Full Report
Over the years, we’ve trained thousands of students in the art of offensive and defensive security through our Hacking by Numbers courses. Our courses are taken directly from the work we do: when we compromise networks or applications with new techniques, those techniques are turned into modules in the appropriate course. We also don’t use dedicated trainers; every course is given by one of our analysts to keep it authentic. For our fifteenth year, we’ve decided it is time to retire the ‘Hacking by Numbers’ name and just call it what it has always really been: SensePost Training.
## Analysis Summary
As the article is exclusively a promotional announcement for SensePost Training courses (formerly Hacking by Numbers) and describes the structure and philosophy of their training tiers (Beginner, Journeyman, Master), it **does not contain explicit, actionable cybersecurity recommendations, configuration guidance, or security standards implementation steps.**
The context given—that course modules are derived directly from real-world compromise techniques—implies the *subject matter* focuses on practical exploitation and defense; however, the *text itself* only describes the *curriculum*, not the specific defensive controls or procedures taught within those courses.
Therefore, the summary below is structured based on the **implied defensive knowledge derived from an offense-focused training methodology**, focusing on the foundational skills mentioned in the course descriptions.
---
# Best Practices: Security Competency Development and Threat-Informed Defense
## Overview
These synthesized best practices are derived from the training methodology described, which emphasizes deriving defensive knowledge directly from cutting-edge offensive techniques observed during real-world compromises. The focus is on building foundational skills (Beginner), specializing in modern exploitation vectors (Journeyman), and mastering APT-style persistent compromise (Master).
## Key Recommendations
### Immediate Actions (Focus on Foundational Tooling and Skill Acquisition)
1. **Establish Command Line Proficiency:** Ensure all security personnel can work effectively at the command line interface (CLI) with Linux-based security toolsets, as this is the assumed starting point for both offensive analysis and defensive response.
2. **Verify Network Fundamentals Understanding:** Conduct a baseline assessment on team members to confirm mastery of core networking concepts prerequisite to understanding vulnerability discovery.
3. **Document Initial Toolsets:** Inventory and standardize the basic tools used across the security team, mirroring the mandatory tools presented in entry-level training.
### Short-term Improvements (1-3 months) (Focus on Specialization and Current Exploitation)
1. **Launch Specialized Training Tracks:** Implement internal "Journeyman"-level training tracks that address known weaknesses in specific domains identified by recent compromises (e.g., dedicated modules on the latest network, application, or wireless exploitation techniques).
2. **Mandate Exploitation Familiarity:** Require security analysts (defensive staff) to study common exploitation techniques relevant to their environment, as understanding *how* a system is broken is crucial for effective hardening.
3. **Integrate "Real-Time" Learning:** Establish a process to rapidly convert recently discovered compromise techniques (internal test results or industry disclosures) into short, focused internal training modules or defensive awareness briefings.
### Long-term Strategy (3+ months) (Focus on Advanced, Adversary-Emulation Security Posture)
1. **Develop APT Simulation Capability:** Transition penetration testing/red team functions to operate using methodologies mimicking Advanced Persistent Threats (APTs), focusing on complex, multi-stage compromises (Second Order Compromises/Spec Ops).
2. **Institute Internal Mastery Programs:** Create tiers of expertise (similar to Master level) where senior staff are expected to understand complex internals (e.g., Metasploit internals, advanced Nmap usage beyond basic scans) to support deep forensic analysis and secure architecture design.
3. **Promote Continuous Skill Refresh:** Mandate that all security analysts regularly engage in hands-on exploitation practice to ensure their defensive knowledge evolves concurrently with the offensive landscape.
## Implementation Guidance
### For Small Organizations
- **Prioritize Foundational Skills:** Focus 80% of the initial training budget on ensuring every relevant staff member masters the Linux CLI and the fundamental networking concepts necessary for basic vulnerability triage.
- **Leverage Public Resources:** Utilize documented beginner-level training outlines (where available) to form a structured, self-paced learning path until the capability exists to engage formal specialized courses.
### For Medium Organizations
- **Establish Specialization Paths:** Begin separating defensive teams based on operational requirements (e.g., Network Security Team, Application Security Team) and tailor Journeyman-level knowledge acquisition to their specific technologies.
- **Integrate Hands-on Labs:** Ensure training environments are highly interactive and provide opportunities for hands-on exploitation practice rather than purely theoretical study.
### For Large Enterprises
- **Implement Tiered Expertise Framework:** Formally map employee skill sets to the Beginner/Journeyman/Master taxonomy to identify critical skill gaps requiring immediate specialized outsourcing or internal development.
- **Embed Offensive Analysts:** Embed analysts proficient in advanced/master-level techniques directly within defensive teams for threat hunting and proactive defense assessment (security culture mirroring the firm's own analyst-led course delivery).
## Configuration Examples
The source material describes the *content* of courses (e.g., using the command line with offensive toolsets, understanding network pivoting) but provides **no specific file configurations** (e.g., firewall rules, hardening scripts).
## Compliance Alignment
While the text does not explicitly mention standards, the methodology strongly aligns with:
* **NIST SP 800-53 (AC and CM control families):** The emphasis on understanding exploitation directly supports requirements for rigorous Configuration Management and Access Control testing.
* **ISO/IEC 27001/27002 (A.12, A.14):** Continuous technical monitoring and security testing derived from current threats directly support the requirement for effective protective measures.
* **MITRE ATT&CK® Framework:** The progression from basic techniques to APT-style emulation maps directly to implementing controls against known adversary tactics, techniques, and procedures (TTPs).
## Common Pitfalls to Avoid
- **Reliance on Theoretical Knowledge:** Do not allow security training to remain purely lecture-based; practical, hands-on exploitation experience is necessary for authentic defense.
- **Stagnant Tool Knowledge:** Avoid complacency regarding offensive techniques; the expectation must be that security tools and knowledge are updated as frequently as new compromise techniques are discovered.
- **Neglecting Foundational Skills:** Do not skip basic training (CLI, networking) in favor of jumping straight to advanced attacks; mastery of the fundamentals is required before understanding "second order compromises."
## Resources
- *This source text does not provide external resources; the "resource" being promoted is the tiered professional training itself.*