# Nexus SecOps Labs
Hands-on labs provide practical experience with the concepts covered in the Nexus SecOps textbook. Each lab uses synthetic, non-sensitive data or free-tier cloud environments and can be completed without production infrastructure.
## Lab Overview
| Lab | Title | Difficulty | Duration | Chapter |
|---|---|---|---|---|
| Lab 1 | Synthetic Alert Triage | ⭐⭐ Intermediate | 60–75 min | Ch 6 |
| Lab 2 | Detection Rule Tuning | ⭐⭐⭐ Advanced | 75–90 min | Ch 5 |
| Lab 3 | Incident Response Simulation | ⭐⭐ Intermediate | 60–90 min | Ch 9 |
| Lab 4 | SOAR Safety Checks | ⭐⭐⭐ Advanced | 60–75 min | Ch 8 |
| Lab 5 | LLM Guardrails Evaluation | ⭐⭐ Intermediate | 45–60 min | Ch 11 |
| Lab 6 | Active Directory Attack Paths | ⭐⭐⭐⭐ Expert | 3–4 hrs | Ch 16–17 |
| Lab 7 | Malware Triage & Analysis | ⭐⭐⭐ Advanced | 2–3 hrs | Ch 18 |
| Lab 8 | Cloud Security Audit (AWS) | ⭐⭐⭐ Advanced | 2–3 hrs | Ch 20, 29 |
| Lab 9 | Purple Team Exercise | ⭐⭐⭐⭐ Expert | 3–4 hrs | Ch 36 |
| Lab 10 | Threat Hunting | ⭐⭐⭐⭐ Expert | 3–4 hrs | Ch 38 |
| Lab 11 | Adversarial ML Attack | ⭐⭐⭐ Advanced | 2–3 hrs | Ch 37 |
| Lab 12 | DFIR Artifact Analysis | ⭐⭐⭐ Advanced | 3–4 hrs | Ch 27 |
| Lab 13 | Cloud Red Team Simulation | ⭐⭐⭐ Advanced | 3–4 hrs | Ch 46 |
| Lab 14 | AI & LLM Red Team | ⭐⭐⭐ Advanced | 3–4 hrs | Ch 37, 50 |
| Lab 15 | Purple Team Automation | ⭐⭐⭐⭐ Expert | 4–5 hrs | Ch 6, 41, 49 |
| Lab 16 | DFIR Memory Forensics | ⭐⭐⭐⭐ Expert | 4–5 hrs | Ch 27, 28 |
| Lab 17 | Cloud IAM Privilege Escalation | ⭐⭐⭐⭐ Expert | 4–5 hrs | Ch 20, 33, 46 |
| Lab 17 | Cloud IAM Privilege Escalation | ⭐⭐⭐⭐ Expert | 5–7 hrs | Ch 20, 33, 39, 46 |
## Prerequisites

All labs require:

- Completion of the relevant chapter(s)
- A text editor or IDE
- Python 3.10+ (for dataset generation)
- Optionally: a SIEM trial account (free tiers of Elastic, Splunk, or Microsoft Sentinel work)
You do NOT need a production security environment. All labs use synthetic data.
## Synthetic Dataset
Labs reference a shared synthetic dataset of security events. Generate the dataset locally:
See Datasets for the full schema and sample data.
## Learning Path

```mermaid
flowchart LR
    L1[Lab 1\nAlert Triage] --> L2[Lab 2\nDetection Tuning]
    L1 --> L3[Lab 3\nIR Simulation]
    L2 --> L4[Lab 4\nSOAR Safety]
    L3 --> L4
    L4 --> L5[Lab 5\nLLM Evaluation]
```

Complete Lab 1 first. Labs 2 and 3 can be done in parallel. Lab 4 benefits from completing both Lab 2 and Lab 3 first.
## Instructor Notes
If using these labs in a training context:
- Lab 3 (IR Simulation) works well as a group tabletop exercise (3–5 participants)
- Lab 1 can be scored objectively using the answer key — suitable for assessment
- Lab 5 benefits from comparison between participants who used different AI tools
Facilitation guides are included in each lab.