Practice Cybersecurity Like the Professionals Do
Real cybersecurity work isn't a series of isolated exercises. Campaigns weave detection, hunting, and response into a single story — the way the job actually happens.
Posted by

The way real cybersecurity works
A real engagement doesn't arrive in your queue with a tidy label that says "threat hunting exercise." It starts as a finance team flagging a weird cloud bill. Or a low-severity alert at 4 PM on a Tuesday that nobody else is looking at. Or a help desk ticket that mentions a workstation behaving oddly.
By the time the incident is closed, you've touched five skills you used to think of as separate. You hunted the thread. You contained the host. You shipped the detection rule that should have caught it. You wrote the after-action notes. You made a dozen judgment calls under time pressure with incomplete information.
The skill that hiring managers actually want is the muscle to handle that blur.
Isolated lab exercises are great for reps in a single skill — you need those, and Defend the Org has them. But isolated reps don't teach the muscle of moving across skills inside one evolving story. That's the gap Campaigns close.
What a campaign is
A campaign is a multi-act security scenario that threads several labs together into one cohesive storyline. You don't hop from a hunting exercise to a detection exercise to an IR exercise — you live inside a single incident from the first weird signal to the final debrief.
Between exercises, you get short cinematic briefings. The same Defend the Org cast you've seen across the platform — the Sentinel, the Hunter, the Watcher, the Responder, the Operator — hands you the situation, raises the stakes, debriefs after action. They're the colleagues you'd learn from on a real team.
Each campaign has a unique mission patch you unlock when you finish it. The patches stack on your profile as a record of the engagements you've actually run end-to-end — not just exercises you've clicked through.
Why this maps to the real job
Four parallels matter:
- The skill mix is messy on purpose. Real engagements don't respect organizational silos. Campaigns don't either. One hand-off can shift you from threat hunting to incident response to detection engineering inside the same forty minutes.
- Decisions chain. What you do in act one shapes what's on the table in act two. Containment choices have downstream cost. Detection rules you ship now are commitments you'll be paged for later. The campaigns force you to live with those consequences instead of resetting between exercises.
- There's always a debrief. Every real incident ends with a retro — what we won, what we still owe, what we should have done sooner. Campaigns end with a debrief beat that frames the engagement the same way.
- It will test you to ensure you're well-rounded. You'll be tested on all of the skills in the platform, not just the ones you're most comfortable with. You'll need to grow as a professional in order to complete these campaigns.
What you'll do in the campaigns that are live today
First Light · Easy · ~22 minutes
Aldra Bio's CFO flagged a 14% cloud-compute spike that the SOC missed. You pull the thread as the Hunter and catch a research workstation beaconing every nine minutes to an external command-and-control host. You hand off to the Responder to contain the host and lock the stolen account. Then, as the Watcher, you ship a behavior-based detection rule so the next workstation that gets popped doesn't sit silent for a month.
Three skills, one incident, one continuous story. It's the entry-level intrusion you'd catch on shift — start here.
Standing Watch · Medium · ~38 minutes
Cordelta Finance is migrating from EC2 to a hybrid EKS environment. As the Watcher, you frame and ship a fleet-burst detection rule for the new cluster. Three weeks later — your own rule fires. You triage with the Operator and realize it's the cluster autoscaler doing legitimate work. False positive. Now you have to decide: retire the rule, or tune it.
Standing Watch teaches the part of the job nobody trains for: detections are commitments, not artifacts. Write, watch, tune, repeat.
What you take home
Three things, in increasing order of importance:
- A mission patch per campaign. Distinct from XP badges. Each one marks an engagement you ran end-to-end. They're receipts.
- Story arcs that carry forward. The campaigns shipping over the coming months will introduce named threat actor groups you'll see across engagements — the way you'd develop a working theory about the same crew across multiple intrusions in the field. The arc is part of the training.
- The muscle for skill blur. This is the big one. It's the difference between "I can write a query" and "I can run an incident." Hiring managers can feel it in interviews. Senior engineers on your team can feel it in your first month.
Where to start
If you're new to the platform, start with First Light. It mirrors a realistic entry-level intrusion, takes about twenty minutes, and gets you a sense of the rhythm — brief, act, hand-off, act, debrief — without dropping you in the deep end. Standing Watch is waiting for you after that.
If you want to feel how the job actually flows — not as a series of siloed exercises but as one continuous engagement — grab a seat and run your first campaign tonight.