Producción betaLa plataforma está en fase de pruebas y transformación continua. Puedes subir cursos y usar el campus con normalidad; disculpa cualquier ajuste temporal mientras consolidamos la experiencia.
Designed for people who want to enter or grow inside a modern SOC. We work with realistic telemetry, alert investigations, triage, containment, and incident communication.
8 weeks Intermediate 22 July 2026 Diego R. - Incident responder 620 USD
SOCBlue Team Elite
Program outcome
You will be able to analyze alerts, create threat hypotheses, and produce reusable defensive playbooks.
Learning objectives
Understand the professional objective of the course and its ethical boundaries.
Apply an ordered methodology before running tools.
Work with safe labs and reproducible evidence.
Separate noise, valid findings, impact, and recommendation.
Prepare clear and defensible technical deliverables.
Communicate results to technical and non-technical audiences.
High-level syllabus
Foundations of defensive operations and the incident life cycle.
Endpoint, network, identity, and application telemetry.
SIEM queries, event correlation, and false-positive reduction.
Threat hunting based on MITRE ATT&CK.
Initial forensics, timeline, and evidence preservation.
Playbooks, lessons learned, and continuous improvement.
Included labs
Suspicious sign-in investigation.
Detection of simulated lateral movement.
Crisis table with executive report.
Guided path for inexperienced students
The course is prepared so a student without professional experience can progress through short exercises, guided examples, and evidence reviews.
Week 0 - Arranque guided
Prepare the environment, vocabulary, and expectations without initial friction.
Validate campus access.
Create the note structure.
Review ethical rules and scope.
Complete the orientation practice.
Expected result: The student knows how to study and how to submit evidence.
Bloque 1 - Foundations aplicados
Turn minimum theory into observable actions.
Read short examples.
Complete guided checklists.
Compare good and poor evidence.
Expected result: The student understands what to do before using tools.
Bloque 2 - Practice supervisada
Run labs with judgment and traceability.
Record steps.
Explain decisions.
Request review on specific questions.
Expected result: The student can repeat the lab without copying mechanically.
Bloque 3 - Entrega professional
Turn results into a clear report.
Prioritize findings.
Write impact.
Defend recommendations.
Expected result: The student presents a useful and defensible deliverable.
Step-by-step study method
An operational guide to study with less friction and better retention.
Weekly learning playbook
Before each session
Read the weekly objective.
Prepare notes and evidence.
Check the lab and tools.
During practice
Note the step, result, and conclusion.
Avoid skipping hypotheses.
Save only relevant evidence.
After practice
Summarize the learning.
Mark questions.
Correct the deliverable before submitting it.
Weekly close
Compare against the rubric.
Review common mistakes.
Plan the next block.
Micro-exercises to start with confidence
Short practices to master foundations before entering longer scenarios.
Micro-practice
Micro 1 - Scenario reading
Understand context, scope, and objective before acting.
Duration: 20 min
Read the case.
Identify relevant assets or data.
Write three possible risks.
Mastery signal: You can explain the scenario without looking at the guide.
Micro-practice
Micro 2 - Minimum evidence
Document a test in a reproducible way.
Duration: 25 min
Record date and context.
Capture the result.
Write a short conclusion.
Mastery signal: Another student can repeat your steps.
Micro-practice
Micro 3 - Prioritization
Sort findings by impact and urgency.
Duration: 30 min
List three findings.
Assign impact.
Justify the order.
Mastery signal: The priority is understandable without jargon.
Micro-practice
Micro 4 - Communication
Turn a technical result into a recommendation.
Duration: 30 min
Separate cause, impact, and action.
Remove unnecessary jargon.
Close with the next step.
Mastery signal: The message supports a decision.
Essential glossary for beginners
Simple definitions so technical language does not slow your progress.
Scope
Exact limits of what may be analyzed or executed.
Example: Only lab assets or assets from the authorized case.
Evidence
Data that proves a technical or risk observation.
Example: Screenshot, log, command, query, or document with context.
Traceability
Ability to reconstruct what was done, when, and why.
Example: Logbook ordered by date and lab.
Indicator
Observable signal that helps investigate or validate a case.
