Wall of Sheep Hands-on Threat Hunting - Brian Markus, Matt Tiner, Ian Foster, Ernest Linchangco - DCSG2026
Description
Name of Training: Wall of Sheep Hands-on Threat Hunting
Trainer(s): Brian Markus, Matt Tiner, Ian Foster, and Ernest Linchangco
Dates: April 26-27, 2026
Time: TBD
Venue: Marina Bay Sands
Early Bird Cost: $3,650 SGD
Early bird price valid until February 8, 2026.
Short Summary:
This 2-day course will introduce students to the art of threat hunting, focusing on the use of packet analysis to detect and respond to advanced threats. Students will learn how to analyze network traffic and identify file types and metadata.
Course Description:
- Hands-on learning: Go beyond theory and delve into practical exercises where you'll actively hunt for threats in real network traffic.
- Expert instructors: Learn from industry veterans with extensive experience in cybersecurity and threat detection.
- Comprehensive coverage: From network analysis basics to advanced techniques like AI-powered threat identification.
- Receive a certificate: Earn a valuable certificate upon completion of the course.
- Security professionals
- Network engineers
- Threat hunters
- Forensic analysts
- Anyone with an interest in cybersecurity and network security
- Deep dive into packet analysis: Learn how to analyze network traffic and identify file types and metadata.
- Practical enumeration tools: Master techniques for mapping networks and identifying potential threats.
- Comprehensive threat detection: Identify common attack methods like port scanning, man-in-the-middle attacks, and data exfiltration.
- AI for Network Analysis: Learn how to leverage AI for file identification, data enriching, and log analysis.
- Interactive lectures and discussions
- Live demonstrations and exercises
- Challenging practical exercises
- Collaboration with other students and instructors
- Internal/outside investigation
- Criminal
- Compliance
- BIN2DEC
- DEC2HEX
- BIN2ASCII
- What is ASCII?
- What is base64 and how does it work?
- Table, decoding (automated/manual)
- Decode exercise
- Linux Trainer
- File types & headers
- File Metadata
- Hidden GPS data in JPG metadata
- File identification
- 7z Download Challenge
- Parsing Windows Event Logs
- Active Directory Event Logs
- Hidden message - Color on color (traffic/PPTX Extraction)
- Windows Registry - HKCU Run persistent malware identification
- Recover a deleted file from an NTFS file system
- RegEx Trainer (1-5)
- TCP/IP Model / OSI-Model
- OSI Layer Matching
- What is an IP / Port
- Port Matching Challenge
- IPv4
- Ethernet Headers
- Subnets
- MAC Addresses
- MAC Address Challenge
- Enumeration 101
- Nmap Host Enumeration
- What is Network Traffic Analysis
- Who performs Network Traffic Analysis
- Network Monitoring Technologies
- What is a Network Packet Analyzer?
- Promiscuous mode
- Why should I capture traffic to a file?
- TFTP file name identification
- FTP User Password
- SMB File Transfer
- FTP transfer of a QR code with a base64-encoded message inside
- Cryptography
- Cracking ZIP (Dictionary & Brute-force)
- Port Scanning & SYN Floods
- Man-in-the-middle Attacks (ARP Poisoning)
- C2 Beaconing
- Data Exfiltration
- Database Leaks
- File identification/manipulation
- Data enriching & formatting
- Log analysis
- Converting network traffic into an AI friendly format
- Prompt writing for threat hunting
Difficulty Level:
Intermediate - The student has education and some experience in the field and familiarity with the topic being presented. The student has foundational knowledge that the course will leverage to provide practical skills on the topic.
This class is designed to be an immersive experience, not a traditional lecture-based course. We move quickly from theory into hands-on labs where you will actively hunt for threats in real network traffic. The focus is on doing, not just knowing.
This course is for students who are already comfortable with computer and networking fundamentals. While we spend time reviewing refreshers, please note that we won't be covering basic concepts beyond what's listed in the syllabus. To get the most out of our exercises and keep up with the material, it's essential to come prepared with a solid foundation in the skills we'll be building upon. Your ability to do so will directly impact your learning experience on day one. If you are not comfortable working in a command prompt or terminal, you will find it very difficult to succeed.
Suggested Prerequisites:
To ensure you have a rewarding experience, you should be confident in the following areas before enrolling.
