Certified CyberDefender (CCD)

Certified CyberDefender is a vendor-neutral, hands-on cyber defense training and certification. This course will jumpstart and empower those on their way to becoming the next generation of SOC analysts, blue teams, and security engineers.

(140) Intermediate


Are you looking for a quick and effective way to acquire modern real-world CyberDefense skills and be a competent security analyst, engineer, or blue teamer?

This course introduces students to the real-world threats defenders experience in their networks and the tools used to defend against them. It provides the essential foundation of modern cyber defense operations. Students will learn the inner workings of the three core pillars of CyberDefense: prevention, detection, and response. In addition, they will learn how to defend an enterprise using essential blue team incident response tools and techniques.

Who is this training for?

This training is for aspiring SOC analysts, blue teams, incident responders, and forensic analysts who want to learn the essential skills of CyberDefense: prevention, detection, and response.

Course objectives:

  • Minimize attack surface.
  • Engineer a solid detection functionality.
  • Prepare SOC analysts with tools, techniques, and knowledge to perform their job efficiently.
  • Perform efficient threat hunting.
  • Prioritize what to work on to achieve a better return on investments.
  • Develop a solid analytical, problem-solving and persistent mindset.

Learn CyberDefense skills that are:

  • Applicable: realistic and can be applied to most organizations.
  • Lean: achieves better results with minimal effort.
  • Impactful: has a more noticeable impact on security and significantly enhances overall security posture.

In other words, skills that most defenders can smoothly apply to get security off the ground and maintain a reasonable level of cyber hygiene.


  • Module 1: Security Operations (SecOps) Fundamentals
    • SOC Overview
    • SOC components - Tools and Technologies
    • SOC components - People
    • SOC components - Processes
    • Labs:
      • Microsoft Defender for Cloud
      • OSSEC Host Intrusion Detection System (HIDS)
      • Nessus for Vulnerability Assessment
      • Microsoft Sentinel SIEM / SOAR
      • Canary Tokens
  • Module 2: Incident Response (IR)
    • IR Overview
    • Preparation
    • Detection and analysis
    • Containment
    • Eradication
    • Recovery
    • Post-Incident Activities
    • Labs:
      • Suricata - Network Detection
      • C2 Traffic Detection with Real Intelligence Threat Analytics (RITA)
      • Application Detection - Web Shells
      • Sysmon: Endpoint Perimeter/System Detection
      • Velociraptor - Enterprise Incident Response
  • Module 3: Cyber Threat Intelligence (CTI)
    • Introduction
    • Collection and Storage
    • Modeling and Analysis
    • MITRE ATT&CK for CTI
    • Attribution and Intel Sharing
    • Labs:
      • Shodan open-source Intelligence
      • IOC Extraction
      • OpenCTI: Open Cyber Threat Intel Platform
      • Threat Profiling using MITRE ATT&CK Navigator
      • MISP: Malware Information Sharing Platform
  • Module 4: Digital Forensics
    • Introduction
    • Data Acquisition
    • Windows Forensics
    • Linux Forensics
    • Memory Forensics
    • Network Forensics
    • Labs:
      • Evidence Collection (memory, triage, and disk images)
      • Windows Forensics Investigation Case
      • Linux Forensics Investigation Case
      • Memory Forensics Investigation Case
  • Module 5: Threat Hunting
    • Introduction
    • Tools and Technologies
    • Security Information and Event Management (SIEM)
    • Network-level Threat Hunting
    • Endpoint-level Threat Hunting
    • Application-level Threat Hunting
    • Threat Emulation
    • Labs:
      • Elastic SIEM
      • Network Hunting Case
      • Endpoint Hunting Case
      • Application Hunting Case
  • Module 6: Email Security and Phishing Defenses
    • Spoofing Threats and Defenses
    • Attachment Threats and Defenses
    • URL Threats and Defenses
    • Extra Mile Controls
    • Labs:
      • SPF, DKIM, and DMARC Deployment
      • GoPhish Phishing Simulator
      • Detecting Phishing Attacks using Canarytokens

Muhammad Alharmeel is a CyberDefense consultant with more than 15 years of experience. He has helped multiple organizations improve their security, performed numerous security assessments, and responded to attacks for clients in government, financial, high technology, healthcare, and other industries. He holds multiple respected hands-on certifications in both defensive and offensive domains, such as the prestigious GIAC Security Expert, Offensive Security Certified Expert (OSCE), and the Certified Information Security Manager (CISM) designation.

Ahmed Shawky is a Lead Threat Hunter @IBM and an application security expert with a strong commitment to open source. He has authored multiple SOC-related tools, such as Detection Lab ELK and Mail Header Analyzer, and is a big fan of Detection Engineering & SecOps automation.

