Skip to content
>_
SecOps
Log
_
Home
Courses
Learning path
Resources
Topics
Blog
All courses
Advanced Linux security
Advanced
6 sections · 17 lessons · ~8h total · 51-question self-test
Start course
01
The attacker on the host
2 lessons
Test yourself
01
The host threat model
What an attacker does after landing.
12 min
02
The intrusion chain on Linux
Access, escalate, persist, act.
12 min
02
Privilege escalation
3 lessons
Test yourself
01
Local privesc: SUID, sudo, capabilities
The misconfigurations attackers find first.
16 min
02
Kernel & credential escalation
Kernel exploits, cron, PATH, and secrets.
14 min
03
Finding privesc before they do
Audit your own hosts like an attacker.
12 min
03
Persistence & rootkits
3 lessons
Test yourself
01
Where attackers persist
cron, systemd, SSH keys, shell profiles.
14 min
02
Userland stealth: LD_PRELOAD & more
Hooking without touching the kernel.
12 min
03
Kernel rootkits & detection
When you cannot trust the kernel.
14 min
04
Detection engineering
4 lessons
Test yourself
01
The audit pipeline
Collect, normalize, and where it belongs.
14 min
02
osquery for fleet visibility
System state as SQL you can query.
12 min
03
eBPF tracing fundamentals
Probes, maps, and the verifier.
14 min
04
Falco on bare hosts
The k8s runtime tool, minus the k8s.
12 min
05
Hunting & detections
2 lessons
Test yourself
01
Detections that survive contact
Behavior over strings, tests over hope.
14 min
02
Threat hunting on Linux
Hypothesis-driven, proactive searching.
12 min
06
Forensics & incident response
3 lessons
Test yourself
01
Live triage: contain, do not destroy
The first hour, done right.
14 min
02
Linux forensic artifacts
Where the evidence actually lives.
14 min
03
The incident response loop
From detection to lessons learned.
12 min
Final exam
Test yourself on everything
51 questions drawn from all 6 sections — every answer explained as you pick.
Start final exam