Build the Ultimate Cybersecurity Purple Teaming Home Lab
*Lifetime Access*
Welcome To
Build - Execute - Query
Clear and detailed instructions on building a multi-cloud lab on your own hardware or on your self-hosted AWS instance. Including Windows Active Directory, Active Directory Certificate Services, Kubernetes, Azure and AWS!
Learn how to use popular open source C2 frameworks and other penetration testing tools in order to generate realistic telemetry in your own lab environment.
Use a log analytics platform / SIEM (Splunk & Sumo Logic supported!) in order to craft threat detection queries for your activities.
Use Ludus to quickly deploy the lab with minimal configuration. This option is for folks who do not want to focus on building a lab and want to dive right into the TTPs! Check out the Ludus Overview section for more details.
Go from downloading a few ISO files to building a multi-cloud Purple Teaming lab! This is for folks who enjoy building things from scratch and want to understand how every bit of telemetry is configured.
Use Terraform to deploy a base version of the lab to your own AWS instance and continue onwards to configure and provision the lab.
Important Requirements
This lab is built and hosted on your own hardware or in your self-hosted AWS cloud - please check the Q&A section for detailed hardware requirements and trade-offs.
The lab consists of seven (7) virtual machines; however, not all of them need to be powered on at once.
A non-Gmail/Hotmail email address is required for certain services utilized by the course.
The course involves signing up for cloud services (optional); a valid credit card is required for this.
MITRE ATT&CK HeatMap
The lab is hosted either on your own hardware (some kind of hypervisor, or a Ludus host) or in your self-hosted AWS cloud. The on-premises component of the lab consists of seven (7) virtual machines. Not all the machines are required to be powered on at the same time, however.
Please note - that at this time, full packet capture is not available if you go with the AWS self-hosted option. However, all the PCAP related materials have associated videos and screenshots so you can still get a feel for what full packet capture offers. I am working on a solution to bring some packet/network level visibility to the AWS hosted option.
This is tough to give a fully accurate answer to, as systems handle virtual machine workloads differently.
If you have run 3-4 virtual machines with reasonable specs (4-8 GB of RAM, 60+ GB of disk) and an internet connection, you should be able to build the lab and complete the exercises.
The course includes step-by-step screenshots and videos for every module. The only real prerequisite is that you are comfortable working with virtual machines (installing an operating system on some kind of hypervisor from an ISO file).
The course fee includes lifetime access so you can review the material and watch the videos without actually building the lab and performing the exercises and still get value out of the course.
We will be using a free trial of Sumo Logic which, combined with the auditing and telemetry policies of the lab, provides enough ingestion quota for Azure, AWS and on-premises telemetry like Sysmon and other Windows and Linux events.
There is no expiry date for course access, you have access forever / indefinitely. The course will be updated based on feedback and to generally keep up with new techniques / tactics!
There are many tools and projects out there that help you build labs in the cloud in an automated fashion. These are really wonderful projects that this course does not compete with. It just takes a different approach. The goal of this course is to show how each and every bit of telemetry gets configured and ingested. In addition, all effort is made to minimize costs associated with hosting labs in the cloud.
If you want to build the lab in the most automated way possible, a Ludus deploy version is available. This option will get you up and running quickly.
If you have access to cloud resources, there is nothing stopping you from re-creating the lab in the cloud if you wish!
Continuing professional education credits (CPEs) are calculated differently by various providers. However, this course has about 5-6 hours of video content; this metric can be used in calculating CPE submissions.
Yes, a certificate of completion is provided.
Yes, there are about six (6) hours worth of videos in the course. All videos are 4K quality and hosted on YouTube. All videos have an instructor (me) talking and all audio was recorded with a high quality Shure microphone.
If you complete the cloud components of the course within 30 days while the Azure free trial and AWS free tier are in place, then no, there will not be any costs. However, if you keep the cloud infrastructure up, some costs may be incurred. As of writing (December 2023) these costs are about 20-30 dollars Canadian per month for both AWS and Azure. This will obviously change if you choose to provision cloud resources beyond those covered in the course.
Constructing Defense and the course author take no responsibility for any cloud costs incurred.
These definitions change depending on who you ask. The course is a mix of all three disciplines. You will be running certain pen test / red team tools and C2 frameworks and you will be querying for the telemetry generated by these executions. However, you will not be crafting phishing emails, bypassing any EDRs or conducting enterprise incident response activities. The course is designed to provide an introduction to many areas in order to give participants a start in that area; a thread to pull on.
Great question! There are a lot of sections in order to get participants in the course familiar with the telemetry from these areas and to set up a testing/lab environment for them.
A good example here is Active Directory Certificate Services (ADCS). There are so many attack paths and tools out there for ADCS but this course only covers one of them. However, after completing one execution, you have the lab setup and necessary telemetry configured to test more and go deeper.
We dive deeper into other areas, like credential access, as there are many variations and strands of telemetry to look at.
Yes, sections will be added and updated. You have lifetime access to the course materials.
Please get in touch: anton@constructingdefense.com and we can talk!
The setup of the lab is broken down into a few sections: downloading the various ISO files, getting the systems provisioned/stood up, and then finally configuring and collecting the telemetry. Plan to spend at least a few days setting the lab up, taking into account the various moving pieces.
Yes, you can still take the course and just follow along with the sections that cover Azure and AWS.
No. Every piece of content for this course was made by a human using the references linked in the relevant section combined with years of hands-on experience. No AI was used to generate any content for the course. In fact, all effort was made to make the videos feel less formal and more conversational to remove the robotic feel of AI.
Yep! Please check below.
Course Overview:
Hello! I'm Anton Ovrutsky and I currently work in the threat research space. I have spoken at numerous InfoSec conferences and have multiple certifications including OSCE, OSCP, CISSP, CSSP and KCNA. I love all the defensive aspects of cyber security and really enjoy sharing knowledge, queries, detection strategies etc. I love cycling, lifting weights, watching TV on the couch and Drum N' Bass music.