Live Online Training

Expert Incident Response Bootcamp with Hands-On Labs

Threat Hunting with Security Onion and RedHunt OS

Topic: Security
Omar Santos

Take your incident response skills to the next level with this intensive, hands-on class with Omar Santos. This live and interactive training is designed to help you understand your network environment, monitor it for threats, perform incident response against identified threats, and learn different adversary tactics, techniques, and procedures (TTPs). You will gain hands-on experience monitoring, responding to, and remediating internal threats (an approach also known as active defense). You will also learn how to use tools such as Security Onion and RedHunt OS to perform digital forensics and incident response (DFIR), as well as threat hunting.

This two-day training gives you the hands-on, real-world incident response concepts you need, such as using threat intelligence, security monitoring, and applying threat analysis and incident response methodologies. You will learn about tools such as Snort, Suricata, Zeek (formerly known as Bro), Sguil, Squert, Elasticsearch, Logstash, and Kibana (ELK), Caldera, Atomic Red Team, Metasploit, Maltego, Datasploit, Yeti, Harpoon, and many others. This class is also a great way to gain the extra insight needed to help pass a number of certifications, including CISSP, CompTIA Security+, CompTIA CySA+, CompTIA CASP+, and Cisco CyberOps Associate.

What you'll learn and how you can apply it

  • Learn digital forensics and incident response (DFIR) practical techniques.
  • Learn how to perform threat hunting.
  • Learn how to create effective incident response teams and best practices for containing and remediating cybersecurity incidents.
  • Learn through step-by-step demonstrations.
  • Complete hands-on exercises and participate in interactive discussions.

This training course is for you because...

  • You have an understanding of cybersecurity fundamentals and you want to take your skills further.
  • You are preparing for a security certification, such as Cisco CyberOps Associate, CompTIA Security+, CompTIA CySA+, CompTIA CASP+, CISSP, and more.
  • You want to learn how to extract and create necessary cyber threat intelligence that can help you properly scope the compromise and detect future breaches.
  • You are interested in cybersecurity and penetration testing (ethical hacking).
  • You want to learn different methodologies and best practices to perform security penetration testing assessments.


  • Course participants should have a basic understanding of cybersecurity and networking concepts.

The following book and video course provide a good overview of the cybersecurity fundamentals that are prerequisites for this course:

  • The Complete Cybersecurity Bootcamp (Video Collection): Threat Defense, Ethical Hacking, and Incident Handling
  • Developing Cybersecurity Programs and Policies, Third Edition

Course Set-up

Recommended Preparation

Recommended Follow-up

About your instructor

  • Omar Santos is an active member of the cybersecurity community, where he leads several industry-wide initiatives. He is the lead of the DEF CON Red Team Village; the chair of the Common Security Advisory Framework (CSAF) technical committee; the co-chair of the Forum of Incident Response and Security Teams (FIRST) Open Source Security working group; and has been the chair of several initiatives in the Industry Consortium for Advancement of Security on the Internet (ICASI). His active role helps businesses, academic institutions, state and local law enforcement agencies, and other participants dedicated to increasing the security of their critical infrastructures.

    Omar is the author of over twenty books and video courses, as well as numerous white papers, articles, and security configuration guidelines and best practices. Omar is a principal engineer of the Cisco Product Security Incident Response Team (PSIRT), where he mentors and leads engineers and incident managers during the investigation and resolution of cybersecurity vulnerabilities. Additional information about Omar's current projects can be found at omarsantos.io, and you can follow Omar on Twitter @santosomar.


The timeframes are only estimates and may vary according to how the class is progressing.


Introduction to Incident Response, Active Defense, and Course Setup 60 minutes

Break: 10 minutes

Installing and Customizing Security Onion 50 minutes

Break: 10 minutes

Monitoring the Network using Snort and Suricata 30 minutes

Using Squert and Sguil for Incident Response 20 minutes

Break: 10 minutes

Visualizing Network Attacks Using Elasticsearch, Logstash, and Kibana (ELK) 30 minutes

Replaying Network Traffic to Analyze Cyber Attacks 20 minutes


Introduction to Threat Hunting 30 minutes

Monitoring the Network with Zeek (formerly known as Bro) 20 minutes

Break: 10 minutes

Collecting and Analyzing Malware Packet Captures with Wireshark, tshark, and tcpdump 30 minutes

Parsing Logs using Python and Bash 30 minutes

Break: 10 minutes

Attack Simulation with Caldera and Atomic Red Team 50 minutes

Break: 10 minutes

Threat Intelligence Sharing with STIX and TAXII 20 minutes

Using Yeti, Harpoon, and Yara Rules for Malware Analysis and Threat Intelligence 30 minutes