IOC vs TTP Monitoring and Detection
RCCE students will learn the distinction between Indicators of Compromise (IOCs) and Tactics, Techniques, and Procedures (TTPs), and how each type of intelligence drives different detection and response strategies. RCCE students will learn to collect, analyze, and operationalize both IOCs and TTPs, understand the relative longevity and value of each intelligence type using the Pyramid of Pain framework, develop IOC-based detection rules for rapid response and TTP-based detections for resilient defense, integrate both intelligence types into SIEM and EDR platforms, prioritize detection investments, and produce intelligence products that combine IOC and TTP analysis. This monitoring course teaches comprehensive detection and observability strategies for proactive security operations. At an expert level, RCCE students will learn to instrument systems for security telemetry, build detection pipelines, configure alerting, and maintain monitoring coverage as environments evolve. Students gain the visibility and detection capabilities needed to catch threats early.
- Security Engineers building defensive controls
- Security Analysts and Blue Team members
- Systems Administrators with security responsibilities
- GRC and Risk Professionals supporting controls
- Professionals implementing IOC vs TTP Monitoring and Detection
- Monitor and audit privilege usage; detect escalation attempts
- Explain Course Overview fundamentals
- Execute hands-on tasks for learning objectives — covering Distinguish IOCs from TTPs in operations, Apply Pyramid of Pain framework.
- Execute hands-on tasks for distinguish iocs from ttps in operations — covering Apply Pyramid of Pain framework.
- Execute hands-on tasks for course scope — covering Security telemetry instrumentation, Detection pipeline construction.
- Execute hands-on tasks for target outcome — covering Produce intelligence combining IOC and TTP analysis, Prioritize detection investments by intelligence value.
- Execute hands-on tasks for produce intelligence combining ioc and ttp analysis — covering Prioritize detection investments by intelligence value.
- Execute hands-on tasks for what is an ioc? — covering Observable artifact indicating a security breach.
- Execute hands-on tasks for very low
- Build detections and response workflows for privilege escalation
- Execute hands-on tasks for what are ttps? — covering Adversary behavior patterns describing how attacks are conducted, Mapped to MITRE ATT&CK framework for standardization.
- Execute hands-on tasks for ioc characteristics — covering Point-in-time evidence of compromise, Easy to change and rotate by adversary.
| Module 01 | IOC vs TTP Monitoring |
| Module 02 | Course Overview |
| Module 03 | Learning Objectives |
| Module 04 | Distinguish IOCs from TTPs in operations |
| Module 05 | Course Scope |
| Module 06 | Target Outcome |
| Module 07 | Produce intelligence combining IOC and TTP analysis |
| Module 08 | What is an IOC? |
| Module 09 | Very Low |
| Module 10 | Detection Value |
| Module 11 | What are TTPs? |
| Module 12 | IOC Characteristics |
| Module 13 | TTP Characteristics |
| Module 14 | Network/Host Artifacts |
All hands-on labs run on Rocheston Rose X OS. Students practice ioc vs ttp monitoring and detection by implementing the controls discussed in class, with a focus on real-world deployment, monitoring, and validation.
- Lab 1: Monitor and audit privilege usage; detect escalation attempts
- Lab 2: Explain Course Overview fundamentals
- Lab 3: Execute hands-on tasks for learning objectives
- Lab 4: Execute hands-on tasks for distinguish iocs from ttps in operations
- Lab 5: Execute hands-on tasks for course scope
Upon successful completion of this course, students will receive an official RCCE Course Completion Certificate for IOC vs TTP Monitoring and Detection, verifiable through the Rocheston certification portal.
- Full access to all course materials and slide decks
- Hands-on lab access on Rocheston Rose X OS environment
- Access to Rocheston CyberNotes
- Access to Rocheston Zelfire — EDR/XDR SIEM platform
- Access to Rocheston Raven — online cyber range exercise platform
- Access to Rocheston Vulnerability Vines AI