023-46604
XZ / liblzma backdoor CVE-2024-3094
Samba / CIFS + SSH Honey Key
Weblogic SSRF
Wordpress RCE
SSH Brute force
Docker escape
Exiftool CVE-2021-22204
Remote Heap Exploitation
Attack Emulation: Atomic Operator
Attack Emulation: Panix

12. Linux Rootkits for Red and Blue Teams

This is the main and the largest part of the course, where you will play with a set of real Linux offensive use cases vs detection/forensics. The hands-on content has been divided into user-space and kernel-space subsections. When you are done, dig deeper and create your own custom attack paths, then build your detection against them. Purple teaming for life!

[US] = user space
[KS] = kernel space

Evaluation of Linux Rootkits and Detection INTRO SLIDES - Practical Linux Rootkits for Red and Blue .pdf
• 441 KB
eBPF SLIDES - Practical Linux Rootkits for Red and Blue .pdf
• 491 KB
Linux System calls
General Linux rootkits behavior
[US] Rootkits: Shared Library Injection
[US] Rootkits: Hide SSH key with ld.so.preload
[US] Rootkits: Oh my Father!
[US] Rootkits: Sneaky Bedevil
[US] Rootkits: Socket Command Injection
[US] ELF injection with ptrace()
[US] ELF injection without ptrace()
[US] Proxy execution with DDexec
[US] In-memory execution with memrun
[US] memfd_vs_no_exec
[US] memexec + XOR Loader
[US] Fileless Scripting Execution
[US] Rootkits: Dynamic Linker Preloading
[US] Rootkits: Zombie Ant Farm Pypreloader
[US] MSF Shellcode from bash
[US] Rootkits: sshd injection
[US] Rootkits: sshd dummy cipher suite
[US] PAM-based Rootkits #1
[US] PAM-based Rootkits #2
[US] PAM-based Rootkits #3
[US] Python .pth Extension
[US] Yum/RPM Persistence
[US] Udev persistence
[US] Rootkits: Apache mod_authg
[US] Rootkits: HTTPD mod_backdoor
[US] Webshells: SOCKS from JSP
[US] Webshells: meterphp
[US] Linux Process Snooping
[US] Capturing SSH with strace
[US] Hiding process with bind mounts
[US] Beacon Object File (BOF) Stager
[KS] Rootkits: Usermode Helper on ICMP
[KS] Rootkits: In-Memory LKM Loading
[KS] Rootkits: Diamorphine
[KS] Rootkits: Reptile Analysis
[KS] Rootkits: Suterusu Analysis
[KS] Rootkits: Reveng_rtkit Analysis
[KS] Rootkits: Registering Char Device
[KS] Rootkits: iptables evil bit
[KS] Rootkits: systemtap creds() upgrade
[KS] Rootkits: Netfilter hooking #1
[KS] Rootkits: xt_conntrack.ko Infection
[KS] Rootkits: Ftrace Hooking #1
[KS] Rootkits: Ftrace Hooking #2
[KS] Rootkits: BDS Ftrace Hooking #3
[KS] Rootkits: Bad-bpf trip
[KS] Rootkits: Offensive bpftrace
[KS] Rootkits: eBPF hooking / TripleCross
[KS] Sniffer: eBPF SSL/TLS text capturing
[KS] Rootkits: eBPF Raw Tracepoint Interception
[KS] Sniffer: eBPF PAM creds stealing
[KS] Rootkits: eBPF KoviD Analysis
[KS] Rootkits: eBPF Boopkit Analysis
[KS] Rootkits: eBPF Hiding with nysm
[KS] Rootkits: eBPF bpfdoor
[KS] Rootkits: ebpfkit Analysis
[KS/US] Backdooring Initramfs
[ELF] Kiteshield Anti Forensics
[KS] Randomized Faulter [RETIRED]
[KS] Rootkits: XDP-UDP-Backdoor [RETIRED]

Linux EDR Architecture

Introduction
What is Linux EDR engine?
How does Linux EDR work?
Core functionalities and key features
Visibility Events / Indexes / Data sources
Syscalls, Kernel Functions and Tracing Visibility
Detection logic / rulesets
Engine Modes
Response, Triage and Forensics
Deployment and Operations
Alerts / Incidents / Detections
Query Language
Linux EDR Telemetry Project

13. Active Security Research

Active Research
Rootkits: Syscall hooking
Linux Incident Response
In-memory Execution
Evasion / Bypassing techniques
OS Security Stacks
Exploitation
Memory Forensics
Linux Internals
LSM/Sandboxes
eBPF
Anti-Forensics
Tunneling/Proxying
Malware
Fun
Kubernetes/Cloud

Certificate of Completion

Complete all lab scenarios, learn Linux attack, detection, and forensics at scale, create your own Linux attack paths while looking for DFIR artifacts, and get your PurpleLabs Certificate of Completion.

