IOC vs TTP for Beginners
RCCE students will learn the distinction between Indicators of Compromise (IOCs) and Tactics, Techniques, and Procedures (TTPs), and how each type of intelligence drives different detection and response strategies. RCCE students will learn to collect, analyze, and operationalize both IOCs and TTPs, understand the relative longevity and value of each intelligence type using the Pyramid of Pain framework, develop IOC-based detection rules for rapid response and TTP-based detections for resilient defense, integrate both intelligence types into SIEM and EDR platforms, prioritize detection investments, and produce intelligence products that combine IOC and TTP analysis. Designed for students with no prior experience in this area, this course builds knowledge from the ground up with clear explanations, guided demonstrations, and progressive skill-building. Starting from foundational concepts, RCCE students will learn core concepts through practical examples that connect theory to real-world security operations. By completion, students will have the foundational knowledge and hands-on confidence needed to contribute in professional cybersecurity roles.
- Security Engineers building defensive controls
- Security Analysts and Blue Team members
- Systems Administrators with security responsibilities
- GRC and Risk Professionals supporting controls
- Professionals implementing IOC vs TTP for Beginners
- Explain Course Overview fundamentals
- Explain IOC Foundations fundamentals
- Integrate privilege controls with identity providers and SIEM telemetry, including TTP Foundations.
- Execute hands-on tasks for what is threat intelligence?
- Execute hands-on tasks for two core intelligence types — covering Observable artifact of an attack, Examples: IP, hash, domain, URL, Describes how adversaries operate.
- Execute hands-on tasks for ioc (indicator of compromise) — covering Observable artifact of an attack, Examples: IP, hash, domain, URL.
- Execute hands-on tasks for ttp (tactics, techniques, procedures) — covering Describes how adversaries operate, Maps to MITRE ATT&CK framework.
- Execute hands-on tasks for file hash
- Execute hands-on tasks for tactics, techniques & procedures defined
- Execute hands-on tasks for tactics (why)
- Execute hands-on tasks for techniques (how)
- Execute hands-on tasks for procedures (details) — covering Adversary's tactical goal.
| Module 01 | Course Overview |
| Module 02 | IOC Foundations |
| Module 03 | Integration & Operations |
| Module 04 | What Is Threat Intelligence? |
| Module 05 | Two Core Intelligence Types |
| Module 06 | IOC (Indicator of Compromise) |
| Module 07 | TTP (Tactics, Techniques, Procedures) |
| Module 08 | File Hash |
| Module 09 | Tactics, Techniques & Procedures Defined |
| Module 10 | Tactics (Why) |
| Module 11 | Techniques (How) |
| Module 12 | Procedures (Details) |
| Module 13 | Persistence, Exfiltration |
| Module 14 | DLL Side-Loading, Keylogging |
All hands-on labs run on Rocheston Rose X OS. Students practice ioc vs ttp for beginners by implementing the controls discussed in class, with a focus on real-world deployment, monitoring, and validation.
- Lab 1: Explain Course Overview fundamentals
- Lab 2: Explain IOC Foundations fundamentals
- Lab 3: Integrate privilege controls with identity providers and SIEM telemetry
- Lab 4: Execute hands-on tasks for what is threat intelligence?
- Lab 5: Execute hands-on tasks for two core intelligence types
Upon successful completion of this course, students will receive an official RCCE Course Completion Certificate for IOC vs TTP for Beginners, verifiable through the Rocheston certification portal.
- Full access to all course materials and slide decks
- Hands-on lab access on Rocheston Rose X OS environment
- Access to Rocheston CyberNotes
- Access to Rocheston Zelfire — EDR/XDR SIEM platform
- Access to Rocheston Raven — online cyber range exercise platform
- Access to Rocheston Vulnerability Vines AI