Perched | Security Education, Consulting, and Support

Threat Hunting with the Elastic Stack, July 22 - 26



This 5-day instructor-led and lab-intensive course is designed for threat hunting analysts and operators who currently use, or are interested in using, the Elastic Stack to hunt for adversaries in network and endpoint data.

Seating is limited; registration in advance is required.



After completing each module, you will apply what you have learned in a series of hands-on labs. The coursework culminates in a full-day capstone event in which students perform a series of increasingly difficult hunting operations using endpoint and network data. The capstone runs on a Capture The Flag (CTF) platform that provides real-time scoring and a feedback loop for the students, and it is instructor assisted to ensure that no student is left behind.

By the end of the training, you will be able to use the Elastic Stack to analyze endpoint and network data and catch bad actors.

Training Itinerary

Day 1 – Threat Hunting Foundations

There is a common problem in technology education: many skills require so much prior knowledge that it is difficult to know where to begin teaching a skill or concept. These nested prerequisites quickly pile up and can make training overwhelming for the student. The Threat Hunting Foundations module addresses this by building incrementally, with each day laying the groundwork for the next, more advanced concept.

Day 2 – Network Threat Hunting Platforms and Operation

Network data analysis will focus on leveraging the Zeek (formerly Bro) protocol analyzer to collect metadata and the Suricata Intrusion Detection System (IDS) to collect flow data. We will use the open source network security monitoring (NSM) distribution RockNSM to perform the network threat hunting.

Day 3 – Threat Hunting on the Endpoint

Endpoints contain some of the most difficult types of data to analyze and correlate. Endpoint data, including system logs and activity, will be collected using a combination of Elastic Beats and PowerShell. We will also use GRR Rapid Response to collect volatile artifacts and forensic evidence.

Day 4 – Collecting and Visualizing Threat Data with the Elastic Stack

Once the network and endpoint data is collected, we'll use the Elastic Stack to explore, visualize, and operationalize that data through a threat hunting lens.

Day 5 – Assisted Hunt Scenarios

This course capstone walks an operator through 5 progressively harder individual and team-based intrusion campaigns, each designed to expand their understanding of the hunt tools and techniques.


Bradford Dabbs

Brad is a Solutions Engineer for Perched. He has a background in IT operations, automation, and cybersecurity. He has experience in a variety of roles from small startups to large enterprises and served thirteen years in the Army National Guard. He is very passionate about security and loves helping users solve security challenges using open source tools.

Brandon DeVault

Brandon is an Instructor at Perched. He is currently a member of the Air National Guard in Florida assigned to an Air Operations Center Mission Defense Team. Brandon is the creator of the Endpoint module.

Perched reserves the right to cancel or modify the training, dates, or location as necessary. In the event of any changes, registered attendees will be notified and given the opportunity to receive a refund.


1338, 1071 N Rd
Joint Base Pearl Harbor-Hickam, HI

If you cannot access a military installation, advance notification to Perched is required so we can arrange an escort on post.


Daily Schedule

Times are in HST (UTC -10).

9:00 AM - 10:30 AM
Course Content & Instruction

10:30 AM - 11:00 AM
Morning Break & Networking

11:00 AM - 12:30 PM
Course Content & Instruction

12:30 PM - 1:30 PM

1:30 PM - 2:30 PM
Course Content & Instruction

2:30 PM - 3:00 PM
Afternoon Break & Networking

3:00 PM - 4:30 PM
Course Content & Instruction