hashmu-attack-lab — investigation.kql

Training — Live Attack Simulation

Hashmu
Attack Lab

A proprietary live attack simulation lab built on a real Azure tenant — forensic artifacts planted across every phase of the Cyber Kill Chain. Your security team investigates a simulated breach, follows the evidence trail, and documents their findings exactly as they would in a live incident. Real tools. Real logs. Real investigation skills.

Lab architecture

The full Cyber Kill Chain — simulated

Forensic artifacts are planted across all seven Kill Chain phases. Participants must follow the evidence trail sequentially — uncovering each phase through real KQL investigation in a live Azure environment.

Exposes gaps before attackers do

Unclear escalation paths, missing playbooks, and communication breakdowns are discovered in a safe environment — not during a live ransomware event at 2am.

SC-200

SC-300

AZ-500

Aligns technical and executive teams

Tabletop exercises are one of the only training formats where your CISO and your CFO sit in the same room and work through a breach together — building shared understanding of roles and responsibilities.

SC-300

SC-400

AZ-104

Validates your IR plan on paper

Most IR plans have never been tested. A tabletop exercise puts your documented procedures under real pressure — identifying where the plan works, where it breaks down, and what's missing entirely.

AZ-104

AZ-500

SC-100

OUR APPROACH

How an engagement runs

A structured, methodical process — from first contact through final report. No improvisation, no scope creep.

01

Scoping call

We discuss your organization's size, industry, existing IR plan maturity, and which audience track you want to run — executive, technical, or a combined exercise. We agree the scenario type and confirm participant list and logistics.

02

Scenario design

The scenario is built around your specific threat profile — attack vector, industry context, system types, and regulatory environment. Injects (new developments introduced mid-exercise) are planned to test decision-making under evolving conditions.

03

Facilitated exercise

The facilitator walks participants through the scenario — introducing injects, asking probing questions, and ensuring all key decisions and communications are discussed. The facilitator does not provide answers — the exercise surfaces what your team would actually do.

04

Live debrief

Immediately following the exercise, a structured debrief covers what went well, where the gaps were, and what decisions were made differently than your IR plan documents. Participants reflect on the exercise while the scenario is still fresh.

05

Post-exercise gap analysis report

A written report delivered within 5 business days — documenting observed gaps, decisions that deviated from the IR plan, missing procedures, and a prioritized list of remediation recommendations. The deliverable your security leadership can act on and present upward.

What participants do

Three objectives. One complete investigation.

Every participant works through the same three-phase structure — building the investigation skills used in a real enterprise IR engagement.

01

Analyze logs using real hands-on skills

Participants access the live Azure environment and work through real log sources — Entra ID sign-in logs, audit logs, endpoint telemetry, and Microsoft Sentinel data. Every query and every pivot is done hands-on in the actual platform, not a simulation of it.

02

Follow the evidence trail

Artifacts are connected across Kill Chain phases — a finding in one phase leads to the next. Participants must reconstruct the attacker timeline chronologically and identify what was accessed, when, and how. The investigation is non-linear by design.

03

Document the investigation report

On completion, each participant produces a structured investigation analysis report — covering attacker timeline, evidence per Kill Chain phase, IOCs identified, and remediation recommendations. The same report format used in a real IR engagement.

Most Microsoft authorized training is delivered by instructors who hold the MCT credential but have never operated the tools in a real enterprise environment. At Hashmu, every course is taught by someone who spent years running the same tools — at Microsoft's own global CIRT.

Authorized Microsoft Training Services Partner — official status to deliver Microsoft curriculum and issue recognized training completions

Microsoft Certified Trainer (MCT) — the vendor credential required to deliver official Microsoft courseware

98% five-star post-session student rating — consistently recognized for clarity, hands-on delivery, and real-world context

Who this is for

Built for practitioners, not beginners

The Hashmu Attack Lab is designed for security professionals who have foundational knowledge and want to develop real investigation capability through hands-on practice — not theory.

SOC analysts & incident responders

Analysts who work in a SOC or IR function and want to build end-to-end investigation skills beyond alert triage. Ideal for teams that respond to incidents but have limited experience running a full forensic investigation from scratch.

Security teams preparing for IR certifications

Professionals pursuing SC-200, GCFE, GCIH, or similar certifications who want hands-on practice before their exam — working through real scenarios rather than memorizing theory from a study guide.

Corporate SOC teams — team exercise

Organizations wanting to run a structured team-based investigation exercise — testing collective SOC capability, identifying skill gaps, and building shared investigation methodology. Functions like a technical tabletop with real execution.

BOOK THE LAB

Ready to put your team through the Hashmu Attack Lab?

Contact us with your team size and preferred format. We'll scope the engagement and confirm available dates.

© 2026 Hashmu Cybersecurity Consulting – All rights reserved.
QFC Tower 1, Floor 9, Office No. 4, West Bay, Doha, Qatar