4 day10:00 – 16:00

Threat Hunter

Learn how to proactively hunt for hidden, undetectable threats within the organization and increase the overall level of security in your company.


Threat hunting is fast becoming the biggest asset for any information security team. To reduce dwell time, threat hunters apply the scientific method, developing hypotheses about attacker behavior and testing them. Hunters do not rely on previously uncovered indicators of compromise (IoCs) but rather develop hypotheses based on their extensive knowledge of attackers’ tactics, techniques, and procedures (TTPs) as well as personal experience in handling incidents. This proactive approach helps security teams catch cybercriminals off guard and take them down.

Threat hunting adds to the offensive capabilities of information security teams, which are gradually becoming commonplace worldwide.

Group-IB’s Threat Hunter course explores what makes a good threat hunter and the techniques they use to put forward successful hypotheses.

Course description:

The Threat Hunter course is divided into four days, during which you’ll learn how to put forward successful hypotheses, get the most out of the MITRE ATT&CKⓇ matrix, leverage digital forensics and malware analysis capabilities within the threat hunting process, and perform threat hunting on an enterprise scale.

The course is designed for newcomers to the field, but experienced professionals are likely to benefit from the structure it provides to existing skills and knowledge. You may also be surprised at how much you’ll learn.

Day 1

Threat hunting is one of the biggest trends in cybersecurity. But what is it, really? What does the job entail and how do threat hunters fit into the information security ecosystem? These are some of the questions that will be answered at the start of Day 1.

Next, we will look into the general techniques and models used by threat hunters today, and how to apply the scientific method (i.e. hypothesis testing) to the threat hunting process. And, of course, you’ll learn how to get the most out of the MITRE ATT&CKⓇ matrix. Understanding how to read and interpret the open-source database will help you create more accurate hypotheses and catch threat actors more often.

Day 2

Malware analysis can be the key to unlocking a threat actor’s movements. On Day 2, you’ll learn what sandboxes are and how to use them for dynamic analysis. You’ll also get a firsthand look at how to detonate malware in a controlled environment and have the opportunity to practice the technique.

The day will end with a discussion about tools used for analyzing malicious documents and scripts. You’ll also be shown services and tools that will enrich your malware analysis process with additional information that will take you one step closer to finding the threat actor.

Day 3

Digital forensics is the cornerstone of cybersecurity. Without a basic understanding of the best practices in the field, threat hunters cannot perform their tasks properly. Day 3 will start with a discussion about the digital forensics methods that are most useful for threat hunting. You’ll then learn how to identify useful events from Windows event logs and how to directly interact with remote hosts.

The lesson will then move to an overview of LOLBAS and Sysmon, and how to use the latter for logging during the threat hunting process. You’ll get a chance to practice analyzing event sequences with Sysmon.

Day 4

Up until this point, you’ll have learned how to perform threat hunting on a single host. Real-world threat hunting, however, will require you to analyze dozens of hosts at the same time. As such, the last day of the Threat Hunter course will be spent on giving you a realistic view of the threat hunting process. You’ll receive tools for log collection and analysis on an enterprise-scale and have extensive practice with hypothesis generation and testing based on MITRE ATT&CKⓇ data.

To successfully pass the course you will need:
  • Understanding of networks and network technologies
  • Experience and skills in administrative infrastructure
  • Knowledge of how file systems are structured
  • Understanding of how cyberattacks are carried out
  • Basic knowledge of how malware operates

After this course, you’ll be able to:

  • Detect anomalies in network infrastructure
  • Understand the TTPs most often used by threat actors
  • Understand the basics of digital forensics and malware analysis
  • Test hypotheses and obtain new IoCs for hidden threats
Who can benefit from this course?
Technical specialists with experience in IS
IS experts
Threat Hunters

What you’ll receive

Lecture videos and practical materials used during training


Valuable insight into malware analysis and how it can fit into IS practices

Valuable experience and information that you can put into practice and use professionally

Why Group-IB?

Experience in international investigations

Our training courses are based on 1300+ successful investigations worldwide.

Technical expertise

All courses are led by GCFA-, EnCE- and MCFE-certified experts.

Practicing experts

The course instructors are current Group-IB specialists, which translates to the most up-to-date and first-hand information for course participants.

Stimulating practical training

Practical exercises based on real-life cases make up 70% of the course.

Continuously updated program

Course materials are regularly updated with new cases from Group-IB’s experience, which ensures that the course program always reflects the latest trends.

Comprehensive development

Group-IB’s training courses provide a wide range of competencies for creating an effective information security department in any company.

Individual learning approach

Send us a request for an individual consultation on Group-IB technical training courses

Get new report
Ransomware Uncovered 2021/2022

The well-known complete guide to the latest tactics, techniques, and procedures of ransomware operators based on MITRE ATT&CK®


We use cookies on the website to make your browser experience more personal, convenient and secure. You may block or manage the use of cookies, however, in some cases they’re essential to make this site work properly. Learn more about cookies in Group-IB Privacy And Cookies Policy.