Course prerequisites

What you should know before you start this course:

  • Solid understanding of Windows and Linux operating systems.
  • Reasonable research and problem-solving skills.
  • Familiarity with basic system administration, networks, and security concepts.
  • Access to an enterprise environment is a plus.

Get Certified

No fluff! The course is straightforward, focused, and to the point, ensuring that you can practically apply every topic in your work environment. Challenge the exam after completing the course to validate your knowledge.

Course - Frequently Asked Questions

Q- How many exam attempts are included with the course?

Two exam attempts are included. Additional exam attempts can be purchased.

Q- What does the exam look like?

The exam is 100% practical. It evaluates your technical skills across the following domains: incident response, disk forensics, memory forensics, and network forensics. You will use Elastic SIEM to investigate a real-world intrusion, create an incident timeline, and analyze attack artifacts using digital forensics tools.

Q- What is the passing score?

70% is the minimum score to pass the exam.

Q- What is the exam duration?

You will have forty-eight (48) hours to complete your exam from the moment you click the Start button. Once started, you will see a timer at the top of your exam view. The exam duration does not necessarily mean it's difficult; we want to ensure you have enough time and do not feel pressured.

Q- Am I required to write a report?

No. The exam focuses on assessing your technical skills only.

Q- Am I allowed to use the internet during the exam?

Yes, just like real-world investigations! The exam has an open book policy, and you can use the internet on your computer. However, the exam machines do not have an internet connection.

Q- How long will I have access to course materials?

All candidates receive 6 months of access to course materials and labs.

Q- Do I have to set up something on my machine to practice labs?

No. Course labs are cloud-based, and you can start and stop them anytime, so there is no need to set up anything on your side. Don't worry about the labs: they are the most convenient, realistic, and exciting part of the course.

Q- Certified CyberDefender (CCD) is a relatively new certification. Why should I try it out?

We admit that CCD is a relatively new cert. However, we are 100% confident of the quality and effort we have put into it. In particular, the realistic application and practicality of what students learn come from what we have seen in big enterprises and service providers. Give it some time, and get back to this later!

Q- How does CCD compare to other similar certifications?

We can speak only for ourselves. Please check the course syllabus, details, depth, and instructors and see if it meets your expectations.

Q- Will I receive a digital badge after passing the exam?

Yes. Certified cyberdefenders receive an Accredible digital badge and an electronic PDF certificate.

Q- Do you offer printed certificates and coins?

We might consider printed certificates and coins, but no guarantee. Having a coin or a printed cert is nice and shiny, but it's not something that can help you in a real-world investigation or a job interview! That was one reason behind our Motto, 'Less Hype, More Value.' Our core focus is on the skills you can utilize right away. We hope you perceive us as a mindset changer.

Q- Do you deliver on-site training in security events (e.g., BlackHat)?

Yes, we do. Our last run at BlackHat cost $4000 per seat. The next scheduled run is in Riyadh, KSA, in May 2023. If interested, please fill out this form.

Q- I have more questions. What is the best way to contact you?

For more information, please join the CyberDefenders Discord channel.

How students rated this course


(Based on 27 reviews)



Jason Tayler, Security Analyst @Oklahoma Fidelity Bank

Quality content and amazing labs without the fluff! The Certified CyberDefender course is made up of excellent quality content. It reminds me of a SANS course, with concentrated technical details without the fluff of other courses. The online labs are equally excellent, providing the ability to work in the environments, analyze forensic artifacts, and work in a full-featured SIEM complete with data to hunt for threats in.

Ahmed Ali, CyberSecurity Researcher

Mind-bending! This course really requires attention to detail; it's just like if you blink, you would miss it!

James Ducroiset, V.P. Security and Networking

Great course so far. What is being taught, and reinforced with labs, is a very practical approach and skill set that can be immediately put to use in any organization.

Abdullah Samir, Aspiring Security Analyst

I have never had a training course like this before. The content is great and clear, and the most important part is how cooperative and responsive the CyberDefenders team is.

Kenan Ayalp, Enterprise Detection Senior Engineer @SAP

It's a great Cyber Defense hands-on course! From a content perspective, it is well written and structured. It offers a very nice blend of various skills of Cyber Defense. The strength of CyberDefenders resides in its labs! It prepares you to do the job, not just teach a bunch of theories and tools.

$500 (regular price $800)

Enroll now and save 40%. Use promo code "CCD40"


What’s included

  • 20+ hands-on labs
  • Two certification exam attempts
  • 150+ Lessons
  • Study offline
  • Six months access
  • Instant support and mentorship