Perched | Security Education, Consulting, and Support
Security Solutions

Perched Analyst

Perched Analyst


This instructor-led course is designed for Intelligence Analysts and focuses on intelligence theory, threat modeling, analysis using enrichment tools, research and analysis methodologies, and leveraging Kibana to analyze data.

This course builds on itself daily, starting with intelligence theory around how intelligence analysis is applied to the cyberspace domain. From there, the course introduces the student to multiple threat models and discusses how to apply them and using open source tools to enrich data. After those frameworks are established, the student will apply those concepts to advanced research and analysis methodologies. Finally, the student will use Kibana to function as a cyber analyst.

After completing each module, the student will apply that knowledge in a series of hands-on labs. By the end of the training, the student will be able to use the Kibana to analyze the data sources from various systems in order to paint a more complete security picture.


Intelligence Analysts who are providing cyber research and analysis support for Defensive Cyber Operations (DCO), Incident Response, and Security Monitoring.


5 Days | 8 hours per day


While there are no prerequisites for this course, however, completion of the Perched Foundation course is recommended.


  • Mac, Linux, or Windows

  • Virtualization platform (VMWare, VirtualBox, etc.)

  • A modern web browser


Day 1

Intelligence in a Cyber World

As an intelligence professional transitions from domain to domain, the topics, terminology, and entities change. What does not change, however, are the core analytical thought processes that make an analyst an indispensable member of a kinetic warfare team are just as relevant and necessary in Cyber as in any other domain.


  • Introduction to Cyber Intelligence – Yes, You Are Relevant

  • Building an Intelligence Program

  • Lexicon

  • Strategic/Operational/Tactical Intelligence


Day 2

Intelligence Pipelines, Modeling, and Application

While a great deal of intelligence work is subjective in nature, our ability as professionals to represent subjective analysis in an objective way is crucial to providing relevant, repeatable, and controlled information to decision makers.


  • The Intelligence Pipeline (incl. lab)

  • Threat Modeling (incl. lab)

  • Applying Threat Modeling (incl. lab)

  • Working with Hunt, Incident Responders, and Security Monitoring Professionals

Intelligence Tools Sets

A great analyst makes the tool, not the other way around; but it's important to remember that of all the things that human beings can do, scaling isn't one of them. Let's take a look at the tools we can use to automate, enrich, and integrate our capabilities.


  • Threat Intelligence Platforms (incl. lab)

  • Node-Link Analysis (incl. lab)

  • Indicator Enrichment (incl. lab)

  • Leveraging Tools for Enrichment (incl. lab)


Day 3

Intelligence Research and Analysis

When it comes to tracking an adversary campaign, there is a lot of information that can be gathered from public sources about the enemy, their tools, and their resources. This course will familiarize analysts with how to use these public sources to enrich the data being provided by their operators.


  • Incident Response Process - Overview

  •  Passive vs. Interactive Open Source Analysis (incl. lab)

  • When to Analyze

  • Public Information Sources (incl. lab)

  • Exploit Databases (incl. lab)


Day 4 & 5

Kibana for Analysts

This course builds on the Kibana training from the Foundations track and teaches analysts how to use Kibana to support them in their analysis.


  • Why Visualize Data?

  • Setting Up Kibana (incl. lab)

  • Kibana Orientation (incl. lab)

  • Adding Data to Elastic from Kibana (incl. lab)

  • Basic Search Parameters (incl. lab)

  • Advanced Search Parameters (incl. lab)

  • Basic Visualizations (incl. lab)

  • Advanced Visualizations (incl. lab)

  • Filters vs. Visualizations (incl. lab)

  • Building Dashboards (incl. lab)

  • A quick look at Canvas & Vega

  • Using Elastic's Graph for Analysis (incl. lab)

  • Using Elastic's Machine Learning for Analysis (incl. lab)

CAPES Install, Operate, and Maintain

CAPES is a self-hosted incident response service hub, providing IR management, communication, documentation, VoIP, collaborative workspaces,
indicator enrichment, data analysis, and data visualization. This course is designed to take an operator or analyst who has never used the CAPES technology stack and bring them up to speed with its capabilities.


  • What is CAPES?

  • System Setup (w/ lab)

  • Installation (w/ lab)

  • Configuration (w/ lab)

  • Administration (w/ lab)

  • Maintenance (w/ lab)