Curriculum · 2 Products

14 modules. 70 lessons. 327 exercises.

Two complete security training products — SQL Security Sandbox and Python Security Sandbox — covering the full spectrum of hands-on analyst and engineering skills.

NIST CSF 2.0 · MITRE ATT&CK · PCI-DSS v4.0 · DoD 8140 DCWF · PCEP · PCAP · PCES · CySA+ · NSA/CISA Memory-Safe

Module 1 · Free Demo

SQL Fundamentals

NIST CSF DE.AE · T1078 · PCI Req 6
🟢 Beginner · 4 lessons

Build your foundation using real authentication logs from the Contoso Corp SOC investigation. Every query serves a defensive purpose from lesson one.

  • 1.1 — Your First Security Query: SELECT and FROM
  • 1.2 — Filtering Suspicious Events: WHERE Clause
  • 1.3 — Sorting Threat Data: ORDER BY and LIMIT
  • 1.4 — Identifying Patterns in Auth Logs

Module 2 · Full Version

Filtering & Aggregation

NIST CSF DE.AE-3 · T1078, T1110 · PCI Req 10
🟡 Intermediate · 4 lessons

Chain conditions to isolate multi-factor attack patterns. Aggregate across time windows to surface brute-force attempts and anomalous login volumes.

  • 2.1 — Compound Filters: AND, OR, NOT
  • 2.2 — Pattern Matching: LIKE and Wildcards
  • 2.3 — Aggregating Events: COUNT, SUM, AVG
  • 2.4 — Grouping and Filtering Aggregates: GROUP BY and HAVING

Module 3 · Full Version

Joins & Subqueries

NIST CSF DE.CM-7 · T1078.003 · PCI Req 10, 12
🟠 Advanced · 4 lessons

Correlate events across multiple security tables. Join auth logs with user accounts, firewall events with network segments, and surface lateral movement patterns.

  • 3.1 — Correlating Tables: INNER JOIN
  • 3.2 — Finding Gaps: LEFT JOIN and Missing Records
  • 3.3 — Nested Queries: Subqueries for Threat Isolation
  • 3.4 — Multi-Table Investigation: Lateral Movement Case

Module 4 · Full Version

Window Functions & CTEs

NIST CSF DE.AE-5 · T1078.004 · PCI Req 7, 10
🔴 Expert · 5 lessons

Write a working impossible-travel detector using OVER(), LAG(), LEAD(), and Common Table Expressions. This is the capstone of the Core track.

  • 4.1 — Running Calculations: OVER() and PARTITION BY
  • 4.2 — Time Sequencing: LAG() and LEAD()
  • 4.3 — Readable Complex Queries: Common Table Expressions (WITH)
  • 4.4 — Building the Detector: Impossible-Travel Query, Part 1
  • 4.5 — Finishing the Detector: Impossible-Travel Query, Part 2

Advanced Defender Modules

Module A · Full Version

Privilege Auditing

NIST CSF PR.AC · T1078 · PCI Req 7, 10 · SOC 2 CC6
🔴 Expert · 6 lessons

Query db_permissions and access_policy tables to audit user privileges, identify over-permissioned accounts, and produce PCI-DSS Req 7 compliance evidence.

  • A.1 — Access Model Overview: Roles, Permissions, Scopes
  • A.2 — Least Privilege Analysis: Who Has Too Much?
  • A.3 — Temporal Auditing: When Was Access Granted?
  • A.4 — Cross-Referencing Policy vs. Reality
  • A.5 — Producing Audit Evidence for PCI Req 7
  • A.6 — Challenge: Full Access Review for the Contoso Breach

Module B · Full Version

Logging Failure Analysis

NIST CSF DE.CM-1 · T1070 · PCI Req 10.2, 10.3, 10.5, 10.6, 12.10
🔴 Expert · 6 lessons

Analyze the log_config table for integrity gaps, missing sequences, and suppression patterns — the leading indicator of attacker log-tampering.

  • B.1 — Log Architecture: What Should Be Captured?
  • B.2 — Gap Analysis: Sequence Breaks in the Audit Trail
  • B.3 — Suppression Patterns: Logs That Disappeared
  • B.4 — Retention Compliance: PCI Req 10.5 and 10.6
  • B.5 — Incident Response: Log Evidence Preservation
  • B.6 — Challenge: Full Log Integrity Audit for Contoso

Module C · Full Version

SQL Injection Anatomy for Defenders

NIST CSF ID.RA · T1190 · PCI Req 6.2, 6.4, 10.2, 12.10 · OWASP A03
🔴 Expert · 6 lessons

Read attack patterns in endpoint_sensitivity and query logs. Identify injection signatures, triage exfiltration scope, and document for PCI Req 6.2 / 6.4 evidence.

  • C.1 — How SQLi Works: An Attacker's View for Defenders
  • C.2 — Signature Recognition: Spotting Injection in Query Logs
  • C.3 — Scope Assessment: What Data Was Reachable?
  • C.4 — Triage: Classifying the Severity of an SQLi Event
  • C.5 — PCI Evidence: Req 6.2 Application Security Testing
  • C.6 — Challenge: Full SQLi Forensics Investigation

Python Security Sandbox · New Product

7 modules. 35 lessons. 185 exercises.

