Introducing Threat-eX™

6-month program of Live Webinars and CYBER RANGES cyberdrill-grade, simulation-based exercises

Threat-eX™ helps you and your team commit to ongoing, demonstrable, security and risk mitigation improvements as well as professional transformation, utilizing regular cyber-drills delivered on CYBER RANGES' world-class cyber range.

Best-In-Class Threat Emulation Experiences by CYBER RANGES

GARTNER (2024): The importance and criticality of training with "live ammunition" or simulated "live ammunition" cannot be over-emphasized.

'Meet The Drill Masters' On-Demand Webinar

Threat-eX™ helps Security Leaders to fully appreciate their organization's Attack Surface and Threat Exposure

– Stay ahead of evolving threats against your critical infrastructure

– Achieve an affordable balance between scalable solutions and personalized training

– Focus on actionable outcomes

– Adapt to the constant evolution of the global threat landscape

Threat-eX™ focuses on demonstrable, measurable cybersecurity practitioner abilities immediately employable in the Incident Response Room.


Threat-eX™ offers you:

Cloud-based access to Cyber Threat Intelligence (CTI)-informed and Advanced Persistent Threat (APT)-focused scenarios designed for immediate use in training and exercise programs for blue, red and purple teams.

Scenarios with live and after-action assessments.

– Role-mapped, pre-exercise training content.

– A wrap-up and hot-wash session after each exercise.

– Post-event performance reports (individual and team).

– Actionable insights.

– Personal certificates of completion, digital badges, and CPE credits.

– Evidence of participation in support of your organization’s compliance requirements.

Who would benefit from using Threat-eX™

– Security leaders seeking to understand their organization’s potential threat exposure and attack surface, and how to effectively manage these risks.

– Individuals aiming to hone their skills or gain a deeper understanding of the advanced persistent threat (APT) landscape.

– Technical and cybersecurity teams (such as SOC, CERT, IR, DFIR) and their managers.

– Organizations with large or multiple teams.

– Critical industries requiring robust cybersecurity measures.

– Governmental agencies, military, and non-governmental organizations (NGOs).

The Threat-eX™ schedule for 2024/25

This is the Calendar of Events for your Cyber Defense Team to join:

Wizard Spider

Nov 14-15, 2024

During a successful phishing campaign, a threat actor establishes C2 communications after a staff member of the targeted organization opens an Emotet maldoc. With a foothold on the workstation, the attacker discovers other assets on the network and exploits the vulnerabilities enumerated on them to move laterally. The attacker exfiltrates sensitive patient medical records and destroys backups before rolling out ransomware and threatening to leak the collected data. Your task is to unravel the intricate web of deception enabling the adversary’s ransomware deployment.

Threat Actor: Wizard Spider

Threat Type: Ransomware

Attacker Tools: Ryuk, Emotet

Threat Rating: High

Threat Impact: Data Exfiltration, Service Availability

Difficulty: Hard

MITRE ATT&CK® TTPs Covered:

– Acquire Infrastructure: Server – T1583.004
– Develop Capabilities – T1587
– Phishing: Spearphishing Attachment – T1566.001
– User Execution – T1204
– Defense Evasion (tactic) – TA0005
– Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – T1547.001
– Process Discovery – T1057
– Gather Victim Host Information – T1592
– Compromise Client Software Binary – T1554
– Password Policy Discovery – T1201

– Permission Groups Discovery: Domain Groups – T1069.002
– Account Discovery: Domain Account – T1087.002
– Remote System Discovery – T1018
– Valid Accounts: Local Accounts – T1078.003
– Windows Management Instrumentation – T1047
– Steal or Forge Kerberos Tickets – T1558
– OS Credential Dumping – T1003
– Compromise infrastructure – T1584
– Exfiltration Over C2 Channel – T1041
– Data Encrypted for Impact – T1486

Ransomware Rampage

Dec 18-19, 2024

An attacker exploits an SMB server in the corporate DMZ and establishes command-and-control communication. Operating system credentials are extracted from the compromised server, yielding valid usernames and their password hashes. The attacker reuses this material in a credential-stuffing attack against the corporate LAN and logs in to a single workstation as a standard user. Inside the LAN, the attacker abuses an unquoted service path to elevate privileges to NT AUTHORITY\SYSTEM, then dumps further operating system credential hashes. With these credentials the attacker deploys ransomware across the LAN workstations. Your task is to unravel the intricate web of deception enabling the adversary’s infiltration.

Threat Actor: LockBit

Threat Type: Ransomware

Attacker Tools: Custom Ransomware

Threat Rating: High

Threat Impact: Data Exfiltration, Service Availability

Difficulty: Intermediate

MITRE ATT&CK® TTPs Covered:

– Acquire Infrastructure: Server – T1583.004
– Active Scanning – T1595
– Brute Force – T1110
– Gather Victim Identity Information – T1589
– Command and Scripting Interpreter – T1059
– OS Credential Dumping – T1003
– System Owner/User Discovery – T1033
– Remote System Discovery – T1018
– Account Discovery: Domain Account – T1087.002
– Permission Groups Discovery – T1069
– Valid Accounts: Local Accounts – T1078.003
– Valid Accounts: Domain Accounts – T1078.002
– Exploitation for Privilege Escalation – T1068
– Compromise Infrastructure – T1584
– Archive Collected Data – T1560
– Data Encrypted for Impact – T1486
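The privilege-escalation step in this scenario (an unquoted service path, T1068) is a check a blue team can script before the drill. The following is an added example, not CYBER RANGES material and not part of the scenario itself: it takes service ImagePath values in the form `sc qc` or the registry returns them (the four services and paths below are constructed for the example), flags the ones that are unquoted and contain a space, lists the intermediate binaries Windows would probe first, and produces the quoted path that closes the hole.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample: service name -> ImagePath, in the form returned by
# `sc qc <name>` / the registry ImagePath value. Service names and paths
# are invented for this example.
SAMPLE_SERVICES = {
    "GoodSvc": r'"C:\Program Files\Vendor\Good Service\goodsvc.exe" -run',
    "BadSvc": r"C:\Program Files\Vendor Tools\Update Agent\agent.exe --service",
    "NoSpaceSvc": r"C:\Windows\System32\svchost.exe -k netsvcs",
    "SysSvc": r"C:\Windows\system32\Some Dir\svc.exe",
}


@dataclass
class Finding:
    service: str
    image_path: str
    candidates: list[str] = field(default_factory=list)  # paths probed before the real binary
    fixed: str = ""                                       # quoted ImagePath that closes the hole


def split_command(image_path: str) -> tuple[str, str]:
    """Return (executable_path, arguments) for an ImagePath value.

    A quoted path ends at the closing quote. An unquoted path is taken to run
    up to the first argument token starting with '-' or '/'; that ambiguity is
    exactly what CreateProcess has to resolve, which is why the hole exists.
    """
    s = image_path.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end], s[end + 1:].strip()
    m = re.search(r"\s[-/]", s)
    if m:
        return s[:m.start()].strip(), s[m.start():].strip()
    return s, ""


def hijack_candidates(exe_path: str) -> list[str]:
    """Paths Windows tries, in order, before the intended binary.

    CreateProcess cuts an unquoted command line at each space and appends
    .exe, so 'C:\\A B\\C D\\x.exe' probes 'C:\\A.exe', then 'C:\\A B\\C.exe'.
    An attacker who can write to one of those directories plants a binary
    there and it runs as the service account (SYSTEM in the scenario).
    """
    return [exe_path[:i] + ".exe" for i, ch in enumerate(exe_path) if ch == " "]


def check_services(services: dict[str, str]) -> list[Finding]:
    """Flag every service whose executable path is unquoted and contains a space."""
    findings = []
    for name, image_path in services.items():
        if image_path.strip().startswith('"'):
            continue  # already quoted: not exploitable this way
        exe, args = split_command(image_path)
        if " " not in exe:
            continue
        fixed = f'"{exe}" {args}'.strip()
        findings.append(Finding(name, image_path, hijack_candidates(exe), fixed))
    return findings


if __name__ == "__main__":
    for f in check_services(SAMPLE_SERVICES):
        print(f"[!] {f.service}: {f.image_path}")
        for c in f.candidates:
            print(f"    would probe {c}")
        print(f"    fix ImagePath to: {f.fixed}")
```

On a live host, feed it the output of `Get-CimInstance Win32_Service | Select-Object Name, PathName`; a candidate path is only exploitable if the current user can write to its parent directory, so follow up with an ACL check on each directory before calling it a finding.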
Atom Silo

Jan 15-16, 2025

After a network configuration change, an application endpoint is exposed to the internet. The attackers exploit a vulnerability in the exposed endpoint and gain code execution. They bring additional malware onto the target and establish C2 communication, then perform post-exploitation to gain privileges and move laterally across the organization’s internal networks. Once they have achieved their escalation objective, they deploy ransomware across the network’s workstations.

Your task is to unravel the intricate web of deception enabling the adversary’s infiltration.

Threat Actor: Atom Silo

Threat Type: Ransomware

Attacker Tools: Atom Silo Ransomware

Threat Rating: High

Threat Impact: Data Exfiltration

Difficulty: Intermediate

MITRE ATT&CK® TTPs Covered:

– Acquire Infrastructure: Server – T1583.004
– Active Scanning – T1595
– Exploitation of Remote Services – T1210
– Valid Accounts: Domain Accounts – T1078.002
– Deploy Container – T1610
– Command and Scripting Interpreter – T1059
– Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – T1547.001
– Exfiltration Over C2 Channel – T1041
– Impair Defenses: Disable or Modify Tools – T1562.001
Silverthorn Power Plant Attack

Feb 19-20, 2025

An attacker sends a user a phishing mail linking to a backdoored PuTTY installer. The user downloads and runs it, giving the attacker code execution on the host and a C2 channel. From there the attacker runs commands and enumerates the workstation: obtaining its IP address, keylogging (capturing user credentials), listing network shares and their contents, listing running processes, exfiltrating share contents, and retrieving browser history. Your task is to unravel the intricate web of deception enabling the adversary’s infiltration.

Threat Actor: Lazarus Group

Threat Type: Ransomware

Attacker Tools: Dtrack

Threat Rating: High

Threat Impact: Data Exfiltration

Difficulty: Easy

MITRE ATT&CK® TTPs Covered:

– Exfiltration Over C2 Channel – T1041
– Develop Capabilities: Malware – T1587.001
– Phishing: Spearphishing Attachment – T1566.001
– User Execution: Malicious File – T1204.002
– Gather Victim Host Information – T1592
– Gather Victim Network Information – T1590
– Account Discovery: Domain Account – T1087.002
– Data Destruction – T1485
– Data Encrypted for Impact – T1486
– Abuse Elevation Control Mechanism: Bypass User Account Control – T1548.002
– Access Token Manipulation – T1134
– Command and Scripting Interpreter: Windows Command Shell – T1059.003
– Inhibit System Recovery – T1490
Attacker in the Middle (AiTM)

Mar 19-20, 2025

An attacker phishes an IT officer at the targeted organization and gains access to a Windows file share server as that user. On this beachhead server they use legitimate software to execute their payload and establish persistence with a shortcut (.lnk) file. They then gain access to the network load balancer and move further laterally from there. From the compromised mailbox, the attacker also spear-phishes privileged users. Before finally disrupting operations by taking down the load balancer, they exfiltrate data, disable privileged accounts, roll out ransomware and partially delete files, then demand a ransom after spreading the ransomware to the rest of the network. Your task is to unravel the intricate web of deception enabling the adversary’s infiltration.

Threat Actor: Lazarus Group

Threat Type: Ransomware

Attacker Tools: Proxy Mail Server, WannaCry

Threat Rating: High

Threat Impact: Data Exfiltration, Service Availability

Difficulty: Hard

MITRE ATT&CK® TTPs Covered:

– Phishing: Spearphishing Link – T1566.002
– Proxy – T1090
– User Execution: Malicious Link – T1204.001
– Browser Session Hijacking – T1185
– Account Discovery – T1087
– Remote Access Software – T1219
– Boot or Logon Autostart Execution – T1547
– Hijack Execution Flow: DLL Side-Loading – T1574.002
– Active Scanning – T1595
– Proxy: External Proxy – T1090.002
– Web Service: Bidirectional Communication – T1102.002
– Ingress Tool Transfer – T1105

– Input Capture: Keylogging – T1056.001
– Exploitation of Remote Services – T1210
– Server Software Component: Web Shell – T1505.003
– Account Discovery: Domain Account – T1087.002
– OS Credential Dumping – T1003
– Exfiltration Over C2 Channel – T1041
– Network Denial of Service – T1498
– Disk Wipe – T1561
– Data Encrypted for Impact – T1486
– Account Access Removal – T1531

Alloy Taurus

Apr 09-10, 2025

In a covert breach, an unsuspecting bank employee downloads an application, unknowingly opening the door to a sophisticated cyber attack. The concealed software, leveraging a well-known vulnerability, establishes stealthy Command and Control (C2) communications at boot. Having compromised the initial system, the attacker maps the environment and establishes potential attack paths. Using covert techniques, the attacker maneuvers through critical network nodes and reaches a gateway to the financial systems, where funds are subtly redirected. As the organization’s system analyst, with full access to the corporate system logs, you are entrusted with the incident response. Your task is to unravel the intricate web of deception enabling the adversary’s infiltration.

Threat Actor: Alloy Taurus

Threat Type: Ransomware

Attacker Tools: Cobalt Strike, Mimikatz

Threat Rating: High

Threat Impact: Money Theft, Data Exfiltration

Difficulty: Hard

MITRE ATT&CK® TTPs Covered:

– Acquire Infrastructure: Server – T1583.004
– Develop Capabilities – T1587
– Hijack Execution Flow: DLL Side-Loading – T1574.002
– Defense Evasion (tactic) – TA0005
– Gather Victim Network Information – T1590
– Account Discovery: Domain Account – T1087.002
– Network Share Discovery – T1135
– Command and Scripting Interpreter: Windows Command Shell – T1059.003

– System Network Connections Discovery – T1049
– Exploitation for Privilege Escalation – T1068
– Steal or Forge Kerberos Tickets: Kerberoasting – T1558.003
– OS Credential Dumping – T1003
– Exfiltration Over C2 Channel – T1041
– Archive Collected Data – T1560
– Data Destruction – T1485
– Data Encrypted for Impact – T1486
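The Kerberoasting step listed above (T1558.003) is the one credential-theft technique in this calendar that leaves a clean trace on the domain controller: a burst of service-ticket requests (Security event 4769) for user-account SPNs with the RC4 encryption type. The following detection logic is an added example, not CYBER RANGES material and not part of the scenario; the 4769 records are constructed (users, hosts and SPNs invented), the threshold and window are assumptions to tune per environment, and the rule is the generic one rather than anything specific to Alloy Taurus.

```python
from __future__ import annotations

from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17          # etype 23; Kerberoasting tooling requests this by default
T = datetime(2025, 4, 9, 10, 0, 0)


def ev(seconds, user, ip, service, etype, status="0x0"):
    """Build one constructed 4769 record carrying only the fields the rule needs."""
    return {
        "EventID": 4769,
        "time": T + timedelta(seconds=seconds),
        "TargetUserName": user,
        "IpAddress": ip,
        "ServiceName": service,
        "TicketEncryptionType": etype,
        "Status": status,
    }


# Constructed sample log, modelled on Security event 4769 (Kerberos service
# ticket requested). Users, hosts and SPNs are invented for this example.
SAMPLE_4769 = [
    ev(0, "jdoe", "10.0.0.25", "svc_sql", "0x17"),
    ev(3, "jdoe", "10.0.0.25", "svc_web", "0x17"),
    ev(5, "jdoe", "10.0.0.25", "svc_backup", "0x17"),
    ev(8, "jdoe", "10.0.0.25", "svc_ldapproxy", "0x17"),
    ev(10, "asmith", "10.0.0.41", "FS01$", "0x17"),    # machine-account SPN: not roastable
    ev(20, "asmith", "10.0.0.41", "svc_sql", "0x12"),  # AES256 ticket: normal traffic
    ev(25, "asmith", "10.0.0.41", "krbtgt", "0x17"),   # krbtgt is not a service account SPN
    ev(30, "bjones", "10.0.0.50", "svc_sql", "0x17"),  # a single RC4 request: below threshold
    ev(40, "jdoe", "10.0.0.25", "svc_sql", "0x17", status="0x7"),  # non-zero status: no ticket issued
]


def is_rc4_service_ticket(e) -> bool:
    """True for a successfully issued RC4 service ticket for a user (not machine/krbtgt) account."""
    if e["EventID"] != 4769 or e["Status"] != "0x0":
        return False
    if int(e["TicketEncryptionType"], 16) != RC4_HMAC:
        return False
    svc = e["ServiceName"]
    return not svc.endswith("$") and svc.lower() != "krbtgt"


def find_kerberoasting(events, threshold=3, window=timedelta(seconds=60)):
    """Alert when one (source IP, requesting user) pair obtains RC4 tickets for
    at least `threshold` distinct services inside `window`. Returns alert dicts."""
    by_source = defaultdict(list)
    for e in sorted(filter(is_rc4_service_ticket, events), key=lambda e: e["time"]):
        by_source[(e["IpAddress"], e["TargetUserName"])].append(e)
    alerts = []
    for (ip, user), evs in by_source.items():
        for i, first in enumerate(evs):
            # services requested in the window that starts at this event
            services = {e["ServiceName"] for e in evs[i:] if e["time"] - first["time"] <= window}
            if len(services) >= threshold:
                alerts.append({"ip": ip, "user": user, "start": first["time"],
                               "services": sorted(services)})
                break
    return alerts


if __name__ == "__main__":
    for a in find_kerberoasting(SAMPLE_4769):
        print(f"[!] possible Kerberoasting from {a['ip']} as {a['user']} "
              f"at {a['start']}: {a['services']}")
```

In production the records come from the domain controllers' Security log (for example `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4769}`) rather than a list. Two caveats when tuning it: legacy services still negotiate RC4, so baseline the normal RC4 volume before trusting the threshold, and an attacker can still roast AES-only accounts (the hash is just slower to crack), so the burst-of-distinct-SPNs signal matters as much as the encryption type. The durable fix is long random passwords or gMSAs for SPN-bearing accounts.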

CYBER RANGES Threat-eX™ offers continuous enrolment throughout the year.

The Threat-eX™ series will restart in April 2025 while introducing new threat emulations along the way.

To maximize the economies of delivery and thanks to the high orchestration / automation / scalability of the CYBER RANGES platform, the Threat-eX™ events are offered as joint participation by multiple organizations, whose respective teams can experience the threat scenario in full confidentiality.

Developing Cybersecurity Muscle Memory and Organizational Resilience

Threat-eX™ is a comprehensive, enterprise-grade, 6-month program of Live Webinars and CYBER RANGES cyberdrill-grade, simulation-based exercises, delivering effective, threat-informed operations training, professional development and certification.

Just as physical strength is built through consistent "sets-and-reps," effective cybersecurity capabilities are developed through rigorous and continuous practice.

Threat-eX™ addresses the missing link in traditional training by integrating comprehensive, hands-on exercises that build practical skills and improve resilience against Advanced Persistent Threats (APTs).


Your Drill Masters

Dr. Wesley Phillips
CCISO, CRISC, CISM, GSLC, CASP+, PenTest+, PMP

Director of the Quantico Cyber Range

Wes has over 20 years of combined law enforcement, physical security, network security and risk management experience, including over 16 years in counterintelligence and technical surveillance countermeasures (NSA graduate).

Wes is a proven project manager, strategist, educator and technologist: a collaborative team leader, college and certification instructor, skills-based trainer and effective communicator.

His hobbies include conducting CTFs, penetration testing, building anything cyber-related (e.g., SIEMs), martial arts instruction and practice, and playing music (piano, organ, drums, vocals).


Amarjit 'Labu' Labhuram

Threat Emulation Lead

Labu leads the Threat Emulation team at CYBER RANGES specializing in Offensive Security and Red Teaming with over 10 years’ experience in infosec.

His role involves regular training and guiding stakeholders on effective detection, response, and mitigation strategies. He has built strong field practitioner experience in Red Team and Adversary Simulation operations, with offensive capability development. Labu has led on the technical exercises during several cyberdrills for financial and government entities.

Labu is particularly drawn to the intricacies of Microsoft Windows system programming and is actively engaged in research, including the crafting of custom implants and refining Tactics Techniques and Procedures (TTPs) for Simulated Attack missions.

Labu proudly holds such industry certifications as CRTE, SEC565 Red Team Operations and Adversary Emulation, and CRTO, as evidence of his expertise in the security field.


Csaba Virág

Head of Capacity Programs

Csaba leads Cyber Capability Development at CYBER RANGES. Csaba’s expertise is rooted in both the technical and operational sides of cybersecurity, yet he places a significant emphasis on the importance of a human-centric approach to security and digital transformation.

Csaba collaborates with international organizations such as the International Telecommunication Union (ITU), European Cyber Security Organisation (ECSO), European Commission, and European Union Agency for Cybersecurity (ENISA), European Defence Agency (EDA).

Previously, as Chief Strategy Officer at Nortal, Csaba guided the strategic vision and direction of cybersecurity solutions, delivering future-ready solutions that harvest the benefits of cybersecure ecosystems, environments and businesses.


James Billingsley OSCP

Range Master

James has gained 20 years’ experience as an Examiner, Consultant, Trainer and Speaker in the InfoSec and DFIR fields. He has developed tools for Internet Browser forensics used globally by a number of law enforcement agencies and international corporations.

James has led PCI investigations for major payment providers including Visa and Mastercard. As a Senior eDiscovery consultant James supported legal eDiscovery reviews for complex global litigation issues hosted on leading vendor platforms.

A course author and lead trainer for internal & external training for leading DFIR software vendors, James has worked together with UN’s ITU on a number of ITU cyberdrills, supporting their effort to build knowledge and skills for national CIRTs.

Beyond Technology - The Human Element

Threat-eX™ goes beyond technology by emphasizing the human element, ensuring that your team not only comprehends the tools but also knows how to apply them to combat sophisticated threats.

It is not just about technology: integrating people, processes and technology, with the human aspect at the centre, is what produces a robust defense strategy.

What's Included in Threat-eX™

All-In-One

$6,000 per user

$25,000 per 5-pax team

– Access to all 6 events in the calendar

– Role-mapped, pre-exercise training content provided

– Post-event Performance Reports and Insights (team and users)

– Certificate of completion / Digital Badge / CPE credits


Flexi

$1,250 per user, per event

$5,750 per 5-pax group, per event

Choose up to 5 events

– Flexible Access to up to 5 events in the calendar

– Date confirmation required at least 72 hours before each event

– Role-mapped, pre-exercise training content provided

– Post-event Performance Reports and Insights

– Certificate of completion / Digital Badge / CPE credits


Custom

Need 6+ participants per event?

Other bespoke requirements?

Request your downloads (Threat Emulation Catalogue, Preparedness Is Key To Deterrence, Threat-eX™) and express interest in the Threat-eX™ program.