Core Knowledge:
- Networking Fundamentals: You should understand what the following terms mean:
- TCP/IP (the basics of the protocol suite)
- Packets, Frames, and Ports
- IP Addresses (Public vs. Private, Subnetting)
- DNS and DHCP
- HTTP/S traffic basics
- Common services like SSH, RDP, and FTP
Essential Practical Skills:
- Command Line Proficiency (CRITICAL): This is the most important requirement. We will have exercises that will require some knowledge of both Linux and Windows. You must be able to navigate and perform tasks in a command line interface (like Windows Command Prompt, PowerShell, or a Linux terminal) without assistance. You should be able to:
- Navigate file systems (cd, dir/ls)
- Manage files (copy/cp, move/mv, delete/rm)
- Run basic networking utilities (ping, ipconfig/ifconfig, netstat, route)
- Operating System Familiarity: You should be comfortable at a basic level using modern Windows and Linux operating systems and understand core concepts like processes, services, and user permissions.
Recommended Experience:
- Certifications: Holding a certification like CompTIA Security+ or Network+ (or having equivalent knowledge) is a strong indicator that you are ready for this course.
- Pre-Work: If you want to test your readiness, try completing a few introductory network analysis exercises online. If you find those challenges manageable, you are likely prepared for this class.
What Students Should Bring:
A laptop with a modern web browser, running an OS you are very familiar with. The OS should be in English or have English translations so the instructors can assist you. We understand that every student will bring a different system with a different OS. Our focus is on delivering a high-quality educational experience for all participants, and troubleshooting of BYOD (Bring Your Own Device) systems will not be available during this course.
What the Trainer Will Provide:
Students will have access to the world-class Capture The Packet cyber range and a virtual desktop they can reach from their laptop throughout the course.
Trainer(s) Bio:
- Over 30 years as an IT Security Professional
- CISO for major Aerospace & Defense Contractor
- Information Security Strategy, Design, Policies, Assessments, Awareness Programs, Compliance, etc.
- 25+ years' experience as a DEF CON organizer and event manager
- Held CTP competitions at DEF CON for 15 years
- Bachelor's Degree in Computer Information Systems
- MBA with an emphasis in technical management
- CISSP, PGP, NSA-IAM, ITIL, Six Sigma Certified
- Creator of the Wall of Sheep, Capture The Packet, Packet Detective, Phishing Executable Toolkit, Clip-Clean, KeyMetrics
- Co-inventor of Juice-Jacking
- Speaker & Event Organizer (DEF CON, Packet Hacking Village, Toorcon, LayerOne, WyrdCon, SparkleCon, NH/A ISAC, DIB, I/ITSEC, Raytheon)
- Multi-year CTF winner HushCon
- 2013 LayerOne Tamper Evident Champion
- 2015 Bomb-Box Champion
Ian Foster is a Red Team lead and has been on the Red Team of multiple Fortune 500 companies. He specializes in offensive infrastructure and research. On his own time Ian runs dns.coffee, a historical DNS database providing DNS data to researchers and threat intelligence groups. Ian also runs a research ISP, allowing him to provide specialty infrastructure hosting for security researchers and internet connectivity to non-profits.
Matthew Tiner is a collaborative professional known for his approachable communication style and willingness to engage directly with colleagues and clients. With a preference for real-time problem-solving and hands-on discussion, Matthew brings a practical, no-nonsense approach to his work. His ability to balance professionalism with genuine personality makes him an effective team member who values both results and relationships.
Ernest Linchangco is a veteran IT professional with three decades of experience guiding complex technology initiatives across diverse industries. His expertise includes cybersecurity, infrastructure operations, and systems integration. Known for his strategic mindset and technical versatility, he consistently delivers results in high-stakes environments. In his spare time, Ernest is actively involved in collaborative hacker and maker circles, contributing to events and projects that advance security research and creative engineering.
Registration Terms and Conditions:
Trainings are refundable before March 27, 2026, minus a non-refundable processing fee of $250.
Between March 27, 2026 and April 21, 2026, partial refunds will be granted, equal to 50% of the course fee minus a processing fee of $250.
All trainings are non-refundable after April 21, 2026.
Training tickets may be transferred to another student. Please email us at training@defcon.org for specifics.
If a training does not reach the minimum registration requirement, it may be cancelled. In the event the training you choose is cancelled, you will be provided the option of receiving a full refund or transferring to another training (subject to availability).
Failure to attend the training without prior written notification will be considered a no-show. No refund will be given.
DEF CON Training may share student contact information, including names and emails, with the course instructor(s) to facilitate sharing of pre-work and course instructions. Instructors are required to safeguard this information and provide appropriate protection so that it is kept private. Instructors may not use student information outside the delivery of this course without the permission of the student.
By purchasing this ticket you agree to abide by the DEF CON Training Code of Conduct and the registration terms and conditions listed above.
Several breaks will be included throughout the day. Please note that food is not included.
All courses come with a certificate of completion, contingent upon attendance at all course sessions. Some courses offer an option to upgrade to a certificate of proficiency, which requires an additional purchase and sufficient performance on an end-of-course evaluation.