DoD DCWF - Cyber Defense Analyst

MCSI Certification

MCDA - Certified Cyber Defense Analyst

The training course for the Cyber Defense Analyst role is designed to build proficiency in detecting, analyzing, and mitigating cyber threats.

The Cyber Defense Analyst course curriculum is designed to cover essential areas like system security, network security, log analysis, intrusion detection, and threat analysis. Participants will learn to utilize advanced tools and techniques for identifying and responding to cyber threats, ensuring a broad grasp of vital cybersecurity functions. This structured approach ensures a thorough understanding of the strategic and tactical aspects of cybersecurity operations.

Upon course completion, participants will possess a comprehensive grasp of the cyber defense domain, with the dexterity to secure organizations against the challenges of modern digital threats. Equipped with a robust skill set, they will be capable of assuming pivotal roles as Cyber Defense Analysts, bolstering the security and resilience of IT infrastructures. This preparation ensures they can effectively navigate and contribute to the evolving cybersecurity sector.

Intermediate Level MCSI Certification Intermediate
ic-certificate Certification
ic-clock 600+ hours
ic-money $1295
No Expiry, No Renewals

Course Overview

The training course for the Cyber Defence Analyst role is designed to build proficiency in detecting, analyzing, and mitigating cyber threats. It delves into cybersecurity principles, network defense strategies, and threat intelligence analysis. Participants will complete practical exercises that simulate real-world scenarios, enhancing their skills in incident response and threat mitigation. This hands-on approach ensures that participants can apply theoretical knowledge in practical settings, preparing them for the complexities of the cyber defense field.

In addition to technical skills, the course will focus on developing strategic thought and decision-making prowess in the realm of cyber defense. Participants will examine real evidence from historical cyber incidents to gain a nuanced comprehension of cyber threat evolution and the critical need for swift, decisive action plans.

To provide a comprehensive educational experience, the course will explore the ethical dimensions of cybersecurity, emphasizing adherence to industry security standards and best practices. This expertise is crucial for devising strategies to defend against cyber threats while upholding ethical principles, fostering responsible and compliant cybersecurity operations.

Upon completion of the MCDA Certified Cyber Defence Analyst course, participants will be equipped with the skills to:

  • Master network mapping skills to accurately map an organization's network infrastructure and understand device interactions.
  • Assess network security posture through comprehensive evaluations to identify vulnerabilities.
  • Utilize intrusion detection tools to detect intrusions and unauthorized activities on the network.
  • Develop unique intrusion detection strategies tailored to identify and mitigate previously unidentified intrusions.
  • Enhance system configurations to fortify defenses against potential intrusions and cyber threats.
  • Communicate complex cyber security issues effectively to non-technical audiences.

Knowledge, Skills and Abilities You Will Acquire

MCSI is one of the most respected and trusted names in cyber security education and training. Our certifications teach critical skills, knowledge and abilities needed to advance a career in cyber security. Our courses are comprehensive and up-to-date, and our instructors are experienced professionals who are dedicated to helping students learn. MCSI provides the real-world skills and knowledge you need to protect any organization from cyber threats.

  • Lab Setup

    Lab setup is crucial for cyber defense analysts as it provides a controlled environment to simulate real-world cyber threats, allowing analysts to practice detection, analysis, and mitigation techniques safely.


    VirtualBox is a powerful virtualization tool that allows analysts to create and manage virtual machines (VMs) for testing and experimenting with different operating systems and network configurations. It's essential for simulating diverse IT environments and testing security measures.


    Pandas is a Python library used for data manipulation and analysis. In cyber defense, analysts can leverage Pandas for processing and analyzing large datasets related to network traffic, logs, or security events, enabling more effective threat detection and response.

    Active Directory

    Active Directory (AD) is a Microsoft service that manages users, groups, and resources within a network environment. Understanding AD is crucial for cyber defense analysts to secure user accounts, enforce policies, and monitor directory services for signs of unauthorized access or anomalies.


    OpenVAS (Open Vulnerability Assessment System) is an open-source vulnerability scanner used to detect and assess security vulnerabilities in networks and hosts. It's important for analysts to use OpenVAS to identify and prioritize security risks, enabling proactive mitigation and patching.


    Yara is a powerful tool used for malware identification and classification based on patterns or rules. Cyber defense analysts use Yara to create custom signatures for detecting specific types of malware or suspicious files, enhancing threat hunting and incident response capabilities.

  • Key Risk Management Concepts

    Risk management is essential for cyber defense analysts as it enables them to assess and prioritize threats, allowing for strategic allocation of resources to address critical vulnerabilities.

    By implementing effective risk management practices, analysts can enhance incident response capabilities, mitigate potential impacts of cyber threats, and maintain robust cybersecurity defenses.

    Risk Transfer

    Risk transfer involves shifting the financial burden of potential losses from identified risks to another party, typically through insurance or outsourcing certain activities.

    Risk Register

    A risk register is a documented inventory of identified risks, their characteristics, potential impacts, and mitigation strategies, providing a structured approach to managing risks.

    Disaster Recovery Plan

    A disaster recovery plan outlines procedures to recover and restore critical systems and operations following a disruptive event, ensuring continuity and minimizing downtime in the face of disasters.