From Python foundations to a full Game Studio Security Capstone — security automation, threat intelligence, network programming, and more. NSA/CISA memory-safe language compliant.

PCEP · PCAP · PCES · DoD 8140 DCWF · MITRE ATT&CK · CySA+ · NIST CSF 2.0 · NSA/CISA Memory-Safe

Python Module 1 · 26 exercises

Python Foundations for Security

DCWF 511 · NIST DE.AE · PCEP
🟢 Beginner · 5 lessons

Variables, control flow, and data structures taught through real security scenarios. Build your first IOC parser and understand how Python thinks about data the way a security analyst does.

  • 1.1 — Python for Security: Environment and Mindset
  • 1.2 — Data Types and Structures for Security Data
  • 1.3 — Control Flow: Conditionals and Loops for Detection Logic
  • 1.4 — Your First IOC Parser
  • 1.5 — Putting It Together: Security Data Pipeline Foundations

Python Module 2 · 26 exercises

Functions, Files & Log Parsing

DCWF 511/531 · MITRE T1070 · CySA+
🟡 Intermediate · 5 lessons

Write reusable functions and automate log file ingestion. Parse syslog, JSON event streams, and Windows event logs. Detect MITRE T1070 indicators: log deletion, sequence gaps, and suppression patterns.

  • 2.1 — Functions and Modular Security Code
  • 2.2 — File I/O: Reading and Writing Security Logs
  • 2.3 — Regex for Log Parsing and IOC Extraction
  • 2.4 — Multi-Format Parsing: Syslog, JSON, Windows Events
  • 2.5 — Detecting T1070: Log Suppression and Sequence Gaps

Python Module 3 · 26 exercises

Data Analysis for SecOps

DCWF 511 · NIST DE.CM · pandas/numpy
🟡 Intermediate · 5 lessons

Use pandas and numpy for SIEM-style data analysis. Correlate events across time windows, surface anomalies, and build NIST DE.CM monitoring dashboards from raw security telemetry.

  • 3.1 — pandas Fundamentals for Security Data
  • 3.2 — Time-Series Analysis: Event Correlation
  • 3.3 — Anomaly Detection with numpy Statistics
  • 3.4 — Visualizing Security Metrics: NIST DE.CM Dashboards
  • 3.5 — Building a SecOps Data Pipeline

Python Module 4 · 26 exercises

Network & Protocol Programming

DCWF 461/541 · PCES-30-01 · cryptography
🟠 Advanced · 5 lessons

Build network reconnaissance tools, packet analyzers, and protocol inspectors using Python's socket library. Implement cryptographic primitives and design encrypted communication channels.

  • 4.1 — Sockets and Network Programming Fundamentals
  • 4.2 — Packet Capture and Protocol Analysis
  • 4.3 — Port Scanning and Network Reconnaissance
  • 4.4 — Cryptographic Implementations: hashing, AES, RSA
  • 4.5 — Encrypted Communication and Secure Channels

Python Module 5 · 26 exercises

OOP for Security Tooling

DCWF 521 · PCAP · core OOP patterns
🟠 Advanced · 5 lessons

Apply classes, inheritance, and polymorphism to security-specific engineering challenges. Design extensible scanners, detection engines, and security framework architectures.

  • 5.1 — Classes and Objects for Security Contexts
  • 5.2 — Inheritance: Building Extensible Detection Frameworks
  • 5.3 — Polymorphism and Interface Design
  • 5.4 — Design Patterns for Security Tools
  • 5.5 — Building a Modular Security Scanner

Advanced Security Modules

Python Module 6 · 26 exercises

Security Automation & Threat Intel

DCWF 531/621 · STIX 2.1 · YARA · Sigma · PCES
🔴 Expert · 5 lessons

Consume and produce STIX 2.1 threat intelligence feeds. Write YARA detection rules and Sigma alerts. Build automated response pipelines that act on live threat data.

  • 6.1 — STIX 2.1: Consuming and Producing Threat Intelligence
  • 6.2 — YARA Rule Development and Malware Detection
  • 6.3 — Sigma Rules and SIEM Detection Engineering
  • 6.4 — Automation Pipelines: Ingest → Detect → Respond
  • 6.5 — Orchestration: Connecting Tools Into a Security Platform

Python Module 7 · 35 exercises · Capstone

Game Studio Security Capstone

DCWF All Roles · Full-Spectrum Capstone Project · SCORM 1.2
🔴 Expert · 5 lessons + Capstone

End-to-end security engineering capstone set in a game studio production environment. Apply every skill from Modules 1–6 across all six DCWF work roles — detection, response, automation, threat intel, and adversary simulation — in a realistic scenario.

  • 7.1 — Scenario Setup: The Game Studio Environment
  • 7.2 — Incident Response: Detecting the Breach
  • 7.3 — Forensic Analysis: Python-Powered Investigation
  • 7.4 — Hardening: Automated Security Controls
  • 7.5 — Threat Intelligence: Building the Studio's CTI Program
  • 7.C — Capstone Challenge: Full Security Posture Assessment