Cyber Security Courses

Threat Hunting Master Course

Mossé Cyber Security Institute teaches students a unique approach to threat hunting based on data science, active deception and the development of custom intrusion detection tools.

In this five-day master course, students will learn how to hunt for threat actors on large scale computer networks. No prior knowledge in incident response, threat hunting, reverse engineering or malware analysis is required prior to attending this course. Detailed step-by-step instructions will be given, and students will leave this course with practical skills to hunt for attackers on their networks, or their clients’ networks.

Our approach to teaching Threat Hunting is to teach the fundamental concepts and strategies that can be used to detect threat actors on any operating systems and types of networks. In this way, we ensure that our students can immediately apply the techniques they have learnt, and rapidly build upon their skills to hunt for more complex attack techniques.

Theoretical knowledge makes up 40% of the course content, and 60% is devoted to practical exercises. At the end of the course, a Threat Hunting exercise is conducted that can be reproduced at your workplace.


You will learn strategies and tactics to deliver threat hunting campaigns on large scale computer networks:

  • The threat hunting process and how to build a threat hunting team
  • Key Windows internals knowledge for threat hunting
  • How to use data science to hunt for adversaries on large networks
  • Search for indicators of compromise (IOCs) across the entire kill chain
  • Build your own compromise assessment tools
  • Build your own real-time endpoint detection and response tool
  • Rapidly reverse-engineer malware
  • Extract indicators of compromise on the network and the endpoints
  • Rapidly respond and contain intrusions

Intended Audience

Newcomers to the IT security industry, security analysts, threat hunters, incident responders, malware analysts, security engineers, and forensics analysts.


This course is taught by experienced Mossé Security’s instructors. Our instructors have over 10 years of experience delivering penetration testing, red teaming and incident response services for a multitude of industries that have involved complex and multi-faceted approaches. Our instructors each possess the right balance of corporate experience and are competently skilled in presenting and teaching to groups.

Beyond their technical abilities and years of professional experience, our instructors are also trained teachers and public speakers. Their manner of teaching easily conveys their passion for computer security to every one of our students.

Course Outline

Module 1: Introduction

We begin the class with a lecture and open discussion about Threat Hunting. MCSI will answer the most commonly asked questions about Threat Hunting:

  • What is Threat Hunting?
  • How do we get business buy-in to invest in Threat Hunting?
  • What are the main approaches to Threat Hunting?
  • What’s a sound Threat Hunting methodology?
  • What skills do you need to have to be a proficient Threat Hunter?
  • How do we build a team that does Threat Hunting?
  • What documentation and deliverables do we need to generate?
  • What are the main challenges that Threat Hunters face?
  • How do we demonstrate a return-on-investment?

Module 2: Windows Internals

In this module, we impart all the fundamental Operating System concepts Threat Hunters need to master to deliver Threat Hunting engagements in Windows network environments:

  • User-land vs. kernel-land
  • Processes, threads, services and drivers
  • The registry
  • The file system
  • Event logs
  • Users and groups
  • Access tokens
  • Schedules tasks
  • Active Directory
  • Windows Management Instrumentation
  • Networking
  • Command execution and scripting

Module 3: Modelling Cyber Adversaries

We use the MITRE ATT&CK Matrix to create a shared language between security team members to communicate about threat actors, attack techniques, tactics and procedures (TTPs). Then, we present multiple case studies of network intrusions and map attacker TTPs to the MITRE Matrix to design threat hunts.

  • Animal Farm
  • APT28
  • Equation Group
  • Project Sauron

Module 4: Threat Hunting using Python

MCSI teaches how to use Python and its data science libraries (Pandas and Parquet) to hunt for intrusions in large-scale datasets generated by enterprise digital forensics tools.

  • Jupyter Notebook
  • Apache Parquet
  • Dataframes
  • Pandas

In this module, you will practice against three training datasets: an entry-level one with 50 machines, two beyond beginner one with 200 and 500 machines.

By the end of this module, we will be ready to perform threat hunts in small-scale networks.

