Training — Live Attack Simulation
A proprietary live attack simulation lab built on a real Azure tenant — forensic artifacts planted across every phase of the Cyber Kill Chain. Your security team investigates a simulated breach, follows the evidence trail, and documents their findings exactly as they would in a live incident. Real tools. Real logs. Real investigation skills.
hashmu-attack-lab — investigation.kql
►
Initializing Hashmu Attack Lab environment...
// Azure tenant provisioned — artifacts loaded
►
// Successful network logons (EventID 4624, LogonType 3) in the last 72h,
// counted per account and source IP; summarize count() emits the column count_
SecurityEvent
| where TimeGenerated > ago(72h)
| where EventID == 4624
| where LogonType == 3
| summarize count() by Account, IpAddress
| order by count_ desc
✓ Suspicious lateral movement detected
→ Kill Chain phase: Lateral Movement
→ IOC found: 172.16.4.22 → DC01
// Document finding in investigation report
►
Continuing investigation...
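The KQL in the terminal above does one pivot: count successful network logons per account and source IP. As an added example (not code from the lab or from Hashmu), the Python below runs the same filter over a handful of constructed SecurityEvent records, using the column names the query assumes (TimeGenerated, EventID, LogonType, Account, IpAddress, plus Computer for the target host), and goes one step further than the query: it also lists how many distinct hosts each account/IP pair reached, which is the fan-out pattern an analyst looks for when a single source starts touching many machines.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Fixed "current" time so the 72h window is reproducible offline.
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)


def _ev(hours_ago, event_id, logon_type, account, ip, computer):
    """Build one constructed SecurityEvent-shaped record (sample data, not lab data)."""
    return {
        "TimeGenerated": NOW - timedelta(hours=hours_ago),
        "EventID": event_id,
        "LogonType": logon_type,
        "Account": account,
        "IpAddress": ip,
        "Computer": computer,
    }


# Constructed sample: one service account fanning out from one source IP,
# one ordinary user, one interactive logon, one stale event, one failed logon.
SAMPLE_EVENTS = [
    _ev(1, 4624, 3, "CORP\\svc_backup", "172.16.4.22", "DC01"),
    _ev(2, 4624, 3, "CORP\\svc_backup", "172.16.4.22", "DC01"),
    _ev(3, 4624, 3, "CORP\\svc_backup", "172.16.4.22", "FS01"),
    _ev(4, 4624, 3, "CORP\\svc_backup", "172.16.4.22", "WEB02"),
    _ev(5, 4624, 3, "CORP\\jdoe", "10.0.0.5", "FS01"),
    _ev(6, 4624, 3, "CORP\\jdoe", "10.0.0.5", "FS01"),
    _ev(7, 4624, 2, "CORP\\jdoe", "10.0.0.5", "WS07"),       # interactive, excluded
    _ev(80, 4624, 3, "CORP\\svc_backup", "172.16.4.22", "DC01"),  # outside 72h window
    _ev(1, 4625, 3, "CORP\\admin", "172.16.4.22", "DC01"),    # failed logon, excluded
]


def _in_scope(event, now, window_hours):
    """Mirror the KQL where-clauses: recent, successful (4624), network (type 3)."""
    if event["TimeGenerated"] <= now - timedelta(hours=window_hours):
        return False
    return event["EventID"] == 4624 and event["LogonType"] == 3


def network_logons_by_source(events, now=NOW, window_hours=72):
    """Equivalent of `summarize count() by Account, IpAddress | order by count_ desc`.
    Returns a list of ((account, ip), count) sorted by count descending."""
    counts = defaultdict(int)
    for e in events:
        if _in_scope(e, now, window_hours):
            counts[(e["Account"], e["IpAddress"])] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def fan_out_by_source(events, now=NOW, window_hours=72, min_hosts=3):
    """Second pivot the query does not do: distinct target hosts per (account, ip).
    A source reaching many hosts is a stronger lateral-movement signal than volume alone."""
    targets = defaultdict(set)
    for e in events:
        if _in_scope(e, now, window_hours):
            targets[(e["Account"], e["IpAddress"])].add(e["Computer"])
    return [(key, sorted(hosts)) for key, hosts in sorted(targets.items())
            if len(hosts) >= min_hosts]


if __name__ == "__main__":
    for (account, ip), n in network_logons_by_source(SAMPLE_EVENTS):
        print(f"{n:>3}  {account:<20} {ip}")
    for (account, ip), hosts in fan_out_by_source(SAMPLE_EVENTS):
        print(f"fan-out: {account} from {ip} -> {', '.join(hosts)}")
```

The `_in_scope` filter is shared by both pivots so the two views are always computed over the same slice of events, which is what you want when the finding for one Kill Chain phase (here, the source IP) has to line up with the evidence you carry into the next.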
What participants do
Every participant works through the same three-phase structure — building the investigation skills used in a real enterprise IR engagement.
01
Analyze logs using real hands-on skills
Participants access the live Azure environment and work through real log sources — Entra ID sign-in logs, audit logs, endpoint telemetry, and Microsoft Sentinel data. Every query and every pivot is done hands-on in the actual platform, not a simulation of it.
02
Follow the evidence trail
Artifacts are connected across Kill Chain phases — a finding in one phase leads to the next. Participants must reconstruct the attacker timeline chronologically and identify what was accessed, when, and how. The investigation is non-linear by design.
03
Document the investigation report
On completion, each participant produces a structured investigation analysis report — covering attacker timeline, evidence per Kill Chain phase, IOCs identified, and remediation recommendations. The same report format used in a real IR engagement.
Who this is for
SOC analysts & incident responders
Analysts who work in a SOC or IR function and want to build end-to-end investigation skills beyond alert triage. Ideal for teams that respond to incidents but have limited experience running a full forensic investigation from scratch.
Security teams preparing for IR certifications
Professionals pursuing SC-200, GCFE, GCIH, or similar certifications who want hands-on practice before their exam — working through real scenarios rather than memorizing theory from a study guide.
Corporate SOC teams — team exercise
Organizations wanting to run a structured team-based investigation exercise — testing collective SOC capability, identifying skill gaps, and building shared investigation methodology. Functions like a technical tabletop with real execution.
BOOK THE LAB