
Detection & OpSec Cyber Range

HTB Academy’s Detection & OpSec Cyber Range is an advanced extension of the purple modules, designed to support both detection engineering and operational security assessment following user-driven attack simulations. It features isolated, fully interactive networks with Windows and Linux purple module targets, generating real-time logs and telemetry, all centrally monitored via Splunk and Wazuh. Built for both blue and red team professionals, the range's reusable infrastructure and pre-installed tooling provide a safe and dedicated environment for identifying post-attack artifacts, developing and validating detections, and evaluating tradecraft exposure, without the need to set up or manage complex, technically demanding infrastructure.

Created by MadhukarRaina
Co-Authors: dbougioukas

Medium Purple

Summary

HTB Academy’s Detection & OpSec Cyber Range is an advanced extension of the purple modules, designed to support both detection engineering (from initial artifact discovery to rule validation) and operational security assessment following user-driven attack simulations. It provides isolated, fully interactive networks featuring Windows and Linux purple module targets that actively generate logs and telemetry data in response to user-executed attacks. Unlike traditional purple module setups, the cyber range centralizes monitoring by forwarding data to enterprise-grade SIEM platforms, specifically to Splunk and Wazuh, with Wazuh configurations also integrating with TheHive for incident handling and case management. This allows users to focus on detection, log analysis, and detection engineering without requiring direct access to the endpoints, though remote access remains available for more in-depth forensic and detection engineering workflows.

Designed for both newcomers and seasoned professionals, HTB Academy’s Detection & OpSec Cyber Range comes with Atomic Red Team pre-installed, so adversary TTPs can be simulated safely and with predictable telemetry.

Red teamers can also use the range to test and refine custom TTPs and malware, enhancing their operational security and reducing the likelihood of detection.

Disclaimer: Please note that completion of the Introduction to Academy's Purple Modules module is a strict prerequisite for this module, as it equips learners with critical baseline knowledge of the purple module targets, specifically their built-in logging pipelines, telemetry generation, and the suite of pre-installed Digital Forensics and Incident Response (DFIR) tools. This module is intended for experienced professionals in the field, aiming to highlight the capabilities of the Detection & OpSec Cyber Range. As such, the DFIR/SIEM toolset included, as well as the attacking and detecting techniques discussed, will not be covered in exhaustive detail.


This module is broken into sections with accompanying hands-on exercises to gauge your understanding of the various topic areas.

You can start and stop the module anytime and pick up where you left off. There is no time limit or "grading", but you must complete all of the exercises to receive the maximum number of cubes and have this module marked as complete.

The module is classified as "medium" and assumes participants have a foundational understanding of how Windows and Linux systems operate, along with familiarity with common attack techniques and detection principles.

A firm grasp of the following modules can be considered prerequisites for the successful completion of this module:

  • Intro to Academy (Available only on the consumer platform)
  • Intro to Academy's Purple Modules
  • Intro to Network Traffic Analysis
  • Intermediate Network Traffic Analysis
  • Working with IDS/IPS
  • Windows Event Logs & Finding Evil
  • Security Monitoring & SIEM Fundamentals
  • Understanding Log Sources & Investigating with Splunk
  • Detecting Windows Attacks with Splunk
  • Introduction to Threat Hunting & Hunting With Elastic
  • YARA & Sigma for SOC Analysts
  • Introduction to Malware Analysis
  • Introduction to Digital Forensics

Introduction to Detection & OpSec Cyber Range

What is the Detection & OpSec Cyber Range?

HTB Academy’s Detection & OpSec Cyber Range is an advanced extension of the purple modules, designed to support both detection engineering (from initial artifact discovery to rule validation) and operational security assessment following user-driven attack simulations. It provides isolated, fully interactive networks featuring Windows and Linux purple module targets that actively generate logs and telemetry data in response to user-executed attacks.

Unlike the standard purple modules, where users remotely log into each target post-exploitation to conduct forensic analysis, the Detection & OpSec Cyber Range centralizes all monitoring and investigation workflows by forwarding data to enterprise-grade SIEM platforms, specifically to Splunk and Wazuh. In setups using Wazuh, alerts are also forwarded to a TheHive instance, enabling users to explore basic incident handling workflows and case management. This allows users to focus entirely on detection, log analysis, and detection engineering tasks without needing direct access to the endpoints.

While the Detection & OpSec Cyber Range centralizes monitoring, remotely logging into each target is still fully supported and encouraged for more elaborate detection engineering or in-depth forensic workflows.

Red team operators can also leverage the Detection & OpSec Cyber Range to test TTPs and evaluate custom-built or modified malware payloads in a controlled environment. By observing the resulting alerts, logs, process behavior, and other telemetry data captured by the purple module targets and the SIEM, red teamers can analyze how their activities are detected and use this insight to refine their techniques, improve operational security (OpSec), and reduce detection opportunities in future operations.

For users who may lack extensive red teaming knowledge, both the Windows and Linux purple module targets come pre-installed with Atomic Red Team, a framework that facilitates the simulation of adversary Tactics, Techniques, and Procedures (TTPs). Atomic Red Team is driven through an easy-to-use PowerShell module (Invoke-AtomicRedTeam), allowing users to safely execute a wide range of attack techniques that generate meaningful telemetry for analysis, making the range approachable for learners while still valuable for experienced professionals.
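The following is an added example, not part of the HTB Academy module text or of the Atomic Red Team project itself. It wraps the real `Invoke-AtomicTest` cmdlet from the Invoke-AtomicRedTeam module in a small function that shows the test, resolves prerequisites, runs it, cleans up, and returns the UTC window in which the activity occurred, which is what a detection engineer needs to scope a Splunk or Wazuh search afterwards. The module path, the choice of technique (T1003) and the test number are assumptions made for the example; adjust them to the target in front of you.

```powershell
# Added example (not from the module or the Atomic Red Team project): run one
# atomic test against a purple module target and record the execution window so
# the resulting telemetry can be pulled from the SIEM by time range.
# Assumptions: the module sits at the default Windows install path below (on the
# Linux targets the same module is loaded under pwsh from its own install path),
# and the technique / test numbers are the operator's choice.

$AtomicModule = 'C:\AtomicRedTeam\invoke-atomicredteam\Invoke-AtomicRedTeam.psd1'  # assumed path
Import-Module $AtomicModule -Force

function Invoke-RangeAtomic {
    param(
        [Parameter(Mandatory)] [string] $Technique,          # e.g. 'T1003'
        [int[]]                         $TestNumbers = @(1),
        [string]                        $LogPath = (Join-Path $env:TEMP 'atomic-execution.csv')
    )

    # 1. Show exactly what the test will execute before running it.
    Invoke-AtomicTest $Technique -TestNumbers $TestNumbers -ShowDetails

    # 2. Resolve prerequisites (tools, sample files) so the test does not fail
    #    silently and leave you searching the SIEM for telemetry that never fired.
    Invoke-AtomicTest $Technique -TestNumbers $TestNumbers -CheckPrereqs
    Invoke-AtomicTest $Technique -TestNumbers $TestNumbers -GetPrereqs

    # 3. Run the test bounded by UTC timestamps. The CSV execution log written by
    #    -ExecutionLogPath (technique, test name, GUID, start/end) is the ground
    #    truth when validating a detection rule against what the SIEM shows.
    $start = (Get-Date).ToUniversalTime()
    Invoke-AtomicTest $Technique -TestNumbers $TestNumbers -ExecutionLogPath $LogPath
    $end = (Get-Date).ToUniversalTime()

    # 4. Revert the test's changes so repeated runs start from a clean baseline.
    Invoke-AtomicTest $Technique -TestNumbers $TestNumbers -Cleanup

    [pscustomobject]@{
        Technique    = $Technique
        TestNumbers  = ($TestNumbers -join ',')
        StartUtc     = $start.ToString('o')
        EndUtc       = $end.ToString('o')
        ExecutionLog = $LogPath
    }
}

# Usage: run the first atomic for OS Credential Dumping (T1003), then search
# Splunk or Wazuh for events between StartUtc and EndUtc on this host.
Invoke-RangeAtomic -Technique 'T1003' -TestNumbers 1
```

Keeping the `-ShowDetails` step in front of the run matters on a shared range: it prints the exact commands the atomic will execute, so you know which process, file and network artifacts to expect before you go looking for them in the SIEM, and the returned time window lets you separate the test's telemetry from whatever else the target was doing.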


Detection & OpSec Cyber Range Use Cases

  • Blue Team Use Cases of Detection & OpSec Cyber Range:
    • Blue team professionals can transfer evidence from other compromised machines into the Detection & OpSec Cyber Range for in-depth analysis, leveraging the built-in DFIR tools.
    • They can install vulnerable software of their choosing, simulate attacks on it, and analyze the resulting artifacts, gaining practical insights into threat behaviors and identifying indicators of compromise (IOCs).
    • They can utilize the verbose logs and DFIR toolset within the range to develop and refine detection rules for the identified IOCs.
    • They can use the range to develop and validate threat hunting hypotheses by emulating attack chains and investigating the associated logs and system changes.
    • They can also collect telemetry to reverse-engineer malware behavior in a controlled environment and design incident response playbooks.
  • Red Team Use Cases of Detection & OpSec Cyber Range:
    • Red team professionals can test custom-built or modified malware payloads to observe logs, process behavior, and other telemetry. This data can then be used to refine techniques and minimize detection.
  • Purple Team Use Cases of Detection & OpSec Cyber Range:
    • Blue and Red team professionals can collaborate to simulate full attack-and-detection cycles, using the Detection & OpSec Cyber Range as a shared, controlled platform for learning and innovation.
