Beat the Breach: Defend, Respond, Survive - McKay Hardy & Wes Wagstaff - DCTLV2026 **1-day Course - Friday**


Name of Training: Beat the Breach: Defend, Respond, Survive
Trainer(s): McKay Hardy and Wes Wagstaff
Dates: August 7, 2026 **1-day course**
Time: 8:00 am to 5:00 pm 
Venue: Las Vegas Convention Center
Cost: $2,250 (USD)

**Please note: This one-day training will be held Friday, August 7. Participants will receive a DEF CON Human Badge with their registration**

Short Summary:

Beat the Breach throws participants into a live, hostile enterprise compromise where nothing is scripted and outcomes depend entirely on team decisions. You'll hunt, contain, and coordinate through a real incident in motion, learning what actually breaks, what actually works, and why this feels nothing like any lab or training you've done before.

Course Description:

Beat the Breach is an immersive, live-fire incident response simulation designed to replicate the chaos, uncertainty, and pressure of a real enterprise compromise. Participants are dropped into an active breach with their own analyst workstations and must investigate, contain, and coordinate as a team while the incident evolves in real time. There are no slides, no scripted labs, and no predetermined paths; the environment adapts to participant decisions, forcing teams to confront the same ambiguity and cascading consequences found in real incidents.

Students work together in rotating roles such as SOC analyst, threat intel lead, and incident commander while navigating a fully realized enterprise environment that includes Active Directory, endpoints, applications, logs, attacker infrastructure, and adversary communications. The simulation emphasizes real-world skills (alert triage, lateral movement detection, containment tradeoffs, and crisis decision-making) while incorporating subtle gamified pressure to keep the experience intense and engaging. By the end of the course, participants walk away having experienced what most people only encounter during an actual breach, gaining instincts and confidence that can't be taught through traditional training.

Course Outline: 

Beat the Breach is not a slide-driven or lecture-based course, and therefore does not follow a traditional scripted syllabus. The training is delivered as an adaptive, live-fire simulation where participant decisions shape the sequence, timing, and intensity of events. While the environment dynamically responds to the team's actions, the course is still structured around defined phases of an enterprise cyber incident. The outline below reflects the planned progression, core learning objectives, and approximate timing of major modules; however, specific subtopics, pacing, and investigative paths vary organically based on the team's choices, just as they would during an actual breach.

This approach is intentional: this training is designed to replicate real-world incident response conditions where events do not occur in a fixed order, timelines are fluid, and teams must prioritize, adapt, and collaborate under pressure.

Module 1 - Orientation, Environment Familiarization & Scenario Launch

  • Overview of enterprise environment: AD structure, user accounts, endpoints, web assets, file servers
  • Introduction to analyst workstation: SOC dashboards, logs, alerts, investigative tools
  • Threat briefing: known indicators, executive expectations, initial intelligence
  • Rules of engagement, communication norms, team structure
  • Scenario activation: first indicators of compromise, initial alerts, early triage pressure

Module 2 - Dynamic Incident Response Simulation (Investigation, Containment & Crisis Operations)

*A continuous, adaptive module representing the core of the live-fire exercise.*

Focus areas include:

Investigation & Analysis

  • Alert triage: phishing, malware execution, suspicious authentications
  • Log analysis across multiple platforms (EDR, SIEM, network telemetry)
  • Identifying patient zero and initial attack vector
  • Lateral movement detection (SMB, RDP, MFA fatigue, token abuse)
  • Privilege escalation analysis

Containment & Defensive Actions

  • Host isolation decisions
  • Network segmentation choices
  • Blocking C2, disabling accounts, identifying persistence mechanisms
  • Evaluating containment impact and blast radius
  • Tradeoffs and consequences of containment timing

Forensic Pivoting & Threat Actor Tracking

  • Artifact collection (memory captures, malicious binaries, logs, PCAPs)
  • Infrastructure analysis: domains, servers, dark web comms
  • Correlating attacker behaviors into a timeline
  • Identifying ransomware staging behavior

Communication, Coordination & Human Factors

  • Drafting internal executive updates under time pressure
  • Managing PR exposure and responding to manipulated media
  • Engaging with mock threat actor channels
  • Team coordination: SOC <-> IR <-> CTI <-> Incident Commander
  • Decision-making under uncertainty and incomplete data

