Blue vs Red Bootcamp: From Attacker Playbooks to Defender Detections - Carlo Anez Mazurco & Mariana Ruiz - DCTLV2026 **4-day Course - Saturday-Tuesday**

Name of Training: Blue vs Red Bootcamp: From Attacker Playbooks to Defender Detections
Trainer(s): Carlo Anez Mazurco & Mariana Ruiz
Dates: August 8-11, 2026 **4-day Course**
Time: 8:00 am to 5:00 pm 
Venue: Las Vegas Convention Center
Cost: $4,000 (USD)

**Please note: This four-day training will be held Saturday-Tuesday (August 8-11). Participants will receive a DEF CON Human Badge with their registration**

Short Summary:

A fun, beginner‑friendly “blue vs red” immersion built with Blue Team Village (BTV) DNA: learn attacker playbooks from a defender’s perspective, then turn every step into telemetry, detections, and incident reporting with AI to accelerate triage and reasoning. The course culminates in a Project Obsidian‑style mini‑CTF (CTFd) plus a graded incident report and detections mapped to MITRE ATT&CK.

Course Description:

This four‑day, hands‑on bootcamp is built for aspiring defenders and junior analysts. Students learn the intent behind common Red Team Village‑style tradecraft (initial access → execution → movement → exfiltration), then apply the Blue Team Village workflow: collect evidence, correlate signals, and produce actionable detections and response decisions.

AI is integrated at every stage as a force multiplier: summarizing logs, proposing hypotheses, drafting detection logic, and accelerating reporting, while students validate every output against the raw evidence. The capstone uses a DEFCON 34‑inspired, Project Obsidian‑style kill chain that includes an AI chatbot abuse track (“Ghost in the Assistant”), so students practice monitoring and defending LLM/agent systems in a SOC.

Course Outline:

Day 1 – Foundations: How attacks become signals 

  • Orientation: ethics, lab access, workflow, and success criteria 
  • Core concepts: networking, identity, and common enterprise telemetry 
  • Attack-to-evidence mapping: what each tactic “looks like” in logs and network data 
  • AI-in-the-loop fundamentals: prompt patterns for triage, correlation, and analyst reasoning 
  • Lab: investigate a guided “single host + network” incident from provided artifacts; build a timeline 
  • Debrief: write a concise incident summary and key takeaways 

Day 2 – Red Team Basics: Build empathy for the adversary

  • Initial access patterns (phishing, drive‑by, credential misuse) and safe demonstrations 
  • Execution/persistence basics and what to monitor 
  • Lab: artifact analysis (process/auth/network) to reconstruct attacker steps 
  • AI lab: extract indicators/entities, propose hypotheses, and identify missing telemetry 
  • Detection engineering I: writing high-signal queries/rules; tuning false positives 
  • Checkpoint: mini knowledge check + Q&A 

Day 3 – Blue Team Ops: Hunt, detect, and respond 

  • Lateral movement and exfiltration signals (auth anomalies, SMB/RDP patterns, DNS/HTTP beacons)
  • PCAP/Zeek workflow: fast pivoting, session reconstruction, and file/hash extraction 
  • Lab: threat hunt across provided dataset; identify pivot, scope, and affected assets 
  • AI lab: clustering/correlation and drafting detection hypotheses with evidence checks 
  • Detection engineering II: convert findings into detections + response playbook steps 
  • Capstone briefing: rules, scoring, graded deliverables rubric 

Day 4 – Purple Team + Capstone CTF (Project Obsidian‑style kill chain) 

  • Capstone setup and expectations
  • CTFd mini‑CTF: investigate multiple “tickets” across the full kill chain, including an AI‑assistant prompt/agent‑injection defense challenge; points for correct findings + quality of analysis 
  • Graded deliverables: incident report + at least 2 detections (queries/rules) including one bot/LLM monitoring rule, all mapped to evidence 
  • Re-test and tune detections for signal quality; bonus points for reductions in false positives 
  • Present‑outs: short briefing to a SOC lead / manager persona 
  • Wrap‑up: take‑home lab pack + roadmap for next steps 

Difficulty Level:

Beginner - The student has an interest in the topic presented and general technology knowledge that a power user or undergraduate student may have acquired.

Suggested Prerequisites:

Required: general technology comfort (files/folders, browser, basic troubleshooting).

Helpful (not required): basic networking (IP/DNS/HTTP) and basic Linux/Windows navigation.

Pre‑work (required): a 20–30 minute environment readiness checklist (Docker/WSL2/VM) completed before Day 1.

