When we first put together the Offensive Cyber Security Operations: Mastering breach and adversarial attack simulation engagements training and CBAS [Certified Breach and Adversarial Attack Simulation Specialist] certification, for DEF CON Training Las Vegas 2025, the goal was pretty straightforward. Teach people how to actually think and operate like real adversaries. Not just read about TTPs in a slide deck, but execute them. The course has always been about hands-on, threat-informed operations in enterprise environments where EDR, SIEM, and Anti-Virus products are actively watching everything you do.
But here is something we have been thinking about for a while. Open-source tools are great for learning and validation, but enterprise red teams need more. Professional adversary simulation requires tooling built for repeatable covert operations, team collaboration, detailed reporting, and long-term engagements. That is why organizations running serious red team programs invest in commercial platforms like Cobalt Strike. It is designed for professional operators running enterprise-grade engagements. The tradecraft is different. The indicators are different. If defenders are not training against the same set of tools, they are preparing for a fight that looks nothing like the real thing.
So starting with our Offensive Cyber Security Operations: Mastering breach and adversarial attack simulation engagements training at DEF CON Training Singapore in April 2026, we are making a big change. We are upgrading the primary command and control (C2) framework in the training to Fortra Cobalt Strike C2. We are extremely happy to bring this enhanced training experience to DEF CON Training. This collaboration ensures participants train with fully licensed, up-to-date offensive tooling backed by official support and resources.
For those unfamiliar, Cobalt Strike is a commercial adversary simulation platform developed by Fortra (formerly Help Systems). It is the industry standard for professional red team operations, providing a mature command and control framework with features specifically designed for realistic attack simulation. Its Beacon implant, Malleable C2 profiles, and post-exploitation capabilities make it the go-to choice for both legitimate security teams and, unfortunately, real-world threat actors with cracked versions.
Let me be very clear: this is not about throwing out open-source C2 tools. Sliver/Havoc/Adaptix C2 and Caldera are still solid, and fantastic for structured adversary emulation. All of these will still be covered in the course because they serve real purposes.
But when it comes to full-scope breach simulation and realistic red team operations, Cobalt Strike is what professional offensive security teams and red teams actually use. It is the tool that shows up in incident response reports. It is what your SOC will encounter when things get serious with Red Teams.
Here is the reality: if your enterprise is serious about measuring the effectiveness of your cyber defense program and incident response capabilities, you need a platform built for professional red team engagements.
Cobalt Strike is the industry standard for enterprise breach and adversary simulation because it enables security teams to run realistic, controlled and sophisticated breach exercises. As a commercially licensed and supported platform from Fortra, it gives offensive security teams a trusted, repeatable framework for testing defenses.
Cobalt Strike is designed for professional red team operations. It supports multi-operator engagements, provides detailed logging for reports, and integrates into enterprise security workflows. For organizations running purple team exercises, tabletop validations, or full scope red team engagements, it is the platform that changes adversary simulation from a checkbox exercise into a genuine assessment of security maturity.
For the participants, this means learning to operate the same command and control platform used in professional red team engagements worldwide. You will build payloads, configure infrastructure, and execute full attack flows using industry standard offensive tooling and skills that translate directly to real-world adversary simulation. Because every attack generates telemetry, you will also learn where your tradecraft is visible to defenders, helping you refine your operational security.
The core philosophy stays exactly the same. Offensive Mindset, Defensive Impact. We are still focused on the full attack chain, still correlating everything with detection telemetry, still making sure you understand both sides. But now the custom breach simulation modules run on Cobalt Strike from start to finish.
Craft payloads using Cobalt Strike's artifact kit. Customize loaders, work around detections, and learn operational security starting from the first shellcode generation.
Configure Malleable C2 profiles to mimic legitimate traffic. Shape communications to fool network monitoring while understanding what defenders can still detect.
Use Cobalt Strike's built-in evasion features including the Sleep Mask Kit for in-memory encryption, Artifact Kit for payload customization, process injection options, spawn-to configurations, and Beacon Object Files (BOFs) to execute post-exploitation tasks. You will also learn to operationalize these techniques with our internally developed defense evasion tools.
Execute credential harvesting, lateral movement, and privilege escalation. Simulated techniques include pass-the-hash, Kerberoasting, DCSync, and token manipulation in realistic AD environments.