Gamified Pressure Elements (Without Sacrificing Realism)

  • Live ransomware countdown clock
  • Conditional branching events triggered by team actions
  • "Forking paths" where good decisions slow the attack, missteps accelerate it

Module 3 - Recovery, Debriefing & Playbook Development

  • Final containment and eradication decisions
  • Validating ransomware prevention or mitigation success
  • Root cause analysis and incident timeline reconstruction
  • Review of team communication patterns and decision-making loops
  • Identifying gaps in IR process, tooling, detection logic, and escalation paths
  • Building a tailored incident response playbook based on team performance
  • Delivery of post-exercise artifacts, lessons learned, and recommended improvements

Difficulty Level:

Intermediate

Intermediate Definition - The student has education and some experience in the field and familiarity with the topic being presented. The student has foundational knowledge that the course will leverage to provide practical skills on the topic.

Explanation:
This course is designed for participants who already have foundational cybersecurity knowledge and some practical experience working in enterprise or security-adjacent environments. Students are expected to be comfortable with basic security concepts, logs, systems, and investigative workflows, but do not need prior incident response specialization.

The training leverages existing knowledge and places participants into a realistic, high-pressure simulation where they apply and expand their skills through hands-on investigation, decision-making, and team coordination. Absolute beginners are not recommended, while highly experienced practitioners will still find the adaptive environment challenging due to its realism and evolving complexity.

Suggested Prerequisites:

Participants should have prior hands-on experience in cybersecurity, IT operations, or a closely related technical role. While formal incident response experience is not required, students will benefit most if they are comfortable working within enterprise environments and interpreting technical signals without step-by-step guidance.

Recommended background includes:

  • Familiarity with enterprise operating systems (Windows and Linux)
  • Basic understanding of Active Directory concepts, authentication, and user permissions
  • Experience reading and interpreting logs or alerts from security or system sources
  • General knowledge of common attack techniques (phishing, credential abuse, lateral movement)
  • Comfort working at the command line and navigating unfamiliar systems

This course is not tool-specific, and no prior knowledge of a particular vendor platform is required. Participants may optionally bring their own tools or scripts, provided they comply with applicable licensing and usage terms.

No pre-work or advance reading is required. All context necessary to engage in the simulation is provided during the course, allowing students to focus on hands-on investigation, decision-making, and team coordination from the start.

What Students Should Bring:

Everything will be provided for the students.

What the Trainer Will Provide:

Each participant will be provided a complete analyst workstation which includes laptop, mouse, keyboard.

Trainer(s) Bio:

McKay Hardy is a cybersecurity consultant with more than 13 years of hands-on experience across incident response, insider threat investigations, digital forensics, penetration testing, software development, and ICS/OT integrations. He has led and supported incident response efforts for organizations in highly regulated and operationally critical environments, bringing a practical, mission-focused approach to defending real-world systems.

Westley Wagstaff has seven (7) years of experience in security governance, risk and compliance (GRC). He has managed enterprise-level risk management and third-party risk management programs that considered the organization's risk tolerance, security risk frameworks, and legal obligations.

Registration Terms and Conditions: 

Trainings are refundable before July 11, 2026, minus a non-refundable processing fee of $250.

Between July 11, 2026 and August 5, 2026 partial refunds will be granted, equal to 50% of the course fee minus a processing fee of $250.

All trainings are non-refundable after August 5, 2026.

Training tickets may be transferred to another student. Please email us at training@defcon.org for specifics.

If a training does not reach the minimum registration requirement, it may be cancelled. In the event the training you choose is cancelled, you will be provided the option of receiving a full refund or transferring to another training (subject to availability).

Failure to attend the training without prior written notification will be considered a no-show. No refund will be given.

DEF CON Training may share student contact information, including names and emails, with the course instructor(s) to facilitate sharing of pre-work and course instructions. Instructors are required to safeguard this information and provide appropriate protection so that it is kept private. Instructors may not use student information outside the delivery of this course without the permission of the student.

By purchasing this ticket you agree to abide by the DEF CON Training Code of Conduct and the registration terms and conditions listed above.

Several breaks will be included throughout the day. Please note that food is not included.

All courses come with a certificate of completion, contingent upon attendance at all course sessions. Some courses offer an option to upgrade to a certificate of proficiency, which requires an additional purchase and sufficient performance on an end-of-course evaluation.
