Advanced Windows Security Course for 2026

Duration: October - December 2025

    Seminar content

    The Advanced Windows Security Course for 2026 will cover a diverse range of 12 subjects, all hand-selected by our globally acclaimed TOP cybersecurity experts – Paula Januszkiewicz, Sami Laiho, Peter Kloep, and Amr Thabet to name a few. The crucial topics are set to define the field in 2026, equipping you with the foresight and knowledge to stay ahead of the curve.
    Each year, we strive to enhance our program, incorporating feedback and trends to keep it relevant and impactful.
    This year get ready for 6 weeks of intense learning featuring.

    Crafted by top cybersecurity experts working on the frontlines of the cybersecurity industry, our six-week course for advanced professionals holds practicality at its core. You’ll acquire the tools and techniques necessary to prepare yourself against threats in 2026, irrespective of your work location. 
    This unique course takes place ONLY once a year and each edition offers a fresh perspective and a new Syllabus.
    Enrollment is exclusive and limited to a select group of students, chosen meticulously through a stringent application process.

    The Advanced Windows Security Course for 2026 is unique and not everyone’s cup of tea.
    It’s designed for those who already have a solid foundation in cybersecurity.
    That’s why it’s available BY APPLICATION ONLY.
    To make sure everyone can keep up and benefit, we carefully review all applications. 

    Course benefits
    • You’ll participate in a live, online certification program, divided into 12 modules + 1 bonus module spread over 6 weeks.
    • Live, online sessions happening twice a week, 2 hours each (at 7PM CET).
    • The syllabus covers 12 modules.
    • The program has an interactive, hands-on formula — and after every class, you’ll be able to ask questions.
    • During the 6-week program, you’ll also get free access to the CQURE Training Lab and a closed Discord group where you can share your challenges and upgrade your network.
    • Official CQURE certificate “Windows Security Master 2026” after passing the final exam.
    • All the video recordings and extra materials are yours to keep for 12 months from the start of the program.

    Program

    MODULE 1: Attack Case Studies and Building Incident Response Readiness Strategy
    October 28, 2025
    with Paula Januszkiewicz & Artur Kalinowski

    Case Study: Real-World Ransomware Attack
    • Attack vectors (phishing, RDP, exploits)
    • Event timeline (detection → response → recovery)
    • Key organizational and technical mistakes
    • Lessons learned from the incident
    Case Study: Insider Threat & Data Exfiltration
    • Characteristics of insider threats
    • How the attacker bypassed security controls
    • Security team’s response
    • What failed, what worked
    Building an Effective Incident Response Strategy
    • What does it mean to be “ready” for an incident?
    • Six key IR pillars: Detection, Escalation, Communication, Documentation, Accountability, Recovery
    • The role of playbooks and tabletop exercises
    • Example metrics for measuring readiness
    Hands-On Walkthrough: Building a Basic IR Playbook
    • How to build a simple playbook for a ransomware attack
    • Tools
    • The role of templates and checklists
    Helpful Frameworks
    • Overview of frameworks (e.g., NIST, SANS IR Steps, MITRE ATT&CK)
    MODULE 2: Zero Trust in Practice: Building Secure Architectures Beyond the Perimeter
    October 30, 2025
    with Sami Laiho

    Zero Trust and ZTNA
    • What are they?
    • What are the benefits?
    • Who are they for?
    Zero Trust Networking
    • Different approaches
    • Various technologies
    • SWOT of ZTNA
    Designing and implementing ZTNA
    • Best Practices
    • Lessons learned
    MODULE 3: Discover your External Perimeter and Open Source Intelligence in Azure
    November 4, 2025
    with Przemysław Tomasik
    • Introduction and core OSINT Techniques
    • Information gathering beyond infrastructure
    • Azure-specific queries
    • Automated Discovery & Practical Application
    MODULE 4: AI Agents for Attack Investigation
    November 6, 2025
    with Amr Thabet

    MITRE ATT&CK & Attack Investigation
    • Understanding the MITRE ATT&CK Framework
    • Using the Current Attack Landscape With Attack Examples
    • Understand Incident Response Process & Digital Investigation
    Introduction to AI for Cybersecurity
    • AI and Machine Learning Fundamentals
    • Supervised vs Unsupervised Learning
    • Generative AI and Large Language Models
    • Hands-on Lab: Simple Chatbot for Threat Analysis & Reporting
    Prompt Engineering & Retrieval-Augmented Generation (RAG)
    • Prompt Engineering Best Practices
    • Different Prompt Templates for Cybersecurity Use Cases
    • Intro to Retrieval-Augmented Generation (RAG)
    • Incorporating RAG & Prompt Engineering
    Intro To AI Automations & Tool Calling:
    • AI Automation & n8n Workflows
    • Tool Calling Principles in AI
    • Hands-on DNS Domain Check
    AI Pitfalls & Obstacles
    • AI Hallucinations & How to Avoid Them
    • Prompt Injections & AI Security
    MODULE 5: Azure Cloud Incident Response Part 1. Detection
    November 11, 2025
    with Marcin Krawczyk

