Online training sessions:

Intelligence-driven Threat Hunting for improving SOC maturity level
with STIX, SOAR, MITRE ATT&CK, SANS 6-step IR, The Diamond Model of Intrusion Analysis, Cyber Threat Intelligence, MaGMa Use Case Framework and more


In order to increase their maturity level, SOC organizations frequently introduce intelligence-driven Threat Hunting. Benefits of intel-driven Threat Hunting are:

  • True analysis methodology based on hypothesis formulation and testing
  • Driven by the consumption of Open Source Intelligence (OSINT) and/or commercial Cyber Threat Intelligence
  • In contrast to deep-dive forensic analysis which doesn’t scale across thousands or tens of thousands of endpoints, Threat Hunting is forensic analysis methodology at scale

A common human error when starting an analysis engagement is to begin with improperly evaluated hypotheses. Since a hypothesis represents the very starting point of an analysis, if not formulated with proper care, eventually leads the analysis to a dead end.

These online and free series of 9 training sessions are aimed to help SOC organizations understand the limitation of current SOC analysis methodology and how intel-driven Threat Hunting can complement it to improve their maturity level enormously.

Note: These training sessions build on each other. Although we always start a new session by summarizing the previous session, it might not make sense to join at some later point in time if you haven't been there from the beginning.

Class agenda
  1. Review current SOC working model
    • Limitations
    • Complementing by intel-driven Threat Hunting based on the specification of the MaGMa use case framework
  2. Consumption of Threat Intelligence/feeds (OSINT / commercial)
    • ThaiCERT Threat Actor encyclopedia
    • MISP
    • AlienVault's Open Threat Exchange (OTX)
    • MITRE ATT&CK framework
    • Cyber Threat Intelligence IOC feeds
  3. Determine relevant adversaries, their capabilities and infrastructure
    • Study relevant Threat Reports
    • Adversary emulation plan
    • Attack Graph representation with STIX
  4. The Diamond Model of Intrusion Analysis
    • Diamond relationships (Adversary, Infrastructure, Capabilities, Victim)
    • Hypothesis formulation
    • Analytic pivoting
      • Discover evidence
      • Discover related elements
    • Analysis of Competing Hypothesis (ACH)
      • Generate new hypotheses
      • Create matrix of competing hypotheses
      • Strengthen, weaken or disprove hypotheses based on discovered evidence
      • Continue analysis with sustainable hypotheses
    • Hypothesis testing
    • Activity Threads
  5. How we implemented intel-driven Threat Hunting in a SOAR tool complemented by a SIEM

Target audience

SOC Managers, SOC Analysts, Forensic Analysts and SOC-related Consultants


Free of cost


1.5 hours per session

Planned sessions:

Impressions of previous on-site training classes:

Sign up for Online sessions
I confirm that I have read and agreed to the Privacy Policy
Subscribe to our free newsletter
Agree to be contacted by telephone
Agree to be contacted by email