Perched | Security Education, Consulting, and Support
Security Solutions

Perched Operator

Perched Operator


This instructor-led course is designed for operators that serve or are interested in serving as the “human-in-the-loop” to a suite of cybersecurity tools. This course focuses primarily on the best of breed open source security tools, but the knowledge gained aims to be tool agnostic.

You will start with a discussion of operations process models, to provide a big picture roadmap of putting it all together. The remainder of the course will dig into the individual topics, each building upon the last.

This is a lab-intensive course. After a discussion of each topic, you will apply the new knowledge to a provided data sample, followed by a class discussion of what worked and what didn’t.

The course ends with a 2-day guided hunt capstone containing multiple scenarios that will engage the newly learned skills to find the adversary in the traffic. Each scenario will increase in difficulty to keep the challenge coming.


Cybersecurity operators who need to work as part of a team to analyze data to find evil lurking in their network as part of a machine-assisted, human-driven operation.


5 Days | 8 hours per day


While there are no prerequisites for this course, completion of the Perched Foundation course is highly recommended.


  • Mac, Linux, or Windows

  • A modern web browser

  • An OpenSSH-compatible secure-shell client


Day 1

Introduction to Packet Analysis

This course will introduce operators to doing fine-grained packet analysis and filtering and then address strategies to analyze packets at scale using Google Stenographer.


  • Packet analysis overview

  • Berkeley Packet Filters (w/ lab)

  • Stenographer (w/ lab)

  • Docket (w/ lab)


Day 2

Advanced Bro

This course builds on the Introduction to Bro course from the Foundations track and teaches operators how to leverage Bro for Hunting.


  • Bro Scripting Overview

  • Bro Event Engine

  • Frameworks Overview

  • Intel Framework (w/ lab)

  • Files Framework (w/ lab)


Day 3 & 4

Intrusion Detection Systems

This course will cover what message queuing is all about, how it is used, and why Kafka was chosen for ROCK. This is not a lab-intensive course; it is designed to provide an overview of what is happening in the background with RockNSM.


  • Intrusion Detection Systems Overview

  • Humans over Hardware

  • Anatomy of a Signature

  • Signature Writing (w/ lab)

  • Suricata vs. Snort

  • IDS and Kibana dashboards (w/ lab)

Kibana for Operators

This course builds on the Kibana training from the Foundations track and teaches operators how to use Kibana to support them in their hunting.


  • Building Dashboards to Visualize Anomalies (w/ lab)

  • Security Beats and their dashboards: osquery and NetFlow (w/ lab)

  • Using Graph to Find The Enemy Footprint (w/ lab)

  • Using Machine Learning for Hunting (w/ lab)

  • Leverage Alerting for Automation Actions (w/ lab


Day 5

Guided Hunt

This capstone course is designed to walk an operator through a series of hunt missions designed to expand their understanding of the hunt tools and techniques.

Hunt Preparation

  • Selecting the Right Tool

  • When to Dig Deeper

  • Incident Response operations

Individual Hunt

  • Challenge: Find the Beacons (beginner)

  • Challenge: Find the Beacons (advanced)

  • Group Review

Team Hunt

  • Challenge: Enemy Objectives

  • Challenge: Applying the Kill Chain

  • Challenge: Full-Spectrum Adversary Detection

  • Group Review