Hunt Training

Threat Hunting Training Course

Our next session is Saturday, August 12th, 2023 from 11 AM to 5 PM (ET). Register below to attend this course live and receive a certificate. If you cannot attend live, please still register and we will send you a link to the recording.

Over 25,000 students have attended our training live! 


Welcome to our Threat Hunting Training Course!

Here you will find everything you need to complete this training. The information for the course is broken down into different sections:

Active Countermeasures is passionate about providing quality, educational content for the Infosec and Threat Hunting community. We hope you enjoy this Threat Hunting Training and plan to join us for future webcasts!

Are you interested in taking an Advanced Threat Hunting class? Chris Brenton holds one quarterly with Antisyphon InfoSec Training.

Happy Hunting!

Course Slides


Updated 04/22/2023

Hands-on Labs Info

Our labs are designed to run only on Ubuntu or CentOS 7.


The latter portion of this course will be performed by you using hands-on labs with live instruction and guidance. You will be working with traces of real Command and Control (C2) traffic to reinforce what you have learned. The hands-on labs are not required, but they are the best way to learn the threat hunting process in a way you should be able to remember more efficiently – by actually doing it yourself!

All labs are included in our supplied virtual machines and online instance.

You have four options for obtaining the pre-configured labs. Links for each are in the next section.

Lab Downloads

Labs Updated 03/02/23

Our supplied lab virtual machines are pre-configured on Ubuntu and include all the tools, directories, and files you will need to perform the hands-on portions of this course.

Our virtual machine labs do not require network access. All labs will be done within the VM itself.

We provide four options for accessing the labs. Please choose ONE of these options that work best for you.

Options #1, 2, & 3 – Download VM

VirtualBox VM

Download VirtualBox VM

Size: 13.4 GB (25 GB uncompressed)

CRC32: 16950B61
CRC64: 958BA87965330E3E
SHA1: DCE6DD884EC91F15E5EC258F2DD98071F4BDC50B
SHA256: 2CADE05FEA0E397391269DDF25F873696CFE58464CB7E3E59A279D888F4FF4B1

Generic OVA

Download Generic OVA VM

Name: thunt-L1-2023-r1.ova
Size: 14 GB

CRC32: 7BDEC785
CRC64: 26534335A1465197
SHA256: BC9C52B0C39C38BED85B84748F0C1F869F969430883921B96E209F65D83B8044

VMware Workstation

Download VMware Workstation VM

Size: 14 GB

CRC32: 26A6CA27
CRC64: F7E8458761F77B45
SHA1: 464E94083084E046A75E3D5DF69FA0E0F9964DA4
SHA256: 7038E96657F4890549FF9BC3DCC0D7900A3DA54CB449E22E01B41F975F03DD0F

After you have chosen one of the above VM downloads, complete the following steps.


1: Open the ZIP file with your preferred compression utility.

2: Launch/import the VM with your VM software.

3: At the login prompt, use the following credentials:

Login: threat
Password: hunting

4: You will see the directory “labs” in the home directory. In THAT directory will be lab1, lab2 & lab3.

Option #4 – Online Instance & VM AC-Hunter CE

Don’t want to download the VM? No problem! We have an online option that will let you do most (but not all) of the labs over the Internet. This option will be made available at the start of the class.


Below are links to three AC-Hunter CE cloud instances. We have created three to keep any one of them from getting overloaded. Please choose ONE to use for the labs.

Password: hunting2

Threat Hunting Class FAQ

If you run into trouble, please see the FAQ:

FAQ Updated 05/23/23


If you still have questions or need help, please reach out to us on our Threat Hunter Community Discord Server in the “#acm-general” channel.

Previous Course Video Recording

Recorded April 22nd, 2023

Basic Timeline:

Training Begins – 0:00:00
Hands-on Labs – 2:31:46

Interested in helpful threat hunting tools?

Latest Active Countermeasures Blog Posts: