Never Imagined a Whole Constructing Defense Ecosystem
Building a cybersecurity course sounds like a straightforward endeavor. Ostensibly, you generate content that showcases your expertise in certain areas in a format where others can follow along, package it up, set a price, advertise and off you go. Never could I have imagined where the ConDef journey would lead me. With courses, free materials, AI and so much more, it’s turned into an entire Constructing Defense Ecosystem of sorts. I thought it would be fun to share with you the history and evolution of what I thought would be a fun little side project.
It all started with a single course concept. However, when it’s time to roll up your sleeves and get to work, a number of complications arise:
- What exactly am I trying to get across?
- What skills do I want to convey within the course without overwhelming people?
- Do I use videos, screenshots, text or a combination?
- Do I even have enough expertise to put this all together?
- In what order do I want the information presented?
These are but a sampling of the thoughts and questions going through my head while Constructing Defense was in its conceptual stages. This blog aims to provide a bit of a behind-the-scenes view into Constructing Defense: its history, why certain decisions were made, and where it stands now.
The First Ideas
During my cybersecurity career, I was fortunate enough to have a diverse set of experiences. I started working in Service Desk, moved into a GRC role, then moved into a more hands-on detection engineering / threat hunting type role before moving into the consulting space for a few years, then onto vendorland, followed by my current role at Huntress.
Throughout, logs and telemetry were at the forefront of a lot of my work. Why? Because:
- Auditors wanted to see examples of logs and telemetry being reviewed
- Detection engineering & hunting work required a rich set of telemetry
- Purple team engagements during my consulting years succeeded or failed largely based on the available telemetry
- Potential customers for the product team that I was a part of needed to be shown how raw telemetry could be turned into security insights
- Investigations and IR efforts require expertise with various strands of telemetry
To me, it seemed like large functions of the cybersecurity industry relied on logging pipelines and telemetry being generated. However, when working with numerous teams, it became clear to me that various analysts & engineers did not have a good handle on all the available types of security telemetry.
Take for example performing a Kerberoasting attack using a binary called kerberoast.exe. I found that many organizations and security teams did not have a full grasp of the various telemetry crumbs that this execution leaves behind, or of the particular layer at which each crumb lands. Teams assumed that their EDR had line-of-sight into this kind of execution. Although many EDR products did, many did not, and those teams rarely if ever verified this hypothesis. Therefore, when a custom binary was used to perform a Kerberoasting attack, one that bypassed EDR defenses, folks did not understand the Active Directory events left behind by such execution, nor the network components.
I asked myself, “What are these teams missing?” Most were well resourced, very sharp and had the relevant skill sets. What I found was missing was hands-on practice. Folks seemed to rely on various write-ups and blogs for their understanding of tooling and techniques. While this approach is certainly valid, I always believed that there is zero substitute for trying things yourself. This is where the foundations of Constructing Defense were born.
I was determined to show people how to:
1) build a telemetry-rich lab environment from scratch
2) run various executions in this lab environment to show what gets logged and at which layer
These two concepts would become the “North Star” to which Constructing Defense aligns itself.
The First Iteration
With the two above concepts front and center, I set about creating the first iteration of Constructing Defense. This version would use Sumo Logic as a SIEM/logging platform and would provide instructions on setting up a lab with:
- Windows Endpoint logging via Sysmon
- Active Directory & Active Directory Certificate Services telemetry configured
- Full packet capture
- Linux telemetry
- Kubernetes telemetry
- Azure & AWS Cloud telemetry
The idea here was to show students how telemetry pipelines get configured. Going back to the Kerberoasting example above, the idea was to have a lab environment where all the various “layers” of logs were available. When you execute a Kerberoasting attack in the Constructing Defense lab, you could see kerberoast.exe via Sysmon/endpoint logs, the ticket requests in the Active Directory logs, and the Kerberos network traffic through PCAP.
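The layered view described above can be turned into a simple correlation check. The script below is an added example, not code from the course or its lab: it takes constructed sample records standing in for the three layers (a Sysmon Event ID 1 process creation, Windows Security Event ID 4769 service ticket requests, and a Kerberos TGS-REQ seen on TCP/88 in the packet capture), flags RC4 (encryption type 0x17) ticket requests for non-machine service accounts at the directory layer, and then gathers whatever endpoint and network evidence exists from the same client within a time window. The record field names and the hostname-to-IP inventory are assumptions for the example; real SIEM field names will differ.

```python
"""Correlate endpoint, directory and network telemetry for a Kerberoasting run.

All records below are constructed sample data for this example; the field
names are assumptions, not the schema of any particular SIEM or collector.
"""
from datetime import datetime, timedelta

# Kerberos encryption type 0x17 is RC4-HMAC. A service ticket requested with
# RC4 for a user-owned SPN is the classic directory-layer Kerberoasting signal.
RC4_HMAC = 0x17

# Endpoint layer: Sysmon Event ID 1 (process creation) on the workstation.
SYSMON = [
    {"time": "2024-03-01T10:00:01", "event_id": 1, "host": "WS01",
     "user": "CORP\\alice", "image": "C:\\Temp\\kerberoast.exe",
     "cmdline": "kerberoast.exe -spn MSSQLSvc/db01.corp.local"},
]
# Directory layer: Windows Security Event ID 4769 (service ticket requested) on the DC.
SECURITY = [
    {"time": "2024-03-01T10:00:03", "event_id": 4769, "dc": "DC01",
     "account": "alice@CORP.LOCAL", "service": "svc_sql",
     "client_ip": "10.0.0.15", "etype": 0x17},
    {"time": "2024-03-01T09:30:00", "event_id": 4769, "dc": "DC01",
     "account": "bob@CORP.LOCAL", "service": "svc_web",
     "client_ip": "10.0.0.22", "etype": 0x12},  # AES256, normal traffic
    {"time": "2024-03-01T10:00:04", "event_id": 4769, "dc": "DC01",
     "account": "alice@CORP.LOCAL", "service": "DB01$",
     "client_ip": "10.0.0.15", "etype": 0x17},  # machine account, ignored
]
# Network layer: Kerberos messages summarised from the PCAP.
NETWORK = [
    {"time": "2024-03-01T10:00:02", "src_ip": "10.0.0.15", "dst_ip": "10.0.0.5",
     "dst_port": 88, "msg_type": "TGS-REQ"},
]
# Assumed asset inventory mapping hostnames to IPs so layers can be joined.
HOST_IPS = {"WS01": "10.0.0.15", "DC01": "10.0.0.5"}


def _t(stamp):
    return datetime.fromisoformat(stamp)


def rc4_service_ticket_requests(security_events):
    """Directory layer: 4769 events asking for RC4 tickets to non-machine SPNs."""
    return [e for e in security_events
            if e["event_id"] == 4769 and e["etype"] == RC4_HMAC
            and not e["service"].endswith("$")]


def _within(events, center, window):
    lo, hi = center - window, center + window
    return [e for e in events if lo <= _t(e["time"]) <= hi]


def correlate(sysmon, security, network, host_ips, window_seconds=60):
    """For each suspicious directory-layer request, collect the endpoint and
    network evidence from the same client inside the window. 'layers_seen'
    counts how many of the three layers produced a record."""
    window = timedelta(seconds=window_seconds)
    ip_to_host = {ip: host for host, ip in host_ips.items()}
    findings = []
    for req in rc4_service_ticket_requests(security):
        center = _t(req["time"])
        host = ip_to_host.get(req["client_ip"])
        endpoint = [e for e in _within(sysmon, center, window)
                    if e["event_id"] == 1 and e["host"] == host]
        net = [p for p in _within(network, center, window)
               if p["src_ip"] == req["client_ip"] and p["dst_port"] == 88
               and p["msg_type"] == "TGS-REQ"]
        findings.append({"directory": req, "endpoint": endpoint, "network": net,
                         "layers_seen": 1 + bool(endpoint) + bool(net)})
    return findings


if __name__ == "__main__":
    for f in correlate(SYSMON, SECURITY, NETWORK, HOST_IPS):
        d = f["directory"]
        print(f"{d['account']} -> {d['service']} (RC4) from {d['client_ip']}: "
              f"{f['layers_seen']}/3 layers")
        for e in f["endpoint"]:
            print("  endpoint:", e["image"])
        for p in f["network"]:
            print("  network :", p["msg_type"], "to", p["dst_ip"])
```

Running `correlate` with the Sysmon list emptied models the case the text describes, where a custom binary leaves no endpoint record: the directory and network layers still carry the request, which is exactly why a lab that exposes all three layers is worth building.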
Our industry moves super-fast with new tools being released all the time. However, the one constant in ConDef is your lab environment and understanding how to tactfully utilize available telemetry. The idea is that your lab remains your lab! So, even after you have completed the actual modules in Constructing Defense, you still have the lab environment as your playground.
Automation & SIEM
In the first few months of Constructing Defense existing, my main focus was on the addition of new modules. More advanced attacks and defenses were added including Kerberos trade craft, DPAPI and more advanced layers of telemetry via ETW.
Participants of the course appreciated these additions; however, I noticed that most people were not progressing through the course at the pace I thought they would be.
After soliciting some feedback, it was clear that building a complex lab like Constructing Defense from scratch was a time-consuming process that was understandably too much for some folks. People didn’t want to click through boring wizards and follow along with literally hundreds of screenshots that walk you through setting up the lab environment, before they could ever get to the fun stuff.
In response, I decided to add a little bit of lab automation via Terraform. This would stand up the main Linux machines and Windows domain, and then you would follow the instructions to set up the rest of the components. This helped somewhat, as the lab deploy time was shortened, but folks still wanted a more automated solution.
At this point, I was starting to get asked about using Ludus for building out the lab. After tinkering with the tool, it was clear that this would be a game changer for the Constructing Defense lab.
I set out to automate as much of the lab build as possible with Ludus. While I was making such a big change, I also decided to replace the Sumo Logic SIEM with Splunk, as Splunk is more widely used and adopted.
At first, the Ludus lab build was only semi-automated. It spun up the domain, the Splunk installation and configured the Linux hosts, but setting up Kubernetes event collection and the PCAP appliance were still manual efforts.
Currently, after many months of hard work and trial and error, the Constructing Defense Lab is fully automated! After installing Ludus, a single command gets you set up with the full Constructing Defense lab. Not only that, this lab build is now completely free and available on GitHub.
A New Platform
As noted earlier, upon inception, building a lab manually was a huge focus for Constructing Defense. I should note that this option is still available within the course for folks who still want to build their lab from scratch, something I personally consider a worthy endeavour! It’s like doing math by hand first and only moving to a calculator once you have a solid understanding of how it all works.
Another consideration is that not everyone has access to a machine with enough resources to actually run the lab. This especially rings true today, as RAM prices skyrocket.
This is why the course moved platforms to Just Hacking Training (JHT), where the course is now available pre-configured and cloud-hosted. You can now access the lab directly from your browser, without having the beefy hardware required to run the massive lab environment on-premises.
This means that you can now either:
- Build the lab on your own hardware via automated deploy
- Build the lab on your own hardware manually, step by step
- Skip the lab build altogether, and just use the lab from your browser
While we were making such a big change to an entirely new platform, we also took the opportunity to look at how the material was presented. It wasn’t just the lab environment that was growing and becoming complex; the included instructional material was getting cumbersome too. Therefore, while making the move to JHT, we also broke up the single enormous course into 3 logically separate areas of learning. Thus was born the 3-course Constructing Defense Path.
The Dawn of AI
Constructing Defense was built before ChatGPT was a known entity. The AI wave was just getting started as Constructing Defense was maturing.
The course itself features some hands-on work with AI components, specifically analyzing Windows endpoint logs with Hayabusa and Langchain.
As the AI boom widened, it became clear that the way people were interacting with information was starting to change. Suddenly, reading material via your web browser felt like a “legacy” experience. After all, why should the course dictate learning paths and styles rather than the student?
This is the reason why the Constructing Defense MCP was built, to give students a new and novel way to interact with the mountain of content found in Constructing Defense. For those students who don’t know what they want, the tried-and-true method of following the pre-determined path laid by the instructor is still there. But now you have options.
Using the MCP, you can now make the course uniquely “yours” – you can build custom learning paths, simplify and summarize lessons, link lessons to MITRE ATT&CK and even export the entire course as an Obsidian notebook, so that you can take your own notes. In addition, you can even use the MCP to help you navigate your career and to help you utilize Constructing Defense to study for other certifications.
The Value Proposition of the Constructing Defense Ecosystem
Today, in combination with the automated lab build, additional modules and the MCP, Constructing Defense has grown to become more than just another cybersecurity course. I now see it as an entire ecosystem. ConDef is the anchor which not only helps launch your cybersecurity career but also continues as your open playground to further your research. What’s cool here is that a large part of this ecosystem is totally free to use.
Here’s an example roadmap:
- If you’re newer to the industry and want to get hands-on experience, check out the quick Free Upskill Challenge for Sysmon.
- After getting a handle on the basics of Sysmon, you can play with your custom Sysmon configurations and deploy them with my free SysmonConfigPusher tool.
- After you’ve progressed with Sysmon a little bit and need a more advanced lab, utilize the free Constructing Defense lab to start dipping your toes.
- Get the full 3-course Path for a more structured learning experience, 100+ videos, step-by-step instructions with screenshots and access to me and other students in the JH Discord.
Once you’ve gotten a good handle on Sysmon, maybe played around in the lab environment, and decide that the more structured course is right for you, we still give you options that best meet your needs and budget.
You can dive into either ConDef Lite ($150 USD) if you have the hardware to run the lab yourself or the full Constructing Defense 2026 ($500 USD) where the lab is hosted for you. Either purchase grants you lifetime access to all the materials, manual lab build instructions as well as the Constructing Defense MCP.
These price points reflect our commitment to provide affordable cybersecurity training for EVERYONE! Even with all the various additions to Constructing Defense: new modules, new SIEM, additional deployment options, an MCP, the price has not increased, and we have no plans to do so.
We hope that you grab the course, enjoy the MCP and utilize the lab for the entirety of your cybersecurity career!