  • SIEM (Security Information and Event Management)

    SIEM (Security Information and Event Management) is crucial for cyber defense analysts because it provides real-time visibility into security events and logs across an organization's network, allowing for proactive threat detection and response. It aggregates and correlates security data from multiple sources, enabling analysts to identify patterns, anomalies, and potential security incidents efficiently, thus enhancing overall cybersecurity posture.

    ELK Stack

    The ELK Stack is a powerful combination of open-source tools used for log management and analysis. Elasticsearch provides real-time search and analytics, Logstash processes and transforms log data, and Kibana offers visualization and dashboarding capabilities, making it essential for monitoring system health, troubleshooting issues, and detecting security incidents in large-scale environments.

    Writing ELK Filters to Detect Exploits

    Writing ELK filters to detect exploits involves creating specific queries within the ELK Stack that can identify patterns or signatures of known vulnerabilities or exploit attempts in log data, enabling proactive detection and response to potential security threats.

    Writing ELK Filters to Detect Malicious Processes/Executables

    Creating ELK filters to detect malicious processes or executables involves crafting queries that can flag suspicious behavior or activities in log data, aiding in the identification and mitigation of malware or unauthorized activities within the IT environment.

    Creating a Kibana Dashboard

    A Kibana dashboard is a visual interface in the ELK Stack used to display key metrics, logs, and analytics data in a customizable format. Creating effective Kibana dashboards enables cyber defense analysts to gain insights into security events and performance metrics, facilitating informed decision-making and proactive response to cybersecurity threats.

    Using ELK to Analyze Reverse Shells

    Analyzing reverse shells using the ELK Stack involves examining network traffic, log data, and system events to detect signs of compromise or unauthorized access originating from reverse shell connections, enabling swift response and remediation to prevent further exploitation or data breaches.

    Using ELK to Analyze Spear Phishing

    Leveraging the ELK Stack for spear phishing analysis involves scrutinizing email logs, network traffic, and user activity to identify indicators of targeted phishing attacks. This proactive approach allows cyber defense analysts to detect and mitigate spear phishing threats more effectively, reducing the risk of successful cyber attacks targeting specific individuals or organizations.

  • Network Analysis

    Network analysis is crucial for cyber defense analysts to gain insights into network traffic patterns, identify anomalies, and detect potential security threats. By analyzing network data, analysts can assess network performance, pinpoint vulnerabilities, and enhance overall network security posture to safeguard against intrusions and unauthorized activities.

    RFI Templates

    RFI (Request for Information) templates are standardized documents used to gather specific details and requirements from potential vendors or suppliers during procurement processes.


    GrassMarlin is an open-source tool used for passive network defense to monitor, detect, and respond to suspicious activities on operational technology (OT) networks.

    Network Situational Awareness

    Network Situational Awareness refers to the ability to monitor, analyze, and understand network behavior and activity to detect potential threats and vulnerabilities.

    Performing risk assessments on APTs

    Performing risk assessments on Advanced Persistent Threats (APTs) involves evaluating the potential impact and likelihood of APTs targeting specific assets or systems within an organization.

    Active & Passive Analysis

    Active and passive analysis techniques are used to assess network security, where active analysis involves direct interaction to evaluate responses, while passive analysis observes without direct interaction.

    Finding network vulnerabilities

    Finding network vulnerabilities involves identifying weaknesses or gaps in network defenses that could be exploited by attackers to compromise systems or data.

    Finding website vulnerabilities

    Finding website vulnerabilities entails identifying security flaws or weaknesses in web applications or websites that could be exploited by malicious actors to compromise data or breach security.

  • Incident Response & Forensics

    Incident Response & Forensics is crucial for cyber defense analysts to effectively detect, contain, and mitigate security incidents, minimizing the impact of cyber threats on organizational assets. By conducting incident response and forensics, analysts can gather evidence, understand attack patterns, and improve future incident handling processes to enhance overall cybersecurity resilience.

    Investigating Unauthorized Network Connections

    Analyzing and tracing unauthorized access attempts or connections to identify potential security breaches.

    Investigating Malicious Behavior on Windows

    Examining and analyzing suspicious activities or behaviors on Windows systems to detect and respond to potential threats.

    Performing Network Forensics on EternalBlue Attacks

    Conducting forensic analysis specifically focused on incidents involving EternalBlue exploits, which target vulnerabilities in Windows systems.

    Performing Network Forensics on Malicious Connections

    Investigating and analyzing network traffic to identify and understand connections related to malicious activities or threats.

    Creating Incident Response Playbook

    Developing comprehensive guidelines and procedures for responding to specific security incidents or cyber threats based on best practices and lessons learned.

  • Scripting

    Scripting is crucial for cyber defense analysts as it enables the automation of routine tasks, enhances incident response capabilities, and facilitates rapid deployment of security measures.

    Proficiency in scripting languages like PowerShell, Python, and Bash enables analysts to develop custom tools and scripts tailored to specific security needs, improving overall efficiency and effectiveness in cyber defense operations.