Build and execute full-scope breach simulation exercises. Emulate known threat actors using documented TTPs and threat-intel reports, or design custom scenarios tailored to your organization. Learn to plan, scope, and run end-to-end adversary simulations that test your defenses against both real-world adversaries and dynamic custom attack scenarios.
Map every attack to EDR alerts, SIEM logs, and endpoint forensics. Understand exactly what defenders see and write detections for the gaps.
The ransomware emulation module gets a serious upgrade too. Building and deploying custom ransomware simulations through Cobalt Strike infrastructure is much closer to how such exercises are carried out in enterprise engagements. Understand the full chain from initial access through deployment, and you will see exactly where defenders have opportunities to stop it.
Prove you can design, execute, and validate breach simulations, then demonstrate that your defensive recommendations actually work. Right now this badge is exclusively awarded to the participants of DEF CON Training events.
The proficiency exam structure stays the same. It works, and we are not changing what is not broken. You still need to design, execute, and validate a complete breach simulation against a defended enterprise environment. The difference is that you will now be doing it with industry standard offensive tooling that mirrors real-world engagements.
What makes CBAS different is that passing is not just about breaking in. Anyone can pop a shell in a weak environment. The certification proves you can craft sophisticated breach simulation exercises, identify gaps, improve defenses, and validate that the improvements actually work. Offense and defense, connected. That is the whole point of the training.
Here is something most training programs miss. What happens when you get back to the office on Monday?
You plan and run your first enterprise breach and adversary simulation engagement. You collect threat-intel relevant to your industry, build an adversary emulation plan, and execute it using a combination of tools. Atomic Red Team for technique validation, Caldera/VECTR for structured emulation, Cobalt Strike for dynamic custom adversary simulation operations. And plenty of existing, custom tools and scripts to execute various simulation scenarios including ransomware simulation. You simulate known threat actors targeting your sector, or design custom scenarios to test specific gaps. You validate every attack with your SOC and SIEM telemetry, document what got detected and what was not, and turn those findings into actionable defense improvements.
That is the difference. You leave with the skills to run professional breach and adversary attack simulation engagements, not just individual techniques, but complete operations from planning through reporting.
Earning the CBAS certification demonstrates advanced capability in offensive cyber security operations and breach simulation, enabling you to elevate your role as a trusted security specialist and strengthen your organization's overall defense posture.
Hands-on experience with industry standard tooling and TTPs used in real engagements worldwide
Realistic telemetry and IOCs to tune detections against actual threat behavior
Run exercises that mirror the threats your executive team is actually worried about
For enterprise security teams, this means immediate ROI. Your people return with skills they can deploy that same week, not theory they will forget by the next quarter. Whether it is internal red team operations, purple team exercises, security control validation, or compliance validation, the training directly helps them perform assessments on production systems.
DEF CON Singapore 2026 | April 26-27 | Marina Bay Sands
Master advanced breach and adversary simulation techniques in a guided, defended lab. Build custom ransomware scenarios, run full breach simulations, and earn the CBAS certification.
The upgraded training makes its debut at DEF CON Singapore at Marina Bay Sands. Two full days covering everything from adversary emulation fundamentals through complete breach simulation, finishing up with a capture-the-flag competition so you can put it all together.
Those who pass the proficiency exam earn certificates/digital badges from DEF CON Training and, in addition to that, the CBAS certification, digital badges, and challenge coins. The exam is optional but recommended, as it is the core difference between attending a training and proving you can actually carry it out.
For the participants of the past DEF CON Trainings and CBAS certification holders, I'm working on a way to give them access to the upgraded lab environment. Need to find some workaround to overcome some limitations. Stay tuned!
Our philosophy has always been that defenders must think like attackers. The tusker with a spear does not just endure threats, it anticipates them, tests its own limits, and strikes with precision before the hunter gets close.
Now the tusker has Cobalt Strike in its arsenal.
If your organization is being targeted by adversaries, your offensive security team and defenders should be training against the same. There is no point practicing against attacks you will never see while the real attackers use completely different tradecraft. This is how modern cyber defense should work. Continuous and adaptive attack-validate-harden methodology!
We will see you in Singapore!