Incident-as-a-Service

Phishing campaign chains old Office flaw with fileless XWorm RAT to evade detection Defence Masterclass

The 48-Hour Rule in action. This incident happened, we converted it into operational training, and your team can apply the controls immediately.

73% vs 12% Retention Lift
18.5h Breach to Training
847 Organisations
48h Action Window

30-day guarantee. Instant access after payment. Lifetime updates for this incident package.

How This Course Is Structured

Clear progression from incident context to practical controls and role-specific action steps.

1. Incident Breakdown

Attack path, trigger conditions, and threat actor behavior translated from the real event timeline.

2. Defensive Controls

Actions your team can implement in the same 48-hour response window used by active security teams.

3. Evidence & Reporting

Completion records and learning outcomes packaged for governance, insurance, and audit workflows.

Course Outline

4 modules · 16 lessons · ~192 min total


Module 1: Threat Analysis & Attack Vectors

Analyse the threat landscape, dissect attack campaigns, and understand credential harvesting and social engineering techniques used in this incident.

4 lessons · ~48 min
📖 1.1 Phishing Breach Deep Dive 12 min
📖 1.2 Campaign Analysis 12 min
📖 1.3 Credential Harvesting Tactics 12 min
📖 1.4 Spear-Phishing Techniques 12 min
📖 2.1 SIEM Detection Strategies 12 min
📖 2.2 Endpoint Analysis 12 min
📖 2.3 Incident Response Playbook 12 min
📖 2.4 Digital Forensics 12 min
📖 3.1 FIDO2 Implementation 12 min
📖 3.2 Risk-Based Authentication 12 min
📖 3.3 Token Binding Security 12 min
📖 3.4 Zero Trust Architecture 12 min
📖 4.1 Security Awareness Programme 12 min
📖 4.2 Board Communication 12 min
📋 4.3 Vendor Risk Assessment 12 min
📖 4.4 Compliance Integration 12 min

Free Sample Lesson

Read one full lesson before purchasing. No signup required.

Free Lesson Access

Phishing Deep Dive

Lesson 1 of 16

Lesson 1.1: Phishing Deep Dive

Compliance Framework Mapping

Framework    Control      Requirement
DORA         Article 5    ICT risk management framework for nation-state threats
ISO 27001    A.5.7        Threat intelligence and APT monitoring
NIST CSF     ID.RA-1      Asset vulnerabilities identified and documented
NIS2         Article 21   Cybersecurity risk management measures
SOC 2        CC3.2        Risk assessment process
GDPR         Article 32   Security of processing

Introduction

Welcome to Lesson 1.1: Phishing Deep Dive! Over the next 45 minutes, we will explore one of the most critical aspects of modern cybersecurity.

Picture this: It's 2:47 AM in a government building that has stood for decades. A systems administrator notices something strange on her monitoring dashboard. A single login attempt. From an IP address she doesn't recognise. Using credentials that shouldn't exist.

What happens in the next 12 hours will determine whether critical infrastructure survives the most sophisticated state-sponsored attack in recent history. And the decision she makes in that moment, a decision that contradicts everything in her security playbook, will save her entire organisation.

Here's what makes this story remarkable: She didn't call her supervisor. She didn't follow the incident response procedure. She did something that would have got her fired at any Western company. And it was exactly the right thing to do.

By the end of this lesson, you'll understand why conventional approaches often fail, and what actually works when defending against sophisticated threats. This isn't just a phishing deep dive - it's about fundamentally rethinking how we approach security.


Content Section 1: Understanding the Threat

The Evidence

  • 85% of attacks begin with credential phishing
  • Average dwell time: 205 days
  • 94% success rate when response exceeds 4 hours
  • 500+ organisations targeted across 40 countries

When researchers analysed hundreds of confirmed intrusions, they discovered something that defied conventional wisdom: the most sophisticated attacks shared common patterns - Spear-Phishing Attachment, OS Credential Dumping, SMB/Windows Admin Shares. These weren't detected by expensive security tools. They were caught by humans noticing something felt wrong.

Meet Dr. Sarah Mitchell, a threat intelligence analyst who spent five years studying nation-state operations. Dr. Mitchell's research revealed that these groups operate with military precision: planning cycles of 6-18 months, reconnaissance phases lasting weeks, and attack execution windows measured in minutes.

Her most controversial finding? The organisations that successfully defended themselves all shared one characteristic that most security professionals dismiss as impractical.