    Writing PowerShell Scripts to Harden Windows

    Writing PowerShell scripts is essential for cyber defense analysts to automate security hardening tasks on Windows systems, ensuring robust defenses against vulnerabilities.

    Writing PowerShell Scripts to Prevent Vulnerabilities

    Utilizing PowerShell scripting allows analysts to proactively prevent security vulnerabilities by automating tasks that enhance system security and mitigate potential risks.

    Using Python to Convert Log Types

    Python scripting is instrumental for converting and processing different log types, facilitating effective log analysis and enhancing overall cybersecurity operations.

    Using Python to Capture Executables

    Python scripting enables analysts to capture and analyze executables, providing insights into potential threats and malicious activities within an environment.

  • Threat Hunting with Pandas & Yara

    Threat hunting involves proactively searching for signs of advanced threats or malicious activities within an organization's network. It is essential for cyber defense analysts because it allows for early detection of potential threats that traditional security measures may miss, enabling timely mitigation and response to minimize impact.

    Writing YARA Rules to Detect Malicious Activity

    Writing YARA rules allows analysts to create custom patterns that can identify specific types of malicious activity within files or processes, enhancing threat detection capabilities.

    Writing YARA Rules to Search Contents of Files

    By writing YARA rules to search file contents, analysts can pinpoint specific patterns or signatures indicative of malicious behavior, aiding in comprehensive threat hunting and investigation.

    Writing Pandas Queries to Identify Malicious Activity

    Using Pandas queries, analysts can efficiently sift through large datasets to identify and isolate suspicious or malicious activity, streamlining the threat hunting process and enabling timely responses.

    Threat Hunting Against 2000 Machines

    Conducting threat hunting across a large number of machines helps analysts identify potential threats at scale, allowing for proactive mitigation and protection of organizational assets.

  • Threat Mapping

    Threat mapping involves identifying and visualizing cyber threats, their origins, attack vectors, and potential impacts within an organization's environment. It's important because it provides a strategic overview of potential risks, enabling proactive defense measures and informed decision-making to strengthen cybersecurity posture and resilience.

    Setting up OpenCTI

    OpenCTI is an open-source platform designed for threat intelligence management. It centralizes and visualizes cyber threat intelligence to facilitate informed decision-making and strategic threat analysis.

    Setting Up MISP

    MISP (Malware Information Sharing Platform & Threat Sharing) is an open-source threat intelligence platform for sharing, storing, and correlating Indicators of Compromise (IOCs) and threat information among security practitioners.

    Creating custom STIX Definitions

    STIX (Structured Threat Information eXpression) is a standard format for representing cyber threat intelligence. Creating custom STIX definitions allows organizations to tailor threat intelligence to their specific needs and use cases.

    Creating custom Google queries to identify hidden information on adversaries

    Crafting custom Google queries helps cybersecurity professionals gather open-source intelligence (OSINT) to uncover information about adversaries, such as leaked credentials, public forums discussions, or other digital footprints.

    Diamond Model

    The Diamond Model is a framework used to analyze cyber threat intelligence. It helps map the relationships between adversaries, infrastructure, capabilities, and victim targeting, enhancing understanding and response to cyber threats.

    Cyber Kill Chain

    The Cyber Kill Chain is a concept that describes the stages of a cyber attack, from initial reconnaissance to data exfiltration. Understanding the Cyber Kill Chain aids in developing effective defense strategies and mitigating threats.

    Graphing Attacks

    Graphing attacks involves visualizing cyber attacks, mapping out relationships and interactions between different entities such as threat actors, tools, and victim assets. This approach helps in identifying patterns and trends for threat analysis and response.

DoD Cyber Workforce Framework KSATs

This course teaches the specific Knowledge, Skills, Abilities, and Tasks (KSATs) aligned with the DoD Cyber Workforce Framework (DCWF) as outlined in DoD 8140. By focusing on these critical competencies, the course ensures that you develop the essential capabilities required for various cybersecurity roles within the Department of Defense. This alignment not only guarantees that the training is relevant and comprehensive but also that it prepares you to meet the specific operational needs and standards of the DoD cyber workforce.

