Threat Hunting and Detection Engineering

Course Details

Training Level: Beginner; Intermediate


Early Bird: RM5,000 (Use Code: SS2024TEB. Ends 31st May, 2359H)
Normal: RM6,300

Course Abstract

This class is designed to introduce students to the understanding of threat hunting and detection engineering. Threat hunting is a proactive cybersecurity approach aimed at identifying and mitigating potential security threats before they can cause harm to an organization’s systems, networks, or data and Detection Engineering (DE) is a discipline within cybersecurity that focuses on developing and improving the capabilities of security systems to detect malicious activities and threats effectively. DE involves the creation, implementation, and refinement of detection mechanisms, rules, algorithms, and processes to identify suspicious or unauthorized behaviour within an organization’s IT infrastructure.

Through an applied understanding of introduction of the concept TH & DE, students should be able to identify available processes and frameworks to detect undetected threats, that can be used to enhance security posture, stay ahead of threat actors and improve incident response by uncovering the indicator of compromise and suspicious activities.

Our threat hunting approach is based on students’ familiarity with their IT environments, with DE students should learn how to develop rules, signatures, or patterns that can identify specific types of malicious activities or behaviours. DE students also will work on developing and refining machine learning algorithms and statistical models to detect anomalies or patterns indicative of cyber threats.

This class will focus on a few type active APT groups and hope every student can apply the skills and experience in their IT environment.

Course Outline

  • Introduction of Threat Hunting and Detection Engineering
    • The concept of Threat Hunting & Detection Engineering
    • The Cyber Kill Chain
    • MITRE & ATT&CK framework
    • The Pyramid of Pain
    • Old school vs modern cyber attacks
    • The problems on the current detection problems
    • The solutions for better detection
  • Threat Hunting
    • What is threat hunting?
    • Types of threat hunting
    • The threat hunting mind and skill sets
    • The threat hunting process
    • The threat hunting loops
    • The hunting models
    • Start threat hunting by building the hypothesis
  • Your data source is everything.
    • Where is my data?
    • Operating System and logs 
    • Networking and logs
    • Data sources 
    • End point data
    • Network data
    • Security Data
  • Understanding the threat actor & adversary
    • Mapping the Adversary
    • The ATT&CK framework
    • Tactics, techniques, sub-techniques and procedures
    • The ATT&CK Matrix
    • The ATT&CK Navigator
    • Mapping with ATT&CK
  • Working with data
    • Using data dictionaries
    • Open source security event metadata
    • Using Sigma
  • Emulating the adversary
    • What is adversary emulation?
    • MITRE & ATT&CK emulation plan
    • Atomic red team
    • Mordor
    • Caldera
    • Other tools
  • Working with a research environment
    • Choose your virtual environment for research
    • ELK
    • HELK
  • HUNTING the adversary
    • MITRE evaluations
    • Hunting for APT group
  • Documenting & Automating process
    • Documenting your hunts
    • KanBan Boards
    • The Jupyter notebook
    • The threat hunting playbook
  • Building a detection engineering for malware research development
    • Technical Requirement
    • The ELK
    • Deploying the ELK
    • Configuring the ELK
    • Setting up Fleet Server
    • Installing and configuration of the ELK
    • Building your first detection
  • Working together with the incident response team
    • The impact of communication on the success of threat hunting program

Who should attend?

This class is meant for professional cybersecurity analysts, security operation center personnel (SOC), Incident response team members, threat intelligence analysts, network security analysts, IT security managers and leaders, compliance and risk management professionals and penetration testers.

Key Learning Objectives

  • Understanding Threat Landscape
  • Data and threat intelligence integration
  • Proactive detection techniques
  • Data analysis and visualization
  • Incident response skills
  • Hunting hypothesis development
  • Risk-based approach
  • Detection mechanism
  • Security technologies
  • Rule creation and tuning
  • Testing and validation


Students should be prepared with basic operating systems, network, cybersecurity threats and techniques.

What to bring?

Students should have their own laptop and the latest VMware Player or Workstation.

Trainer Profile

Razwan Mokhtar

From a programmer at a tech company, Earth Media Sdn Bhd in 1998, he began his career in cyber security in 1999 at 20 years old. He was invited as a consultant by the Bukit Aman Royal Police Cyber Forensic department, where he contributed to forensic analysis for combating cybercrime (malware analyst).

In the span of his 23 years career, he has consulted for various national ministries and government agencies and industry sectors ranging from Tech, Healthcare, Banking and Energy.

Currently a Fellow at University Malaya, he is also active in the cybersecurity community, co-founded Nanosec Asia (, one of the biggest offensive cybersecurity conference events in South-East Asia. He aims to change a vendor-neutral platform for researchers to present their research to the community and accept the right combination of technical & case study papers to create balance. He wants to see more local talents to share their research with the world and interact with fellow researchers/professionals with a similar mindset.

Scroll to top