Example: Domain, hash, IP, event, policy, or permission.
Playbook
Repeatable procedure for acting on a case.
Example: Triage, containment, documentation, and closure steps.
Remediation
Action to reduce or remove risk.
Example: Patch, policy change, hardening, or training.
Common mistakes by new students (and how to correct them)
Real blocking patterns and the immediate corrective action.
Starting with tools without understanding the objective.
Cause: Impatience or lack of method.
Correction: Read the scenario, scope, and success criteria before acting.
Saving evidence without context.
Cause: Confusing a screenshot with proof.
Correction: Note step, result, conclusion, and date.
Prioritizing by intuition.
Cause: Not connecting technique with impact.
Correction: Use impact, likelihood, and urgency as criteria.
Copying commands or templates without understanding.
Cause: Mechanical learning.
Correction: Rewrite in your own words and validate with the mentor.
FAQ for students without offensive experience
Direct answers to typical questions from the first month.
Can I join if I am a beginner?
Yes. The course file includes leveling material, a weekly routine, and micro-practices so you can start in an organized way.
What happens if I get stuck?
You must document what you tried, write a specific question, and review the rubric before asking for help.
Do I need paid tools?
Not for the base path. Community tools, internal labs, and internal templates are prioritized.
How is it assessed?
Through evidence, deliverables, quality criteria, and final project defense.
Complete path for students without experience
A progress path with concrete criteria to advance without jumps or frustration.
Level-by-level progress ladder
Level 1 - Understanding
Window: First third of the course
What you will already be able to do:
Explain core concepts.
Prepare the environment.
Follow the guided checklist.
Mentor support:
Review of initial evidence.
Correction of vocabulary questions.
Exit criterion: You can explain a simple lab in your own words.
Level 2 - Practice
Window: Central block
What you will already be able to do:
Run labs.
Record results.
Distinguish noise from findings.
Mentor support:
Feedback on prioritization.
Deliverable review.
Exit criterion: Your evidence allows the exercise to be repeated.
Level 3 - Autonomy
Window: Course closing stage
What you will already be able to do:
Solve the full case.
Write the report.
Defend recommendations.
Mentor support:
Defense simulation.
Final report correction.
Exit criterion: You present a professional and coherent deliverable.
Step-by-step guided cases
Educational scenarios to practice technical decisions, evidence, and professional communication.
Initial
Case 1 - Operational preparation
Configure environment, scope, and logbook.
Case steps
Read the briefing.
Prepare the folder structure.
Define evidence criteria.
Case deliverable: Initial logbook and environment checklist.
Intermediate
Case 2 - Guided analysis
Apply methodology to a controlled case.
Case steps
Observe signals.
Run the permitted practice.
Record findings.
Case deliverable: Short report with evidence and recommendations.
Closing stage
Case 3 - Professional presentation
Communicate the result to a mixed audience.
Case steps
Prioritize risks.
Prepare the executive summary.
Defend decisions.
Case deliverable: Final presentation and technical appendix.
Complete weekly plan
Professional schedule with sessions, weekly focus, and required deliverables.
Week 1
Foundations of defensive operations and the incident life cycle.
Guided class: concepts, common mistakes, and module examples.
Lab: Suspicious sign-in investigation.
Trabajo with herramienta o template: Wazuh
Review of questions, evidence, and delivery criteria.
Deliverable: Weekly logbook with evidence, conclusion, and recommended action.
Week 2
Endpoint, network, identity, and application telemetry.
Guided class: concepts, common mistakes, and module examples.
Lab: Detection of simulated lateral movement.
Trabajo with herramienta o template: Elastic
Review of questions, evidence, and delivery criteria.
Deliverable: Weekly logbook with evidence, conclusion, and recommended action.
Week 3
SIEM queries, event correlation, and false-positive reduction.
Guided class: concepts, common mistakes, and module examples.
Lab: Crisis table with executive report.
Trabajo with herramienta o template: Sigma
Review of questions, evidence, and delivery criteria.
Deliverable: Weekly logbook with evidence, conclusion, and recommended action.
Week 4
Threat hunting based on MITRE ATT&CK.
Guided class: concepts, common mistakes, and module examples.
