CyberDefenders
CyberDefenders is a security blue team training platform for SOC analysts, threat hunters & DFIR pro.
05/14/2026
A question every security leader should ask their team:
When did you last train against an attack that looked completely normal, until it wasn't?
Not a phishing simulation. Not a compliance drill.
A real adversary chain: identity abuse, cloud pivoting, AI supply chain compromise, and a destructive wiper; all in a single engagement.
That's what we built for Locked Shields 2026. We're announcing that CyberDefenders is an official scenario design partner for NATO CCDCOE Locked Shields 2026, the world's most demanding live-fire cyber defense exercise.
Teams that worked through our scenario didn't just learn techniques. They learned where their visibility actually ends , not where they assumed it did. They discovered which assumptions in their Conditional Access policies and IAM boundaries hold under adversarial pressure, and which ones collapse in minutes.
Closing that gap is exactly why we exist: https://f.mtr.cool/rkqunvakvq
05/13/2026
3 questions every SOC alert must answer before an analyst moves on. π
Is this real? How serious is it? What do we do next?
Simple questions, but without a structured process, most teams answer them inconsistently.
That inconsistency is where threats slip through. We just published a comprehensive guide to the SOC alert triage process, covering each of the 7 stages with the specific actions, tools, and decision criteria that drive accurate outcomes. π΅οΈ
Whether you're building a SOC from scratch or refining an existing workflow, this is your reference.
π Read the full article: https://f.mtr.cool/brzksboqon
05/12/2026
New Lab Drop: CodeFreeze - Endpoint Forensics π§
After completing the Lab, you'll learn how to:
β
Reconstruct a complete attack timeline from endpoint artifacts.
β
Identify attacker persistence using Windows registry analysis.
β
Detect credential exfiltration through Git and browser forensics.
β
Correlate event log data to map the full kill chain.
This is the lab that builds the skills hiring managers are actually looking for in DFIR roles. π§βπΌ
Investigate here: https://f.mtr.cool/auktntsolc
05/11/2026
Most SOC teams aren't protecting the things attackers actually want.
They're watching the front door while the attacker has already been sitting in the living room for six weeks. π
Inside the full article, you'll find:
β The attacker's priority stack, and where your detection coverage should actually sit.
β The behavioral indicators you're probably missing right now.
β Why patient attackers are invisible to most SIEM logic, and what to do about it.
π Read the full blog: https://f.mtr.cool/mkampopsnf
05/10/2026
We just published a step-by-step technical case study walking you through exactly how SOC analysts should investigate and respond to an M365 cloud compromise. π»
Inside the case study, you'll learn how to:
β
Analyze mailbox audit logs to build an attack timeline
β
Detect OAuth token abuse and suspicious app consent
β
Identify thread hijacking and executive impersonation techniques
β
Contain and remediate the incident with confidence.
Whether you're a junior SOC analyst or a seasoned IR professional, this is the kind of hands-on, log-level detail that sharpens your investigative instincts. Stop reading theory. Start practicing with real-world scenarios.
π Read the full case study now β https://f.mtr.cool/fdsxeyivjd
05/07/2026
Attackers donβt behave the same way in theory vs reality. π΅οΈ
Honeypots expose the difference.
From:
- Initial access attempts.
- Credential abuse.
- Lateral movement patterns.
You get actual attacker behaviorβ¦ not assumptions. π
Thatβs gold for tuning detections in a SOC.
π Check the full guide: https://f.mtr.cool/efunjljtac
05/06/2026
Most AWS breaches donβt start with βhacking the cloudββ¦ βοΈ
They start with misconfiguration + identity abuse.
Minimum baseline:
πΉ CloudTrail β API activity
πΉ VPC Flow Logs β network visibility
πΉ CloudWatch β service telemetry
Without these, incident response in AWS becomes guesswork. π
π Check the Full AWS Guide: https://f.mtr.cool/tlnwlctgrc
05/05/2026
Your CSPM covers your cloud. Your EDR covers your endpoints.π
Neither covers your developers' IDE plugin ecosystem. π§βπ»
CursorJack Lab is a hands-on scenario built around exactly that blind spot, an MCP-based compromise of a Cursor IDE install leading to multi-region cloud takeover and on-chain exfiltration.
Built for cloud security engineers who want to understand this attack surface before it shows up in their queue. βοΈ
π Investigate Now: https://f.mtr.cool/dmkkuquxup
05/04/2026
VPN logs are one of the fastest ways to spot compromised credentials.
Why? Because attackers donβt always exploit vulnerabilitiesβ¦ they log in. π
Look for:
πΉ Impossible travel (geo anomalies)
πΉ Logins outside baseline hours.
πΉ New device fingerprints.
A valid VPN session β a legitimate user.
π Check this Full VPN guide: https://f.mtr.cool/wngotkjsyl
05/03/2026
π New case study released.
Topic: USB Device Alert Investigation on Corporate Endpoints. π»
This is a full investigation playbook covering:
β¦ Insider threat exfiltration detection
β¦ USB-borne malware and HID emulation identification
β¦ Evidence collection across EDR, Windows Event Logs, DLP, and SIEM
β¦ Splunk and KQL query patterns
β¦ Escalation path including Legal coordination
Written as working SOC documentation. No definitions, no theory, just the investigation workflow. π΅οΈ
π https://f.mtr.cool/cejkaaoupb
SOC Simulator: USB Insider Threat Detection Practical SIEM queries for USB investigations using Splunk & Microsoft Sentinel KQL. Covers CrowdStrike telemetry, log correlation, and removable media threats.
Click here to claim your Sponsored Listing.