Episodes

  • Episode 9 — The DNS Query That Didn’t Match Any Pattern | Security Operations: DNS Analysis & C2 Detection
    2025/12/26

    EPISODE 9 — THE DNS QUERY THAT DIDN’T MATCH ANY PATTERN Security+ Domain 4 concepts • CySA+ network analytics • SOC DNS anomaly detection

    DNS is one of the most misunderstood — and most exploited — protocols in cybersecurity. Attackers use it for stealthy command-and-control, tunneling, and low-and-slow exfiltration because most environments treat DNS as “just infrastructure,” not a high-signal detection source.

    In this cinematic scenario, you’ll learn how a single strange DNS query becomes the clue that exposes a hidden attacker channel.

    What you’ll learn:

    • How DNS tunneling and C2 communication work

    • Why random or structured-looking domains signal early compromise

    • How SOC analysts correlate DNS telemetry with endpoint behavior

    • How attackers use domain generation algorithms (DGAs)

    • How unknown domains differ from known-malicious ones

    • How to isolate endpoints beaconing through DNS

    • How passive DNS and DPI support threat hunting


    Security Operations Skills Covered:

    ✔ Network monitoring

    ✔ SIEM correlation

    ✔ DNS analysis

    ✔ Anomaly detection

    ✔ C2 discovery

    ✔ Incident response actions

    ✔ Threat hunting fundamentals

    This scenario reinforces key concepts from:

    Security+ (SY0-701) — Network monitoring, DNS analysis, anomaly detection

    CySA+ (CS0-003) — DNS-based threat detection, DGA identification, C2 behavior analytics

    Designed for exam learners and working defenders.


    Ideal for:

    — Security+ learners

    — CySA+ candidates

    — SOC Tier 1 analysts

    — Threat hunters

    — Anyone learning practical detection techniques


    This episode blends exam clarity with real-world intuition — teaching DNS detection the way defenders actually experience it.


    New episodes weekly.


    Explore the works of M.G. Vance on Amazon — including Security+, CySA+, CISA, CISM, CRISC, and The Breach Nobody Saw Coming titles.

    Amazon Author Page: https://www.amazon.com/stores/author/B0FX7TZSV4/


    CyberLex Learning — Forge the Defender.


3 min
  • Episode 8 — The Process That Hid in Memory | Security Operations: EDR Detection & Fileless Attacks
    2025/12/19

    EPISODE 8 — THE PROCESS THAT HID IN MEMORY Security+ Domain 4 concepts • CySA+ behavioral analytics • SOC fileless attack detection

    Modern attackers don’t always drop files. Sometimes the entire attack happens in memory — invisible to antivirus, bypassing traditional scans, and relying on stealth to stay ahead of the SOC.

    In this cinematic scenario, you’ll see how defenders detect fileless techniques through subtle signals: unusual PowerShell behavior, reflective loading, credential access attempts, and processes that should never run the way they’re running.

    What you’ll learn:

• How fileless attacks operate without touching disk

    • Why memory-only processes are early indicators of compromise

    • How EDR/XDR telemetry exposes reflective loading & AMSI bypass attempts

    • How attackers attempt credential access through LSASS

    • What suspicious PowerShell behavior looks like

    • How to isolate, contain, and escalate memory-resident threats

    Security Operations Skills Covered:

    ✔ EDR/XDR telemetry interpretation

    ✔ Memory analysis fundamentals

    ✔ Fileless malware techniques

    ✔ Behavioral & heuristic detection

    ✔ Credential theft monitoring

    ✔ Threat hunting signals

    ✔ Incident response workflow for in-memory attacks

    This scenario reinforces key concepts from:

    Security+ (SY0-701) — EDR/XDR, behavioral detection, malware identification, IR workflows

    CySA+ (CS0-003) — Memory-based attacks, credential access attempts, advanced detection analytics

    Designed to support both exam learners and working SOC analysts.


    Ideal for:

— Security+ learners

    — CySA+ learners

    — SOC Tier 1 analysts

    — Blue team defenders

    — Incident responders

    — Anyone learning how modern attackers avoid traditional AV

    Short. Cinematic. Practical. A real-world look into attacks designed to stay invisible.