Lab: Suspicious sign-in investigation.
Trabajo with herramienta o template: YARA defensive
Review of questions, evidence, and delivery criteria.
Deliverable: Weekly logbook with evidence, conclusion, and recommended action.
Week 5
Initial forensics, timeline, and evidence preservation.
Guided class: concepts, common mistakes, and module examples.
Lab: Detection of simulated lateral movement.
Trabajo with herramienta o template: MITRE ATT&CK
Review of questions, evidence, and delivery criteria.
Deliverable: Weekly logbook with evidence, conclusion, and recommended action.
Week 6
Playbooks, lessons learned, and continuous improvement.
Guided class: concepts, common mistakes, and module examples.
Lab: Crisis table with executive report.
Trabajo with herramienta o template: Wazuh
Review of questions, evidence, and delivery criteria.
Deliverable: Weekly logbook with evidence, conclusion, and recommended action.
Week 7
Foundations of defensive operations and the incident life cycle.
Guided class: concepts, common mistakes, and module examples.
Lab: Suspicious sign-in investigation.
Trabajo with herramienta o template: Elastic
Review of questions, evidence, and delivery criteria.
Deliverable: Weekly logbook with evidence, conclusion, and recommended action.
Week 8
Endpoint, network, identity, and application telemetry.
Guided class: concepts, common mistakes, and module examples.
Lab: Detection of simulated lateral movement.
Trabajo with herramienta o template: Sigma
Review of questions, evidence, and delivery criteria.
Deliverable: Weekly logbook with evidence, conclusion, and recommended action.
Detailed curriculum by module
Internal lessons, practices, and quality deliverables for every module.
M01
Foundations of defensive operations and the incident life cycle.
10h
Master this block with practice, evidence, and professional judgment.
Concepts and operational vocabulary
Module objective.
Key terms.
Ethical and technical limits.
Practice: Concept map applied to the course case.
Deliverable: One-page operational summary.
Step-by-step procedure
Preparation.
Controlled execution.
Result recording.
Practice: Ejercicio guiado usando Wazuh.
Deliverable: Logbook with reproducible evidence.
Closing and communication
Validation.
Prioritization.
Professional recommendation.
Practice: Writing a finding or decision.
Deliverable: Rubric-reviewable submission.
M02
Endpoint, network, identity, and application telemetry.
10h
Master this block with practice, evidence, and professional judgment.
Concepts and operational vocabulary
Module objective.
Key terms.
Ethical and technical limits.
Practice: Concept map applied to the course case.
Deliverable: One-page operational summary.
Step-by-step procedure
Preparation.
Controlled execution.
Result recording.
Practice: Ejercicio guiado usando Elastic.
Deliverable: Logbook with reproducible evidence.
Closing and communication
Validation.
Prioritization.
Professional recommendation.
Practice: Writing a finding or decision.
Deliverable: Rubric-reviewable submission.
M03
SIEM queries, event correlation, and false-positive reduction.
10h
Master this block with practice, evidence, and professional judgment.
Concepts and operational vocabulary
Module objective.
Key terms.
Ethical and technical limits.
Practice: Concept map applied to the course case.
Deliverable: One-page operational summary.
Step-by-step procedure
Preparation.
Controlled execution.
Result recording.
Practice: Ejercicio guiado usando Sigma.
Deliverable: Logbook with reproducible evidence.
Closing and communication
Validation.
Prioritization.
Professional recommendation.
Practice: Writing a finding or decision.
Deliverable: Rubric-reviewable submission.
M04
Threat hunting based on MITRE ATT&CK.
10h
Master this block with practice, evidence, and professional judgment.
Concepts and operational vocabulary
Module objective.
Key terms.
Ethical and technical limits.
Practice: Concept map applied to the course case.
Deliverable: One-page operational summary.
Step-by-step procedure
Preparation.
Controlled execution.
Result recording.
Practice: Ejercicio guiado usando YARA defensive.
Deliverable: Logbook with reproducible evidence.
Closing and communication
Validation.
Prioritization.
Professional recommendation.
Practice: Writing a finding or decision.
Deliverable: Rubric-reviewable submission.
M05
Initial forensics, timeline, and evidence preservation.