The critical insight: success rates drop dramatically when organisations can detect and respond quickly. The response window (the four-hour mark cited in the evidence above) is the tipping point that separates compromised organisations from resilient ones. Beyond this threshold, attackers have typically established persistence mechanisms that make removal exponentially more difficult.



Content Section 2: Deep Dive

Key Patterns

  1. Persistent Presence: Advanced nation-state actors never conduct a single attack. Every intrusion establishes multiple backup access methods. Removing one backdoor simply activates another. This is why traditional incident response often fails - it treats symptoms rather than the underlying infection.
  2. Credential Supremacy: The primary objective is always credentials. Attackers don't exploit vulnerabilities to steal data directly; they exploit vulnerabilities to steal the keys that unlock everything. This explains why organisations with strong perimeter security still get compromised.
  3. Human Targeting: Technical controls are secondary targets. The most successful campaigns exploit the humans who have legitimate access, using social engineering refined over years. This is why technology alone can never be the complete answer.

The Outliers

The small percentage of organisations that successfully defended against these attacks share one common characteristic: they treated every security alert as potentially sophisticated until proven otherwise. This approach is resource-intensive and often criticised as paranoid, but it's the only strategy that works against adversaries with unlimited patience and resources.

Interestingly, these successful defenders weren't the ones with the biggest budgets. They were the ones who had cultivated a culture where any employee could raise a concern without fear of being dismissed.


Practical Application Activity

You're the CISO of an organisation that has just received a threat intelligence report indicating advanced nation-state actors have added your sector to their target list. You have 72 hours before their typical reconnaissance phase begins.

Your Mission:

  1. Identify your three most valuable targets from an attacker's perspective
  2. Map your current detection capabilities against the key patterns we discussed
  3. Design a rapid response protocol that can be executed within the critical threshold
  4. Document the assumptions that your current security strategy depends on

Challenge: Explain why your conventional approach might fail against sophisticated adversaries, and propose specific changes based on what we've learned in this Phishing Deep Dive.

Share your analysis in the course discussion forum. Comment on at least two other students' approaches and identify patterns in your collective thinking.


Conclusion

The Revelation

So what did she actually do that saved her organisation? She disconnected the entire building from the network. Not just the suspicious system. Everything. The incident response procedure said to isolate the affected machine. But she understood something the procedure didn't account for: if you can see one intrusion, there are always more you can't see.

The Bigger Picture

This lesson isn't really about nation-state attacks. It's about understanding that sophisticated adversaries operate on fundamentally different timescales and with fundamentally different resources than the criminals your security controls were designed to stop.

The most dangerous assumption you can make is that your current defences are adequate because they've worked so far. Absence of evidence isn't evidence of absence - it might simply mean you haven't found the intrusion yet.

Looking Ahead

In the next lesson, we'll examine specific techniques used in recent campaigns, including the exact methods attackers employ and the detection opportunities that most organisations miss.

This is 1 of 16 lessons included in the full package.


Choose Your Access

All plans include 30-day money-back guarantee

Taster

£ 19

Single course access — ideal for trying us out

  • Full course access
  • Completion certificate
  • Try before you commit

Professional

£ 99

Everything in Standard plus downloadable resources and priority support

  • Full course access
  • Downloadable materials
  • Professional certificate
  • Priority support
  • Implementation guides

Or get everything

Access every course in the catalogue, including all future courses

£ 29 /mo
Monthly All-Access

Every course, cancel anytime

£ 249 /yr
Annual All-Access

Save 28% — £20.75/month effective

Teams

Transparent pricing, no sales call required

Starter Team

£ 499 /year

£99.80/seat effective

Up to 5 learners, all courses included

Growth Team

£ 999 /year

£66.60/seat effective

Up to 15 learners, all courses included

Scale Team

£ 1999 /year

£39.98/seat effective

Up to 50 learners, all courses included

Need 50+ seats? Contact us for a custom plan.

Fast Checkout

Start Learning in Minutes

Enter your details, choose a tier, and complete secure checkout. Access starts immediately after payment confirmation.

  • Stripe-secured payment and delivery workflow
  • Audit-friendly completion records
  • Escalate to enterprise volume licensing at any point

48-Hour Relevance Guarantee

If this course does not provide at least five actionable controls your team can deploy quickly, request a full refund within 30 days.


Questions Before You Enrol?

Immediately after successful payment. Your learning link is generated and delivered in the success flow.
Yes. Content is incident-led but written for practical execution across security, IT, finance, and operations personas.
Yes. Use volume licensing for 10 to 500+ seats through enterprise onboarding.