THP v2

Threat Hunting Professional

Curious about this course?

Enroll now and get access to all of our material and labs!

Plans and Pricing


View enrollment pricing for individual students.


Purchase eLearnSecurity courses for your company.

Study at your own pace

Threat Hunting Professional (THP) is an online, self-paced training course that provides you with the knowledge and skills to proactively hunt for threats in your environment (networks and endpoints). THP will train you to develop a hunting mentality using different and modern hunting strategies to hunt for various attack techniques and signatures. THP also comes with lifetime access to course materials and flexible access to the most sophisticated virtual labs on threat hunting.

Discover Contents

Extremely Hands-on

Practice hunting for different threats using various tools and techniques. THP includes the most sophisticated virtual lab on Network Security: Hera Lab.

Discover Labs

Course at a glance

  • Establish a proactive defense mentality
  • Hunt for threats in your organization’s systems and network
  • Use threat intelligence or hypotheses to hunt for known and unknown threats
  • Inspect network traffic and identify abnormal activity in it
  • Perform memory forensics using Redline, Volatility and a variety of tools to identify in-memory malware
  • Use tools such as Sysmon and SilkETW to collect event logs
  • Detect advanced hacking techniques such as AMSI bypasses, COM Hijacking and sophisticated/evasive malware
  • Use tools such as PowerShell, ELK and Splunk to analyze Windows events and detect attacks such as DCSync, Kerberoasting and obfuscated PowerShell commands
  • Access to dedicated forums

Course material

  • HQ video training material
  • Interactive slides
  • Hands-on challenges in our industry leading virtual labs

Course delivery

  • Self-paced, HTML5, PDF, MP4
  • Off-line access available
  • Access from PC, Tablet and Smartphone

Test drive this course for free

I agree to receive emails from Caendra Inc.


Section: Threat Hunting

  • Module 1 : Introduction to Threat Hunting

    In this module, you will take your first dive into the world of threat hunting and learn what threat hunting is and what it is not. You will also learn how threat hunting correlates with incident response and risk assessments.

  • Module 2 : Threat Hunting Terminology

    This module introduces various threat hunting terms. You will learn how to differentiate between having a mindset that relies mostly on threat intelligence during hunts and having a mindset that uses digital forensics techniques and artefacts during hunts.

  • Module 3 : Threat Intelligence

    In this module, we will tap into threat intelligence by covering how to obtain threat intelligence reports and the latest information on research that you can use during hunts. We will also cover different threat sharing platforms and exchanges. Finally, we will look at indicators of compromise (IOCs), where you will learn how to create and use them in your hunts using Redline and Yara.

  • Module 4 : Threat Hunting Hypothesis

    You will not be expected to start hunting without a concise plan. In this module, you will learn about the MITRE ATT&CK framework, and data collection and analysis which is required to be able to perform successful hunts. You will also learn about the recommended steps to start a hunt, as well as how to create hypotheses, in a 5 steps process, and hunts based on those guesses. Finally, we will cover hunting metrics that one may use to evaluate hunting activity in an organization.

Section: Hunting the Network: Network Analysis

  • Module 1 : Introduction to Network Hunting

    In this module, we will cover network basics as a primer, as well as TCP/IP stack, packets, protocols, networking equipment, and the necessary tools to inspect network traffic.

  • Module 2 : Suspicious Traffic Hunting

    In this module, we will look at each protocol individually. We’ll look at what is normal for a particular protocol and what is not normal for a particular protocol, which will help us identify the misuse of protocol for nefarious purposes.

  • Module 3 : Hunting Web Shells

    In this module, we will look at various common and uncommon web shells. We will also look at tools, such as Loki, and techniques to aid us in hunting for web shells in our environments.

Section: Hunting the Endpoint: Endpoint Analysis

  • Module 1 : Introduction to Endpoint Hunting

    In this module, we will look at the core Windows processes. We will look at the normal behavior of these processes, as well as indicators for when the process is being misused to hide nefarious activities. Also discussed, is the importance of baselines which we can use to flag changes in a particular system.

