Building Full Spectrum Defenders at SECUINFRA
"We don’t separate offensive and defensive thinking when we train analysts. We’re building full spectrum defenders who understand both sides of the attack."
- Industry: Cybersecurity Defense
- Size: 51-200
- HQ: Berlin, Germany
Overview: Challenges
- Analysts needed to investigate beyond the tooling itself
- Teams came from different technical backgrounds with different skill gaps
- SECUINFRA wanted defenders who understood the full attack chain, not just alerts
- Traditional training often felt disconnected from real customer investigations
Overview: Solutions
- Built “full spectrum defenders” through OffSec training
- Combined OSDA, TH-200, IR-200, OSCP, and OSAI
- Used Learn Enterprise Custom Learning Paths to fill skill gaps
- Reinforced learning through realistic labs and practical exams
- Applied the “Try Harder” mindset to analyst development
Overview: Benefits
- Stronger investigations and analytical thinking
- Faster detection during live engagements
- Stronger purple team and offensive understanding for defenders
- Increased customer confidence in analyst capabilities
The challenges
SECUINFRA provides 24/7 managed detection and incident response services, monitoring and neutralizing cyber threats in real time before they cause damage. Over time, the company saw the same problem appear across defensive teams again and again: analysts could learn tooling, but that alone did not prepare them for real investigations.
Klaus Wunder, SECUINFRA’s Principal Cyber Defense Analyst, first experienced OffSec through OSCP in 2015. Years later, at SECUINFRA, he led the effort to bring OffSec into the company’s internal training program for analysts, including beginners and people moving into cyber from completely different careers.
As the company expanded its managed detection and incident response services, SECUINFRA started focusing more heavily on how analysts were being developed internally and what skills defenders actually needed once an investigation became complex.
“The full attack chain is important,” Klaus said. “Defenders need to understand what an attacker would do next.”
That thinking eventually shaped what SECUINFRA calls “Full Spectrum Defenders.”
The idea was not to train analysts only around a specific tool, workflow, or defensive task. SECUINFRA wanted analysts who could understand investigations from multiple angles, connect attacker behavior to customer impact, and think beyond what was immediately visible inside the platform.
The company also wanted training that reflected the reality of customer environments.
"We don’t want analysts to struggle for the first time during a real incident. We want that to happen during training."
The solutions
Building Full Spectrum Defenders
SECUINFRA started building its analyst development around the “full spectrum defenders” concept.
For Klaus, that meant defenders who understand more than alerts, dashboards, or isolated parts of an investigation. Analysts need to understand how attackers gain access, what they are likely trying to accomplish, how they move through systems, what artifacts they leave behind, how detections work, and how an incident affects the customer operationally.
“It’s very important that defenders see how attackers think,” he said. “Otherwise you miss the full picture.”
That thinking shaped how SECUINFRA approached training internally. Instead of separating defensive and offensive skills into completely different tracks, the company wanted analysts who could investigate from both perspectives and move more naturally between blue team and purple team work.
The company uses OSDA, OSCP, IR-200, TH-200, and OSAI together to help defenders understand the full picture of an attack. Analysts start with defensive foundations and then expand into threat hunting, incident response, offensive techniques, and AI security.
Klaus highlights that everybody in the SOC and blue team goes through OSDA. For analysts coming from a different background, the company may start with OSCC to build a stronger foundation. From there, the expected path includes security operations with OSDA, threat hunting with TH-200, incident response with IR-200, OSCP to build the attacker mindset, and now even OSAI for more senior analysts.
SECUINFRA is not using OffSec as one-off certification prep. OffSec is now a part of their structured Workforce Development.
Preparing defenders for AI-driven attacks
SECUINFRA has also started integrating OSAI into its analyst development paths as AI and LLM-related threats become an operational concern.
Internally, the course is not viewed as offensive-only training. Klaus pointed specifically to the course’s detection engineering and defensive visibility content as the primary value add for defenders, because it teaches them how to identify and respond to AI-assisted attacks.
“I think if defenders only choose one course for AI security, it should probably be OSAI,” Klaus said. “Because it has so much blue team side in it.”
Klaus described it as closer to a purple team course than a traditional offensive course because analysts are learning both how attacks are performed and how they can be detected.
For SECUINFRA, that makes OSAI a future-facing part of defender development, not a niche specialization.
Using Learn Enterprise to match training to the analyst
SECUINFRA has a baseline it wants every analyst to reach, but the path to that baseline does not look identical for everyone.
Analysts come into SECUINFRA with very different strengths. Some need stronger networking knowledge, some need Linux experience, and some already know Python because they came from development backgrounds. There are others who are entering cybersecurity from completely different careers.
The company uses Learn Enterprise assessments and Custom Learning Paths to identify those gaps and build training around what each analyst actually needs to develop.
That allows SECUINFRA to bring analysts from very different technical backgrounds into the same operational environment while focusing training time on the areas that will have the biggest impact on their development.
Learn Enterprise as a working knowledge library
For SECUINFRA, Learn Enterprise is not only used for structured training paths or certification preparation. The team uses the OffSec Learning Library as an active operational resource during day-to-day work.