10h
Master this block with practice, evidence, and professional judgment.
Concepts and operational vocabulary
Module objective.
Key terms.
Ethical and technical limits.
Practice: Concept map applied to the course case.
Deliverable: One-page operational summary.
Step-by-step procedure
Preparation.
Controlled execution.
Result recording.
Practice: Ejercicio guiado usando MITRE ATT&CK.
Deliverable: Logbook with reproducible evidence.
Closing and communication
Validation.
Prioritization.
Professional recommendation.
Practice: Writing a finding or decision.
Deliverable: Rubric-reviewable submission.
M06
Playbooks, lessons learned, and continuous improvement.
10h
Master this block with practice, evidence, and professional judgment.
Concepts and operational vocabulary
Module objective.
Key terms.
Ethical and technical limits.
Practice: Concept map applied to the course case.
Deliverable: One-page operational summary.
Step-by-step procedure
Preparation.
Controlled execution.
Result recording.
Practice: Ejercicio guiado usando Wazuh.
Deliverable: Logbook with reproducible evidence.
Closing and communication
Validation.
Prioritization.
Professional recommendation.
Practice: Writing a finding or decision.
Deliverable: Rubric-reviewable submission.
Lab catalog
Realistic practice with measurable objectives and auditable evidence.
LAB-01
Suspicious sign-in investigation.
Escenario academico aislado para practicar operaciones SOC, deteccion y respuesta.
Estimated duration: 8h
Objectives
Prepare a safe environment.
Run the practice with traceability.
Extract evidence and conclusions.
Required evidence
Technical logbook.
Relevant screenshots or records.
Prioritized recommendations.
LAB-02
Detection of simulated lateral movement.
Escenario academico aislado para practicar operaciones SOC, deteccion y respuesta.
Estimated duration: 8h
Objectives
Prepare a safe environment.
Run the practice with traceability.
Extract evidence and conclusions.
Required evidence
Technical logbook.
Relevant screenshots or records.
Prioritized recommendations.
LAB-03
Crisis table with executive report.
Escenario academico aislado para practicar operaciones SOC, deteccion y respuesta.
Estimated duration: 8h
Objectives
Prepare a safe environment.
Run the practice with traceability.
Extract evidence and conclusions.
Required evidence
Technical logbook.
Relevant screenshots or records.
Prioritized recommendations.
Assessment system
Comprehension quizzes
(10%): They validate vocabulary, limits, and baseline judgment.
Lab deliverables
(35%): Evidence, order, reproducibility, and conclusions are reviewed.
Intermediate report
(15%): Assesses technical clarity, prioritization, and recommendations.
Final capstone
(30%): Full project with defense and professional rubric.
Technical participation
(10%): Questions, peer reviews, and continuous improvement.
Final project: SOC investigation with reusable detections
The student investigates a simulated incident, creates threat hypotheses, correlates telemetry, and delivers actionable playbooks for a SOC.
Project phases
Briefing and scope.
Case execution.
Evidence record.
Final report.
Oral or written defense.
Complete course documentation
Academic documentation pack to run the course at professional standard, without depending on a demo.
Document
D1 - Official syllabus
Defines objectives, schedule, and assessment criteria.
Competencies by module.
Weekly calendar.
Academic rules.
Summarized rubric.
Document
D2 - Manual of lab
Explica preparacion, ejecucion segura y cierre de practicas.
Requisitos tecnicos.
Flujo de snapshot o respaldo.
Checklist antes/despues.
Canal de soporte.
Document
D3 - Guia of evidence
Estandariza bitacoras, capturas y conclusiones.
Formato de evidencia.
Trazabilidad.
Control de versiones.
Errores frecuentes.
Document
D4 - Plantilla of report
Convierte practica tecnica en entrega profesional.
Resumen ejecutivo.
Detalle tecnico.
Riesgo y prioridad.
Plan de accion.
Document
D5 - Guia of certification
Describe evaluacion, recuperacion y verificacion.
Blueprint.
Criterios de aprobacion.
Recuperaciones.
Emision de certificado.
Academic and ethical policies
All practices are performed only in environments authorized by the academy.
Course techniques may not be used against third parties without explicit permission.