  • Module 2 : Malware Overview

    In this module, we’ll look at malware. We will discuss the different classifications of malware and how malware uses different techniques to infect our systems; additionally, we will review how malware attempts to evade detection and remain persistent.

  • Module 3 : Hunting Malware

    In this module, we will look at and discuss hunting tools, memory analysis and how to use different tools, like Redline and Volatility, to identify memory artifacts of intrusions and hunt for in-memory malware. We will dive into certain injection techniques and utilize multiple memory hunting techniques to identify them.

  • Module 4 : Event IDs, Logging, & SIEMs

    In this module, we’ll be looking at event logs. We will discuss what event logs are, as well as important event IDs to monitor to detect specific activities in your environment. We’ll also look at tools, such as Sysmon and PowerShell logging, to enhance the traditional Windows logging capabilities. Additionally, we’ll discuss and hunt for advanced techniques such as unmanaged PowerShell, COM hijacking and .NET malware. Lastly, we’ll look at how we can use tools like the ELK stack and Splunk to aid us during hunts.

  • Module 5 : Hunting with PowerShell

    In this module, we will discuss how to use PowerShell during hunts, as well as look at some existing PowerShell frameworks that were created specifically for incident response and threat hunting at large scale. Additionally, we’ll look into Microsoft Advanced Threat Analytics and Azure Advanced Threat Protection, which present possibilities for automated detection.

Download PDF Syllabus


  • A solid understanding of computer networks: switches, routing, security devices, common network protocols, etc. (Recommended)
  • Intermediate understanding of IT security matters
  • Intermediate to advanced understanding of penetration testing tools and methods. (Recommendation: IHRP course)

This training course is for...

  • Security Operations Center analysts and engineers
  • Penetration testers/Red team members
  • Network security engineers
  • Incident response team members
  • Information security consultants and IT auditors
  • Managers who want to understand how to create threat hunting teams and intelligence capabilities


The THP course is a practice-based curriculum containing 27 hands-on labs. Being integrated with Hera Lab, the most sophisticated virtual lab in IT Security, it offers an unmatched practical learning experience. Hera is the only virtual lab that provides fully isolated per-student access to each of the real-world network scenarios available on the platform. Students can access Hera Lab from anywhere through VPN. Modules will be accompanied by many hands-on labs.

