Certified CyberDefender (CCD) Certification

CCD is a vendor-neutral, hands-on blue team training and certification. This training will empower those on their way to becoming the next generation of SOC analysts, threat hunters, DFIR professionals, and blueteams.

(140) Intermediate

CCD Certification Summary

This training introduces you to real-world threats defenders experience in their networks and the tools used to defend against these threats, the essential foundation of modern cyber defense operations. You will learn defense strategies, threat-hunting techniques, adversary detection, and how to investigate security incidents and perform forensic analysis.

Who is this training for?

  • Security (SOC) analysts and blue teams.
  • Threat hunters.
  • Digital forensic and incident response (DFIR) professionals.

CCD Certification Prerequisites

  • Solid understanding of Windows and Linux operating systems.
  • Solid research and problem-solving skills.
  • Familiarity with basic system administration, networks, and security concepts.

About the CCD exam

  • Two exam vouchers included.
  • Manually graded by instructors.
  • Focus on assessing the technical part (no report required).
  • The exam is a 48-hours, 100% practical, and evaluates your skills across the following domains; threat hunting, perimeter defense, disk forensics, memory forensics, and network forensics. You will use Elastic SIEM to hunt threats, investigate real-world intrusion, create an incident timeline, and perform forensic analysis on different attack artifacts.

3 days 100% money back guarantee

If you are not satisfied for ANY reason, request a refund within 3 days after purchase, and we will return your money. No questions asked!

Buy now, Start later!

Ready but too busy to start now? No problem. Take advantage of our buy now, get later option and secure your spot in our CCD blue team training at a discounted price.

CCD Certification Syllabus

  • Module 1: Security Operations (SecOps) Fundamentals
    • SOC Overview
    • SOC components - Tools and Technologies
    • SOC components - People
    • SOC components - Processes
    • Labs:
      • Microsoft Defender for Cloud
      • OSSEC Host Intrusion Detection System (HIDS)
      • Nessus for Vulnerability Assessment
      • Microsoft Sentinel SIEM / SOAR
      • Canary Tokens
    • IR Overview
    • Preparation
    • Detection and analysis
    • Containment
    • Eradication
    • Recovery
    • Post-Incident Activities
    • Labs:
      • Suricata - Network Detection
      • C2 Traffic Detection with Real Intelligence Threat Analytics (RITA)
      • Application Detection - Web Shells
      • Sysmon: Endpoint Perimeter/System Detection
      • Velociraptor - Enterprise Incident Response
    • Introduction
    • Collection and Storage
    • Modeling and Analysis
    • MITRE ATT&CK for CTI
    • Attribution and Intel Sharing
    • Labs:
      • Shodan open-source Intelligence
      • IOC Extraction
      • OpenCTI: Open Cyber Threat Intel Platform
      • Threat Profiling using MITRE ATT&CK Navigator
      • MISP: Malware Information Sharing Platform
    • Introduction
    • Data Acquisition
    • Windows Forensics
    • Memory Forensics
    • Network Forensics
    • Labs:
      • Evidence Collection (memory, triage, and disk images)
      • Windows Forensics Investigation Case
      • Linux Forensics Investigation Case
      • Memory Forensics Investigation Case
      • Network Forensics Investigation Case
      • USB Forensics Investigation Case
    • Introduction
    • Tools and Technologies
    • Security Information and Event Management (SIEM)
    • Network-level Threat Hunting
    • Endpoint-level Threat Hunting
    • Application-level Threat Hunting
    • Threat Emulation
    • Labs:
      • Elastic SIEM
      • Network Hunting Case
      • Endpoint Hunting Case
      • Application Hunting Case
    • Spoofing Threats and Defenses
    • Attachments Threats and Defenses
    • URLs Threats and Defenses
    • Extra Mile Controls
    • Labs:
      • SPF, DKIM, and DMARC Deployment
      • GoPhish Phishing Simulator
      • Detecting Phishing Attacks using Canarytokens