  • knowledge
    ID Description
    1069A Knowledge of general kill chain (e.g., footprinting and scanning, enumeration, gaining access, escalation of privileges, maintaining access, network exploitation, covering tracks).
    108 Knowledge of risk management processes (e.g., methods for assessing and mitigating risk).
    1158 Knowledge of cybersecurity principles.
    1159 Knowledge of cyber threats and vulnerabilities.
    150 Knowledge of what constitutes a network attack and the relationship to both threats and vulnerabilities.
    19 Knowledge of cyber defense and vulnerability assessment tools, including open source tools, and their capabilities.
    22 Knowledge of computer networking concepts and protocols, and network security methodologies.
    66 Knowledge of intrusion detection methodologies and techniques for detecting host and network-based intrusions via intrusion detection technologies.
    70 Knowledge of information technology (IT) security principles and methods (e.g., firewalls, demilitarized zones, encryption).
    81A Knowledge of network protocols such as TCP/IP, Dynamic Host Configuration, Domain Name System (DNS), and directory services.
    87 Knowledge of network traffic analysis methods.
    92 Knowledge of how traffic flows across the network (e.g., Transmission Control Protocol [TCP] and Internet Protocol [IP], Open System Interconnection Model [OSI], Information Technology Infrastructure Library, current version [ITIL]).
    922A Knowledge of how to use network analysis tools to identify vulnerabilities.
    984 Knowledge of cyber defense policies, procedures, and regulations.
    990 Knowledge of the common attack vectors on the network layer.
    991 Knowledge of different classes of attacks (e.g., passive, active, insider, close-in, distribution).
    6900 Knowledge of specific operational impacts of cybersecurity lapses.
    25 Knowledge of encryption algorithms (e.g., Internet Protocol Security [IPSEC], Advanced Encryption Standard [AES], Generic Routing Encapsulation [GRE], Internet Key Exchange [IKE], Message Digest Algorithm [MD5], Secure Hash Algorithm [SHA], Triple Data Encryption Standard [3DES]).
    27 Knowledge of cryptography and cryptographic key management concepts.
    34 Knowledge of database systems.
    49 Knowledge of host/network access control mechanisms (e.g., access control list).
    58 Knowledge of known vulnerabilities from alerts, advisories, errata, and bulletins.
    61 Knowledge of incident response and handling methodologies.
    63 Knowledge of cybersecurity principles and organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation).
    79 Knowledge of network access, identity, and access management (e.g., public key infrastructure [PKI]).
    88A Knowledge of current and emerging cyber technologies.
    90 Knowledge of operating systems.
    95A Knowledge of penetration testing principles, tools, and techniques.
    98 Knowledge of policy-based and risk adaptive access controls.
    105 Knowledge of system and application security threats and vulnerabilities (e.g., buffer overflow, mobile code, cross-site scripting, Procedural Language/Structured Query Language [PL/SQL] and injections, race conditions, covert channel, replay, return-oriented attacks, malicious code).
    110 Knowledge of key concepts in security management (e.g., Release Management, Patch Management).
    111 Knowledge of security system design tools, methods, and techniques.
    130A Knowledge of systems security testing and evaluation methods.
    139 Knowledge of the common networking protocols (e.g., TCP/IP), services (e.g., web, mail, Domain Name Server), and how they interact to provide network communications.
    148 Knowledge of Virtual Private Network (VPN) security.
    177B Knowledge of countermeasures for identified security risks.
    212A Knowledge of network mapping and recreating network topologies.
    270 Knowledge of common adversary tactics, techniques, and procedures in assigned area of responsibility (i.e., historical country-specific tactics, techniques, and procedures; emerging capabilities).
    271 Knowledge of common network tools (e.g., ping, traceroute, nslookup).
    277 Knowledge of defense-in-depth principles and network security architecture.
    278 Knowledge of different types of network communication (e.g., LAN, WAN, MAN, WLAN, WWAN).
    286 Knowledge of file extensions (e.g., .dll, .bat, .zip, .pcap, .gzip).
    342A Knowledge of operating system command line/prompt.
    904 Knowledge of interpreted and compiled computer languages.
    912 Knowledge of collection management processes, capabilities, and limitations.
    915 Knowledge of front-end collection systems, including traffic collection, filtering, and selection.
    1033 Knowledge of basic system administration, network, and operating system hardening techniques.
    1034C Knowledge of Personal Health Information (PHI) data security standards.
    1034B Knowledge of Payment Card Industry (PCI) data security standards.
    1034A Knowledge of Personally Identifiable Information (PII) data security standards.
    1072 Knowledge of network security architecture concepts including topology, protocols, components, and principles (e.g., application of defense-in-depth).
    1073 Knowledge of network systems management principles, models, methods (e.g., end-to-end systems performance monitoring), and tools.
    1114 Knowledge of encryption methodologies.
    1119 Knowledge of signature implementation impact.
    1121 Knowledge of Windows/Unix ports and services.
    3431 Knowledge of OSI model and underlying network protocols (e.g., TCP/IP).
    6935 Knowledge of cloud computing service models Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS).
    6938 Knowledge of cloud computing deployment models in private, public, and hybrid environment and the difference between on-premises and off-premises environments.
    43A Knowledge of embedded systems.
    133 Knowledge of key telecommunications concepts (e.g., Routing Algorithms, Fiber Optics Systems Link Budgeting, Add/Drop Multiplexers).
    59A Knowledge of Intrusion Detection System (IDS)/Intrusion Prevention System (IPS) tools and applications.