What Students Should Bring:

A laptop capable of running labs via Docker (preferred) or a VM:

  • 16 GB RAM minimum (32 GB recommended)
  • 4‑core CPU minimum (8 cores recommended)
  • 120 GB free disk space minimum
  • Windows 11 with WSL2, macOS, or Linux
  • Docker Desktop installed (or VMware/VirtualBox)
  • Ability to import VM images and/or pull Docker containers; local admin rights strongly recommended
  • Power supply and a modern browser

What the Trainer Will Provide:

  • Prebuilt lab images and container bundles, including downloadable VM images and offline fallback artifacts for troubleshooting and post-course practice.
  • Curated investigation datasets for each module, including PCAPs, Zeek-style logs, endpoint and authentication telemetry, and capstone artifacts.
  • Student materials in PDF format, including the workbook, lab guides, cheat sheets, reporting templates, sample incident reports, and optional extra practice labs.
  • Lab access throughout the training, plus LMS access to guides, walkthroughs, and reference materials.
  • A post-training toolkit with curated open-source tools, scripts, and guided follow-on exercises for continued practice.
  • A CTFd instance for the capstone, along with a scoring rubric that rewards validated findings, analysis quality, and detection outcomes.
  • Detection engineering resources, including example Sigma rules and sample EQL/KQL queries for investigation, hunting, and alerting exercises.
  • Access to selected course repositories containing playbooks, scripts, and supporting automation used in the training.

Trainer(s) Bio:

Carlo Anez Mazurco is a Lead Cybersecurity Subject Matter Expert at DataMachines Corp with 18+ years in cyber defense, threat hunting, incident response, and security engineering. He contributes to applied AI efforts that accelerate SOC workflows, triage, correlation, detection engineering, and reporting while keeping analysts accountable to evidence.

Carlo is an active DEFCON community member: a Blue Team Village (BTV) member, DEFCON speaker (“CTI 101: Leveling Up Threat Intel with AI”), and contributor to Blue Team Village CTF engineering (Project Obsidian). His training style is practical, collaborative, and focused on turning concepts into detections and decisions students can use immediately.

Carlo is currently a Lead Cybersecurity Instructor with Educate360 / TCM Security Academy, where he teaches hands-on courses preparing students for SOC, DFIR, and penetration testing roles. His instruction emphasizes real-world telemetry, adversary tradecraft, and defender workflows.

Previously, Carlo served as a Lead Cybersecurity Instructor for the University of Michigan Nexus program for 5 years, delivering applied cybersecurity education and incorporating AI-driven learning techniques to enhance adult learning and engagement.

In addition, Carlo has supported enterprise security and cyber risk initiatives similar to IronCircle-style defensive and resilience programs. He is the creator of the IgniteCyber OpenSOC project and a core contributor to Project Obsidian, where he designs realistic Blue Team CTF kill chains using Zeek, PCAPs, identity telemetry, and AI-assisted analysis.

Mariana Ruiz de Streuhhofer is a WiCyS mentor with an M.S. in Cybersecurity (UMBC, 2024) and a Post‑Master’s Certificate in Cybersecurity Operations (UMBC, 2023). She brings hands‑on blue‑team tooling experience (Wireshark, Splunk, Suricata, Zeek, NetworkMiner, CyberChef, Nmap) and an operations mindset grounded in practical investigation workflows.

Mariana also brings extensive program and project delivery experience (Scrum Master, Product Owner, PRINCE2, ITIL, SAFe Scrum Master) and community engagement through WiCyS and ISACA volunteering, supporting smooth lab execution, troubleshooting, and consistent student feedback during hands‑on work.

Proficiency Exam Option:

This course has the option for a proficiency certificate add-on. 

Students who select the proficiency add-on complete an additional graded capstone assessment. To pass, they must achieve at least 70% on the rubric and submit all required deliverables: validated capstone findings, a concise incident report, and at least 2 functional detections, including 1 bot/LLM monitoring rule mapped to evidence from the exercise.

Students who pass receive a DEF CON Training Certificate of Proficiency. Eligible participants may also receive an IgniteCyber Academy digital badge, and top performers may be recognized with a challenge coin.

Please reach out to training@defcon.org for any questions related to the proficiency exam and certificate option.

Additional Information:

Students also receive post-training support through IgniteCyber Academy, including follow-on exercises, offline lab assets, detection engineering examples, and Discord community access to support continued practice: https://discord.gg/QCErFvmd8y

Registration Terms and Conditions: 

Trainings are refundable before July 11, 2026, minus a non-refundable processing fee of $250.

Between July 11, 2026 and August 5, 2026, partial refunds will be granted, equal to 50% of the course fee minus a processing fee of $250.

All trainings are non-refundable after August 5, 2026.

Training tickets may be transferred to another student. Please email us at training@defcon.org for specifics.

If a training does not reach the minimum registration requirement, it may be cancelled. In the event the training you choose is cancelled, you will be provided the option of receiving a full refund or transferring to another training (subject to availability).

Failure to attend the training without prior written notification will be considered a no-show. No refund will be given.

DEF CON Training may share student contact information, including names and emails, with the course instructor(s) to facilitate sharing of pre-work and course instructions. Instructors are required to safeguard this information and provide appropriate protection so that it is kept private. Instructors may not use student information outside the delivery of this course without the permission of the student.

By purchasing this ticket you agree to abide by the DEF CON Training Code of Conduct and the registration terms and conditions listed above.

Several breaks will be included throughout the day. Please note that food is not included.

All courses come with a certificate of completion, contingent upon attendance at all course sessions. Some courses offer an option to upgrade to a certificate of proficiency, which requires an additional purchase and sufficient performance on an end-of-course evaluation.