Lab IDDescriptionCategory
Lab 1 Hunting with IoCs - Another organization within your ISAC has shared a malicious binary with your security team. They mentioned this malware was detected by one of their threat hunters. The malware was found inside various network shares within the organization, disguising itself as a PDF file. Your manager has tasked you with creating an IOC and YARA rule to scan the network for this malware. Practical
Lab 2 Hunting Insider Threats Part 1 - You are placed on a weekly hunting schedule. Using hypothesis-based hunting you want to hunt for insider threat activity. You decide to capture network traffic from various subnets. You are tasked to review some of the daily PCAP files. Practical
Lab 3 Hunting Insider Threats Part 2 - You and Charles are aware that 2 rogue machines were on the network a few days ago. After speaking with management, you and Charles convince them to allow you to monitor the threats instead of totally eradicating them next time you spot them on the network because you need to learn more about these threat actors, who seem to be malicious insiders. You have several IOCs created and you are running full packet captures in order to see if there is any evidence of these maliciousness on the network. Now you’re hunting based on intelligence but don’t forget that an adversary can change their methods. Keep that in mind as you hunt. Practical
Lab 4 Network Hunting & Forensics (NEW!) - In this lab you will practice hunting for suspicious network connections and communications. Zeek, RITA and Wireshark will be used to analyze multiple malicious traffic samples. Practical
Lab 5 Hunting Web Shells Part 1 - Your manager, Tony, assigns you a hunting schedule. Once a week you need to inspect the web servers, including those in the DMZ, for any signs of suspicious activity. Your task in this lab is to hunt for any signs of web shells within the network traffic and web server. Practical
Lab 6 Hunting Web Shells Part 2 - Your manager, Tony, wants to ensure that you can even catch web shells that might not be detected by the tools used previously, such as LOKI which can only detect PHP-based web shells. Tony knows this and has scheduled you for a hunting exercise to locate 1 or more ASP and/or ASPX-based shells on an IIS server. Practical
Lab 7 Hunting in Memory (NEW!) - Lab 1: The organization you work for is asking you to perform memory threat hunting on a randomly selected machine. As a hunting exercise to keep you sharp, the IT Security manager tasked you specifically with looking for anomalous connections and memory injections. Lab 2: The organization you work for is also asking you to perform memory threat hunting on a Linux machine. As a hunting exercise to keep you sharp, the IT Security manager tasked you specifically with looking for the existence of Linux rootkits. Practical
Lab 8 Hunting for Process Injection & Proactive API Monitoring (NEW!) - Attackers love hiding/injecting malicious code into processes. In this lab, you will learn how to hunt for various process injection techniques and how to leverage userland API monitoring for more effective hunts. Practical
Lab 9 Advanced Endpoint Hunting (NEW!) - Inside THP you will find two (2) distinct labs on advanced hacking techniques hunting at the endpoint level. Specifically, you will learn how to hunt for process doppelganging, AMSI bypasses, parent PID spoofing, reflective DLL injection, module stomping etc. Practical
Lab 10 Hunting Malware Part 1 - Your manager, Tony, wants you to keep an eye on the machine for the administrative assistant to the CFO. Email logs show that there has been a spike in spam emails attempting to reach her email address. Even though she has completed the security awareness class, Tony doesn’t want to take any chances. Tony hands you a Mandiant Analysis File to load into Redline and see if there is anything suspicious that is running, or was running, on her machine. After analysis, Tony, requires you to get a recent Mandiant Analysis File to analyze. Practical
Lab 11 Hunting Malware Part 2 - Your manager, Tony, received 2 memory files from another facility within the ISAC. These 2 memory files were from actual incidents that took place within their facility a few years ago. Tony wants you to analyze them to see if you are able to analyze them for any signs of code injection and/or a rootkit to prepare you to detect APT attacks. Practical
Lab 12 Hunting Empire - Your manager, Tony, wants to make sure that you can detect the widely used attacking tool, Empire. A hunting exercise has been scheduled, where you are tasked with detecting Empire’s presence on an endpoint. Practical
Lab 13 Hunting Responder - Your manager, Tony, wants to make sure that you can detect the widely used LLMNR, NBT-NS and MDNS poisoning tool, Responder. Tony was also informed, after a recent penetration test, that a PowerShell-based Responder variant, called Inveigh, is being used in the wild. A hunting exercise has been scheduled, where you are tasked with detecting Responder’s or Inveigh’s presence on the network. Practical
Lab 14 Hunting .Net Malware (NEW!) - Lab 1: The organization you work for has matured its cyber defence by implementing the CIS 20, enhancing its logging capability, performing quarterly assume-breach tests and having an Incident Response team in place. The IT Security manager has now tasked you, the only Threat hunter, with performing a hunt. Specifically, he wants you to look into .NET malware as he has heard about recent .NET abuse cases where .NET has been utilized in targeted campaigns against organizations in your line of business. The manager heard that the C2 utilized during the campaigns is SILENTTRINITY, so he has asked you: Has SILENTTRINITY been executed in our environment? You will have to identify any SILENTTRINITY “traces” to be able to hunt for it. Lab 2: Extreme times call for extreme measures. In this lab, you will dive deeply into the underpinnings of .NET malware as well as witness how proactive hooking can result in more effective .NET malware hunting. Practical
Lab 15 Hunting for WMI Abuse, Parent Process Spoofing & Access Token Theft (NEW!) - The IT Security manager has now tasked you, the only Threat hunter, with performing multiple hunts regarding WMI attacks, Parent Process spoofing and Access Token theft. Once you successfully conclude your hunts, you can inform the rest of the blue team about the “traces” these attacks leave behind. Practical
Lab 16 Hunting with ELK (NEW!) - Lab 1: The IT Security manager has asked your internal Penetration team to generate malicious PowerShell traffic in the environment and has now tasked you, the only Threat hunter,to create detection rules for potentially malicious usage of PowerShell. He has directly tasked you with ensuring that your rules/queries detect their commands. Through additional research, he also expects you to take the detection rules/queries a step further by ensuring that they expand the range of detection to attack variations (where possible). Lab 2: This lab will make you even more comfortable with the ELK stack. Specifically, you will be given descriptions of specific attacker TTPs and then, you will be asked to create the appropriate query to hunt for each one of them. The related events will be accessible through Kibana, so that you can put your queries to the test. Lab 3: This lab features an ELK-based SIEM loaded with events related to numerous attacker TTPs. Use it as a detection playground to practice your ELK-query-writing skills. Practical
Lab 17 Hunting with Splunk (NEW!) - Inside THP you will find five (5) distinct Splunk-based labs where you will hunt for various attacker TTPs and evasion techniques. Advanced Active Directory attack hunting and extending your visibility through network IDS logs are only a subset of the tasks you will perform in these labs. Practical
Lab 18 Hunting at Scale with Osquery (NEW!) - In this lab you will learn how to hunt for process injection on Linux endpoints with the help of Osquery. You will also be shown how to execute pre-baked Osquery queries through Kollide fleet. Practical