    8 Knowledge of authentication, authorization, and access control methods.
    21 Knowledge of computer algorithms.
    138 Knowledge of the cyber defense Service Provider reporting structure and processes within one’s own organization.
    234B Knowledge of the use of sub-netting tools.
    992C Knowledge of threat environments (e.g., first generation threat actors, threat activities).
    1036 Knowledge of applicable laws (e.g., Electronic Communications Privacy Act, Foreign Intelligence Surveillance Act, Protect America Act, search and seizure laws, civil liberties and privacy laws), statutes (e.g., in Titles 10, 18, 32, 50 in U.S. Code), Presidential Directives, executive branch guidelines, and/or administrative/criminal legal guidelines and procedures relevant to work performed.
    1142 Knowledge of security models (e.g., Bell-LaPadula model, Biba integrity model, Clark-Wilson integrity model).
  • skills
    ID Description
    214A Skill in performing packet-level analysis.
    353 Skill in collecting data from a variety of cyber defense resources.
    895 Skill in recognizing and categorizing types of vulnerabilities and associated attacks.
    3C Skill in recognizing vulnerabilities in information and/or data systems.
    75C Skill in conducting trend analysis.
    175 Skill in developing and deploying signatures.
    179A Skill in assessing security controls based on cybersecurity principles and tenets.
    181A Skill in detecting host and network based intrusions via intrusion detection technologies.
    183 Skill in determining how a security system should work (including its resilience and dependability capabilities) and how changes in conditions, operations, or the environment will affect these outcomes.
    229 Skill in using incident handling methodologies.
    233 Skill in using protocol analyzers.
    1118 Skill in reading and interpreting signatures (e.g., snort).
  • abilities
    ID Description
    1120 Ability to interpret and incorporate data from multiple tool sources.
    3007 Ability to analyze malware.
  • tasks
    ID Description
    433 Characterize and analyze network traffic to identify anomalous activity and potential threats to network resources.
    472 Coordinate with enterprise-wide cyber defense staff to validate network alerts.
    723 Document and escalate incidents (including event’s history, status, and potential impact for further action) that may cause ongoing and immediate impact to the environment.
    745 Perform cyber defense trend analysis and reporting.
    750 Perform event correlation using information gathered from a variety of sources within the enterprise to gain situational awareness and determine the effectiveness of an observed attack.
    767 Perform security reviews and identify security gaps in security architecture resulting in recommendations for the inclusion into the risk mitigation strategy.
    800 Provide daily summary reports of network events and activity relevant to cyber defense practices.
    823 Receive and analyze network alerts from various sources within the enterprise and determine possible causes of such alerts.
    956 Provide timely detection, identification, and alerting of possible attacks/intrusions, anomalous activities, and misuse activities and distinguish these incidents and events from benign activities.
    958 Use cyber defense tools for continual monitoring and analysis of system activity to identify malicious activity.
    959 Analyze identified malicious activity to determine weaknesses exploited, exploitation methods, effects on system and information.
    1107 Identify and analyze anomalies in network traffic using metadata (e.g., CENTAUR).
    1108 Conduct research, analysis, and correlation across a wide variety of all source data sets (indications and warnings).
    1111 Identify applications and operating systems of a network device based on network traffic.
    1111 Identify applications and operating systems of a network device based on network traffic.
    427 Develop content for cyber defense tools.
    559B Analyze and report system security posture trends.
    559A Analyze and report organizational security posture trends.
    576 Ensure cybersecurity-enabled products or other compensating security control technologies reduce identified risk to an acceptable level.
    593A Assess adequate access controls based on principles of least privilege and need-to-know.
    716A Monitor external data sources (e.g., cyber defense vendor sites, Computer Emergency Response Teams, Security Focus) to maintain currency of cyber defense threat condition and determine which security issues may have an impact on the enterprise.
    717A Assess and monitor cybersecurity related to system implementation and testing practices.
    782 Plan and recommend modifications or adjustments based on exercise results or system environment.
    806A Provides cybersecurity recommendations to leadership based on significant threats and vulnerabilities.
    880A Work with stakeholders to resolve computer security incidents and vulnerability compliance.
    938A Provide advice and input for Disaster Recovery, Contingency, and Continuity of Operations Plans.
    1103 Determine tactics, techniques, and procedures (TTPs) for intrusion sets.
    1104 Examine network topologies to understand data flows through the network.
    1105 Recommend computing environment vulnerability corrections.
    1109 Validate intrusion detection system (IDS) alerts against network traffic using packet analysis tools.
    1110 Isolate and remove malware.
    1112 Reconstruct a malicious attack or activity based off network traffic.
    1113 Identify network mapping and operating system (OS) fingerprinting activities.
    2062 Assist in the construction of signatures which can be implemented on cyber defense network tools in response to new or observed threats within the NE or enclave.
    2611 Notify designated managers, cyber incident responders, and cybersecurity service provider team members of suspected cyber incidents and articulate the event’s history, status, and potential impact for further action in accordance with the organization’s cyber incident response plan.

