Certified CyberDefender Blue Team Training & Certification

CCD is a vendor-neutral, hands-on cybersecurity training and certification. It is designed to prepare the next generation of SOC analysts, security blue teams, threat hunters, and DFIR professionals.

(140) Intermediate

Certification Summary

This training introduces you to real-world threats defenders experience in their networks and the tools used to defend against them. You will learn defense strategies, threat-hunting techniques, adversary detection, and how to investigate security intrusions and perform forensic analysis.

Who is this training for?

  • Security (SOC) analysts and blue teams.
  • Threat hunters.
  • Digital forensic and incident response (DFIR) professionals.


  • Solid understanding of Windows and Linux operating systems.
  • Solid research and problem-solving skills.
  • Familiarity with basic system administration, networks, and security concepts.

About the certification exam

  • Two exam vouchers are included.
  • Manually graded by instructors.
  • Focus on assessing the technical part (no report required).
  • The exam is a 48-hours, 100% practical, and evaluates your skills across the following domains; threat hunting, perimeter defense, disk forensics, memory forensics, and network forensics. You will use Elastic SIEM to hunt threats, investigate real-world intrusion, create an incident timeline, and perform forensic analysis on different attack artifacts.

3 days 100% money back guarantee

If you are unsatisfied for ANY reason, request a refund within 3 days after purchase, and we will return your money. No questions asked!

Buy now, Start later!

Ready but too busy to start now? No problem. Use our buy now, get later option and secure your spot in our CCD blue team training at a discounted price.

CCD Certification Syllabus

    • Security Operations Fundamentals and CIA Triad:
      • Security Operation Centers (SOC) - Overview
      • Protecting Business with Efficient SOC
      • SOC Deployment Models: Dedicated vs. Virtual
      • Deploying a SOC: When to Consider?
    • SOC components - tools and technologies:
      • Network Firewall - Protecting Communication and Data
      • Network-Based Intrusion and Prevention Systems (NIDS/NIPS)
      • Host-Based Intrusion and Prevention Systems (HIDS/HIPS)
      • Web Application Firewalls (WAFs): Protecting Web Apps
      • Endpoint Detection and Response (EDR/XDR)
      • Web Proxy Servers: An Overview
      • Understanding Vulnerability Management Process
      • Security Information and Event Management (SIEM): Core Component of SOC
      • Automating Security Incident Response with SOAR (Security Orchestration, Automation, and Response)
      • Malware Analysis: Static vs. Dynamic Approaches and Sandboxing
      • Using Honeypots and Decoys for Defense
      • Understanding Cloud Computing and CASB
      • Threat Intelligence: Mitigating and Defending
      • Using Machine and Deep Learning for Security
      • Ticketing Systems for Incident Response
      • The Importance of Asset Inventory in Security
    • SOC components - people:
      • Organizational Chart and SOC Roles
      • Creating Effective Cybersecurity Training Plans
      • Challenges and Solutions for SOC Jobs
      • Avoiding Burnout: Tips for SOC Analysts
    • SOC components - processes:
      • Effective Policies: Business Protection Through Documentation
      • Efficient SOC Procedures: The How-To
      • Security Standards: Compliance is Mandatory
      • Security Guidelines and Benchmarks: Best Practices
      • Perform Windows Security Assessments with CIS-CAT Lite
    • Incident Response (IR) - Overview :
      • Understanding Key Concepts for Incident Response
      • Continuous Incident Response: Before, During, After
      • Remote Incident Response: Challenges and Benefits
      • Structured Approach to Incident Response Phases
    • Preperation :
      • Effective Incident Prevention Strategies and Controls
      • Effective Incident Communication Planning in IR
      • IR Architecture: Defense and Zero Trust
      • IR Policy, Plan, and Procedure
      • Efficient Incident Resolution with Management Platforms
    • Detection & Analysis :
      • Detection Engineering: Building Effective Detectors
      • Network Perimeter-level Detection
      • Endpoint Perimeter Detection: Catching Threats In and Out
      • Achieving System-Level Detection with EDR
      • Application-Level Detection: Prioritize, Monitor, Parse
    • Containment, Eradication, and Recovery :
      • Effective Incident Containment Strategies in IR
    • Attack Remediation: Eliminating Vulnerabilities and Artifacts
    • System Recovery: Restore, Validate, Monitor
    • Post-Incident Activity :
      • Post-Incident Review: Lessons Learned Meeting
      • IR Report: Guidelines for Effective Writing
    • Email Spoofing :
      • Email Attack Prevention: Spoofing & DMARC
      • Understanding SPF: Email Authentication Protocol
      • DKIM: Email authentication with digital signatures
      • Protecting Against Email Spoofing with DMARC
    • Malicious Attachments :
      • Malicious Attachments: Risks and Responses
      • Secure Email Attachments: Best Practices
      • Activity - Cuckoo Sandbox Deployment
    • Malicious URLs :
      • Malicious URLs: A Growing Threat
      • Protecting Users from Malicious URLs
      • Activity – Detect Lookalike Domains
    • Extra Mile Controls :
      • User Education: Key to Email Security
      • Measuring User Awareness with Phishing Simulators
      • Activity - GoPhish Deployment
      • Early Phishing Detection Using Honeypots Tokens
      • Activity - Canary Token Deployment
      • Secure Accounts with Multi-Factor Authentication
      • Conditional Access: Location-Based Access Control
      • Email reconnaissance: How attackers gather intel
      • Mail Server Hardening: DISA & CIS
      • Activity - Evaluate your organization's exposed internal mail headers
    • Responding to Email Attacks :
      • Email defenses: Validate, Mitigate and Remediate
    • Memory Acquisition: Live & Dead Systems
    • Disk Acquisition: Encryption & Write-Blocking
    • Triage Image: Efficient Evidence Collection
    • Acquiring Disk Images: Windows and Linux Systems
    • Mounting Forensic Images: Analysis Tools & Techniques
    • Windows Event Logs: structure & Analysis
    • Windows Registry: Structure and Analysis
    • Profiling Windows Systems
    • Collecting Network connections, and devices
    • Tracking User Activity
    • Tracking File Activities: NTFS Forensics
    • Linking User Actions to Files/Folders
    • Detecting USB Device Intrusions
    • Analyzing Installed Applications
    • Analyzing Execution Activities
    • Collecting OS Info
    • Processes Analysis
    • Network Artifact Analysis
    • Detecting Persistence Techniques
    • Collecting NTFS Artifacts
    • Traffic Statistics
    • Conversations & Streams
    • Files' Extraction
    • Comprehensive Threat Hunting Techniques :
      • Proactive Human-driven Threat Hunting
      • The Importance of Proactive Threat Hunting
      • Essential Requirements for Effective Threat Hunting
      • Stages of Threat Hunting in Detail
    • Elastic SIEM, Kibana, and Advanced Threat Detection :
      • Elastic SIEM: Modern, Scalable Threat Detection
      • Elastic SIEM: Components and Architecture
      • Starting and Accessing Elastic Stack and Kibana
      • Elastic Agent and Fleet Management Overview
      • Enroll Elastic Agent via Fleet in Kibana
      • Exploring Kibana Concepts and Filtering Data
      • Dashboards and Data Visualization in Kibana
      • Creating a Custom Detection Rule with MITRE ATT&CK Framework
    • Proactive Endpoint Threat Hunting and Analysis :
      • Endpoint Threat Hunting: Proactive Security Measures
      • Endpoint Hunting for Persistence
      • Endpoint Hunting for Lateral Movement
      • Endpoint Hunting for Credential Dumping
    • Network Threat Hunting and Intrusion Detection :
      • Proactively Detecting Threats: Network Hunting Fundamentals
      • Network Hunting for Lateral Movement
      • Network Hunting for Data Exfiltration

