What is HackTheBox Certified Defensive Security Analyst (CDSA)

The HackTheBox Certified Defensive Security Analyst (CDSA) is a certification offered by HackTheBox that validates a professional’s skills in defensive security, incident response, and threat detection. It’s designed to test practical, hands-on abilities in identifying, analyzing, and mitigating threats in realistic environments, focusing on the capabilities required of security analysts working in Security Operations Centers (SOCs) and other defense-oriented roles.

Target Audience

The certification is ideal for cybersecurity professionals looking to strengthen their blue team skills. This includes roles like SOC analysts, threat hunters, and incident responders. It’s also beneficial for anyone involved in security monitoring, log analysis, and security operations.

Exam Structure

The HackTheBox CDSA certification exam typically involves a hands-on lab environment where candidates must respond to incidents and analyze threats. Some key elements include:

  • Time-Bound Exam: 7 days long
  • Lab-Based Challenges: The exam consists of challenges simulating real-world threats, often including network traffic analysis, endpoint investigation, and log analysis.
  • Reporting and Documentation: Candidates are required to document their findings, explain their analysis, and provide mitigation recommendations, mirroring real-world incident response documentation.

About HTB CDSA Exam

The HackTheBox CDSA certification tests a broad set of defensive skills, including:

  1. Threat Detection and Analysis
    • Identifying indicators of compromise (IoCs) and malicious activity within network traffic, logs, and endpoint behavior.
    • Using tools to detect threats, understand how they operate, and evaluate their impact on the system.
  2. Incident Response
    • Applying incident response principles, including identifying and containing threats, investigating their scope, and mitigating their effects.
    • Understanding the incident response lifecycle and documenting findings throughout the process.
  3. Log Analysis and Forensics
    • Analyzing logs from multiple sources (e.g., Windows Event Logs, network logs, firewall logs) to identify malicious actions and trace attack vectors.
    • Using log analysis to perform root cause analysis and track attacker movements.
  4. Network and Endpoint Monitoring
    • Monitoring network traffic for anomalies using tools like Wireshark, Zeek, or other network monitoring solutions.
    • Detecting unusual behavior on endpoints, such as suspicious processes, file modifications, or registry changes.
  5. Threat Hunting
    • Proactively searching for threats within the environment by creating and executing hypotheses.
    • Using tools like Sysmon and endpoint monitoring solutions to gather data and hunt for IoCs and attacker techniques.
  6. SIEM and Detection Engineering
    • Configuring and using a Security Information and Event Management (SIEM) tool to aggregate and analyze security data.
    • Writing detection rules and alerts to identify threats and anomalous activity in real time.

How to Prepare for HTB CDSA Exam

To prepare for the CDSA, candidates should focus on practical, hands-on learning and defensive skills development:

  1. HackTheBox Labs and Challenges
    • HackTheBox offers labs specifically geared toward defensive security, such as endpoint monitoring, log analysis, and threat hunting challenges.
  2. SIEM and Log Analysis Tools
    • Familiarize yourself with SIEM tools like Splunk or the ELK Stack for aggregating and analyzing logs.
    • Practice analyzing logs from different sources (e.g., Sysmon logs, firewall logs) and creating detection rules.
  3. Network Traffic Analysis Tools
    • Learn to use tools like Wireshark, tcpdump, and Zeek to capture and analyze network traffic. Understanding common network attack patterns and traffic anomalies is crucial.
  4. Incident Response Knowledge
    • Understand the incident response lifecycle and practice with incident response frameworks, such as the NIST Incident Response Framework.
    • Practice documenting and reporting incident findings, which is an essential part of the exam.
  5. Proactive Threat Hunting Skills
    • Use tools like Sysmon and YARA to perform threat hunting on Windows and Linux endpoints.
    • Develop hypotheses for threat hunting and use logs and forensic data to validate them.
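The hunting and detection-rule practice described above boils down to turning a hypothesis into logic that runs over log records. As an added example (not material from the page, HackTheBox or the CDSA course), here is a small hypothesis-driven hunt over constructed Sysmon Event ID 1 (process creation) records: the hypothesis is that a phishing document launched a script interpreter, and two rules encode it. The field names mirror Sysmon's (`Image`, `ParentImage`, `CommandLine`), but the event records, host name and command lines are invented for the example.

```python
"""Hypothesis-driven detection over Sysmon Event ID 1 records.

Added example, not from the page. The records in SAMPLE_EVENTS are hand-made
for illustration; the rule names are arbitrary labels chosen here.
"""
import re
from dataclasses import dataclass

# Hypothesis: a malicious document spawned a script host.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe",
                "wscript.exe", "cscript.exe", "mshta.exe"}

# Short and long forms of PowerShell's encoded-command switch, as a whole token.
ENCODED_SWITCH = re.compile(r"(?i)(^|\s)-(e|ec|enc|encodedcommand)\s")


@dataclass
class Finding:
    rule: str
    host: str
    image: str
    parent_image: str
    command_line: str


def basename(path: str) -> str:
    """Last path component, lower-cased, tolerant of either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(event: dict) -> list:
    """Apply both rules to one Sysmon record; non-process-creation events are ignored."""
    findings = []
    if event.get("EventID") != 1:
        return findings
    image = basename(event["Image"])
    parent = basename(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "")
    common = dict(host=event["Computer"], image=image,
                  parent_image=parent, command_line=cmd)

    # Rule 1: an Office application is the parent of a script host.
    if parent in OFFICE_PARENTS and image in SCRIPT_HOSTS:
        findings.append(Finding("office_spawns_script_host", **common))

    # Rule 2: PowerShell started with an encoded command line.
    if image in {"powershell.exe", "pwsh.exe"} and ENCODED_SWITCH.search(cmd):
        findings.append(Finding("powershell_encoded_command", **common))
    return findings


def hunt(events: list) -> list:
    """Run detect() over a batch of records and flatten the findings."""
    return [f for e in events for f in detect(e)]


# Constructed records (not real telemetry). Only the fields the rules use are kept.
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "WS01",
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "chrome.exe --profile-directory=Default"},
    {"EventID": 1, "Computer": "WS01",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": "powershell.exe -NoP -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0A"},
    {"EventID": 1, "Computer": "WS01",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "powershell.exe -NoProfile -Command Get-Service"},
    {"EventID": 1, "Computer": "WS01",
     "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "CommandLine": "cmd.exe /c whoami"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f.rule}: {f.parent_image} -> {f.image} | {f.command_line}")
```

The second record trips both rules and the fourth trips only the parent-child rule; the scheduled-task-style PowerShell in the third record is left alone because the encoded switch is matched as a whole token, so a switch such as `-ExecutionPolicy` does not cause a false positive. In a SIEM the same two conditions would become a correlation rule keyed on `ParentImage` and `CommandLine`.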

Machines to Practice

1. Blue Team Labs

  • Windows Event Logs: Practice analyzing Windows Event logs to detect malicious behaviors, including suspicious logons, process creation, and registry modifications.
  • Splunk Fundamentals: A lab focused on using Splunk for log aggregation, analysis, and correlation—essential for incident response and SOC operations.
  • Wireshark Essentials: Hands-on practice in network traffic analysis to identify anomalies, detect threats, and understand network packet structures.
  • Zeek (Bro) Network Security Monitor: This lab focuses on using Zeek (formerly known as Bro) for network monitoring and incident detection. Zeek logs are often used for network threat hunting and analysis.
  • Sysmon Essentials: Provides experience in monitoring endpoint activities using Sysmon, which logs detailed information about process creation, network connections, and file modifications.

2. HTB Academy Modules

HTB Academy has modules specifically designed for defensive security skills. Some recommended ones include:

  • Log Analysis Basics: Focuses on understanding logs from various sources (e.g., Windows, Linux) and analyzing them for security incidents.
  • Incident Response Fundamentals: Covers the incident response lifecycle, from preparation to recovery and lessons learned.
  • Endpoint Security and Monitoring: This module includes labs on monitoring endpoints and using tools like OSQuery for proactive threat detection.
  • SIEM Basics with Elastic Stack: Provides hands-on practice with the ELK Stack, which is valuable for log management, threat detection, and incident response.

3. HackTheBox Blue Team Machines

HackTheBox machines offer environments that simulate real-world security challenges. Here are some machines aligned with blue team skills:

  • Dancing: Focuses on analyzing compromised Linux logs to find unauthorized access and isolate attack patterns. It emphasizes log analysis and root cause determination.
  • RouterSpace: Involves detecting suspicious network activity and discovering the extent of a security breach. This machine is excellent for network traffic analysis and log correlation.
  • Cuckoo: A machine that requires basic malware analysis skills. It provides an opportunity to investigate a system infected with malware, gather IoCs, and conduct static and dynamic malware analysis.
  • Entropy: Focuses on analyzing a compromised web server, requiring skills in log analysis and vulnerability detection.
  • Knife: This machine tests your ability to spot misconfigurations and insecure application setups commonly exploited in real-world attacks, which you can then correlate with system logs for defensive insights.

4. Pro Labs for Advanced Blue Team Skills

  • Rastahack: Offers a larger environment with multiple systems that simulate a small organization’s network, allowing for complex incident detection and response exercises.
  • Fortress: A Pro Lab designed to simulate a full-scale enterprise network with multiple machines. The lab includes various network configurations and an AD environment, which can be used to practice real-world defensive skills, including network defense, host monitoring, and log analysis.

Get a Copy of HackTheBox Certified Defensive Security Analyst (CDSA) Study Notes

Table of contents:

– About The Exam

– Exam Objectives

– HTB Machines and Materials For Preparation

– Necessary Tools To Understand

– Additional Tips To Pass

– Module 1: Incident Response

– Module 2: Cyber Threat Intelligence

– Module 3: Log Analysis Essentials

– Module 4: Network Traffic Analysis

– Module 5: Endpoint Security and Monitoring

– Module 6: SIEM and Detection Engineering

Page Count: 738

Format: PDF + Markup

Testimonials (LinkedIn)

How to buy the study notes?

You can buy the booklet directly by clicking on the button below

HackTheBox Certified Defensive Security Analyst (CDSA) Study Notes

After you buy the booklet, you will be able to download the PDF booklet along with the markup files if you want to import them to Obsidian software.

HTB CDSA vs BTL1

1. Certification Overview

HackTheBox CDSA (Certified Defensive Security Analyst)

  • Focus: Intermediate-level defensive security skills in real-world scenarios.
  • Content: Covers key blue team skills such as threat detection, log analysis, network and endpoint monitoring, and incident response.
  • Target Audience: Security professionals, SOC analysts, incident responders, and those looking to work in defensive security roles.
  • Goal: Prove capability in analyzing, identifying, and responding to threats in complex, hands-on environments.

Blue Team Level 1 (BTL1)

  • Focus: Foundational blue team skills, with a strong emphasis on entry-level security analysis and monitoring tasks.
  • Content: Covers core defensive security skills such as understanding network traffic, endpoint security, basic threat detection, and SIEM fundamentals.
  • Target Audience: Individuals new to defensive security, entry-level SOC analysts, IT professionals looking to transition into cybersecurity.
  • Goal: Build a foundational understanding of defensive security principles and validate essential blue team skills.

2. Exam Format and Difficulty

HTB CDSA

  • Format: Lab-based, hands-on exam in a complex environment with scenario-based challenges.
  • Difficulty: Intermediate level, requiring familiarity with real-world defensive security concepts, tools, and analysis.
  • Time and Structure: Typically, the exam has a set time limit (7 days) and requires solving a series of challenges that simulate real-world incidents.
  • Scope: Includes analysis of network traffic, incident response workflows, endpoint monitoring, and forensic investigation. Candidates must analyze logs, detect threats, and document findings.

BTL1

  • Format: Challenge-based exam with practical exercises covering foundational skills.
  • Difficulty: Beginner-friendly, designed to introduce key concepts in a manageable, step-by-step format.
  • Time and Structure: Often structured around straightforward tasks that test basic blue team concepts and skills.
  • Scope: Focuses on understanding basic network security, monitoring, and log analysis. Less emphasis on complex incident response or forensic skills compared to CDSA.

3. Skills Tested

HTB CDSA

The CDSA certification tests advanced blue team skills in areas such as:

  • Threat Detection and Analysis: Identifying IoCs and malicious activity in network traffic and logs.
  • Incident Response: Applying incident response principles and documenting findings in a structured manner.
  • Log Analysis and Forensics: Analyzing logs from various sources (e.g., Sysmon, firewall, endpoint) to track attack vectors.
  • Network and Endpoint Monitoring: Using tools like Wireshark, Sysmon, or SIEMs to monitor network and endpoint behavior.
  • Threat Hunting: Proactively searching for indicators of compromise and applying techniques like YARA for malware identification.

BTL1

The BTL1 certification covers essential defensive security skills, including:

  • Basic Threat Detection: Recognizing common indicators of compromise and understanding malware behaviors.
  • Log Analysis Basics: Introducing log analysis from basic sources such as Windows Event Logs or firewall logs.
  • Network Monitoring Basics: Understanding network protocols and traffic flow, with limited focus on advanced network forensic analysis.
  • Foundational SIEM Skills: Basic experience with a SIEM for aggregating logs, creating simple alerts, and identifying suspicious activity.
  • Endpoint Security Fundamentals: Introduction to endpoint security practices, process monitoring, and minimal threat-hunting activities.

4. Preparation and Study Resources

HTB CDSA Preparation

To prepare for the CDSA, candidates typically need hands-on experience in defensive security environments, including:

  • HackTheBox Blue Team Labs: Labs like Sysmon Essentials, Windows Event Logs, and network traffic analysis.
  • SIEM Tools and Log Analysis: Familiarity with tools like Splunk, the ELK Stack, and understanding how to use Sysmon, Wireshark, and Zeek for threat detection.
  • Incident Response Training: Knowledge of incident response frameworks (e.g., NIST), documentation, and reporting is essential.

BTL1 Preparation

BTL1 preparation focuses on building a foundation in defensive security skills:

  • HackTheBox Academy Modules: Modules like Introduction to Defensive Security, Windows Event Logs, and Network Traffic Basics.
  • Basic SIEM Use: Exposure to SIEM tools and understanding log aggregation, simple filtering, and alerting.
  • Blue Team Basics: Foundational knowledge of network protocols, common security tools, and defensive concepts.

5. Career Impact and Value

HTB CDSA

  • Target Roles: SOC analysts, incident responders, blue team analysts, and threat hunters in intermediate to advanced positions.
  • Career Impact: The CDSA serves as a respected certification for validating practical, intermediate-level blue team skills. It demonstrates the ability to handle real-world threats, making it suitable for mid-level roles in SOCs and blue team operations.

BTL1

  • Target Roles: Entry-level SOC analysts, junior blue team members, IT professionals transitioning into security.
  • Career Impact: BTL1 is valuable for those new to defensive security, as it covers the fundamental skills needed for entry-level positions. It serves as a stepping stone for further training and advanced certifications like the CDSA.

What about the notes updates?

If you have been watching my YouTube channel, you definitely know that those who subscribe to the second tier of my channel membership instantly get access to a vast catalog of cybersecurity, penetration testing, digital marketing, system administration and data analytics notes for $10, along with the ability to receive all notes updates as long as they are subscribed. So what does that mean?

This means that if you want to stay up to date with the changes and updates to the notes and get access to other categories, I encourage you to join the second tier of the channel membership instead. However, if you are fine with downloading the current version of this section of the notes, then you can buy this booklet instead for a one-time payment.

Will the prices of this booklet change in the future?

Once another version of this booklet is released, which it will be, the price will change slightly, as the booklet will include more content, notes and illustrations.

Free Blue Team & SOC Training

Check out the playlist below on my YouTube channel for free Blue Team & SOC training.