Career Outcomes

Join our Cyber Defense Analyst course to gain essential skills for protecting networks and information systems. Learn through practical exercises and master incident detection, network security, and response strategies. Equip yourself with the expertise to analyze threats and implement robust cyber defense measures, preparing you for a crucial role in any cybersecurity team.

Certification Detail

MCSI certifications are highly respected and sought-after credentials in the industry. Earning an MCSI certification is a testament to your knowledge and skillset, and demonstrates your commitment to excellence. The content is cutting-edge, uniquely-designed, and hands-on. Our exercises teach in-demand skills that are immediately applicable in the field.

The certifications are valid indefinitely and do not require any renewal fees. The training is accessible without any time limits.


Training Modules

This course provides you with multiple training modules, each of which is designed to teach you practical skills that can help you solve important cyber problems. Each module offers exercises that will help you build your skills and capabilities.

  • MCDA-001: Lab Setup - 9 exercises
  • MCDA-101: Key Risk Management Concepts - 7 exercises
  • MCDA-102: Introduction to Security Information and Event Management (SIEM) - 6 exercises
  • MCDA-103: SIEM 101: Elasticsearch Fundamentals - 6 exercises
  • MCDA-104: SIEM 102: Basic ELK Security Searches - 5 exercises
  • MCDA-105: SIEM 103: Intermediate ELK Security Searches - 5 exercises
  • MCDA-106: SIEM 104: Building Dashboards - 3 exercises
  • MCDA-107: SIEM 105: Malware Analysis - 6 exercises
  • MCDA-201: Network Analysis - 5 exercises
  • MCDA-202: Network Security Analysis - 7 exercises
  • MCDA-203: Network Security Assessment - 11 exercises
  • MCDA-204: Documentation and Procedures - 4 exercises
  • MCDA-301: Incident Response Challenges - 9 exercises
  • MCDA-302: Network Forensics Challenges - 6 exercises
  • MCDA-303: Incident Response Playbooks - 5 exercises
  • MCDA-401: Scripting for Cyber Defense - 17 exercises
  • MCDA-402: Configuring GPOs for Cyber Defense - 8 exercises
  • MCDA-403: Using Playbooks for Cyber Defense - 7 exercises
  • MCDA-501: Hunting for threats with YARA - 20 exercises
  • MCDA-502: Hunting for threats with Pandas - 15 exercises
  • MCDA-503: Enabling Anomaly Detections - 12 exercises
  • MCDA-504: Analyzing Enterprise System Activity - 10 exercises
  • MCDA-505: Monitor New Threats and Vulnerabilities - 8 exercises
  • MCDA-506: Cyber Threat Mapping - 6 exercises
  • MCDA-507: Harnessing Threat Feeds - 8 exercises
  • MCDA-508: Creating Strategic Reports - 3 exercises
  • MCDA-509: Business Continuity Operations - 3 exercises


Cyber professionals must be ready for everything. The typical security training strategy, which focuses on individual skills and tools, is insufficient. You must be able to operate as part of a team, see the big picture, and respond swiftly and effectively to unforeseen circumstances. That's why, as part of our training, we use replays of whole cyber missions. Our scenarios help you prepare for the demands of the job and give you confidence in your ability to work professionally.

  • MCDA-SC-01: Business Email Compromise Investigation - 10 exercises
  • MCDA-SC-02: Ransomware Investigation - 7 exercises
  • MCDA-SC-03: Secure Code Reviews - 4 exercises

Enroll now with lifetime access for $1295


MCSI Industry Certifications are important for you to earn because they signify that you have the skills required to work in a cybersecurity. Certificates of Completion are also important to earn because they signify that you have completed an exercise. Earning Certificates of Completion and Industry Certifications demonstrates that you are willing to put in the extra work to be successful.




Obtain CPE points by solving exercises


Achieve multiple certifications


Receive help from instructors online

This certification is aligned with the DoD Cyber Workforce Framework (DoD 8140), ensuring you receive training that meets the standards and competencies required for cybersecurity roles within the Department of Defense. This alignment guarantees that you gain relevant, up-to-date skills and knowledge tailored to the specific needs of the DoD cyber workforce, effectively preparing you to support and secure defense operations.

Certificate Level Curriculum Completion Requirement Scenarios Completion Requirement
MCSI Cyber Defense Analyst (Basic) Level 1 50% 0%
MCSI Cyber Defense Analyst (Intermediate) Level 2 75% 50%
MCSI Cyber Defense Analyst (Advanced) Level 3 95% 100%

Sample Exercises

Below are three (3) exercises from the 100+ exercises available in MCDA - Certified Cyber Defense Analyst:

Utilize GrassMarlin To Map The Devices On Your Network


Perform Network Forensics Of A Machine Compromised With Eternal Blue


Write A PS Script To Turn On Windows Defender


Our Instructors

Student exercises are reviewed and graded by multiple instructors. This one-of-a-kind approach allows you to get highly personalized input from a number of successful professionals.

MCSI's teachers bring real-world experience and knowledge to the classroom, ensuring that students have the skills they need to excel in the field of information security. Due to their extensive experience in penetration testing, vulnerability assessment, reverse engineering, incident response, digital forensics, and exploit development, students will understand the most up-to-date defensive and offensive cybersecurity strategies and procedures.

Our instructors are passionate about information security and are always looking to further their own knowledge. Students who attend an MCSI course can be confident that they are learning from some of the best in the business. They can adapt their teaching approaches to match the demands of any student, regardless of their degree of expertise.

The MCSI team strives to provide the most comprehensive and up-to-date cybersecurity training available. Whether you are a seasoned security professional or new to the field, MCSI has a course that will meet your needs.

Receive personalized feedback from cybersecurity experts:

  • Overcome challenges and hurdles preventing you from advancing your skills
  • Receive guidance on how to focus your training efforts and avoid wasting time
  • Learn how to meet the industry's quality standards and produce high-quality work
  • When you're stuck, go to a support forum or ask inquiries to the instructors right on the platform

Help and Support

24/7 Discord Community

If you're looking for additional support during your studies, consider joining our Discord server. Our community of fellow students and instructors is always available to provide help and answer any questions you may have.

