Perched | Security Education, Consulting, and Support
Security Solutions

Perched CVA/H Operator Course

Perched CVA/H Operator Course


There is a common problem in technology education, in that many skills require so much prior knowledge, that it's difficult to know where to even begin teaching a skill or concept.  All of these nested skills quickly pile up and can often make training overwhelming for the student. The CVA/H Operator Course solves this problem by teaching Network Security Monitoring (NSM) in a simple way that builds incrementally.  The first days lay the common groundwork that will flow into the next higher concept.

Each day in the course is designed to be as practical and engaging as possible.  Students are provided with an individual system to encourage usage of the platforms throughout the course content.

You will start with a discussion of foundational skills and process models, to provide a big picture roadmap, and the skills, to put it all together. The remainder of the course will dig into the individual topics, each building upon the last.

This is a lab-intensive course. After a discussion of each topic, you will apply the new knowledge to a provided data sample, followed by a class discussion of what worked and what didn’t.

The course ends with a 2-day guided hunt capstone containing multiple scenarios that will engage the newly learned skills to find the adversary in the traffic. Each scenario will increase in difficulty to keep the challenge coming.

Throughout the entire course, the Operator will learn and hone individual tasks, but this also focuses on team-based operations to teach the Operators how to function as a CVA/H team.


CVA/H Operators who need to work as part of a team to analyze data to find evil lurking in their network as part of a machine-assisted and human-driven operation.


10 Days | 8 hours per day


There are no prerequisites for this course.


  • Mac, Linux, or Windows

  • A modern web browser

  • An OpenSSH-compatible secure-shell client


Day 1

Linux CLI

This introductory course is designed to equip a student with basic survival skills for the Linux command line. It is not intended to make them an expert, but rather familiarize them enough that Linux isn’t a barrier to their success.


  • Design Principles

  • File System Layout (w/ lab)

  • Using Vim (w/ lab)

  • Viewing Logs (w/ lab)

  • Package Management (w/ lab)

  • Working With Services (w/ lab)

  • SELinux Basics (w/ lab)

  • Linux Administrative Skills (w/ lab)


Day 2

The Bro Protocol Analyzer

An understanding of Bro is a foundational skill for anyone that wishes to use the CVA/H platform. This course is designed to take an operator or analyst who has never used Bro and bring them up to speed with its capabilities.


  • System Setup

  • What is Bro?

  • Bro Project History

  • Bro vs. Wireshark (w/ lab)

  • Analyzing a packet capture (w/ lab)

  • Running Bro from the Command Line (w/ lab)

  • ASCII Logs Overview (w/ lab)

  • Filtering and Sorting Data (w/ lab)

  • Capture the Flag (w/ lab)


Day 3

The Elastic Stack

Elastic is a data company whose products are integral to CVA/H. This course will provide an overview of the products offered and an introduction to using the three primary products, commonly known as the Elastic Stack.


  • Elastic Company Overview

  • Elasticsearch (w/ lab)

  • Logstash (w/ lab)

  • Kibana (w/ lab)

  • Beats (w/ lab)


Day 4

Data Transformation with Logstash

This course will cover what a data processing pipeline is all about, how it is used, and how Logstash is used in the CVA/H platform. This module includes labs that progress in complexity in order to provide maximum understanding of what is happening in the pipeline with CVA/H.


  • How does Logstash fit into data flow?

  • Logstash Overview

  • ETL Model / History

  • Mutating and Shipping (w/ lab)

  • Building Data Pipelines (w/ lab)Build several pipelines


Day 5

Active On Network Operations

While a “passive first” approach is preferred when responding to a contested environment, there comes a time that defenders must interact with the environment through active response actions. This module will discuss how to perform active on-network operations.


  • Performing Active Operations

  • Asset Enumeration with NMAP (w/ lab)

  • File Collection and Retrieval (w/ lab)


Day 6

Packet Analysis

This course will introduce operators to doing fine-grained packet analysis and filtering and then address strategies to analyze packets at scale using Moloch.


  • Packet analysis overview

  • Berkeley Packet Filters (w/ lab)

  • Moloch (w/ lab)


Day 7

Intrusion Detection Systems

This course will introduce operators to the leading IDS, Suricata, and cover when and how to employ an IDS to support hunt operations.


  • Intrusion Detection Systems Overview

  • Humans over Hardware

  • Anatomy of a Signature

  • Signature Writing (w/ lab)

  • Suricata vs. Snort

  • IDS and Kibana dashboards (w/ lab)


Day 8

Kibana for Operators

This course builds on the Kibana training from the Foundations track and teaches operators how to use Kibana to support them in their hunting.


  • Building Dashboards to Visualize Anomalies (w/ lab)

  • Security Beats and their dashboards: osquery and NetFlow (w/ lab)

  • Using Graph to Find The Enemy Footprint (w/ lab)

  • Using Machine Learning for Hunting (w/ lab)

  • Leverage Alerting for Automation Actions (w/ lab)


Day 9 & 10

Assisted Hunt

This capstone course is designed to walk an operator through a series of hunt missions designed to expand their understanding of the hunt tools and techniques.

Hunt Preparation

  • Selecting the Right Tool

  • When to Dig Deeper

  • Incident Response operations

Individual Hunt

  • Challenge: Find the Beacons (beginner)

  • Challenge: Find the Beacons (advanced)

  • Group Review

Team Hunt

  • Challenge: Enemy Objectives

  • Challenge: Applying the Kill Chain

  • Challenge: Full-Spectrum Adversary Detection

  • Group Review