Subscription

Analyst Defense Labs.

Continuous, hands-on skills development and investigation labs for SOC analysts and defenders who want to sharpen real-world skills — not chase points on a leaderboard.

New labs added regularly · Cancel anytime

What’s Inside

Each lab is a self-contained investigation or skill module you can complete at your own pace.

🔍

Investigation scenarios

Work through realistic compromise cases — BEC, server breaches, network intrusions — analyzing real artifacts in guided, in-browser environments.

🛠️

Detection & analysis labs

Build practical skills in Sigma rules, YARA detection, Splunk analysis, threat intelligence, and phishing investigation using industry tools.

🔄

Growing library

New labs added regularly covering emerging threats, new tools, and expanding investigation domains. Your subscription gets more valuable over time.

Who It’s For

SOC Analysts: Sharpen triage and investigation skills with real-world cases

Incident Responders: Stay current on attack techniques and investigation tools

Detection Engineers: Practice writing Sigma and YARA rules against real samples

Career Builders: Build portfolio-ready investigation experience

Lab Library

All labs included with your subscription. New labs added regularly.

Detection Engineering with Sigma

Learn how to design, validate, and operationalize Sigma detections—from single-event rules to correlation-based attack detection—using real SOC workflows.

Malware Detection with YARA

Malware Identification with YARA is a hands-on course that teaches analysts how to write effective YARA rules to detect, classify, and hunt malware across disk and memory using real-world samples and investigation-driven labs.

Foundations of Cyber Threat Intelligence

This course introduces the core concepts, frameworks, and analytical practices of Cyber Threat Intelligence.

React2Shell Server Compromise Investigation

A guided, real-world investigation of a React web application compromise that teaches analysts how to perform high-fidelity network (PCAP) and Linux server forensics using advanced, command-line–driven investigative techniques.

Microsoft 365 BEC Investigation

Investigate Business Email Compromise (BEC) using Microsoft 365 unified audit log telemetry.

Splunk BOTS v3

A hands-on Splunk investigation course that builds real-world SOC analysis skills by analyzing a realistic enterprise dataset to identify, scope, and correlate multiple concurrent security incidents using SPL and SIEM methodology.

BEC Investigation with SOF-ELK

This course builds on Microsoft 365 UAL fundamentals by introducing SOF-ELK as a scalable investigation platform for analyzing audit log data and identifying Business Email Compromise activity.

Coming Soon

Phishing Email Detection with Sublime

Email threat detection and phishing analysis using the Sublime Security platform, progressing from email fundamentals through hands-on detection engineering.

Analyst Defense Labs

Really enjoying the Analyst Defense Labs. This one teaches you how to correlate Microsoft Entra ID with Exchange logs — specifically the ExchangeAdmin and AzureActiveDirectoryStsLogon records. Looking forward to doing even more labs from this path.

Adrian Iuliano

DFIR Engineer · PSAP · CSIL-CCFI

Choose Your Plan

Full access to every lab from day one. Cancel anytime.

Monthly
$29 /mo

Full access from day one

Start Monthly →
Best Value
Annual
$299 /yr

Save $49 vs. monthly

Start Annual →

Want the complete training path? ADL is included free for 12 months with the Hero Bundle →

Training a team? The Hero Bundle for Teams includes volume discounts, a team lead dashboard, and centralized progress tracking. Learn more →

How It Works

1. Subscribe

Pick monthly or annual. Instant access to every lab.

2. Pick a Lab

Choose an investigation scenario or skill lab. Start in your browser.

3. Investigate

Analyze real artifacts, follow the evidence, and build the skills that matter on the job.

Frequently Asked Questions

What do I get with my subscription?

Full access to every lab in the library — investigation scenarios, detection labs, and skill modules. New labs are added regularly and included automatically. Everything runs in your browser, no setup required.

Is this different from the training tracks?

Yes. The training tracks (Analyst Core, Analyst I, Analyst II) are structured course progressions with video lessons and certification paths. ADL is a standalone lab subscription focused on continuous, practical investigation practice across multiple domains. Think of the tracks as your structured education and ADL as your ongoing gym membership.

Do I need to complete a training track first?

No. ADL labs are designed for working analysts at various levels. Some labs are beginner-friendly, others are advanced. Each lab clearly indicates the skill level and prerequisites.

Can I cancel anytime?

Yes. Monthly subscriptions can be cancelled at any time. Annual subscriptions run for the full year. No surprise charges, no auto-upgrades.

Is ADL included with the Hero Bundle?

Yes — the Hero Bundle includes 12 months of full ADL access at no extra cost, on top of all three training tracks and the PWFA certification.

What tools or software do I need?

Just a browser. All labs run in our Cyber Lab Hero platform — no software installation, no VMs to manage. Log in and start investigating.

How often are new labs added?

New labs are added regularly, covering emerging threats, new investigation tools, and expanding domains like cloud forensics, detection engineering, and threat intelligence.

Ready to Start Investigating?

Full access to every lab. New scenarios added regularly. Cancel anytime.

Or get ADL free for 12 months with the Hero Bundle