CCD Practical Labs

Microsoft Defender for Cloud
OSSEC Host Intrusion Detection System (HIDS)
Nessus for Vulnerability Assessment
Microsoft Sentinel SIEM / SOAR
Canary Tokens
Suricata - Network Detection
C2 Traffic Detection with RITA
Application Detection - Web Shells
Sysmon: Endpoint Perimeter/System Detection
Velociraptor - Enterprise Incident Response
Shodan open-source Intelligence
IOC Extraction
OpenCTI: Open Cyber Threat Intel Platform
Threat Profiling using MITRE ATT&CK Navigator
MISP: Malware Information Sharing Platform
Evidence Collection (memory, triage, and disk images)
Windows Forensics Investigation Case
Linux Forensics Investigation Case
Memory Forensics Investigation Case
Network Forensics Investigation Case
USB Forensics Investigation Case
Elastic SIEM
Network Hunting Case
Endpoint Hunting Case
Application Hunting Case
SPF, DKIM, and DMARC Deployment
GoPhish Phishing Simulator
Detecting Phishing Attacks using Canarytokens

Blue Team Practiced Tools

AnyRun, Arsenal Image Mounter, BelkaSoft ram capturer, Canary Tokens, Cuckoo SandBox, CyLR, CyberChef, DD, Dumpit, Elastic-SIEM, Esentutil, Event Log Explorer, FTK Imager, GoPhish, INDXRipper, JumpListExplorer, Kape, LECmd, LiME, MFTECmd, Magnet Encrypted Disk Detector (EDD), Microsoft Defender for Cloud, Microsoft Sentinel SIEM, NTFS Log Tracker, Nessus, NirSoft TurnedOnTimeView, NirSoft WifiHistoryView, NirSoft WinPrefetchView, OpenCTI, OSSEC, pfSense, R-Studio recovery, RITA, RegRip, Registry Explorer, SRUMECmd, ShellBags Explorer, ShimCacheParser, Sigma, Suricata, Sysmon, TimeLine Explorer, USB Forensics Tracker, Velociraptor, Volatility 2, WinSearchDBAnalyzer, WireShark, WxTCMD, Yara, Zeek


