Hunt The Hacker

" Hunt The Hacker " A practical training that teaches attendees how to discover hackers that have bypassed existing security mechanisms, and are now operating invisibly within the internal network. Brought to you by professional hackers!

Course duration : 2 days of instruction, predominantly in the form of hands-on hunting labs.

Group size : 12 participants maximum

Target audience : Everybody who needs to know more about what threat hunting is, why it is necessary, what is required to start doing it, and how it should be done. Appropriate roles include: CISOs, Security Managers, SOC staffers, Incident Responders, Forensic Analysts and System Administrators.

Pre-requisites : To maximize value to the attendee, prior HOHE participation is highly recommended, but not mandatory.

Price : 2 days, 1200 EUR + VAT

Next public training courses

Contents of the course

Participants learn how to hunt hackers within our Windows and Linux lab network, using a range of highly effective threat hunting technologies and techniques, looking for real life attacks.

Technologies used:

Sysmon : Sysmon is the go-to solution for hunters working with Windows machines, and is the technology that Microsoft itself uses to hunt hackers within their own networks.

Elastic stack, formerly “ELK” : The Elastic Stack is a suite of mature open source technologies that is popularly used for hunting by big name companies. The principles that are taught in this course using the Elastic Stack are also more generally applicable to other data lake products such as Splunk, Sumo and others.

Elastic Security : The Elastic Security adds SIEM and Endpoint security capabilities to Elastic stack and enables threat hunters to collect data, detect anomalies, respond to threats, analyse and correlate large number of datapoints all in one ecosystem.

Osquery : Osquery is an infrastructure monitoring framework created by Facebook. Osquery enables low-level operating system monitoring by exposing the operating system as a high-performance relational database which can be easily queried using SQL syntax.

Hunting techniques:

Known bad : Students will learn how to research and develop hunts for known indicators of attack.

Known good : Students will learn how to “find evil by knowing normal”, using various processes of elimination to reduce a set of raw collected data down to “not known good”. Students will then determine through investigation whether the remaining data constitute indicators of attack or benign in nature. Benign items are labeled as “known good” so that they need not be investigated again.

Outliers : Outlier detection is the “power technique” of threat hunting. Students will learn how to leverage statistical analysis in order to force anomalies in large-scale sets of data to become apparent, which will commonly highlight indicators of attack.

It is important to note that although this course focuses on Linux and Windows endpoints, the building-block technological capabilities and hunting principles are equally applicable on MacOS and others.


Trainers are Karl Raik and Taavi Sonets and Allar Viik .

Karl Raik Karl Raik

Karl joined the team in September 2015 as a Web application pentester. His previous work experience consists mainly of Web Application development. He holds a M.Sc. degree in Cyber Security from Tallinn University of Technology. He wrote his masters thesis about improving Web Attack Campaign overview in Cyber Defense Exercises.
Karl is a trainer of our Hands-on Hacking Essentials (HOHE) course, Hands-on Hacking Advanced (HOHA) course and Hunt The Hacker (HtH) course.

Taavi Sonets Taavi Sonets

Taavi joined the team in April 2015 as a Web application pentester. His previous work experience consists mainly of Web Application development. He holds a M.Sc. degree in Cyber Security from Tallinn University of Technology. He wrote his masters thesis about improving User Simulation Team Workflow in the Context of Cyber Defense Exercise. Taavi is a trainer of our Hands-on Hacking training series (HOHE, HOHE FU, HtH, HOHA).

Allar Viik Allar Viik

Allar joined the team in February 2021. He is a multi-functional specialist with a background in Devops, red teaming, training and cyber exercise development. His previous work has mainly been in the public sector where he has been a part of IT projects in and outside of Estonia. Before joining the team Allar was one of the lead developers for Locked Shields & Crossed Swords exercises. Allar is a trainer of our Hunt The Hacker (HtH) course.

Training methods

The trainers engage participants with lectures, live demonstrations and Q&A sessions. Each participant spends the majority of their time performing a wide variety of hands-on hunts.

Intended outcome

Participants will understand what threat hunting is, be utterly convinced of the need for it, know what infrastructure is required to facilitate it, and be able to start doing it with confidence within their own organizations.

Training environment

The training environment is a remotely accessed lab that can be used by participants anywhere in the world as long as VPN connection via decent Internet connectivity is viable. The hunting lab is hosted on Clarified Security's own virtualized infrastructure. Each student has their own account on the shared hunting infrastructure.


We can deliver on-site at group pricing anywhere in the world where decent Internet connection is available. Ask us for the group pricing or for times and locations of our public courses. Public groups are currently available directly or via partners in Estonia: BCS Koolitus , Äripäeva koolitused, Nordic Koolitus .