Defend Against Modern Targeted Attacks


Defend Against Modern Targeted Attacks (DAMTA) A tailored training for your security team by Outflank in cooperation with Cqure

Get ready for a 3-day knowledge intensive training that teaches you how to defend against the modern offensive techniques that red teams and targeted attackers use.

We’re not going to bother you with the default tools of penetration testers. And you should forget about the out-of-the-box rules in your SIEM that trigger endless false positives. But we are going to feed you with the latest knowledge, tools and techniques of modern targeted attacks that help you become a better defender.

Based on many years of Red Teaming and hands-on SOC/incident response experience, we share with the you the essential concepts and techniques to better understand and defend against modern attacks. In this training no Nmap, Nessus, exploits and Metasploit. Instead we focus on Pyramid of Pain, Course of Action Matrix, Cobalt Strike, Golden Tickets, Kerberoasting, Domain Fronting and other topics that really matter. We have also prepared a massive online lab that represents true corporate IT environments, in which you will spend about half of your time diving into hands-on assignments on offensive and defensive actions.

The video below has been shot during the edition in June 2018.

Attending this event?

For this event you can subscribe. Please fill out this subscription form to notify us of your attendance. Your subscription will be confirmed via email.

To the subscription form

Who should attend?

The training is optimally suited for:

  • Defenders (i.e. Blue Teamers, SOC-specialists) who want to strengthen their skillset, learn directly from Red Teaming specialists, and get hands on experience with offensive and defensive tools in order to better defend against modern offensive methodologies, tools, and techniques.
  • Security professionals interested in expanding their knowledge of modern attack techniques, Red Teaming and defend against it.
  • Forensic professionals who want to better understand the entire flow of an attacker and offensive tactics.
  • Penetration testers and ethical hackers wanting to step into Red Teaming, or wanting to provide better recommendations to their clients on defensive measures.
  • Technical auditors and security officers wanting to increase their hands-on experience and technical skills.

We do require participants to have a technical IT background and a basic level of security knowledge. So you probably do not want to subscribe to this training if you are afraid of the command line, or never ever heard of Golden Ticket and Command and Control traffic. But the training is setup in such a way that it can welcome both novices and veterans.

Key learning objectives

The training is focussed on several key elements:

  • Learn how modern attacks work and how you can better defend against such attacks.
  • Understanding and being able to use key theoretical concepts, e.g. Kill Chain, Course of Action Matrix and Pyramid of Pain.
  • Latest and most effective hacking and detecting techniques.
  • Hands-on learning combined with theory.
  • Hands-on experience with various offensive tools combined with detection and investigation tools in a massive lab environment that resembles a true corporate network.
  • Lab manual that helps the participants and makes it easy to follow.
  • Knowledge packed training material for you to take home and revisit.

Lab environment

During the training, the participants have access to a personal lab environment that acts as a playground area. Having a lab is a key point of the training as we strongly believe it increases the ability to learn. The lab isn't just a vulnerable web app with a linux and windows server. No, this personal(!) environment is comparable to common enterprise networks. You can expect a large number of Windows and Linux servers, Active Directory domain with subdomains, Windows desktops, multiple services, user accounts and service accounts. Furthermore, common insecurities are configured on purpose. Just as important is the central monitoring environments using open source and commercial tool, i.e. Redline, sysmon, WEF and ELK stack. You will use this to track and interpret attacks as they happen. Every student also has a private offensive lab for the execution of several offensive actions. This process is supported by the using the mature and easy to use Cobalt Strike tooling.

Agenda and key topics

Day 1

  • Introduction
  • Core theoretical concepts, e.g. SIEM, SOC, Pyramid of Pain, TTPs, MITRE ATT&CK, Intruder’s dilemma, attacker’s playground, assume compromise, Kill Chain, lateral movement.
  • Lab 1 - Setup: setup access to your defensive lab, setup access to your offensive infrastructure, recon your target and develop an attack scenario.
  • Theory of attack vectors, e.g. watering hole, phishing, the Microsoft Office attack vectors.
  • Lab 2- Attacker lab: Build, edit and review weaponized documents.
  • Theory of the attacker’s network infrastructure, e.g. C2, redirectors, low and slow principle, beacon traffic, Domain fronting, Cobalt Strike.
  • Lab 3 – Attacker lab: Setup your attacking infrastructure and deploy malware.

Day 2

  • Theory of malware prevention and investigation, e.g. anti-virus, anti-spam evasion, C2 basics, drive-by downloads, HTA, Java and Jscript, application whitelisting, End-Point Detection & Response.
  • Lab 4 – Defender lab: Forensics, investigation of a compromised workstation and malicious using Endpoint detection and response tooling, malware sandboxes, YARA.
  • Theory of Privilege escalation & Lateral movement.
  • Windows and Active Directory internals from the attacker's and defender's point of view. Key topics like Wdigest, NETNTLM vs NTLM hashing, Sharphound, WMI, Psexec, Remote PowerShell, Golden and Silver Tickets, SPNs, etc.
  • Lab 5 - Attacker lab: Leverage initial access on workstation further into the lab. Use Cobalt Strike, PowerView, Mimikatz and several lesser known tools.

