Hunt Training

Threat Hunting Training Course

Over 30,000 students have attended our training live! 

Our next live course is Tuesday, June 25th, 2024 from 11 AM to 5 PM (ET).

Register below to attend this course live and receive a certificate. If you cannot attend live, please still register and we will send you a link to the recording.


Introduction to This Threat Hunting Training Course

In the following video, Chris Brenton provides a brief overview of what you can expect from taking this course.

Welcome to our Threat Hunting Training Course!

Here you will find everything you need to complete this training. The information for the course is broken down into different sections:

Active Countermeasures is passionate about providing quality, educational content for the Infosec and Threat Hunting community. We hope you enjoy this Threat Hunting Training and plan to join us for future webcasts!

Are you interested in taking an Advanced Threat Hunting class? Chris Brenton holds one quarterly with Antisyphon InfoSec Training.

Happy Hunting!

Course Slides


Updated 04/12/2024

Hands-on Labs Info

Our labs are designed to run only on Ubuntu or CentOS 7.


The latter portion of this course will be performed by you using hands-on labs with live instruction and guidance. You will be working with traces of real Command and Control (C2) traffic to reinforce what you have learned. The hands-on labs are not required, but they are the best way to learn the threat hunting process in a way you should be able to remember more efficiently – by actually doing it yourself!

All labs are included in our supplied virtual machines and online instance(s).

You have four options for obtaining the pre-configured labs. Links for each are in the next section.

Lab Downloads

Labs Updated 08/08/23

Our supplied lab virtual machines are pre-configured on Ubuntu and include all the tools, directories, and files you will need to perform the hands-on portions of this course.

Our virtual machine labs do not require network access. All labs will be done within the VM itself.

We provide four options for accessing the labs. Please choose ONE of these options that work best for you.

Options #1, 2, & 3 – Download VM

VirtualBox VM

Download VirtualBox VM

Size: 13.1 GB

CRC32: 4525DF25
CRC64: B32C9217A729ACEA
SHA256: 5CF82AAEA859F9297CB33569BCFDC5023CAB87E78BD7605C82844D65BB41B899

Generic OVA

Download Generic OVA VM

Size: 13.8 GB

CRC32: 3E068517
CRC64: 5313D0F3A37D3F2C
SHA1: 3F332AFBFB51484443C6FD228899BDF0317589DE
SHA256: D210F54CDC3E425E10C8FF66AE7F9B1EF0AC5924CE6A5543E1DDDC765252F992

VMware Workstation

Download VMware Workstation VM

Size: 13.1 GB

CRC64: 04A3E9177191E1AF
SHA1: 9A747DD825A10439F12980337E96B62AD13ADCB6
SHA256: 57E63852D10BC3C0D9F5B86E369FEFA555D8BF6B6ADA5D31A3E175F9B5109144

After you have chosen one of the above VM downloads, complete the following steps.


1: Open the ZIP file with your preferred compression utility.

2: Launch/import the VM with your VM software.

3: At the OS login prompt, use the following credentials:

Login: Threat Hunter

Password: hunting

(sudo Password: hunting)

4: If you are presented with an option to update Ubuntu or anything else within the VM – don’t run updates, please leave it as is. Updating the VM may cause issues.

5: In Files/Home or the “threat” shortcut on the Desktop, you will find the “labs” directory. Inside the labs directory will be the subdirectories: lab1, lab2 & lab3. (the CLI path is ‘home/threat/lab*’)


Launching the Chrome browser will provide access to the AC-Hunter UI (

AC-Hunter login credentials:

Password: hunting2

Option #4 – Online Instance of AC-Hunter CE with Lab Data

Don’t want to download the VM? No problem! We have an online option that will let you do most (but not all) of the labs over the Internet.


Below are links to multiple AC-Hunter CE cloud instances. We have created more than one to keep any one of them from getting overloaded. Please choose ONE of them to use for the labs.


AC-Hunter login credentials:

Email Address: 
Password: hunting2

Threat Hunting Class FAQ

If you run into trouble, please see the FAQ:

FAQ Updated 04/12/24


If you still have questions or need help, please reach out to us on our Threat Hunter Community Discord Server in the “#acm-general” channel.

Previous Course Video Recording

Recorded April 12th, 2024

Interested in helpful threat hunting tools?

Latest Active Countermeasures Blog Posts: