Cohort 07 — Now Enrolling


Twelve weeks. Live breach simulations. Instructors who've defended Fortune 500 networks at 3 a.m. When you graduate, you'll triage a live compromise before the SOC team finishes their coffee.

247 graduates across six cohorts

// Threat Lab — Incident 07-C

A regional hospital's radiology network was encrypted at 4:47 p.m. on a Friday.

This is a real anonymized incident. What follows is how Breach graduates responded — and what they knew that the hospital's team didn't. Read it as a post-mortem. You'll recognize the syllabus without ever seeing a course list.

16:47

Detection

Radiology PACS goes dark

A nurse calls the help desk. Files won't open. IT assumes a drive failure — the first 12 minutes are lost. A Breach graduate would have pulled NetFlow logs before touching the endpoint.

Module 2: Log Triage & NetFlow Analysis

17:03

Containment

Lateral movement confirmed

The attacker pivoted from a VPN concentrator compromised 11 days earlier. Breach graduates isolate the affected VLAN in under 4 minutes using pre-built runbooks. The hospital's team spent 47 minutes on the phone with a vendor.

Module 4: Network Segmentation Under Fire

17:51

Eradication

IOCs extracted, persistence removed

Three scheduled tasks, two registry run keys, and a renamed LOLBin. Our graduates learn to hunt these artifacts in week 6 — not from slides, but inside a live replica of this exact environment.

Module 6: Threat Hunting & Persistence Removal

19:22

Recovery

Imaging resumes. Post-mortem begins.

The hospital restored from clean backups in 94 minutes. The incident report — written by a Breach graduate on practicum — became a case study for a regional ISAC.

Module 10: Incident Documentation & Reporting

Threat Lab — Replica environment built from real incident data

Cohort Outcomes

  • 94% placed within 90 days
  • +$38k median salary increase
  • 12 weeks to certification
  • 3 live incidents per student

// Alumni Ops — Field Reports

A municipal water utility was probed for 19 days before anyone noticed.

Two Breach graduates on the incident response team caught it on day 20. Here's what they knew — and who they were before the bootcamp.

Marcus D., Incident Response Analyst, regional health system

Cohort 04 · CompTIA CySA+

+$41,000 salary increase

"Week 3, I'm pulling packet captures from a simulated exfiltration. Week 8, I'm doing it for real at my new employer. The gap between those two sentences is the bootcamp."

Before

Help Desk Lead, county school district

After

Incident Response Analyst, regional health system

Priya N., Threat Hunter, mid-market financial services

Cohort 05

+$52,000

"I'd been doing tickets for six years. I knew the infrastructure cold. Breach gave me the adversary mindset I was missing…"

Network Admin → Threat Hunter

James "Kel" K., SOC Analyst II, defense contractor

Cohort 03

+$29,000

"My clearance opened doors. Breach gave me the technical depth to walk through them. The instructors understood that mili…"

Army Signal Corps → SOC Analyst II

Graduates now working at

Leidos, ManTech, Optum, Deloitte Cyber, CrowdStrike, Palo Alto Networks

// Curriculum — 12 Weeks, Six Phases

A cloud storage provider lost 4.7 TB in 11 minutes. The attacker was already gone.

The curriculum maps directly to incident phases. Every module is a phase of a real breach. You don't study theory — you work the case until the case is closed.

You're not studying theory. You're inside a simulated enterprise — 200 endpoints, real Active Directory, live DNS — and your job is to understand how attackers think before you learn how to stop them.

Simulated: Phishing campaign targeting an accounting firm

Tools Used: Wireshark, Zeek, Sysmon

Log triage at scale. You'll pull 2 million events and find the four that matter. Baseline behavioral analysis, alert fatigue management, and the difference between a false positive and a missed detection that ends a career.

Simulated: Credential stuffing against a healthcare portal

Tools Used: Splunk, Elastic SIEM, Sigma Rules

Network segmentation under pressure. Firewall rule deployment in 90 seconds. Isolation without causing more damage than the attacker. This is where most responders freeze — you won't.

Simulated: Ransomware lateral movement across manufacturing OT network

Tools Used: pfSense, Palo Alto NGFW, EDR consoles

Persistence mechanisms, LOLBins, living-off-the-land techniques. You'll learn to find what attackers leave behind — and remove it without triggering what they left as a trap.

Simulated: Supply chain compromise at a municipal utility

Tools Used: Velociraptor, YARA, Autoruns

Clean imaging, backup validation, and the post-incident hardening that prevents the same attacker from walking back in six weeks later. Most orgs skip this. You won't.

Simulated: Hospital system restoration under regulatory deadline

Tools Used: Veeam, Ansible playbooks, CIS Benchmarks

A 48-hour continuous incident simulation. Real attacker TTPs, real pressure, real documentation. Graduates emerge with a portfolio-ready incident report and a certification exam voucher.

Capstone: Multi-vector attack on a financial services firm

Tools Used: Full stack, MITRE ATT&CK, Exam prep

What You Graduate With

  • CompTIA CySA+ or eCIR voucher
  • Portfolio-ready incident report
  • 48-hour capstone documentation
  • Alumni ops network access
  • Employer intro program

Seats Remaining: 7 of 24 seats

// Instructors — Operators, Not Academics

A telecom carrier's BGP routes were hijacked for 68 minutes. Nobody noticed until Twitter did.

The instructors who teach Breach have worked incidents like this. Not as case studies — as operators with phones ringing and executives in the room. That context is what they bring to every session.

Col. (Ret.) Diana Marsh, Lead Instructor — Threat Hunting

22 years, US Army Cyber Command. Led incident response for three classified infrastructure breaches. Now teaches the methodology she built in the field.

22 yrs experience

CISSP, GCIH, TS/SCI

Rafael Okonkwo, Instructor — Network Forensics

Former red team operator at a Big 4 cybersecurity practice. Has conducted over 80 incident response engagements across healthcare, finance, and critical infrastructure.

14 yrs experience

OSCP, GCFE, CEH

Soo-Jin Park, Instructor — SIEM & Detection Engineering

Built the detection engineering function at a Fortune 100 insurer from the ground up. Designed 400+ custom Sigma rules now used across the healthcare vertical.

11 yrs experience

Splunk Certified, GCIA, AWS Security

// Final Briefing

The next incident is already in progress.

You've read three incidents. You've seen the gap. Breach graduates respond while others are still forming a bridge call. Your cohort starts in 23 days. Seven seats remain.

No coding prerequisites
20 hrs/week, fully remote
GI Bill & employer reimbursement eligible
Max 24 students per cohort