Every submission must include evidence and sources used.
Plagiarism of reports or evidence results in academic suspension.
Certification requires passing deliverables and the final project.
VulnHunters protects your experience
We use technical cookies to keep sessions secure and, only with your permission, academy measurement and communications. You can accept all, keep only essentials, or configure each preference.
Cookie preference center
VulnHunters Academy uses cookies and local storage to keep sessions secure, remember preferences, and measure site performance. Non-essential cookies are enabled only after consent.
Strictly necessary cookies
Required for login, CSRF-protected forms, consent records, interface preferences such as light/dark mode, and misuse prevention.
Performance analytics cookies
Help us understand performance, navigation errors, most consulted sections, and technical quality. Data is handled in aggregate whenever possible and is not used for automated academic decisions.
Communication and campaign cookies
Measure the effectiveness of academy communications, admission notices, course updates, and internal campaigns. You can browse and buy courses with these disabled.
Consent management
You can change preferences at any time from the footer. Rejecting non-essential cookies does not limit basic content, registration, or required academic features.
Terms and conditions
1. Authorized use
All learning is oriented toward defense, authorized auditing, responsible research, and improvement of systems you own or have explicit permission to assess.
2. Ethical conduct
Using academy knowledge, labs, or materials to access third-party systems, bypass controls, or cause harm is prohibited.
3. Intellectual property
Materials, guides, challenges, and templates belong to VulnHunters Academy or their authors. Commercial redistribution is not allowed without permission.
4. Payments and access
Paid-course access is activated after transaction confirmation. Refund policies are communicated before enrollment is completed.
5. Privacy
We process personal data under GDPR/LOPD. Until an official mailbox is enabled, access, rectification, or deletion requests are handled through the internal contact form.
6. Responsibility
Students are legally responsible for any misuse outside environments authorized by the academy.
7. Certification
Certificates are issued after rubrics, minimum attendance, and deliverables are completed. The academy may revoke them in case of academic fraud.
Privacy policy
VulnHunters Academy collects registration data, preferences, academic activity, and payment information to provide the educational service. We do not sell personal data or disclose information to third parties except where legally required or necessary providers operate the platform.
Data is retained while an account remains active or during applicable legal periods. Until an official mailbox is enabled, rights requests are handled through the internal contact form.
We apply reasonable technical measures: HttpOnly session cookies, CSRF validation, activity logs, data minimization, and separation of sensitive folders.
Professional cookie policy
Last updated: May 2026.
This policy explains how VulnHunters Academy uses cookies, local storage, and equivalent technologies on the web platform. Its purpose is transparency, user control, and safe operation of courses, marketplace, chat, profiles, and private panels.
1. What cookies are
Cookies are small files or technical records stored by the browser when you visit a website. We may also use local browser storage to remember language, consent, or interface preferences.
2. Controller
The controller is VulnHunters Academy. For privacy, consent, or rights requests, use the internal contact form until an official mailbox is enabled.
3. Strictly necessary cookies
These cookies are essential to provide the requested service: session continuity, CSRF protection, basic preferences, security measures, consent state, and private-area navigation.
4. Performance analytics cookies
These cookies help measure stability, load times, technical errors, visited pages, and aggregated use of features. They are enabled only with consent.
5. Communication and campaign cookies
These cookies measure internal academy communications, admission forms, course promotions, marketplace updates, and informative campaigns. You may reject them without losing essential features.
6. Specific purposes
We use cookies for authentication, security, fraud prevention, user preferences, consent management, technical analytics, content improvement, campaign measurement, and interactive features such as chat and marketplace.
7. Legal basis
Technical cookies are based on the need to provide the requested service. Analytics and communication cookies are based on consent, which can be granted, rejected, or withdrawn at any time.
8. Retention and providers
Session cookies are normally deleted when the browser closes or the session expires. Where payment, security, analytics, email, or hosting providers are involved, access is limited to the contracted purpose.
9. Withdrawing consent
You can change preferences from the Cookie settings link in the footer. You can also remove or block cookies from your browser settings.
10. Policy changes
We may update this policy to reflect legal, technical, or functional changes. When a change is relevant, the platform may request consent again.