You met the instructor. Now you need the structure.
10 modules. 59 lessons. 1 pipeline — from an empty hypervisor to a fully operational purple team detection program, backed by tested rules, verified telemetry, and metrics you can present to leadership. Read this once. Bookmark it.
Come back when you are three modules deep and need to remember why a particular lesson exists. Everything connects. Nothing is filler.
Where You Are Going
- Build a segmented detection lab from scratch using VMware Workstation Pro — domain controller, workstations, firewall, SIEM, and attacker machine, all networked and communicating
- Run real adversary techniques using MITRE Caldera, Atomic Red Team, and Sliver C2 — the same frameworks used by professional red teams
- Write and validate Sigma detection rules using a repeatable four-step pipeline: select, emulate, observe, write, validate, iterate
- Detect real attacks — LSASS credential dumping, Kerberoasting, Pass-the-Hash, DCSync, scheduled task persistence, LOLBins, and a live web application attack
- Operationalize the program — CI/CD for detection rules, coverage tracking with VECTR, and a 30-day roadmap you can hand to your team lead or CISO
The Ten Modules
Module 1 — Welcome
You are here. Context before commands. Expectations, platform orientation, prerequisites, community.
Lessons: How This Platform Works | Prerequisites | Join the Community
Module 2 — The Purple Team Mindset
Most red team engagements produce a report. The report sits in a folder. Nothing changes. This module explains exactly why that happens — and how the purple team feedback loop fixes it. Red, blue, and purple are not job titles. They are operational workflows with different inputs, outputs, and accountability structures.
Lessons: Why Purple Teaming Changes Everything | Red vs Blue vs Purple: The Feedback Loop
Module 3 — Building Your Detection Lab
The longest module. There is a reason for that. A misconfigured firewall rule in Module 3 becomes a missing log in Module 5 becomes a failed detection in Module 6. Every dependency is upstream. You will deploy pfSense, stand up a Windows Server 2022 domain controller and workstations, configure Elastic Security with Kibana, deploy Sysmon with the sysmon-modular config, and populate Active Directory using BadBlood. Every component validated before you move on.
Lessons: Lab Architecture | VMware Setup | pfSense | Elastic SIEM | Sysmon | BadBlood | Troubleshooting
Module 4 — Emulation Frameworks & Tooling
Your lab is built. Now you need weapons. Real ones. MITRE Caldera runs automated adversary operations mapped to ATT&CK. Atomic Red Team — maintained by Red Canary — is unit testing for detections: one technique, one command, one observable result. Sliver C2 from Bishop Fox is a real command-and-control framework. You generate implants, establish sessions, and operate against your own domain — exactly like an adversary would. You are not learning these tools to attack. You are learning them to understand what your detections need to catch.
Lessons: Caldera | Atomic Red Team | Sliver C2
Module 5 — The Detection Engineering Pipeline
This is the core. Everything before it was setup. Everything after it is application. Four steps: select the technique, emulate and verify the telemetry, write the Sigma rule, test and iterate. This pipeline — the same one used by detection engineers at enterprise security teams — is what separates guessing from knowing.
Lessons: Technique Selection | Emulate & Verify | Writing Sigma Rules | Terminal Challenge: LSASS
Module 6 — Credential Access & Identity Attacks
Credential access is where most breaches escalate from initial foothold to full domain compromise. It is also where most detection gaps live. You will emulate LSASS credential dumping three ways — Mimikatz, comsvcs.dll, and ProcDump — and write one detection that catches all three. Then: OAuth token theft and identity-first attacks that bypass traditional credential defences entirely. Three methods. One detection. That is the engineering discipline.
Lessons: LSASS: Three Methods, One Detection | OAuth Abuse & Token Theft
Module 7 — Living-off-the-Land & Persistence
Adversaries do not always bring their own tools. They use yours. LOLBins — certutil, mshta, rundll32, regsvr32 — are already on every endpoint, already whitelisted, and already generating logs. You just need to know where to look. You will also run a complete purple team exercise around scheduled task persistence: create it, detect it, validate the detection, document the coverage. End to end.
Lessons: LOLBin Detection | Scheduled Task Persistence | Assignment: LOLBin Detection Pack
Module 8 — Active Directory & Lateral Movement
Active Directory is the most attacked infrastructure component in existence. If an adversary owns your AD, they own everything — and most organizations do not detect the techniques that get them there until it is far too late. You will emulate and detect Kerberoasting, AS-REP Roasting, Golden Ticket, DCSync, and Pass-the-Hash lateral movement. Every technique. Every detection. Every validation.
Lessons: Kerberoasting & AS-REP Roasting | Golden Ticket & DCSync | Pass-the-Hash & SMB | Terminal Challenge: DCSync
Module 9 — Operationalizing Purple Team Programs
Individual skill becomes organizational capability. You built detections. You validated them. Now you sustain them. VECTR tracks which ATT&CK techniques you can detect and where to invest next. CI/CD pipelines version-control and auto-deploy your Sigma rules. Operational metrics — Mean Time to Detect, coverage percentage, false positive rates — prove the program works. The module ends with a final assignment: a real 30-day purple team roadmap with techniques selected, tools identified, and metrics defined. The kind you can present to a CISO.
Lessons: VECTR | CI/CD for Detections | Measuring What Matters | Building the Culture | Final Assignment
Module 10 — Capstone: Web Application Attack & Detection
This is where you prove it. No instructions. No scaffolding. You deploy a vulnerable web application, attack it from Kali, collect the logs, and write the detection that catches you. End to end. By yourself. Against a real attack.
Lessons: What You Are About to Prove | Deploying DVWA | Log Layers of a Web App | The Attack: Manual Exploitation from Kali | Collecting the Evidence | Capstone Assignment: Detect the Intrusion