
CyberLex Blue Team Academy


Author: M.G. Vance

About this content

CyberLex Blue Team Academy is the cinematic, scenario-based podcast that teaches real-world defensive skills for Security+, ISC2 CC, CySA+, and CCSP. Learn to analyze threats, investigate incidents, and build the defensive intuition needed for modern cybersecurity roles. Your journey to becoming a defender starts here.

M.G. Vance
Episodes
  • Episode 9 — The DNS Query That Didn’t Match Any Pattern | Security Operations: DNS Analysis & C2 Detection
    2025/12/26

    EPISODE 9 — THE DNS QUERY THAT DIDN’T MATCH ANY PATTERN Security+ Domain 4 concepts • CySA+ network analytics • SOC DNS anomaly detection

    DNS is one of the most misunderstood — and most exploited — protocols in cybersecurity. Attackers use it for stealthy command-and-control, tunneling, and low-and-slow exfiltration because most environments treat DNS as “just infrastructure,” not a high-signal detection source.

    In this cinematic scenario, you’ll learn how a single strange DNS query becomes the clue that exposes a hidden attacker channel.

    What you’ll learn:

    • How DNS tunneling and C2 communication work

    • Why random or structured-looking domains signal early compromise

    • How SOC analysts correlate DNS telemetry with endpoint behavior

    • How attackers use domain generation algorithms (DGAs)

    • How unknown domains differ from known-malicious ones

    • How to isolate endpoints beaconing through DNS

    • How passive DNS and DPI support threat hunting


    Security Operations Skills Covered:

    ✔ Network monitoring

    ✔ SIEM correlation

    ✔ DNS analysis

    ✔ Anomaly detection

    ✔ C2 discovery

    ✔ Incident response actions

    ✔ Threat hunting fundamentals

    This scenario reinforces key concepts from:

    Security+ (SY0-701) — Network monitoring, DNS analysis, anomaly detection

    CySA+ (CS0-003) — DNS-based threat detection, DGA identification, C2 behavior analytics

    Designed for exam learners and working defenders.


    Ideal for:

    — Security+ learners

    — CySA+ candidates

    — SOC Tier 1 analysts

    — Threat hunters

    — Anyone learning practical detection techniques


    This episode blends exam clarity with real-world intuition — teaching DNS detection the way defenders actually experience it.


    New episodes weekly.


    Explore the works of M.G. Vance on Amazon — including Security+, CySA+, CISA, CISM, CRISC, and The Breach Nobody Saw Coming titles.

    Amazon Author Page: https://www.amazon.com/stores/author/B0FX7TZSV4/


    CyberLex Learning — Forge the Defender.


    3 min
  • Episode 8 — The Process That Hid in Memory | Security Operations: EDR Detection & Fileless Attacks
    2025/12/19

    EPISODE 8 — THE PROCESS THAT HID IN MEMORY Security+ Domain 4 concepts • CySA+ behavioral analytics • SOC fileless attack detection

    Modern attackers don’t always drop files. Sometimes the entire attack happens in memory — invisible to antivirus, bypassing traditional scans, and relying on stealth to stay ahead of the SOC.

    In this cinematic scenario, you’ll see how defenders detect fileless techniques through subtle signals: unusual PowerShell behavior, reflective loading, credential access attempts, and processes that should never run the way they’re running.

    What you’ll learn:

    • How fileless attacks operate without touching disk

    • Why memory-only processes are early indicators of compromise

    • How EDR/XDR telemetry exposes reflective loading & AMSI bypass attempts

    • How attackers attempt credential access through LSASS

    • What suspicious PowerShell behavior looks like

    • How to isolate, contain, and escalate memory-resident threats

    Security Operations Skills Covered:

    ✔ EDR/XDR telemetry interpretation

    ✔ Memory analysis fundamentals

    ✔ Fileless malware techniques

    ✔ Behavioral & heuristic detection

    ✔ Credential theft monitoring

    ✔ Threat hunting signals

    ✔ Incident response workflow for in-memory attacks

    This scenario reinforces key concepts from:

    Security+ (SY0-701) — EDR/XDR, behavioral detection, malware identification, IR workflows

    CySA+ (CS0-003) — Memory-based attacks, credential access attempts, advanced detection analytics

    Designed to support both exam learners and working SOC analysts.


    Ideal for:

    — Security+ learners

    — CySA+ learners

    — SOC Tier 1 analysts

    — Blue team defenders

    — Incident responders

    — Anyone learning how modern attackers avoid traditional AV

    Short. Cinematic. Practical. A real-world look into attacks designed to stay invisible.

    New episodes weekly.


    Explore the works of M.G. Vance on Amazon — including Security+, CySA+, CISA, CISM, CRISC, and The Breach Nobody Saw Coming titles.

    Amazon Author Page: https://www.amazon.com/stores/author/B0FX7TZSV4/

    CyberLex Learning — Forge the Defender.

    3 min
  • Episode 7 — The Cloud Bucket Created at 3:14 A.M. | Security Operations: Cloud Monitoring & Rogue Resource Detection
    2025/12/14

    CyberLex Blue Team Academy — Where Defenders Are Forged.

    EPISODE 7 — THE CLOUD BUCKET CREATED AT 3:14 A.M. Security+ Domain 4 concepts • CySA+ cloud analytics • SOC cloud misconfiguration detection

    Cloud breaches rarely begin with loud signals. Most start with something small — a resource you didn’t create.

    At 3:14 A.M., a new storage bucket appears. No change request. No automation job. No scheduled deployment. Just a new asset, quietly created in your cloud environment.

    In this cinematic scenario, you’ll learn how defenders spot unauthorized cloud resources — and how attackers exploit misconfigurations to pivot, store payloads, or prepare for data exfiltration.

    What you’ll learn:

    • How unauthorized buckets reveal early attacker activity

    • Why service account misuse is one of the biggest cloud risks

    • How to read IAM logs, API calls, and CloudTrail events for abnormal activity

    • How attackers conduct stealthy cloud reconnaissance

    • Why misconfigurations are the easiest path into cloud environments

    • How SOC teams contain and remove rogue cloud assets safely

    Security Operations Skills Covered:

    ✔ Cloud monitoring and alerting

    ✔ IAM misconfigurations & service account abuse

    ✔ API call pattern analysis

    ✔ Cloud log correlation and investigation

    ✔ Reconnaissance behavior in cloud environments

    ✔ Incident response workflow for cloud-based threats

    ✔ Secure bucket configuration and guardrails



    This scenario reinforces key concepts from:

    * Security+ (SY0-701) — Cloud monitoring, access control, misconfigurations, security operations

    * CySA+ (CS0-003) — Cloud event analysis, behavioral detection, service account misuse

    Designed for learners AND real-world defenders.



    Ideal for:

    * Security+ learners

    * CySA+ learners

    * SOC Tier 1–2 analysts

    * Cloud security beginners

    * DevOps / SRE teams learning secure operations

    * Anyone learning how attackers exploit cloud misconfigurations

    Short. Cinematic. Practical. Cloud security, told the way defenders actually experience it.

    New episodes weekly.

    Explore the works of M.G. Vance on Amazon — including Security+, CySA+, CISA, CISM, CRISC, and The Breach Nobody Saw Coming titles.

    Amazon Author Page: https://www.amazon.com/stores/author/B0FX7TZSV4/


    CyberLex Learning — Forge the Defender.


    4 min