Threat Hunting
Threat Hunt Tabletop: Lateral Movement
A guided tabletop with injected clues: map hypotheses to observable data, and practice narrating dead ends as well as hits.
- Duration: 12 hours live over 4 sessions
- Format: Live workshops
- Tuition (informational): ₩520,000
Tuition is informational on this static site. Operational agreements happen offline with your procurement team.
Inside the lab
You sit in a facilitated hunt session where each round adds new telemetry cards. The goal is not to win quickly but to show how you would disprove or support a hypothesis with the next query. Includes a short segment on writing hunt briefs your team can reuse.
What you practice
- Facilitator script with timed reveal cards
- Hypothesis whiteboard export
- Sample hunt briefs from prior cohorts (anonymized)
- Breakout rooms for pair reasoning
- Threat intelligence analyst office hours
Outcomes
- Document at least three falsifiable hypotheses per scenario
- Explain a negative result without sounding apologetic
- Leave with a hunt brief skeleton you can adapt internally
Amara Osei
Threat intelligence analyst who coaches hypothesis-first hunting language.
FAQ
Blue-team focused. We discuss attacker moves only as they appear in telemetry you can query.
Sessions are recorded for seven days; we recommend attending live for the card reveals.
No production data imports; all clues are authored for the exercise.
Experience notes
“Dead-end narration was the hardest skill and the most useful. Our internal hunts now include a 'what we ruled out' slide.”
“Fast-paced but fair. One scenario felt slightly stacked toward DNS exfil—still good practice.”