    New episodes weekly.



3 min
  • Episode 7 — The Cloud Bucket Created at 3:14 A.M. | Security Operations: Cloud Monitoring & Rogue Resource Detection
    2025/12/14

    CyberLex Blue Team Academy — Where Defenders Are Forged.

    EPISODE 7 — THE CLOUD BUCKET CREATED AT 3:14 A.M. Security+ Domain 4 concepts • CySA+ cloud analytics • SOC cloud misconfiguration detection

    Cloud breaches rarely begin with loud signals. Most start with something small — a resource you didn’t create.

    At 3:14 A.M., a new storage bucket appears. No change request. No automation job. No scheduled deployment. Just a new asset, quietly created in your cloud environment.

    In this cinematic scenario, you’ll learn how defenders spot unauthorized cloud resources — and how attackers exploit misconfigurations to pivot, store payloads, or prepare for data exfiltration.

    What you’ll learn:

    • How unauthorized buckets reveal early attacker activity

• Why service account misuse is one of the biggest cloud risks

    • How to read IAM logs, API calls, and CloudTrail events for abnormal activity

• How attackers conduct stealthy cloud reconnaissance

    • Why misconfigurations are the easiest path into cloud environments

    • How SOC teams contain and remove rogue cloud assets safely

    Security Operations Skills Covered:

    ✔ Cloud monitoring and alerting

    ✔ IAM misconfigurations & service account abuse

    ✔ API call pattern analysis

    ✔ Cloud log correlation and investigation

    ✔ Reconnaissance behavior in cloud environments

    ✔ Incident response workflow for cloud-based threats

    ✔ Secure bucket configuration and guardrails



    This scenario reinforces key concepts from:

    * Security+ (SY0-701) — Cloud monitoring, access control, misconfigurations, security operations

    * CySA+ (CS0-003) — Cloud event analysis, behavioral detection, service account misuse

    Designed for learners AND real-world defenders.



    Ideal for:

    * Security+ learners

    * CySA+ learners

    * SOC Tier 1–2 analysts

    * Cloud security beginners

    * DevOps / SRE teams learning secure operations

    * Anyone learning how attackers exploit cloud misconfigurations

    Short. Cinematic. Practical. Cloud security, told the way defenders actually experience it.

    New episodes weekly.



4 min
  • Episode 6 — The Email That Passed Every Check | Security Operations: Email Threat Detection & Identity Attacks
    2025/12/13


    EPISODE 6 — THE EMAIL THAT PASSED EVERY CHECK Security+ Domain 4 concepts • CySA+ email threat analytics • SOC identity attack detection

    Some of the most dangerous attacks never look dangerous at all.

    No spelling errors. No suspicious attachments. No fake branding. Everything passes SPF, DKIM, and DMARC.

    To most users, the email looks perfect — identical to one the organization would send.

    But to a trained defender, subtle signals reveal something deeper: a credential-harvesting attempt built to bypass filters and survive scrutiny.

    In this cinematic scenario, you’ll explore how attackers craft stealthy phishing campaigns — and how defenders detect them before identities are stolen.

    What you’ll learn:

    • How advanced phishing bypasses traditional email filters

    • Why lookalike domains are so effective

• How credential-harvesting portals mimic corporate systems

    • Quiet signals buried in headers, links, and timing

    • How MFA fatigue and credential stuffing follow phishing attacks

    • How SOC analysts respond to stealthy identity-based threats

    Security Operations Skills Covered:

    ✔ Email filtering fundamentals

    ✔ Threat hunting for subtle indicators

    ✔ Identity anomalies

    ✔ Phishing detection

    ✔ Sandbox analysis

    ✔ Log correlation

    ✔ Credential misuse detection

    ✔ Incident escalation workflows



    This scenario reinforces key concepts from:

    * Security+ (SY0-701) — Email security, phishing detection, IAM misuse, incident escalation

    * CySA+ (CS0-003) — Behavioral email analysis, threat hunting, credential misuse patterns

    Designed for learners AND working defenders.



    Ideal for:

    * Security+ learners

    * CySA+ learners

    * ISC2 CC beginners

    * SOC Tier 1–2 analysts

    * Blue team defenders

    * Anyone developing real-world email threat detection instincts

    Short. Cinematic. Practical. This episode blends exam relevance with true defender intuition.