Personalized Support

Your submissions will be reviewed by MCSI instructors, who will provide you with personalized feedback. This input is critical since it can assist you in identifying the areas where you need to enhance your skills. The instructor's feedback will also tell you how well you did an exercise and what you can do to improve your performance even further.

Click here to see an example of personalized feedback.

Our personalized support will take your skills to the next level. Read what a student says about it:

Quick Questions

If you have any questions or need clarification on any of the exercises, MCSI offers a Quick Questions section on each exercise where you can ask for help. This is a great resource to use if you need assistance. This feature is only available for paid courses.

Actively Maintained Course

This course is actively maintained to ensure that it is current and error-free. We want to ensure that you have the best possible experience while taking this course, which includes having access to accurate and current information. This course is also tested for flaws on a regular basis, so you can be sure you're getting a high-quality product.

This course is constantly updated with the support of trustworthy industry peers to ensure that students are acquiring the most up-to-date information and skills. This dedication to staying ahead of the curve is what distinguishes this course as one of the greatest in the market.


Training Laptop Requirement

This course can be completed on a standard training laptop. To ensure you have the necessary hardware to complete the course, your machine should meet the following specifications:

  • 64-bit Intel i5/i7 2.0+ GHz processor or equivalent
  • 8GB of RAM
  • Ability to run at least (1) virtual machine using Virtual Box, or an equivalent virtualization software
  • Windows 10 or later, macOS 10 or later, or Linux
  • Local administrator privileges
Do you support older operating systems?

Yes. Many of the exercises can be completed on older OS versions. A few of our students are successfully using older equipment to learn cyber security.

Proficiency in the English language

You must have the ability to comfortably read and understand IT documentation written in English. Ideally, they have an IELTS score of 6.5 with no band less than 6 (or equivalent).

Note: You can register for this course without having undertaken an English test.

Lab Environment

This course teaches you how to setup and configure your own cybersecurity lab.

There are numerous advantages to creating your own cybersecurity lab rather than paying for one. The cost savings are perhaps the most evident benefit. When compared to the expense of licensing a pre-built lab, creating your own lab can save you thousands of dollars. You also have the option of customizing the lab environment to meet your specific requirements. You can, for example, select the hardware and software that will be used in your lab.

Another advantage of setting up your own cybersecurity lab is that it allows you to learn new skills. Building a lab from the ground up necessitates knowledge of networking, system administration, and other technical subjects. This experience is invaluable in your career as a cybersecurity professional.

We frequently see students who can complete a task in a pre-built lab but cannot complete the same task at work. This is because these labs are meant to lessen work complexity, thereby creating an illusion of personal capabilities. It's also worth noting that you'll be expected to set up your own lab to test tools and techniques in the workplace. Employers may give you the resources to set up virtual computers and networks, but it will be up to you to manage the lab environment and maintain your tools.

Finally, you should know that pre-built labs are not commonly licensed by top cybersecurity professionals. They've realized that setting up a lab is simple, efficient, adaptable, cost-effective, and that it sparks creativity. It also nullifies risk of performing unauthorized actions against systems provisioned by a third-party.

Aptitude Test (Optional)

This is an intermediate course. It includes exercises for novices but assumes that they have competent IT skills and a strong understanding of cybersecurity concepts.

Aptitude Test:

If you're not sure if you'll be able to fully enjoy this course, then contact us via email to organize a free aptitude test. This test will determine whether you meet the course's basic baseline criteria. If you've never studied with us before, it will also introduce you to the MCSI Method™.

Why MCSI's Certified Cyber Defence Analyst Certification is Exceptional

why MCSI

Comprehensive Cyber Defence Training

Holders of the MSDA Certification have completed an intensive training program focused on cyber defence strategies and tactics, including threat analysis, incident response, digital forensics, threat intelligence, and reverse engineering.

why MCSI

Deep Understanding of Cyber Threats

Certified Cyber Defence Analysts possess in-depth knowledge of cyber threats and attack vectors, enabling them to identify, analyze, and respond effectively to security incidents and breaches.

why MCSI

Proficiency in Cyber Defence Tools and Techniques

MCSI's Certified Cyber Defence Analyst certification equips professionals with advanced skills in using security tools, conducting threat hunting, and implementing defensive measures to protect critical IT infrastructure and data assets.

Enrollment and Fees


Terms and Conditions

  • No discounts
  • No refunds
  • No transfers
  • No renewal fees
  • No hidden fees
  • No time limits
  • Exercises must be completed on MCSI's Online Learning Platform
  • You'll also be charged GST if you live in Australia

Cooling-Off Policy

Received a full refund if you changed your mind about a purchase within 24 hours. No questions asked. Read the full details here.

Don't Buy This Course

Don't buy this course if you think learning cyber security is simple, that it will only take a few hours, that remembering a few concepts from videos and books would be enough, or, that you should be provided with walkthroughs and solutions to practical problems instead of thinking critically for yourself.

