Training Blue Team#
Defender-focused labs, simulators, and CTF environments. The operator runs these to drill detection engineering, threat hunting, memory forensics, and incident response on the receiving end of their own tradecraft. Most are Windows-domain-shaped because that is where most defended estates live.
Labs#
DetectionLab at clong/DetectionLab, a Windows AD domain pre-loaded with Sysmon, Splunk, Velociraptor, and the rest of the canonical detection stack.
WindowsAttackAndDefenseLab at jaredhaight/WindowsAttackAndDefenseLab, the lab kit that backs Sean Metcalf’s class.
Invoke-ADLabDeployer at outflanknl/Invoke-ADLabDeployer, automated Windows + AD test-network builds for both sides.
Sheepl at SpiderLabs/sheepl, generates realistic user behaviour traces so detections fire against human-shaped noise.
MemLabs at stuxnet999/MemLabs, introductory memory-forensics challenges.
CTF and IR#
CyberDefenders at https://cyberdefenders.org/, blue-team CTF challenges built from real incident artefacts.
Blue Team Labs Online at https://blueteamlabs.online/, hands-on detection and forensics scenarios.
DFIR.training at https://www.dfir.training/, curated drill catalogue across forensics specialties.
Certification map#
The community-maintained Reddit progression chart at https://www.reddit.com/r/cybersecurity/wiki/certificationchart/ shows where defensive certs (Security+, BTL1, GCFA, GCIA, GCIH, CCSP) sit relative to each other. Treat it as a sketch, not a prescription.