Threat hunting Incident Handling
RCCE students will learn proactive threat hunting methodologies including hypothesis-driven hunting, data-driven hunting, intelligence-driven hunting, and hunt team operations. RCCE students will learn to develop threat hunting hypotheses based on MITRE ATT&CK techniques, design hunting queries across SIEM, EDR, and network data, identify indicators of compromise and attacker behavioral patterns, distinguish normal from anomalous activity in complex environments, document and share hunting findings, convert successful hunts into automated detections, and build threat hunting programs that continuously improve organizational detection capabilities. This incident response course prepares students to act decisively during security incidents with structured workflows and clear decision frameworks. Building on core knowledge, RCCE students will learn containment, evidence collection, eradication, and recovery procedures specific to this domain. Students practice incident scenarios that build the composure, coordination, and documentation skills essential for effective incident handling.
- SOC Analysts and Incident Responders
- Detection Engineers and SIEM Content Authors
- Threat Hunters improving adversary coverage
- Security Operations Team Leads
- Professionals implementing Threat hunting Incident Handling
- Execute hands-on tasks for threat hunting &
- Execute hands-on tasks for incident handling
- Execute hands-on tasks for threat hunting goals
- Execute hands-on tasks for incident handling goals — covering What You Will Build.
- Execute hands-on tasks for threat hunting fundamentals
- Execute hands-on tasks for what is threat hunting?
- Execute hands-on tasks for why hunt? — covering Proactive search for threats, Dwell time averages 10+ days.
- Build detections and response workflows for privilege escalation, including Proactive search for threats, and Dwell time averages 10+ days.
- Design a scalable privilege management architecture with policy and enforcement
- Execute hands-on tasks for hypothesis-driven hunting
- Execute hands-on tasks for core concept — covering Start with a testable hypothesis, Based on threat intel or ATT&CK.
- Execute hands-on tasks for hypothesis template — covering IF adversary uses [technique], THEN we expect [observable].
| Module 01 | Threat Hunting & |
| Module 02 | Incident Handling |
| Module 03 | Threat Hunting Goals |
| Module 04 | Incident Handling Goals |
| Module 05 | Threat Hunting Fundamentals |
| Module 06 | What Is Threat Hunting? |
| Module 07 | Why Hunt? |
| Module 08 | Hunting vs Detection |
| Module 09 | Hunting Maturity Model |
| Module 10 | Hypothesis-Driven Hunting |
| Module 11 | Core Concept |
| Module 12 | Hypothesis Template |
| Module 13 | Building Effective Hypotheses |
| Module 14 | Strong Hypothesis Traits |
All hands-on labs run on Rocheston Rose X OS. Students practice threat hunting incident handling by implementing the controls discussed in class, with a focus on real-world deployment, monitoring, and validation.
- Lab 1: Execute hands-on tasks for threat hunting &
- Lab 2: Execute hands-on tasks for incident handling
- Lab 3: Execute hands-on tasks for threat hunting goals
- Lab 4: Execute hands-on tasks for incident handling goals
- Lab 5: Execute hands-on tasks for threat hunting fundamentals
Upon successful completion of this course, students will receive an official RCCE Course Completion Certificate for Threat hunting Incident Handling, verifiable through the Rocheston certification portal.
- Full access to all course materials and slide decks
- Hands-on lab access on Rocheston Rose X OS environment
- Access to Rocheston CyberNotes
- Access to Rocheston Zelfire — EDR/XDR SIEM platform
- Access to Rocheston Raven — online cyber range exercise platform
- Access to Rocheston Vulnerability Vines AI