Blue Team Practiced Tools

AnyRun, Arsenal Image Mounter, BelkaSoft ram capturer, Canary Tokens, Cuckoo SandBox, CyLR, CyberChef, DD, Dumpit, Elastic-SIEM, Esentutil, Event Log Explorer, FTK Imager, GoPhish, INDXRipper, JumpListExplorer, Kape, LECmd, LiME, MFTECmd, Magnet Encrypted Disk Detector (EDD), Microsoft Defender for Cloud, Microsoft Sentinel SIEM, NTFS Log Tracker, Nessus, NirSoft TurnedOnTimeView, NirSoft WifiHistoryView, NirSoft WinPrefetchView, OpenCTI, OSSEC, pfSense, R-Studio recovery, RITA, RegRip, Registry Explorer, SRUMECmd, ShellBags Explorer, ShimCacheParser, Sigma, Suricata, Sysmon, TimeLine Explorer, USB Forensics Tracker, Velociraptor, Volatility 2, WinSearchDBAnalyzer, WireShark, WxTCMD, Yara, Zeek

CCD Instructors

Muhammad Alharmeel is a CyberDefense and blue team consultant with more than 15 years of experience. He helped multiple organizations improve their security, performed numerous security assessments, and responded to attacks for clients in government, financial, high technology, healthcare, and other industries. He holds multiple hands-on respected certifications within defensive and offensive domains, such as the prestigious GIAC Security Expert, Offensive Security Certified Expert OSCE, and the Certified Information Security Manager - CISM designation.

Ahmed Shawky is a former CERT member and X-IBMer. Throughout his career, he has honed his expertise in threat intelligence, and incident response. As a former lead threat hunter in IBM, he played a critical role in identifying and responding to advanced persistent threats (APTs) and other sophisticated cyberattacks. He has also made significant contributions to the open-source community, writing a number of Blue team tools such as Detection Lab ELK and Mail Header Analyzer that are widely used in SOC enterprises.

Get a sneak peek into our CCD blueteam labs

Browse through the images to get a taste of the hands-on, interactive learning experiences that await you in our blue team labs.

slide 3 of 4

How will this training help your organization?

  • Applicable: realistic and can be applied to most organizations.
  • Lean: achieves better results with minimal effort.
  • Impactful: has a more noticeable impact on security and significantly enhances overall security posture.

In other words, skills that most defenders and blue teams can smoothly apply to get security off the ground and maintain a reasonable level of cyber hygiene.

CCD Certification Reviews

How students rated our blue team training


(Based on 155 reviews)


I have practiced with Cyberdefenders' free challenges in the past and they are great. Therefore, when I read they were coming up with a new certification, I did not think of it twice and I bought the course in beta state. In general, the course is also great, and one of the most valuable part is the Digital forensics module, which has so many useful tips. The labs are challenging and they make you level up your skills. I already passed the exam, and I am still enjoying the course with the new content they are releasing.

Amin Harbawi Technical Team Lead

CCD is actually crazy good! Now that I am almost finished with the email security module and comparing it to that other course, which I regret paying for. lol! The entire forensics module is impressive, not just about technical stuff but realistic notes that authors provided from their experience in the field.

CCD is really awesome, and the content is relevant (and huge). Course labs are also challenging, and adapting the '๐‘ซ๐’†๐’‡๐’†๐’๐’… ๐‘บ๐’Ž๐’‚๐’“๐’•๐’†๐’“, ๐‘ต๐’๐’• ๐‘ฏ๐’‚๐’“๐’…๐’†๐’“' way of thinking (credits to: Muhammad Alharmeel) ๐Ÿ‘They are not straightforward cases with a blind-typing keywords actions to get the correct answer - you have to know the commands (and why to use this one not another one) and their outputs and how to interpret those outputs.

Jason Taylor Security Analyst @Oklahoma Fidelity Bank

Quality content and amazing labs without the fluff! CCD is made up of excellent quality content. It reminds me of a SANS course, with concentrated technical details without the fluff of other courses. The online labs are equally excellent, providing the ability to work in the environments and analyze forensic artifacts and working in a full-featured SIEM complete with data to hunt for threats in.

Ahmed Ali CyberSecurity Researcher

Mind-bending! CCD really requires attention to detail, it's just like if you blink you would miss it.!

James Ducroiset V.P. Security and Networking

Great course so far. What is being taught, and reinforced with labs, is a very practical approach and skill set that can be immediately put to use in any organization.

Abdullah Samir Aspiring Security Analyst

I have never had a training course like CCD before. The content is Great and Clear, and the most important part is how cooperative and responsive the CyberDefenders team is.