Day 3

  • Theory of Detection & Incident Response, e.g. log collection using Windows Event Forwarding, SIEM, shim caches, netflow, structure and templates for incident reporting, containment methods.
  • Lab 6 – Defender lab: Detection, hunting and investigation. Using the lab's SIEM environment to unravel complex attacks.
  • Theory Mitigation & Improvement: ASD top 35, important papers and defensive concepts from Microsoft, LAPS, AppLocker and non-Windows solutions.
  • Lab 7 - Final technical deep dive – surprise topic.

Location, price and dates


BCN Amsterdam ArenA
Atlas Arena Complex Gebouw Azië - 5th floor
Hoogoorddreef 5
1101 BA Amsterdam

Plan your route

BCN Bijlmer ArenA is located at a walking distance of train station Amsterdam Bijlmer ArenA. If you want to travel with car, we recommend usage of Parking garage P9 or P10, which are located across or on a short walking distance of BCN Amsterdam ArenA. This parking garage provides paid parking only. You can also chose to P+R. In that case we advise to park at the Q-Park P+R in Duivendrecht and continue your travel to station Bijlmer ArenA. Your parking cost will be € 6,00 in this case (price changes reserved).

Price and dates

The training will be covering three full days and is scheduled November 26, 27 and 28 of this year, between 09:00 and 17:00 hours. During these days you will be served drinks and lunch, and we organise a dinner after the first day of training. At this dinner you get the chance to meet your trainers and your co-attendees in an informal setting. At the end of the training you will receive a certificate of participation. All this together will cost you € 1950,- excluding tax, per person.


The course material is written in English. The training can be given in either Dutch or English. If one more attendees make this request, the training will be full in English, so please let us know if you'd like to attend this training in English. You need to bring your own laptop to the training which is capable of running an RDP. This is possible on either Windows, MacOS or Linux.

Participant references

A selection of reactions from previous participants:

  • “Excellent training, excellent and complementary skill sets brought to the table by the trainers!”
  • “Very refreshing to learn from an offensive point of view. Thanks so much!”
  • “Simply superb!! An excellent exercise to see things from the perspective of an attacker and use the methods and tools. Also, to attack not a single server but to gain entrance to a complex network, this made it much more real and rewarding!”
  • “Nice team, good presentations, presenters clearly control the material.”
  • “Good improvement plans for your own organization, both short and longer term”
  • “Lots of useful information about incident lifecycle management in security incidents!”

Your trainers

The training is given by 3 of the following trainers: Pieter Ceelen, Stan Hegt, Jarno van de Moosdijk and Marc Smeets. All working at Outflank, they focus on Red Teaming operations and advanced penetration tests. The training is based on their many years of experience with offensive operations and advising their clients. They each have their own expertise in this training. You can read more about the trainers in the profiles at the bottom of the page.


We hope to have informed you suffieciently, but if any questions remain or arise or you simply just want some extra information about this training or the possibility to host this training at your company, we love to help you. You can reach out to Dennis Nuijens of Cqure for questions and other information. He can be reached via +31 (0) 6 588 12 977 or

Attend this training?

This event requiers you to subscribe as it is paid. Fill in the subscription form and we will confirm your attendance via email.

To the subscription form  Download the English information booklet


  1. Pieter Ceelen IT security expert, hacker & co-founder bij Outflank

    Pieter is een ervaren technisch beveiligingsanalist met meer dan 8 jaar ervaring. Hij heeft ervaring met technische beveiligingsbeoordelingen/ -advies, penetratietesten, respons op incidenten en dreig..

    More about Pieter Ceelen

    View on Linkedin

  2. Stan Hegt Digital security expert and co-founder at Outflank

    Stan is een digitale beveiligingsspecialist en een professionele hacker. Hij heeft meer dan een decennium aan ervaring op dit gebied en heeft een Master of Science-graad in Information Security Techno..

    More about Stan Hegt

    View on Linkedin

  3. Jarno van de Moosdijk Digital security expert, ethical hacker & director at Outflank

    Jarno is een IT security specialist en professionele hacker. Door zijn jaren van offensieve ervaring, gecombineerd met zijn achtergrond in systeem- en infrastructuur consultancy en beheer, weet h..

    More about Jarno van de Moosdijk

  4. Marc Smeets IT security expert, ethical hacker & co-founder bij Outflank

    Marc is een ervaren professionele hacker en red teamer. Met 10+ jaar ervaring in IT security en 3 jaar als systeem- en netwerkengineer weet hij hoe in te breken en ook hoe te verdedigen. Zijn specifie..

    More about Marc Smeets

    View on Linkedin