Our competitors are misleading you by claiming that their video courses and open-book theoretical certificates will teach you everything you need to know about cyber security. We recommend that you stay away from our courses until you've realized that cybersecurity requires hundreds of hours of training against difficult challenges under the watchful eye of experts encouraging you to improve your weaknesses. Only then will you understand the value of this course and the benefits that the MCSI Method™ can bring to your career. We only want satisfied customers.

When purchasing a course, you acknowledge that you understand and agree with our 100% practical MCSI Method™: no solutions, no walkthroughs, and you're expected to use critical thinking and research to solve the exercises. If you're not sure how this work, try our free version before buying.

How does MCSI Compare?

If you are looking for a certification that will give you an edge in the job market, look no further than MCSI certifications. Thanks to our innovative approach, cybersecurity training is more affordable and effective than traditional methods.

Our pricing is more affordable than our competitors because we have reinvented how cyber training is done online. Our innovative Online Learning Platform is highly effective at teaching cyber security. The platform provides a more engaging and interactive learning experience than traditional methods, which helps students learn and retain skills better. Try the free version and see for yourself.

Enroll now with lifetime access for $1295

Bloom's Taxonomy

Bloom's Taxonomy is a system for categorizing distinct stages of intellectual growth. It is used in education to assist students comprehend and learn material more effectively. MCSI teaches students how to apply, analyze, evaluate, and create at the highest levels of the taxonomy. The majority of our competitors are simply concerned with getting you to remember concepts.

The intellectual developments outlined in Bloom's Taxonomy are directly tied to your capacity to advance in your cyber security career. Employers look for people who can solve challenges that are worth paying for. With us, you'll learn practical skills that are in demand and applicable to a wide range of cyber occupations.

Industry Recognized Skills

MCSI credentials are well-respected around the world, and organisations searching for people with real cyber security abilities seek them out. Obtaining an MCSI certification verifies your understanding of critical cyber security topics as well as your ability to provide real-world results.

The ability of MCSI's training programme to give students with real-world, hands-on experience is unrivalled. Students must conduct their own research and develop their own answers in order to complete our practical exercises, which are meant to give them the skills they need to be successful in the field.

With MCSI, you will build a comprehensive cybersecurity portfolio of your skills as you complete exercises. This portfolio is a powerful tool for displaying your cybersecurity knowledge and abilities. A portfolio, as opposed to typical resumes and paper-based credentials, presents a more thorough summary of your skills and accomplishments.

Students Feedback

Here's what students say about the MCSI Method™ and our Online Learning Platform:

Student Testimonials

Frequently Asked Questions

What is the MCSI Method™?

Common Questions

  • Are solutions included in certifications and bundles?
    • No. Our method of teaching cyber security consists of challenging you with real-world problem statements that you're expected to research and solve by doing your own research. This is how you'll be expected to work in the field. When you fail an exercise, we provide you with constructive feedback to improve and try again.
  • Do bundles, training content, or certificates ever expire? Am I expected to buy again in the future?
    • Upon purchase, bundles and certificates are permanently unlocked with no recurring or ongoing fees.
  • Do I need to buy the training and the certification separately?
    • No. The price provided covers both. You only pay once.
  • Do you offer any special offers and discounts?
    • We understand that many of our customers may be looking for discounts, and we would love to be able to offer them. However, we do not provide discounts because we believe that our prices are fair and reasonable. We work hard to keep our prices low, and we feel that discounts would be unfair to our other customers. We hope you understand.
  • If I can't solve the exercise where do I go for help?
  • Who reviews and marks exercises?
    • Trained cyber security instructors that work for Mossé Cyber Security Institute.
    • MCSI instructors are highly qualified and experienced professionals who are able to teach a variety of topics related to information security. They have the ability to tailor their teaching methods to meet the needs of each student, regardless of their experience level. In addition, they are always up-to-date on the latest trends and developments in information security, which enables them to provide students with the most relevant and current information.
  • We can't pay via credit card. Can you raise an invoice for wire payment instead?
    • Yes. Send us the list of bundles and certifications you want to purchase at [email protected]
  • Can I access a trial/demo the certification programmes prior to enrolling?
    • We provide a free curriculum with 100+ hours practical exercises you can try.
    • The Free Curriculum teaches Security Tools, Penetration Testing, Red Teaming, Threat Hunting, Cyber Defence, GRC and Windows Internals.
    • Try the Free Curriculum
  • Do you provide Continuing Professional Education (CPE) credits?
    • Yes. Every single exercise offers CPE credits. The number of credits earned depends on the difficulty of the exercise completed. Below are the CPE Credits achieve for an exercise in each difficulty:
    • Novice exercises = 1 CPE credits
    • Advanced Beginner exercises = 2 CPE credits
    • Competent exercises = 5 CPE credits
  • Do I need to complete an exam to receive MCSI Certification?
    • No. MCSI Certifications are completed by solving practical cybersecurity exercises.
  • Do I need to purchase cybersecurity tools or subscriptions?
    • No. Only free or trial versions are used in our exercises. You do not require making any purchases.

More Kind Words from Students

Enroll now with lifetime access for $1295


We'll respond within 24 hours

Visit our Frequently Asked Questions (FAQ) page for answers to the most common questions we receive.

Ready to learn hands-on cyber security skills online?

Try 100 hours for free