    New episodes weekly. Security Operations told through story-driven scenarios.




4 min
  • Episode 5 — The Firewall Rule That Quietly Opened | Security Operations: Enterprise Controls & Outbound Anomalies
    2025/12/12


    EPISODE 5 — THE FIREWALL RULE THAT QUIETLY OPENED Security+ Domain 4 concepts • CySA+ network analytics • SOC enterprise control monitoring

    Some compromises start with noise. Others start with silence — a quiet adjustment deep in the firewall.

    A single rule widens outbound access. No ticket. No change request. No approval. Just a subtle shift in enterprise controls… and the start of something deeper.

    In this cinematic scenario, you’ll follow how defenders detect unauthorized firewall modifications and uncover early-stage attacker activity hiding beneath normal network traffic.

    What you’ll learn:

    • How to interpret firewall diffs and rule change logs

    • Why unauthorized rule expansion signals compromise

    • How attackers abuse admin credentials to modify enterprise controls

    • How SIEM correlation reveals outbound staging & exfil behavior

    • How baseline monitoring detects unusual outbound patterns

    • How defenders roll back changes safely and initiate incident response


    Security Operations Skills Covered:

    ✔ Enterprise security controls (firewalls, IDS/IPS, filtering)

    ✔ Outbound traffic monitoring & DNS analysis

    ✔ Unauthorized admin activity detection

    ✔ Network anomaly detection

    ✔ Incident response triggering conditions

    ✔ Change control & configuration integrity



    This scenario reinforces key concepts from:

    * Security+ (SY0-701) — Enterprise security controls, firewall management, monitoring & escalation

    * CySA+ (CS0-003) — Network anomaly detection, admin misuse, exfiltration patterns

    Designed for exam learners and real SOC environments.



    Ideal for:

    * Security+ learners

    * CySA+ learners

    * SOC Tier 1–2 analysts

    * Blue team defenders

    * Network & infrastructure teams

    * Anyone learning how attackers quietly shape the network to their advantage

    This isn’t a lecture. It’s how real defenders spot the threat before it announces itself.

    New episodes weekly. Security Operations told through cinematic, story-driven scenarios.




3 min
  • Episode 4 — The Login That Didn’t Belong to the User | Security Operations: IAM Anomalies & Behavioral Detection
    2025/12/11


    EPISODE 4 — THE LOGIN THAT DIDN’T BELONG TO THE USER Security+ Domain 4 concepts • CySA+ authentication analytics • SOC identity anomaly detection

Some attacks don’t start with a password guess… They start with a login that looks valid — but doesn’t make sense.

    A user signs in at a time they never work. From a device they don’t own. From a network they’ve never touched. And yet… authentication logs say everything is normal.

    In this cinematic scenario, you’ll learn how defenders identify identity anomalies — the subtle authentication signals that reveal compromise long before the attacker makes noise.

    What you’ll learn:

    • How SOC analysts detect suspicious authentication events

    • Why valid credentials can still indicate compromise

    • How MFA fatigue leads to real-world breaches

    • How to correlate logs, timing, geography, and behavior

    • How attackers perform reconnaissance after initial access

    • Why IAM monitoring is essential for modern operations

    Security Operations Skills Covered:

    ✔ IAM fundamentals & monitoring

    ✔ MFA misuse & authentication anomalies

    ✔ Session analysis

    ✔ Rogue device detection

    ✔ Behavioral baseline deviations

    ✔ When and how to initiate incident response



    This scenario reinforces key concepts from:

    * Security+ (SY0-701) — IAM, authentication monitoring, behavioral anomalies

    * CySA+ (CS0-003) — Identity analytics, credential misuse detection, MFA attack patterns

    Designed to support exam learners and real SOC analysts.



    Ideal for:

    * Security+ learners

    * CySA+ learners

    * ISC2 CC beginners

    * SOC Tier 1 analysts

    * Identity & Access teams

    * Anyone learning to detect authentication misuse early

    This isn’t a lecture. It’s how identity-based attacks actually unfold — quiet signals, subtle inconsistencies, and high-stakes decisions made in seconds.