Module 5: Structured Root Cause Analysis

Threat Hunters are bound to find anomalies on networks that no one has ever documented on the Internet. Thus, we will equip you with a robust structured root-cause analysis methodology that will help you troubleshoot, investigate and rapidly come to a conclusion on suspicious items.

  • Limitations of intuition and random Googling
  • Switching to a structured approach
  • Clarifying the fault/problem/suspicious item
  • Top 9 questions to answer about any incident
  • Hypothesis generation and testing

Module 6: Intermediate Exercise

For three (3) hours you will be tasks with applying all the knowledge, concepts, tools and techniques imparted in the course so far on a dataset with 1000 machine, 1000+ domain users, false positives and real threat actors. At the end of this cyber wargame, the instructor will lead a formal debriefing learning session to mentor all students on areas they could improve on.

Module 7: Rapid Malware Analysis

MCSI teaches a rapid reverse-engineering methodology to help threat hunters validate whether suspicious binaries are malware or not. Even people who have never done any reverse engineering before will be able to perform basic malware analysis tasks after undertaking this module.

  • Different purposes for reverse engineering binaries
  • Rapid binary invalidation techniques
  • Reverse engineering using graphs
  • Using annotations, structured documentation, and code similarities

Module 8: Rapid Incident Response

In medium and large-scale network environments, Threat Hunters are bound to regularly discover security incidents. Luckily, not all these incidents will be major breaches, and thus, MCSI will impart you with a rapid incident response methodology to quickly investigate, resolve and recover from security events.

  • Communication protocols to handle an incident
  • Digital forensics tools for Windows
  • Understanding the impact of the intrusion
  • Denying the adversary future access into the network environment
  • Writing an incident analysis report
  • Proposing a cyber security uplift plan to prevent future intrusions that follow the same attack campaign

Module 9: Threat Intelligence

We end the course by imparting you with techniques to produce your own threat intelligence based on materials captured from incident response and threat hunting.

  • The different types of threat intelligence that can be produced
  • The most valuable type of threat intelligence for private sector organization
  • Using structured approaches to producing intelligence that’s meaningful and impactful
  • Preparing a threat intelligence “product” for your organization

The final Threat Hunting exercise will require you to analyse a dataset of 5000 machines compromised by an adversary that uses tradecraft similar to FIN7 and produce a threat intelligence report to help an imaginary organization make cyber security investments and divestments.

Enrollment & Fees


  • Ticket: $3,500 USD

Terms and Conditions

  • Payment is made via our booking system or by contacting us to receive an invoice.
  • Payment is required at the time of booking.
  • Cancellation notifications within 14 days of the course's start date are not eligible for refund.
  • Cancellations received between 15 and 28 days prior to course commencement will be charged 50% of the course fee.
  • Students are allowed 1 reschedule per class. Transfers received between 15 – 28 days prior to course commencement will be charged a $300 (incl GST) administrative fee. The new session date must be given at the time of the reschedule notification and rescheduled classes must be taken within 6 months of original scheduled date.
  • Transfers received 14 days or less prior to course commencement will be charged 50% of the course fee. The new session date must be given at the time of the reschedule notification and rescheduled classes must be taken within 6 months of original scheduled date.
  • Payment must be made in full prior to any rescheduling.
  • Student substitutions can be made in writing 48 hours prior to a class start.
  • If a student does not attend a scheduled session, there will be no refund or reschedule given. Payment is forfeited. Mossé Security reserves the right to cancel a course and will endeavour to provide participants with as much notice as possible. Upon cancellation, any fees already paid by the participant will be refunded.


Recommended Study

We recommend that you read about the Windows components listed under Module 2 “Windows Internals”. Even if those components will be covered in detailed during the course, studying them prior to the course will make it a lot easier for you to understand every other module in the class.

Software Requirement

Bring a laptop running the Windows or UNIX operating system with the OpenVPN or Tunnelblick client to connect into our training lab in the cloud.

Career Outcomes

Students who have completed the Threat Hunting Master Course from MCSI design and execute threat hunting engagements in large scale enterprise networks to discover cyber adversaries that have evaded and bypassed security defenses.

Certification Detail


Notify me when this course is offered next

Visit our Frequently Asked Questions (FAQ) page for answers to the most common questions we receive.