Offensive Cyber Security Operations: Mastering Breach and Adversarial Attack Simulation Engagements - Abhijith “Abx” B R - DCTLV2026
Name of Training: Offensive Cyber Security Operations: Mastering Breach and Adversarial Attack Simulation Engagements
Trainer(s): Abhijith "Abx" B R
Dates: August 10-11, 2026
Time: 8:00 am to 5:00 pm
Venue: Las Vegas Convention Center
Cost: $2,500 (USD)
Short Summary:
Master advanced breach and adversary attack simulation techniques in a guided, defended lab covering real-world TTPs from initial access through exfiltration, with telemetry correlation and step-by-step modules. Build custom ransomware scenarios, run full breach simulations, and convert detection gaps into actionable improvements. Participants who pass the proficiency exam earn a proficiency certificate validating their ability to design and execute enterprise-grade breach simulations.
This is an updated version of the CBAS training program, with Cobalt Strike used extensively as the primary C2 framework. New modules cover additional defense evasion, cloud adversary simulation, supply chain attack simulation, further control validation exercises, and AI-assisted adversary simulation, including the use of AI systems to generate payloads, build ransomware campaigns and run autonomous attack simulations.
Course Description:
This hands-on training is designed to give participants a working understanding of offensive security operations and of advanced breach and adversary simulation engagements. The goal is to enable participants to simulate the adversaries relevant to their organization's industry, both known and unknown. This release is an updated version of the CBAS training program, with Cobalt Strike used extensively as the primary command-and-control framework across the lab exercises, and it also covers the use of AI in offensive cyber security operations.
Participants will learn to emulate various threat actors safely in a controlled, enterprise-level environment. Beyond offensive tradecraft and TTPs, participants will gain insight into how adversaries operate, build custom ransomware simulation capabilities, execute dynamic adversary simulation plans, and test, validate and improve their own organization's cyber defenses.
This iteration introduces new modules covering defense evasion, cloud adversary simulation, supply chain attack simulation, and a range of control validation exercises. AI-assisted adversary simulation is integrated throughout: participants will use AI systems to generate payloads, build evasive tooling, and orchestrate full ransomware campaigns end to end.
Performing such attack simulation engagements not only sharpens offensive skills but also enables defenders to proactively identify gaps, assess detection capabilities, and build a more resilient security posture.
This training is designed to benefit both offensive and defensive security professionals. Offensive practitioners will enhance their red teaming and simulation planning expertise, while defensive professionals such as SOC analysts, detection engineers, and blue teamers will gain visibility into attacker behaviors, understand real-world evasion techniques, and learn how to harden their environments more effectively.
All machines in the lab environment are equipped with AV, web proxies, EDR, and other defense systems. The training management platform provides modules and videos for each attack vector used in the lab, alongside a step-by-step walkthrough of the attack paths, so that participants can correlate each attack technique with defensive telemetry and response opportunities.
Participants get access to a breach simulation lab range where they perform a full red team attack simulation scenario in guided mode. Each step of the attack chain is explained along with the TTPs used, from initial access to exfiltration.
Course Outline:
1. Taking the first step: Understanding the fundamentals.
- Introduction to offensive cyber security operations
- Adversary Emulation vs Adversary Simulation vs Red Teaming vs Purple Teaming
- definition, scope, use cases, guidelines
- Assessing return on investment (ROI) for cyber defense products
- Introduction to Breach and attack simulation (BAS) platforms
- Evolution of threat actors: state-sponsored, criminal groups, hacktivists, insider attacks; motivation and capability mapping
- Cyber threat intelligence, threat-informed defense, cyber defense systems, blue teams and the importance of purple teaming
- Frameworks and standards: MITRE ATT&CK matrix (updated to v19), Cyber Kill Chain, Diamond Model, Pyramid of Pain, MITRE D3FEND, MITRE ATT&CK Navigator and custom layers.
- Adversarial Exposure Validation (AEV) and Continuous Adversary Exposure Validation
- Breach Simulation Engagement scoping, rules of engagement, legal considerations
- How to successfully build an offensive security team in your organization to perform breach and adversary attack simulation engagements
2. Introduction to adversary emulation engagements
- Kicking off Adversary emulation engagements in your organization
- Collecting actionable cyber threat intelligence from public sources
- AI-assisted CTI processing: collecting, analyzing, and operationalizing threat intel into adversary emulation plans using LLMs
- Identifying and selecting TTPs to emulate, building an emulation plan
- Performing adversary emulation engagements to test cyber defenses; testing endpoint security controls with adversary emulation techniques
- Various open-source and commercial projects for effective emulation of threats (only a few tools and products are mentioned in the outline)
- Adversary emulation with Atomic Red Team: executing Atomic Red Team tests, prerequisites, air-gapped network execution, customization
- Adversary emulation with MITRE Caldera: deploying Caldera in your organization's environment, emulating known threat actors with Caldera, customizing Caldera, building custom abilities and operations
- Adversary emulation with VECTR: using VECTR for adversary emulation planning, execution, generating reports and documentation, purple teaming
- Adversary emulation with the RedTeamSimmer project: orchestrating adversary emulation through RedTeamSimmer, executing Atomic Red Team cases remotely, building and contributing new test cases to the framework
- Manual adversary emulation exercises for various threat-actor and adversary groups. Building targeted adversary emulation plans for testing various security controls within the organization
- Building technique emulation binaries with AI, scoped binary generation for grouped technique execution
- Target OS based emulation plans for Windows, macOS, and Linux. Platform-specific TTPs, telemetry differences, tooling, emulation plans
3. Breach and adversary simulation
- Introducing Breach and adversary simulation range lab environment
- Adversary and red team infrastructure
- Building efficient adversary infrastructure: this module gives an overview of building production-ready red team infrastructure to bypass and validate the defenses of your organization.
- redirectors, domain fronting, malleable profiles, operator OPSEC, payload servers.
- Command and Control
- Cobalt Strike C2 101 and advanced use cases, Malleable C2 profiles, BOFs, aggressor scripts, External C2
- Open-source C2 frameworks: Mythic, Havoc, AdaptixC2, Sliver; comparison, infrastructure build, pros and cons
- Building adversary infrastructure for Cobalt Strike C2 and open-source C2 frameworks for internal operations
- Breach and attack simulation guided walkthrough
- The lab provides a replica of an enterprise environment along with its security controls. Each phase of the attack path in the red team lab is demonstrated as a guided lab walkthrough.
- Command and control (C2); gaining initial access to the environment: ClickFix, browser-in-the-browser, OAuth consent phishing, container abuse, etc.
- Persistence and privilege escalation, defense evasion to execute payloads, credential harvesting, internal recon and discovery, lateral movement techniques, data collection and exfiltration channels.
- Manual threat actor, adversary group and APT dynamic simulation with Cobalt Strike C2
- Along with the hands-on simulation range, the following modules will also be covered. There will be a full dynamic attack chain walkthrough of Active Directory infrastructure in a defended environment.
- Simulating common Active Directory attacks: recon, Kerberoasting, unconstrained/constrained delegation, Silver/Golden tickets, ADCS abuse, DCSync, lateral movement, credential access, bypassing common AD security configurations and defenses; Microsoft Entra ID: Entra Connect compromise, pass-through authentication abuse, token theft, conditional access bypass, etc.
- Testing endpoint security controls; simulating defense evasion techniques and tools (SysWhispers, AMSI and ETW bypass, process injection variants, custom shellcode loaders, P/Invoke and D/Invoke, direct/indirect syscalls, Hell's Gate, Tartarus' Gate, module stomping, thread name spoofing, call stack spoofing, and more); EDR bypass simulation techniques
- Building a collection of operational tools and techniques for effective defense evasion gap testing
- LOLBINs and LOLBAS: cataloguing, simulating use cases, building detections from emulation telemetry; BYOVD attacks: vulnerable driver catalogues, EDR-killer simulations, building a BYOVD emulation plan from scratch
- Building binaries with an AI-assisted, custom-made shellcode loader generation framework for defense evasion testing
- Cobalt Strike defense evasion exercises: User-Defined Reflective Loaders (UDRL), Beacon tuning, sleep masks, in-memory execution techniques, etc.
- Using adversary simulation to test and assess AV and EDR systems; security control validation, simulating data exfiltration, reporting and correlation with SIEM systems.
- Adversary simulation against email security controls - payload delivery and bypass testing
- Adversary simulation against web proxies and SWGs - C2 payload delivery and data exfiltration channel testing
- Cloud infrastructure adversary emulation and dynamic simulation for AWS, Azure and GCP
- Supply chain attack simulation with npm/PyPI/GitHub compromise scenarios (In a controlled environment)
- SIEM correlation, alert tuning, detection gap reporting; continuous adversary exposure validation in practice: scheduled emulation, automated payload execution
- Incident response plans and validating them with adversary simulation exercises
- Intro to adversary attack simulation against AI systems and AI agents; mapping AI-system attacks to the OWASP LLM Top 10 and MITRE ATLAS
4. Ransomware Simulation [1 hour]
- Emulating ransomware in a controlled environment; custom-built ransomware simulation for assessing endpoint security controls and defense systems.
- AI-assisted ransomware simulation, per-engagement payload variants, threat actor specific TTP chaining exercises; how threat actors use AI in real ransomware operations and how to emulate them.
- Building a ransomware simulation platform from scratch: architecture, BOFs for encryption simulation, double-extortion modelling, backup destruction, data wiper simulation
- Adding guardrails and controlled execution
- APT-style ransomware simulation
5. AI in Offensive Operations
- The state of AI use in offensive operations, Writing and porting exploits and emulation scenarios using AI agents.
- Building an AI agent system for AI assisted adversary emulation - agent architecture, tool integration, sandboxing, security controls and guardrails. AI assisted malware and technique-emulation binary development.
- Designing, building and executing an AI-assisted breach and adversary simulation exercise
6. Cyber defense teams: Launching your first purple teaming exercise
- Connecting the dots from the previous modules to perform a purple team engagement
- Frameworks, standards, and prerequisites
- Carrying out a purple team engagement in your organization
- Planning, execution, collaborative analysis, detection engineering, reporting and presentation.
- Defensive implications and detecting AI-generated artefacts in your environment
- Detection engineering and detection-as-code, Mapping TTPs to detections using DeTT&CT and Sigma
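As an added illustration of the workflow this module ends on, the following script is an example written for this outline; it is not course material and not code from the trainer or the lab platform. It ties together three items from the outline: extracting ATT&CK technique IDs from the tags of Sigma rules, correlating an executed simulation plan with SIEM alerts to report detection gaps, and writing the result out as an ATT&CK Navigator custom layer for the purple team debrief. The two Sigma rules, the execution log and the alert lines are constructed for the example; the 10-minute correlation window and the version strings in the layer are assumptions.

```python
"""Correlate an executed adversary simulation plan with SIEM alerts, report
detection gaps, and emit an ATT&CK Navigator layer for the purple team debrief.
Added example; the rules, execution log and alerts below are constructed."""
import json
import re
from datetime import datetime, timedelta

# Constructed Sigma rules, trimmed to the fields the correlation needs.
SIGMA_RULES = {
    "win_ps_encoded_cmd": """
title: Encoded PowerShell Command Line
detection:
    selection:
        Image|endswith: '\\powershell.exe'
        CommandLine|contains: ' -enc '
    condition: selection
tags:
    - attack.execution
    - attack.t1059.001
    - attack.defense_evasion
    - attack.t1027
""",
    "win_kerberoast_rc4": """
title: Kerberos TGS Request With RC4 Encryption
detection:
    selection:
        EventID: 4769
        TicketEncryptionType: '0x17'
    condition: selection
tags:
    - attack.credential_access
    - attack.t1558.003
""",
}

# Constructed execution log from the simulation plan: technique, target host, time.
EXECUTED = [
    {"technique": "T1059.001", "host": "WS01", "ts": "2026-08-10T09:12:00"},
    {"technique": "T1558.003", "host": "WS01", "ts": "2026-08-10T09:40:00"},
    {"technique": "T1003.006", "host": "DC01", "ts": "2026-08-10T10:05:00"},  # DCSync
    {"technique": "T1021.002", "host": "FS01", "ts": "2026-08-10T10:30:00"},  # SMB lateral movement
]

# Constructed SIEM alert export, one JSON object per line.
ALERT_LINES = [
    '{"ts":"2026-08-10T09:12:04","host":"WS01","rule":"win_ps_encoded_cmd"}',
    '{"ts":"2026-08-10T09:41:10","host":"WS01","rule":"win_kerberoast_rc4"}',
    '{"ts":"2026-08-10T11:00:00","host":"WS01","rule":"win_ps_encoded_cmd"}',  # outside any window
]

# Sigma tag convention: attack.t1059.001 (technique), attack.t1027 (technique), attack.execution (tactic).
TECH_RE = re.compile(r"attack\.(t\d{4}(?:\.\d{3})?)", re.IGNORECASE)


def attack_ids_from_sigma(rule_text):
    """Return the ATT&CK technique IDs (e.g. T1059.001) a Sigma rule is tagged with."""
    tags_block = rule_text.split("tags:", 1)[1] if "tags:" in rule_text else ""
    return sorted({m.group(1).upper() for m in TECH_RE.finditer(tags_block)})


def correlate(executed, alert_lines, rules, window_minutes=10):
    """Mark an executed technique as detected if a rule tagged with it fired on the
    same host within window_minutes after execution; everything else is a gap."""
    rule_techs = {name: set(attack_ids_from_sigma(text)) for name, text in rules.items()}
    alerts = [json.loads(line) for line in alert_lines]
    report = []
    for step in executed:
        t0 = datetime.fromisoformat(step["ts"])
        hits = {
            a["rule"] for a in alerts
            if a["host"] == step["host"]
            and step["technique"] in rule_techs.get(a["rule"], set())
            and t0 <= datetime.fromisoformat(a["ts"]) <= t0 + timedelta(minutes=window_minutes)
        }
        report.append({**step, "detected": bool(hits), "rules": sorted(hits)})
    return report


def coverage(report):
    """Fraction of executed techniques that produced at least one matching alert."""
    return sum(1 for r in report if r["detected"]) / len(report) if report else 0.0


def navigator_layer(report, name="Breach simulation debrief"):
    """Build an ATT&CK Navigator layer: detected techniques score 1, gaps score 0."""
    techniques = []
    for r in report:
        note = "detected by " + ", ".join(r["rules"]) if r["detected"] else "executed, no alert"
        techniques.append({"techniqueID": r["technique"], "score": int(r["detected"]), "comment": note})
    return {
        "name": name,
        "versions": {"attack": "19", "navigator": "5.1.0", "layer": "4.5"},  # assumed versions
        "domain": "enterprise-attack",
        "gradient": {"colors": ["#ff6666", "#66ff66"], "minValue": 0, "maxValue": 1},
        "techniques": techniques,
    }


if __name__ == "__main__":
    result = correlate(EXECUTED, ALERT_LINES, SIGMA_RULES)
    for r in result:
        print(f"{r['technique']:<10} {r['host']:<5} {'DETECTED' if r['detected'] else 'GAP'} {','.join(r['rules'])}")
    print(f"coverage: {coverage(result):.0%}")
    print(json.dumps(navigator_layer(result), indent=2))
```

Run as-is, the script reports the encoded PowerShell and Kerberoasting steps as detected, the DCSync and SMB lateral movement steps as gaps (50% coverage), and prints a layer that can be loaded into ATT&CK Navigator to colour detected versus undetected techniques. The host-and-time-window join matters: the third alert fires on the right host for the right rule but an hour later, so it is correctly not credited to the simulation step. In a real engagement the gap entries are the input to the "create custom rules for undetected techniques" step, after which the same correlation is re-run against the re-test.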
7. Capture the flag competition and badges
- CTF competition for the participants
- Challenge coins
- CBAS digital badges
Difficulty Level:
Beginner to Advanced
Beginner Definition - The student has an interest in the topic presented and general technology knowledge that a power user or undergraduate student may have acquired.
Intermediate Definition - The student has education and some experience in the field and familiarity with the topic being presented. The student has foundational knowledge that the course will leverage to provide practical skills on the topic.
Advanced Definition - The student is expected to have significant practical experience with the tools and technologies that the training will focus on.
Suggested Prerequisites:
Basic understanding of offensive security tradecraft and adversary emulation
What Students Should Bring:
A Windows or Linux laptop with at least 16 GB of RAM, and internet access
What the Trainer Will Provide:
- Course material (PDF)
- Lab access, training portal access to lab guides
- Certified Breach and Adversarial Attack Simulation Specialist (CBAS) certification – DEF CON Edition (proficiency exam required)
- Digital badges and challenge coins (proficiency exam required)
- Custom malware/ransomware simulation/loaders and payloads code samples, Access to private code repositories
- Adversary simulation plans and playbooks
- Downloadable VM images for offline practice
- Detection engineering resources (Sigma rules, EQL/KQL queries)
- Reporting templates and sample reports
- Post-training reference toolkit and exercises (curated open-source tools and scripts)
- One year of training portal access to continuously updated lab guides, training materials, and code samples.
Trainer(s) Bio:
Abhijith B R, also known by the pseudonym Abx, has more than a decade of experience in the offensive cyber security industry, serves as the Director of BreachSimRange, and Founder of Adversary Village.
He is a professional hacker, offensive cyber security specialist, red team consultant, security researcher, trainer and public speaker.
Currently, he is building BreachSimRange.io as the Founder and Director and is involved with multiple organizations as a consulting specialist to help them build offensive cyber security operations programs, improve their current security posture, assess cyber defense systems, and bridge the gap between business leadership and security professionals.
In the past, he led the offensive security team at Envestnet, Inc., held the position of Deputy Manager - Cyber Security at Nissan Motor Corporation, and prior to that, he worked as a Senior Security Analyst at EY.
As the founder of Adversary Village (https://adversaryvillage.org/), Abhijith spearheads a community initiative focused on adversary simulation, adversary-tactics, purple teaming, threat actor/ransomware research-emulation, and offensive cyber security. Adversary Village is part of DEF CON Villages and organizes hacking villages at prominent events such as the DEF CON Hacking Conference, RSA Conference etc.
Abx also acts as the Lead of an official DEF CON Group named DC0471. He is actively involved in leading the Tactical Adversary project (https://tacticaladversary.io/), a personal initiative that centers around offensive cyber security, adversary attack simulation and red teaming tradecraft.
Abhijith has spoken and delivered trainings at various hacking and cyber security conferences, including DEF CON - Las Vegas, RSA Conference - San Francisco, The Diana Initiative - Las Vegas, DEF CON 28 Safe Mode - DCG Village, Opensource India, Security BSides Las Vegas, BSides San Francisco, BSides Tampa, Hack Space Con - Kennedy Space Center, Florida, Nullcon - Goa, c0c0n - Kerala, BSides Delhi, DEF CON Singapore, etc.
Proficiency Exam Option:
This course has the option for a proficiency certificate add-on.
Exam Format: Practical, hands-on lab assessment
Time Allowed: 90 minutes
Passing Criteria: Minimum 70% overall performance
Exam attempts: 2
Students are required to design and execute a custom, realistic attack simulation plan against a controlled enterprise lab with EDR, SIEM, AV, and other defenses. One scenario must be selected from a set of predefined offensive and red team scenarios and approved by the trainer before execution.
The exam is divided into three parts:
- Design and building: build a real-world attack simulation plan using custom payloads and procedures. The plan must be submitted to and approved by the trainer before execution.
- Execution and correlation: execute the adversary simulation plan, correlate SOC/EDR/SIEM telemetry, map detections, document gaps, and create custom rules for undetected techniques.
- Re-test and validation: re-execute the attack with the defensive improvements applied. At least 70% of the previously executed attacks must now be prevented to demonstrate improved detection and defensive capability.
The final report is reviewed and assessed by the trainer against predefined scoring criteria. The objective of the exam is to ensure students can both attack and defend: validating defenses from an offensive perspective, closing detection gaps, and strengthening overall resilience. Passing the training and proficiency exam confirms that students can carry out advanced breach simulations and strengthen organizational cyber defenses.
Please reach out to training@defcon.org for any questions related to the proficiency exam and certificate option.
Registration Terms and Conditions:
Trainings are refundable before July 11, 2026, minus a non-refundable processing fee of $250.
Between July 11, 2026 and August 5, 2026, partial refunds will be granted, equal to 50% of the course fee minus a processing fee of $250.
All trainings are non-refundable after August 5, 2026.
Training tickets may be transferred to another student. Please email us at training@defcon.org for specifics.
If a training does not reach the minimum registration requirement, it may be cancelled. In the event the training you choose is cancelled, you will be provided the option of receiving a full refund or transferring to another training (subject to availability).
Failure to attend the training without prior written notification will be considered a no-show. No refund will be given.
DEF CON Training may share student contact information, including names and emails, with the course instructor(s) to facilitate sharing of pre-work and course instructions. Instructors are required to safeguard this information and provide appropriate protection so that it is kept private. Instructors may not use student information outside the delivery of this course without the permission of the student.
By purchasing this ticket you agree to abide by the DEF CON Training Code of Conduct and the registration terms and conditions listed above.
Several breaks will be included throughout the day. Please note that food is not included.
All courses come with a certificate of completion, contingent upon attendance at all course sessions. Some courses offer an option to upgrade to a certificate of proficiency, which requires an additional purchase and sufficient performance on an end-of-course evaluation.