Full Report
In the last few years, the infosec training scene has exploded. Arguably, the largest training provider is Black Hat, and in the last 15 years we’ve seen it grow from a handful of courses to 106 at the last Black Hat USA. With many courses purportedly offering the same or similar content, it’s getting harder to choose as a student. This blog entry will cover some of the stuff we think makes our courses pretty great, and why we’re so proud of them. It may also help you to evaluate whether our courses are what you’re looking for, or at least how to spot the better courses (not just ours) in a list of 100+.
The Basics
It’s our belief that if you have a deep passion for the work you do, then not only will you work hard to be great at it, you’ll also enjoy sharing that passion by teaching others. It’s held true for us for many years, and we make a point of having our best analysts, rather than specialised trainers, run our courses.
Analysis Summary
This document summarizes actionable security recommendations extracted from the provided context, focusing on best practices for **Selecting and Evaluating Security Training Providers and Content**.
# Best Practices: Training and Education Quality Assurance
## Overview
These practices address how organizations and individuals should evaluate the quality, relevance, and effectiveness of information security training offerings, ensuring the investment yields practical, up-to-date security knowledge.
## Key Recommendations
### Immediate Actions (Evaluation Phase)
1. **Verify Instructor Practitioner Status:** Confirm that instructors actively work as security analysts or practitioners in the subject matter they teach, rather than relying solely on specialized training backgrounds.
2. **Assess Communication Skills:** Prioritize instructors who demonstrate strong teaching and communication abilities, as poor instruction can negate excellent course content.
3. **Scrutinize Title vs. Content:** Do not rely solely on course titles (e.g., "Advanced"). Immediately check the syllabus/synopsis to ensure the content matches the claimed expertise level (Beginner, Journeyman, or Master).
4. **Ensure Practical Coverage:** Confirm that the course offers hands-on practice (lab components) for *every* significant topic covered, moving beyond theoretical knowledge found in books.
### Short-term Improvements (Curriculum Vetting - 1-3 months)
1. **Validate Content Recency:** Inquire about the last major update to the course materials and practical examples. Reject courses heavily featuring outdated vulnerabilities (e.g., MS08-067 in an infrastructure course).
2. **Confirm Foundational Exclusion:** For advanced courses, verify that basic introductory concepts (like initial port scanning or simple brute-forcing) are explicitly *excluded* or only briefly touched upon, so that the course focuses on depth.
3. **Demand Level Appropriateness:** Ensure the course clearly defines its target level (Beginner, Journeyman, Master) and confirm that the content flow is logical and progresses appropriately (e.g., Journeyman builds clearly on Beginner material).
### Long-term Strategy (Environment & Methodology - 3+ months)
1. **Prioritize Realistic Lab Environments:** Insist on training that utilizes environments reflective of current real-world architectures (e.g., custom mobile apps, corporate domains, cloud orchestration, contemporary C2 structures).
2. **Mandate Unique, Isolated Labs:** Advocate for training platforms that provision a unique, isolated environment (e.g., dedicated cloud instances) for every student to prevent interference, ensure stability, and maximize individual exploitation experience.
3. **Require Guided Practical Exercises:** Ensure practical labs are supported by clear descriptions and guided questions to focus the student’s attention on the critical learning objectives of the exploit or technique.
## Implementation Guidance
### For Small Organizations
- **Focus Budget on Practitioner-Led Experiences:** Since budget may be limited, prioritize fewer, high-quality courses taught by active industry practitioners over numerous broad, generic courses led by instructors who are not practitioners.
- **Mandate Hands-On Verification:** Require employees who complete training to deliver a short internal presentation or workshop demonstrating one practical skill learned in their isolated lab environment.
### For Medium Organizations
- **Establish Pre-requisite Flow:** Structure internal training paths so that employees entering a Journeyman course can demonstrate completion or mastery of the relevant Beginner course topics to avoid concept repetition and wasted time.
- **Audit Lab Fidelity:** When selecting training, specifically look for confirmation that the lab environments simulate modern infrastructure components (cloud, containerization, diverse network segments).
### For Large Enterprises
- **Develop Internal Trainer Proficiency Standards:** Implement a formal vetting process for external training providers that mandates technical expert review of instructor credentials and curriculum currency.
- **Leverage Cloud Orchestration for Scale:** Favor training providers capable of using platforms like AWS to dynamically spin up extensive, custom, dedicated environments for hundreds of simultaneous students without resource contention.
## Configuration Examples
*(The source article does not provide specific technical configuration examples (e.g., firewall rules, registry edits), but focuses on the structure of training delivery setups.)*
**Required Training Environment Structure (Conceptual):**
| Component | Best Practice Requirement |
| :--- | :--- |
| **Infrastructure** | Provision of entire, believable virtual corporate domains or complex cloud networks. |
| **Student Isolation** | 1:1 provisioning of unique network environments per student (e.g., using AWS accounts/VPCs). |
| **Content Delivery** | Centralized training portal hosting guided lab instructions, reducing reliance on physical printouts. |
| **Currency** | Environments must reflect current internet and corporate standards, excluding decade-old vulnerabilities. |
## Compliance Alignment
While the article focuses on training quality rather than security mandates, the implementation of robust, current training supports adherence to general security frameworks requiring competent workforce readiness:
- **NIST Cybersecurity Framework (CSF):** Supports the **Workforce Development and Training** aspects under the **Identify (ID)** function.
- **ISO/IEC 27001/27002:** Supports controls related to **Information Security Awareness, Education and Training** (often mapped to A.7 or related Annex A controls).
- **CIS Critical Security Controls:** Supports the implementation of foundational skills necessary to manage and defend infrastructure effectively among operational teams.
## Common Pitfalls to Avoid
1. **Mistaking Passion for Skill:** Assuming that deep passion automatically translates into excellent pedagogical skill and effective communication.
2. **Accepting Misleading Titles:** Allowing course titles starting with high-impact words (like "Advanced") to bypass detailed content review.
3. **Tolerance for Outdated Content:** Allowing students to learn based on historical vulnerabilities that no longer represent current threats in production environments.
4. **Accepting Shared Labs:** Allowing students to utilize environments shared with others, leading to interference, instability, and reduced hands-on learning opportunities.
5. **Focusing Only on Theory:** Selecting courses that primarily lecture on topics without mandatory, reinforcing practical application exercises for every concept.
## Resources
*(The source article names high-level training venues and concepts, which serve as starting points for seeking quality education.)*
- **Search Term Focus:** When searching for training, prioritize requirements such as "Practitioner-Led," "Hands-On Labs," and "Cloud Orchestrated Environments."
- **Industry Benchmarks:** Observe course structures and depth presented by leading large-scale training vendors (e.g., Black Hat courses or similar industry conferences) as a quality benchmark for environment complexity.