Benefits for Blue Teams/DFIR

• Understand the advantages and value of the purple teaming approach in the Linux ecosystem
• Learn about the full scope of Linux detection/forensics techniques, tools, and the newest community research
• Understand the structure of advanced Linux attack paths, how they really work, and how to protect against them
• Learn about the different offensive tools you will face and how to turn that knowledge against attackers
• See the effectiveness of detection tooling against emulated attacks
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Get experience with Sigma Rules for a better understanding of the logic behind attacks and needed telemetry

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Benefits for Red Teams

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Understand the advantages and values of the purple teaming approach in the Linux red/blue ecosystem
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Learn about the full scope of Linux offensive techniques, tools, and newest community research
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Learn about different detection/response tools and techniques vs attacks
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Learn how to hide effectively in the Linux OS and how to exfiltrate data in stealthy ways
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Learn how to deploy and use C2, low-level rootkits and see this reflected in the detection/DFIR tooling
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Get code and command snippets ready to use during your red team and adversary operations/emulations
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Get experience with Sigma Rules/Protections Artifacts for staying stealthier and improving your defense evasion skills

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Benefits for DevOps/SecOps/Admins

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • This knowledge will change the way you look at hardening and monitoring your Linux ecosystems
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Recognize security-related enhancements in the modern Linux kernel
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Understand kernel components and programming interfaces used to compromise a system
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Discover recommended Open Source Security solutions against actual hands-on attacks
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Learn about the full scope of Linux Detection/DFIR techniques, tools, and the newest community research
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Understand the advantages and values of the purple teaming approach in the Linux red/blue scope
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Gain experience in managing many different detection and visibility layers

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        KEY LEARNING OBJECTIVES

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Get to know the newest Linux attack paths and hiding techniques vs proactive detection

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Learn current trends, techniques, and offensive tools for Discovery, C2, Lateral Movement, Persistence, Evasion, Exfiltration, Execution, Credential Access against Linux machines ← Linux Matrix ATT&Ck Framework

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Learn ways to improve detection and sharpen your event correlation skills across many different Linux/network data sources

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Get to know visibility/detection methods and capabilities of well-recognized Hunting and Detection tools, including Elastic Security, Velociraptor, Falco, Tracee, Tetragon, Kunai, Splunk, Moloch/Arkime, Zeek, Suricata, OSquery, Wazuh, Graylog, Sandfly

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Find the malicious Linux activities and identify threat details on the network

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Prepare your SOC team for fast filtering out Linux network noise and allow for better incident response handling

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Find out how Detection / DFIR Open Source Software can support your SOC infrastructure

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Understand the values of proactive Linux forensics scans vs manual and automated approaches to simulate attackers and generate anomalies

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Identify Linux blind spots in your network security posture

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Understand the value of the purple teaming approach, where you hunt for yourself and teammates

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Who Should Attend

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Cloud Security Engineers / Kubernetes Operators
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • SecDevOps / Linux Administrators
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • CSIRT / Incident Response Specialists
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Red and Blue team members
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Penetration testers
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Threat Hunters
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Security / Data Analytics
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • IT Security Professionals, Experts & Consultants
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • SOC Analysts and SIEM Engineers
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • AI / Machine Learning Developers
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Open Source Security Enthusiasts

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Prerequisite Knowledge

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • General skill level of the course: intermediate
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • An intermediate level of command-line syntax experience using Linux.
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Fundament knowledge of TCP/IP network protocols.
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Penetration testing experience performing enumeration, exploiting, and lateral movement is beneficial, but not required.
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Basic programming skills are a plus, but not essential.
• Recommended reading material:
  • Adversarial Tradecraft in Cybersecurity
  • Privilege Escalation Techniques
  • Linux System Programming
  • Practical Threat Intelligence and Data-Driven Threat Hunting
  • Transmetropolitan ;-)

WHY SHOULD YOU TAKE THIS COURSE?


This course takes an "attack vs detection" approach in a condensed format. Both experienced specialists and beginners can gradually deepen their knowledge of Linux internals and red/blue/purple teaming, while the tasks themselves stay engaging and enjoyable to perform.

This class is intended for students who have a basic understanding of Linux and have to deal with advanced threats. It is also of interest to experienced DFIR/SOC/CERT practitioners who want to dig deeper into Linux internals and the corresponding network attack analysis, detection and response techniques.

• 100% real-life, lab-oriented scenarios focusing on the latest attacks and mitigation techniques using Open Source software. Acquire the required competence set in a short period of time.

• Minimum theory, maximum hands-on labs. High-tech Open Source Security workshops with the unique "detection vs attack" formula. Feel the power of the Purple Team.