    New episodes weekly.




4 min
  • Episode 3 — The Vulnerability That Came Back | Security Operations: Vulnerability Lifecycle & Configuration Drift
    2025/12/10


    EPISODE 3 — THE VULNERABILITY THAT CAME BACK Security+ Domain 4 concepts • CySA+ vulnerability analytics • SOC lifecycle investigation

In Security Operations, few things are more frustrating — or more dangerous — than a vulnerability that comes back after it was supposedly fixed.

    A patch shows as “successful.” Logs confirm installation. The scanner reports clean.

    Then a week later… the same high-severity finding reappears.

    Something changed. And defenders must figure out what, why, and how fast.

    This cinematic scenario walks through the real-world reasons vulnerabilities return, and how analysts investigate configuration drift, patch rollback, and hidden system changes.

    What you’ll learn:

    • How vulnerabilities reappear due to misconfigurations or drift

    • Why validation is the most critical phase in remediation

    • How automation tools silently undo patches

    • How baselines affect patch persistence

    • How to interpret recurring high-severity findings

    • How SOC analysts escalate returning vulnerabilities


    Security Operations Skills Covered:

    ✔ Vulnerability lifecycle (Identify → Analyze → Remediate → Validate → Report)

    ✔ Patch management signals & silent failures

    ✔ Baseline drift & configuration rollback

    ✔ Scanner output vs. real-world logs

    ✔ Change management interactions

    ✔ Handling recurring findings professionally



    This scenario reinforces key concepts from:

    * Security+ (SY0-701) — Vulnerability management, patch validation, remediation workflow

    * CySA+ (CS0-003) — Vulnerability analytics, configuration drift detection, recurring threat signals

    Designed to support exam learners and real SOC analysts.



    Ideal for:

    * Security+ learners

    * CySA+ learners

    * SOC Tier 1–2 analysts

    * Vulnerability management teams

    * Cloud & infrastructure defenders

    * Anyone developing real-world investigation instincts

This isn’t a lecture. This is how vulnerability management actually feels — quiet failures, unexpected returns, and signals that something deeper is happening beneath the surface.

    New episodes weekly. Security Operations told through cinematic, story-based scenarios.




4 min
  • Episode 2 — The Device That Still Had a Name | Security Operations: Asset Management & Rogue Inventory Signals
    2025/12/09


    EPISODE 2 — THE DEVICE THAT STILL HAD A NAME Security+ Domain 4 concepts • CySA+ asset behavior analysis • SOC rogue device detection

    In Security Operations, the most dangerous device is often the one that shouldn’t exist.

    A retired laptop that suddenly reappears. An inactive asset that becomes active again. A device authenticating in ways that don’t match its lifecycle.

    These are small signals — but they often point to much bigger problems.

    In this cinematic scenario, you’ll learn how defenders investigate unexpected asset behavior and identify when a device is more than just “misconfigured.”

    What you’ll learn:

    • How asset management ties directly into cybersecurity

    • Why untracked or orphaned devices pose massive risk

    • How inventory drift becomes an attack signal

    • How SOC analysts investigate quietly suspicious hardware

    • How logs and metadata reveal unauthorized activity

    • How to escalate cases involving shadow IT or rogue devices


    Security Operations Skills Covered:

    ✔ Asset tracking across hardware & software

    ✔ Unauthorized device detection

    ✔ Lifecycle validation (acquisition → assignment → disposal)

    ✔ Monitoring unexpected authentication patterns

    ✔ Early detection of compromise via asset inconsistencies


    This scenario reinforces key concepts from:

    * Security+ (SY0-701) — Asset management, unauthorized devices, lifecycle validation

    * CySA+ (CS0-003) — Behavioral analytics, inventory drift detection, rogue device signals

    Designed for exam learners and real-world SOC analysts.


    Ideal for:

    * Security+ learners

    * CySA+ learners

    * ISC2 CC beginners

    * SOC Tier 1–2 analysts

* IT Asset Management teams

    * Anyone learning how defenders identify devices that shouldn’t exist

    New episodes weekly. Security Operations told through cinematic, story-driven scenarios.


3 min