Muhammad Alharmeel is a CyberDefense and blue team consultant with over 17 years of experience. He helped multiple organizations improve their security, performed numerous security assessments, and responded to attacks for clients in government, financial, high technology, healthcare, and other industries. He holds multiple hands-on respected certifications within defensive and offensive domains, such as the prestigious GIAC Security Expert, Offensive Security Certified Expert OSCE, and the Certified Information Security Manager - CISM designation.

Ahmed Shawky is a former CERT member and X-IBMer. Throughout his career, he has honed his expertise in threat intelligence, and incident response. As a former lead threat hunter in IBM, he played a critical role in identifying and responding to advanced persistent threats (APTs) and other sophisticated cyberattacks. He has also made significant contributions to the open-source community, writing a number of Blue team tools such as Detection Lab ELK and Mail Header Analyzer that are widely used in SOC enterprises.

Get a sneak peek into CCD blue team labs

Browse through the images to get a taste of the hands-on, interactive learning experiences that await you in our blue team labs.

slide 3 of 4

How will this training help your organization?

  • Applicable: realistic and can be applied to most organizations.
  • Lean: achieves better results with minimal effort.
  • Impactful: has a more noticeable impact on security and significantly enhances overall security posture.

Acquiring skills that most defenders can apply to get security off the ground and maintain a reasonable level of cyber hygiene.

Success Stories

"Unlocking Potential: Real Stories from Certified CyberDefenders"

Oliver Hall

I recently completed the Certified CyberDefender (CCD) course offered by CyberDefenders and wanted to share my thoughts on the experience. read more

Krzysztof Kuzin

I passed the Certified CyberDefender (CCD) certification offered by CyberDefenders platform back in February and wanted to write few words about my thoughts and experience, both on the course and the exam. read more

Jason Taylor

The Certified CyberDefender (CCD) is a blue team oriented training course with high quality, in depth material. The learning material is reinforced with multiple hands on, practical, online labs that are very similar to their BlueYard CTF platform. After completing the training material you can attempt the Certified CyberDefender exam which is a practical exam setup just like the online labs. read more

Satyender Yadav

The reason me buying the CCD course just after a few months after the release is that I have been solving labs on the Cyberdefenders website for a very long time and have played multiple CTFs hosted by Cyberdefender Team and from these CTFs and labs, I know these guys have great knowledge about their domains. So I thought let’s take the course and see if it is really worth it and you will find this answer later in the blog. read more

How students rated our blue team training


(Based on 8 reviews)


Profile Image

RehanOshba On 18 May 2023

Excellent blue team training! I enjoyed study the course and learning more about blueteam mainly DFIR & SOC

Profile Image

aghiadmassarani_ On 18 April 2023

Building a strong foundation in Blue Teaming. The lessons were very well-delivered, structured, and informative. I particularly enjoyed the labs which offered a variety of tools and techniques to practice. The course also helped me develop a defensive mindset which is critical in cybersecurity. Overall, the course covers a wide range of topics related to blue teaming and it was a great learning experience for me.

Profile Image

cynd0d On 18 April 2023

Challenging and Fun!. This course has been great and it has been challenging. I would say this course does force you to learn some things on your own which is important with anything technology related. I have yet to take the exam so I can not say how well it has prepared me for the exam, but overall the course was very enjoyable. The content isn't boring or super lengthy. I highly recommend!

Profile Image

Hernan Colmenarez On 04 March 2023

Awesome quality! I have practiced with Cyberdefenders' free challenges in the past and they are great. So when I read they were coming up with a new certification, I did not think of it twice and bought the course in beta state. In general, the course is also great and one of the most valuable part is the Digital forensics module which has a lot of useful tips. The labs are challenging. I already passed the exam and I am still enjoying the course with the new content they are releasing.

Profile Image

rufflabs On 22 January 2023

Quality content and amazing labs without the fluff. The Certified CyberDefender course is made up of excellent quality content. It reminds me of a SANS course, with concentrated technical details without the fluff of other courses. The online labs are equally excellent, providing the ability to work in the environments and analyze forensic artifacts and working in a full featured SIEM complete with data to hunt for threats in.

Profile Image

Tron On 19 January 2023

Mind-bending! This course really requires attention to details, it's just like if you blink, you would miss it

Profile Image

Jd50 On 30 October 2022

Practical Defenders Skills. Great course so far. What is being taught, and reinforced with labs, is a very practical approach and skill set that can be immediately put to use in any organization.

