Clear advice with a hacker mindset

Tailored trainings for your security team

Windows and Active Directory security in-depth (WinADSec)

This two-day knowledge-packed training is a deep-dive into the inner workings and security of Windows and Active Directory. This training will help you to understand and implement security controls that aid in stopping or detecting modern attacks attack techniques used by red teams and targeted attackers.

Combining a large and private hands-on lab and having instructors with over 12+ year’s experience in breaking into Windows networks, you will leave this training excited and prepared for the next steps in Windows and AD security.

Interested in this training? Take a look at our planned training dates here.

Who should attend

The training is optimally suited for:

  • Defenders, Windows and Active Directory administrators who want to strengthen their knowledge of Windows and Active Directory internals, security concepts and defensive measures.
  • Penetration testers and ethical hackers wanting to provide better recommendations to their clients on defensive measures.
  • Security professionals interested in expanding their knowledge of Windows and Active Directory related modern attack techniques, Red Teaming and defend against it.
  • Forensic professionals who want to better understand the entire flow of an attacker and offensive tactics.
  • Technical auditors wanting to increase their hands-on experience and technical skills.
  • Attendees of other Outflank trainings who are looking for more in-depth knowledge on Windows and Active Directory security concepts as well as defensive measures.

Key learning objectives

The training is focussed on several key elements:

  • Key theoretical concepts e.g. kill chain, course of action matrix, pyramid of pain, tiering security model, etc.
  • Windows inner workings and key concepts that are often abused by attackers, or can help you in stopping or detecting attackers. Amongst others: How do processes work in detail? ACL and security descriptors, AMSI, Local Security Authority Subsystem Service, DCOM/WMI, relaying attacks.
  • Active Directory inner workings and key concepts that are often abused by attackers, or can help you in stopping or detecting attackers. Amongst others: the inner workings of Kerberos and LDAP, attacks abusing the Kerberos protocol (i.e. golden ticket, silver ticket), domain trusts and attacks such as unconstrained delegation, resource-based delegation or Microsoft Exchange and common misconfigurations.
  • Windows logging in detail, with amongst others topics such as WEF, Sysmon, centralised logging, ATT&CK and EDR features.
  • Security of networking protocols, and the power of the built-in Windows firewall.
  • Recent developments related to Azure Active Directory that could introduce new risks or help you addressing them.
  • Relevant security models to enhance the security of Windows and Active Directory environments. Amongst others: privilege access workstations, the clean source principal and the Microsoft tiering model.


This training uses the same approach as other trainings by Outflank. This means:

  • Interactive setting with multiple trainers, each bringing their dedicated area of expertise.
  • A combination of theory and learning by doing.
  • Large lab environments per student that represent real office networks.
  • Students will learn about and perform both offensive and defensive steps in the lab; working with Cobalt Strike and with modern ways of log centralisation and security monitoring.
  • Detailed labmanual that guides the students through each lab assignment, including extra assignments for more experienced students.
  • Full set of training material to take home and restudy at a later moment.

Personal lab environment

During the training, participants have access to a personal lab environment that acts as a playground area. Having a personal lab is a key differentiator compared to many other labs. This environment is comparable to common enterprise networks as it contains Windows servers and desktops, an Active Directory domain, multiple services, user accounts and service accounts. Furthermore, commonly found insecurities are configured on purpose, as well as detective measures are in place, e.g. central monitoring environments using open source and commercial tools (e.g. IDS, Splunk/ELK stack). We have spent significant time making this lab as real as possible.

Pratical notes

Hardware requirements: A laptop that has the ability to run a Remote Desktop Connection.

Knowledge requirements: It helps if you already have detailed experience with Windows and Active Directory, commonly found in a systems engineering role. Yet, the training is setup in such a way that any participant with a technical IT background and a basic level of security knowledge can follow the topics; it welcomes both novices and veterans. There are extra lab assignments for students that want to go the extra mile.

Practical notes

The training is hosted by three trainers. Working at the Dutch company Outflank, they focus on Red Teaming operations and advanced penetration tests. The training is created based on their 10+ years of experience with offensive operations and advising their clients on defending against targeted attackers. They each bring their own unique expertise to this training, ranging from SOC operations, custom malware and infrastructure security.

About the trainers

  • "Great training that fits perfectly with the current complexity of securing Windows networks against real and modern attacks. Especially the modules on the Azure Cloud were very helpful."
    (Requested to remain anonymous)
  • "The trainers really know what they are talking about, and also are very good in transferring their knowledge. Trainings by Outflank are one of the best trainings I’ve ever had."
    (Stefan Cox, systems engineer at Hogeschool Rotterdam)

Are you interested in this training?

Reach out to us

Other services

We provide you with the best experts and aim for the highest quality.

Advanced security tests

Dedicated penetration testing on complex environments.

Strategic threat information

Learn about the latest attacker tactics, techniques and procedures applicable to your organization.

Need help right away?
Call our emergency number

+31 20 2618996

Or send us an email and we'll get back to you as soon as possible