Kenan Ayalp Enterprise Detection Senior Engineer @SAP

It's a great Cyber Defense hands-on course! From a content perspective, it is well-written and structured. It offers a very nice blend of various skills of Cyber Defense. The strength of CyberDefenders resides in its labs! It prepares you to do the job, not just teach a bunch of theories and tools.

On-site training

CCD Blue team Certification - BlackHat

This training is for SOC analysts, blue teams, incident responders, and security engineers who want to learn the essential skills of CyberDefense; prevention, detection, and response.

avatar avatar avatar 27+
Nov 19-23, 2022


After passing the CCD certification exam, you qualify for up to 40 CPE credits for your GIAC/SANS, EC-Council, and (ISC)2 certifications.
Two exam attempts. However, you can purchase additional exam attempts.
All candidates receive 6 months of access to course materials and labs.
Yes, 3 months starting window for individual orders and 12 months for corporate orders (3 or more students). Please mention the date you want your access to start in your purchase order.
The exam is 100% practical. It will evaluate your technical skills across the following domains; threat hunting, perimeter defense, disk forensics, memory forensics, and network forensics. You will use Elastic SIEM to hunt threats and investigate a real-world intrusion, create an incident timeline, and analyze attack artifacts using digital forensics tools.
70% is the minimum score to pass the CCD certification exam.
You will have forty-eight (48) hours to complete your exam from the moment you click the Start button. Once started, you will see a timer at the top of your exam view. The exam duration does not necessarily mean it's difficult; we want to ensure you have enough time and do not feel pressured.
No. The exam focuses on assessing your technical skills only.
No. CCD labs are cloud-based, and you can start/stop anytime. No need to set up anything on your side. Don't worry about labs...it's the most convenient, realistic, and exciting part of the course.
Yes, an Accredible badge will be awarded to certified CyberDefenders, and an electronic PDF certificate.
All certified individuals will receive the CCD silver coin, except those who pass with a score higher than 85% will receive the gold coin.
Yes, we do. The next run is at BlackHat costs $4000 per seat.
We can speak only for ourselves. But we can highlight CCD core values in the following points:
  • Challenging: unlike other similar certifications, CCD is not a spoon-fed experience. It challenges you to become a REAL DEFENDER by improving your research skills and changing your mindset 'Defend Smarter, Not Harder.' After getting certified, you will feel confident taking over a defender role in any organization.
    CCD should be your choice if you want real advancement. But, if you just need a certificate to grow your CV, then there are many other cheaper and easier certifications.
  • Quality: we value quality over quantity. We put a lot of time and effort into developing course labs to be as realistic and valuable as possible and not only throw a bunch of lessons and labs at you. A single threat hunting or forensic lab may weigh in quality a bunch of other labs you see elsewhere. Our work is referenced by top industry organizations.
  • Community: we have a fantastic private community for course students and certified professionals where you will experience cool technical discussions, suggestions, and even mentorship tips.
For more info, please check the course syllabus, community, and instructors and see if it meets your expectations.

Corporates can benefit from the following:

  • Discounts on bulk purchases (5+ seats).
  • Transferable licenses.
  • One-year validity for the procured licenses (buy not, start later).
CCD will challenge your research skills (like real-world investigations). You are good to start if you feel comfortable solving any of BlueYard's threat-hunting/digital forensics challenges questions.

Get Certified

No fluff! This blueteam training is straightforward, focused, and to the point, ensuring that you can practically apply every topic in your work environment. Challenge the exam after completing the training to validate your knowledge.

$499.99 $799.99 40% off (ending soon)

Whatโ€™s included

  • 25+ hands-on blueteam browser labs
  • Two certification exam attempts
  • 200+ Lessons
  • Study offline
  • Six months access
  • Instant support and mentorship

Training 5 or more people?

Get your team access to CCD course anytime, anywhere.

Contact Us
$499.99 $799.99 40% off (ending soon)

Whatโ€™s included

  • 25+ hands-on blueteam browser labs
  • Two certification exam attempts
  • 200+ Lessons
  • Study offline
  • Six months access
  • Instant support and mentorship

Training 5 or more people?

Get your team access to CCD course anytime, anywhere.

Contact Us
$799.99 40% off