Profile Image

0xAbdullah On 24 October 2022

Great Effort! I never had a training course like this before, the content is Great and Clear, the most important point was the #CyberDefenders team cooperate with us to solve any Issues. Thanks Cyberdefenders!

On-site training

CCD Blue team Certification - BlackHat

This training is for SOC analysts, blue teams, incident responders, and security engineers who want to learn the essential skills of CyberDefense; prevention, detection, and response.

avatar_blue_team_certification avatar_blue_team_certification avatar_blue_team_certification 27+
Nov 19-23, 2022

Get Certified

No fluff! This training is straightforward, focused, and to the point, ensuring you can practically apply every topic in your work environment.

Challenge the exam after completing the training to validate your knowledge.


After passing the CCD certification exam, you qualify for up to 40 CPE credits for your GIAC/SANS, EC-Council, and (ISC)2 certifications.
All candidates are granted a 4-month access period to course materials and labs. Additionally, they receive one year of access to the exam. Within this one-year period, candidates have the flexibility to purchase exam attempts and time extensions at any time.
By default, you have two exam attempts available. If you want to attempt the exam more than twice, you can purchase additional attempts for $100 each. It is important to note that your first attempt must be made within the 4-month access period. However, you have the flexibility to take your second attempt at any time within the one-year access period.
Yes, 3 months starting window for individual orders and 12 months for corporate orders (3 or more students). Please mention the date you want your access to start in your purchase order.
The exam is 100% practical. It will evaluate your technical skills across the following domains; threat hunting, perimeter defense, disk forensics, memory forensics, and network forensics. You will use Elastic SIEM to hunt threats and investigate a real-world intrusion, create an incident timeline, and analyze attack artifacts using digital forensics tools.
70% is the minimum score to pass the CCD certification exam.
You will have forty-eight (48) hours to complete your exam from the moment you click the Start button. Once started, you will see a timer at the top of your exam view. The exam duration does not necessarily mean it's difficult; we want to ensure you have enough time and do not feel pressured.
No. The exam focuses on assessing your technical skills only.
No. CCD labs are cloud-based, and you can start/stop anytime. No need to set up anything on your side. Don't worry about labs...it's the most convenient, realistic, and exciting part of the course.
Yes, an Accredible badge will be awarded to certified CyberDefenders, and an electronic PDF certificate.
All certified individuals will receive the CCD silver coin, except those who pass with a score higher than 85% will receive the gold coin.
Yes, we do. The next run is at BlackHat costs $4000 per seat.
We can speak only for ourselves. But we can highlight CCD core values in the following points:
  • Challenging: unlike other similar certifications, CCD is not a spoon-fed experience. It challenges you to become a REAL DEFENDER by improving your research skills and changing your mindset 'Defend Smarter, Not Harder.' After getting certified, you will feel confident taking over a defender role in any organization.
    CCD should be your choice if you want real advancement. But, if you just need a certificate to grow your CV, then there are many other cheaper and easier certifications.
  • Quality: we value quality over quantity. We put a lot of time and effort into developing course labs to be as realistic and valuable as possible and not only throw a bunch of lessons and labs at you. A single threat hunting or forensic lab may weigh in quality a bunch of other labs you see elsewhere. Our work is referenced by top industry organizations.
  • Community: we have a fantastic private community for course students and certified professionals where you will experience cool technical discussions, suggestions, and even mentorship tips.
For more info, please check the course syllabus, community, and instructors' profiles and see if it meets your expectations.

Corporates can benefit from the following:

  • Discounts on bulk purchases (5+ seats).
  • Transferable licenses.
  • One-year validity for the procured licenses (buy now, start later).
Yes, we do. CCD will challenge your research skills (like real-world investigations). You are good to start if you feel comfortable solving any of BlueYard's threat-hunting/digital forensics challenges questions.

If you have an EDU email, you can claim your 20% discount code under your CyberDefenders profile.
Please post your question on our Discord server, and you will get an instant response.
$499.99 $799.99 40% off (ending soon)

What’s included

  • 25+ hands-on blue team browser labs
  • Two certification exam attempts
  • 350+ Lessons
  • Study on-demand
  • Four months access
  • Instant support and mentorship

Training a team of 5 or more people?

Take advantage of group discounts for bulk seat purchases – request your personalized quote now!

Contact Us
$499.99 $799.99 40% off (ending soon)

What’s included

    25+ hands-on blue team browser labs

    Two certification exam attempts

    350+ Lessons


    Four months access

    Instant support and mentorship

Training a team of 5 or more people?

Take advantage of group discounts for bulk seat purchases – request your personalized quote now!

Contact Us
$799.99 40% off