Get the eCTHPv2 Certification

eLearnSecurity's eCTHPv2 (Certified Threat Hunting Professional) certification is the most practical and professionally oriented certification you can obtain in threat hunting and threat identification in general. Instead of putting you through a series of multiple-choice questions, you are expected to perform an actual threat hunt on a corporate network. This threat hunt is modeled after real-world scenarios and cutting-edge malware.

Learn more


  • Dimitrios Bougioukas
    Dimitrios Bougioukas

    Dimitrios Bougioukas, Training Director of eLearnSecurity, holds a B.Sc. in Computer Science from the Athens University of Economics and Business. He is also an (informal) ENISA expert at Incident Response technical training. Dimitrios has worked as a Business Information Security Engineer and Information Security Analyst for a major financial institution, as a Penetration Tester within EY's practice, and as a Senior IT Security Researcher and Trainer within eLearnSecurity. Dimitrios specializes in advanced cyber threat simulation, threat intelligence, and purple team tactics. He has been engaged in numerous penetration testing activities against critical infrastructure, web applications, and mobile applications. In terms of research, Dimitrios has presented at information security conferences such as BSides and has received acknowledgements from security, telecom, and other major companies for finding and reporting vulnerabilities in their web applications, in a responsible manner (IBM Trusteer, LG, etc.). In the context of his professional career, his work led to international and regional information security awards in prestigious and highly competitive contests such as Retail Banker International Awards.

  • Slavi Parpulev
    Slavi Parpulev

    Slavi Parpulev holds a M.Sc in Cyber Security from the Danish Technical University. He has worked as a Security Advisor for both KPMG Denmark and Improsec ApS, specializing in the Red and Blue team sides of the industry. Slavi has been a member of numerous 'external' red team engagements (TIBER-EU), engineered complete large-scale Windows environments with Active Directory Tiering, system security hardening, network segmentation and CIS20 implementation. Currently, Slavi is an IT Security Trainer and Researcher at eLearnSecurity, where he continues to expand and share his knowledge of the field. He is also one of the few holders of the prestigious eLearnSecutity's Advanced Penetration Path, which he achieved prior to joining eLearnSecurity. In his free time, he likes long walks, playing billiards and going to the gym.

Enroll now and get access to all of our material and labs!


The mix of Video Tutorials, exercises and support from fellow students on the forum was fantastic. Anyone who wants to specialize in Threat Hunting, this course is a must to get you started. Thanks for your efforts in making this happen

Denis Hancock
Manager Consulting Pty Ltd

Having been in the security field for over 5 years I assumed this would be a quick and easy certification. After getting into the training course I was pleased to find that I was learning new things and that the course was certainly more challenging than I had anticipated. I found that it filled in several knowledge gaps when it comes to pentesting, and I would recommend this course to both veterans and newcomers to the security field.

Steven Collins

eLearnSecurity's training really dives deep into the underlying concepts beneath pentesting tools.

Timothy E. Everson
Novell inc

Go to top of page