When something surfaces during an investigation, analysts open the platform. That could mean researching a CVE, improving a forensic workflow, understanding Splunk or Wireshark more deeply, or quickly getting context around an unfamiliar technology or attack technique.
Instead of stopping work to search through disconnected resources, the team has a trusted technical library connected directly to the way they investigate and operate. Analysts are not only training for future work, they are using the platform to solve problems and build knowledge in real time.
Klaus said he uses it the same way himself: “When I want to get into a new topic, I first check the OffSec Learning Library.”
Training in labs that feel like real investigations
SECUINFRA treats the defensive labs, Cyber Ranges, Grimoires and CTFs as a major training advantage.
For incident responders specifically, the value comes from how closely the labs resemble actual investigation work. Analysts are not working through isolated examples with obvious answers. They are dealing with firewall logs, system logs, multiple data sources, large volumes of information, and the need to quickly decide where to focus first.
Those are the same investigative skills SECUINFRA expects analysts to apply during real customer engagements. The labs are directly relevant to operational work, not disconnected training exercises.
“If there’s a CVE with major impact, we want analysts to reproduce it, understand it, and then build detections around it,” Klaus explained.
Applying the Try Harder Mindset before the job demands it
SECUINFRA also connects strongly with OffSec’s “Try Harder” philosophy.
The company wants analysts to encounter difficulty during training instead of facing those situations for the first time during a live customer incident. The practical exams are a major part of that approach. The 24-hour exam and reporting requirement force analysts to collect information carefully, document findings clearly, and explain investigations in a structured way under pressure.
For SECUINFRA, that difficulty is valuable. Analysts are not expected to immediately find the answer to every problem. Sometimes they need to change direction, rethink assumptions, or work through unfamiliar situations before they reach the solution.
The benefits
Investigating beyond the tooling
Instead of relying completely on dashboards or predefined detections, analysts became more comfortable investigating beyond the tooling itself. They developed a stronger understanding of how logs were generated, how systems behaved underneath the platform layer, and how attackers moved through Windows, Linux, and network environments once they gained access.
“The content goes really into depth,” Klaus said. “Analysts understand what happens under the hood.”
That became especially important during customer investigations where environments rarely looked identical and visibility was incomplete. Analysts needed to keep moving even when a detection failed, a log source was missing, or activity did not immediately match a known pattern.
Klaus pointed to PowerShell as one example. Early on, some analysts questioned why they needed to manually pull logs or work directly with scripts when a SIEM could already display the information. Over time, they started understanding why that knowledge mattered operationally.
The goal was not simply to make analysts better at using tools. It was to help them understand what the tools were actually showing them.
Improving investigation quality and analytical thinking
SECUINFRA also saw analysts becoming more structured and methodical during investigations.
The practical exams forced analysts to collect evidence carefully, validate assumptions, document findings clearly, and explain investigations in a way another person could follow from beginning to end.
“The exam changes a lot of analysts,” Klaus said. “You need to collect information properly and explain it clearly.”
That training carried over into customer-facing work. Investigation handovers improved, reporting became clearer, and analysts developed stronger investigative discipline during complex engagements.
According to Klaus, hypothesis building was also an important part of that growth. Analysts became more deliberate about testing assumptions instead of jumping to conclusions too early during an investigation. That deeper analytical thinking became especially valuable during incident response work where teams often needed to work through incomplete or conflicting information under pressure.
Faster detection during live engagements
The impact also showed up during real investigations.
Klaus described one engagement where analysts identified heavily obfuscated PowerShell activity during what later turned out to be a purple team exercise. Because the analysts had already worked through similar attacker techniques during OffSec training, they recognized the behavior quickly, decoded the scripts, isolated the affected host early, and disrupted the engagement before it could progress further.
“They understood right away that it was malicious,” Klaus said.
For SECUINFRA, that became one of the clearest examples of why offensive training mattered for defensive analysts. The team was not simply reacting to alerts. They understood the attacker behavior behind the activity and responded before the exercise could fully develop.
Building credibility with customers
SECUINFRA also started using its OffSec training paths as part of customer discussions.
According to Klaus, OffSec certifications carry strong recognition across the German market, particularly because of the practical exam structure and the realism of the training.
The company regularly walks customers through how analysts are trained internally and how certifications fit into employee development because it helps demonstrate how the team approaches investigations operationally.
“They realize how much work goes into it,” Klaus said. “The practical exams matter.”
Why OffSec?
For SECUINFRA, OffSec stood out because the training reflects how real investigations actually work.
The company wanted more than theoretical content or heavily gamified exercises. Analysts needed to work through realistic scenarios, understand attacker behavior, investigate beyond the tooling, and develop the persistence required to handle live incidents under pressure.
That combination of practical exams, realistic labs, offensive training for defenders, deep technical content, and flexible Learning Paths aligned directly with how SECUINFRA develops analysts internally.
See how OffSec helps security teams build defenders who can investigate beyond the alert. Connect with us and explore Learn Enterprise.