• Delivered by highly experienced professionals. Recommended by big players for expanding your Open Source Security skills and knowledge.

• Extremely deep-dive training on Linux attack and detection, with Open Source SOC/DFIR components in action. Based on almost 20 years of unique experience.

• A hands-on Linux attack framework: step-by-step offensive modules that chain into complete attack paths.

• Direct use of the acquired knowledge in real production environments.

Your instructor Leszek Miś

Leszek Miś is the Founder of Defensive Security, Principal Trainer, and Security Researcher with almost 20 years of experience in the Cyber Security and Open Source Security Solutions market. He went through the full path of infosec career positions: from Linux Administrator, System Developer and DevOps Engineer, through penetration tester and security consultant delivering hardening services, penetration testing, and training for the biggest players in the European and global market, to finally become an IT Security Architect / SOC Security Analyst with a deep, vendor-neutral focus on network security attack and detection. He has deep knowledge of finding blind spots and security gaps in corporate environments, and understands both the technology and the business value of delivering a structured, automated adversary simulation platform.

Recognized speaker and trainer: BruCON 2017/2018, Black Hat USA 2019, OWASP AppSec US 2018, FloCon USA 2018, Hack In The Box Dubai / Amsterdam / Singapore / Abu Dhabi 2018/2019/2020, 44CON UK 2019, Confidence PL, PLNOG, Open Source Day PL, Secure PL, Advanced Threat Summit PL, Semafor PL, ISSA Polska.

Testimonials

• "It's been a while since I was so excited (like during #LockedShield2018). Together with a group of secfreaks we had an opportunity to bring into play intensive scenarios and step into adversaries' shoes. I don't remember when I exfiltra… took away so much knowledge. Actually, it is better to simply turn off computers. But try harder."

• "The content of in and out was great. Lots of gained knowledge and hands-on!

I wanted my team to experience something new, different ... I wanted SOC analysts to learn practical ways to bypass security and exfiltrate data, to learn to detect them, and to learn the techniques of attackers who could already break the security and work inside. And then Leszek appeared. We did not need a single coffee for three days! Leszek shared great knowledge with us in a very accessible way. Materials, pictures, scenarios - everything prepared and working. Thank you Leszek Miś! Highly recommend!!!

One of the best security exfiltration trainings so far! Lots of fun & learning! If you want to learn how hackers think and what kind of tooling they use - this is it!"

• "If you need to get deep and broad knowledge in the scope of Defensive Security using Open Source software then don't hesitate and just grab it - definitely worth attending and meeting Leszek in person and benefiting from his experience."

• "Leszek Miś is very knowledgeable in the topics covered in the course. He also shares real-life scenarios which were useful for participants to better understand the application of the material presented. The content was very good; it covers many leading open-source projects which I find useful. I would recommend this course to my colleagues."

Frequently asked questions

Just a bunch of questions and answers. Hope you will find them helpful. If not, send me a DM.

CAN I GET A CERTIFICATE OF COMPLETION?

Yes, on request. Just send me an email at lm+certificate@defensive-security.com and within 7 days you should get your cert.

IS PURPLELABS VPN ACCESS PROVIDED?

• This package doesn't include VPN Access. You can purchase it separately.


CAN I GET AN INVOICE?

Of course. After the purchase please send me an email with the details for issuing the invoice:

• Company name

• Name/surname

• Address/country

• VAT ID (if applicable)

The payment document/invoice from Podia/Stripe/PayPal is not a valid accounting document.

We issue the correct document upon request.

CAN YOU DELIVER A DEDICATED TRAINING ONSITE FOR MY COMPANY?

Yes, I am always open to new collaborations, all over the world, or just online. Just send me a DM.

WHAT LANGUAGE ARE THE MATERIALS IN?

All materials and lab instructions are in English. For live/online sessions you can choose between Polish and English.

WHAT DOES THE COURSE INCLUDE?

• After the payment, you will get instant, lifetime access to the online course materials in a fully guided step-by-step format. Updates included!

IS VIDEO CONTENT INCLUDED IN THE COURSE?

• No. Video was not a priority; the course focuses on hands-on lab experience.

• The hands-on lab instructions and the PurpleLabs Cyber Range environment have been designed so that you can easily follow all instructions yourself.


WHEN WILL I GET ACCESS TO PURPLELABS?

• You have to purchase dedicated VPN access separately. We provide VPN access for 30 and 90 days.

IS IT POSSIBLE TO BUY THE COURSE AND PURCHASE THE VPN LAB ACCESS LATER?

Definitely YES! I understand we are all busy, and I am flexible here - if someone wants to purchase the hands-on VPN Access one week, one month, or even 3 or 6 months after the course purchase, that's fine :) Just ping me when you are ready to start with the PurpleLabs VPN.