    Opening & Introductions
    • Welcome and participant introductions
    • Training objectives and expected outcomes
    • Overview of Azure security landscape
    Azure Security Architecture Overview
    • Microsoft Defender for Cloud
    • Azure Sentinel architecture and capabilities
    • Integration with Azure Monitor and Log Analytics
    • Native security tools ecosystem
    Threat Detection in Azure
    • Hands-on Demo: Navigating Defender for Cloud dashboard
    • Understanding security alerts and severity levels
    • Azure Sentinel analytics rules and detection methods
    • Custom KQL queries for threat hunting
    • Interactive Exercise: Writing basic KQL queries
    Incident Classification and Initial Response
    • Azure incident categorization framework
    • Severity assessment and business impact analysis
    • Escalation procedures and notification workflows
    • Case Study: Real-world incident classification examples
    MODULE 6: Privileged Access Abuse in Databases: Detection and Defense
    November 13, 2025
    with Damian Widera

    Introduction – The Risk of Privileged Access Abuse
    • Definition of privileged access abuse
    • Real-world examples of incidents
    • Common abuse scenarios:
      • Data theft
      • Privilege escalation
      • Creation of hidden accounts
      • Tampering with audit logs
    Privileged Access in SQL Server – Architecture and Risks
    • Overview of high-risk roles: sysadmin, CONTROL SERVER, db_owner
    • Differences between logins and users
    • Role chaining and impersonation
    • Common misconfigurations and privilege creep
    Abuse Scenarios – What Attackers Do With Privileges
    • Creating backdoor logins
    • Granting roles silently
    • Disabling auditing or deleting logs
    Detection Techniques – How to Identify Privileged Abuse
    • Using SQL Server Audit (Enterprise edition)
    • Extended Events for tracking GRANT, REVOKE, ALTER, EXECUTE AS
    • Default Trace usage
    • Monitoring login attempts, privilege changes, and schema modifications
    Defense and Mitigation
    • Principle of least privilege
    • Avoiding fixed server roles when possible
    • Regular review of privileges
    • Implementing alerts and controls
    Advanced Detection Patterns (Optional)
    • Tracking EXECUTE AS usage
    • Detecting chained escalation scenarios
    • Forwarding audit logs to an external SIEM
    Q&A and Wrap-up
    • Summary of detection and defense strategies
    • Resources and script package
    MODULE 7: Real-World Pentesting: Windows Tips, Tricks, and Countermeasures
    November 18, 2025
    with Artur Kalinowski

    Introduction
    • Scope: practical Windows attacks in real-world pentests
    • Focus on obfuscation, LOLBins, covert exfiltration, SMB relay, ADS, IFEO
    Obfuscation
    • PowerShell and binary obfuscation basics
    • Practical examples of obfuscation for stealth
    • Why attackers use obfuscation during engagements
    Using LOLBins
    • Using built-in Windows binaries for payload execution and file transfer
    • Key LOLBins: rundll32, regsvr32, certutil, bitsadmin
    • Using LOLBins for stealth data exfiltration
    Covert Exfiltration
    • Exfiltrating data via ICMP, DNS, HTTP
    • HTML smuggling for bypass and delivery
    • Using malicious links + LLMNR/NBT-NS to capture/relay credentials
    SMB Relay Attacks
    • LLMNR/NBT-NS poisoning for credential capture
    • Performing SMB relay when SMB signing is disabled
    Using Alternate Data Streams (ADS)
    • Hiding and executing payloads within ADS
    • Practical usage and detection considerations
    Abuse of Image File Execution Options (IFEO)
    • Using IFEO for persistence or defensive evasion
    • Practical examples from engagements
    Practical Attack Flow Example
    • Combining covered techniques into a realistic internal pentest chain
    MODULE 8: PowerShell for Digital Investigation & Threat Hunting
    November 20, 2025
    with Amr Thabet

    Why PowerShell for IR
    • Benefits for live investigations
    • Risks and common abuse patterns
    Collecting Evidence
    • Processes, network connections, event logs
    • Registry and scheduled tasks
    Threat Hunting Techniques
    • Detecting suspicious processes and scripts
    • Finding lateral movement and persistence
    Case Study: Live Investigation with PowerShell
    • Using PowerShell for timeline building
    • Identifying attacker activities
    Detection and Logging
    • PowerShell logging and Script Block Logging
    • Correlating with Sysmon and EDR
    Best Practices
    • Safe evidence collection
    • Avoiding contamination and ensuring validation
    MODULE 9: Azure Cloud Incident Response Part 2. Response and Recovery
    November 25, 2025
    with Marcin Krawczyk

    Evidence Collection and Investigation
    • Azure logging architecture and data sources
    • Hands-on Lab: Collecting evidence using Azure tools
      • Activity logs and diagnostic logs
      • VM snapshots and network flow logs
      • Using Azure Resource Graph for investigation
    • Preserving evidence for forensic analysis
    Containment and Remediation Strategies
    • Network isolation using NSGs and Azure Firewall
    • Identity-based containment (revoking access, MFA)
    • Practical Exercise: Incident containment scenarios
    • VM isolation and quarantine procedures
    Automation and Orchestration
    • Azure Sentinel Playbooks demonstration
    • Logic Apps for incident response automation
    • Demo: Automated response workflow creation
    • Integration with external ticketing systems
    Recovery and Post-Incident Activities
    • System restoration from backups
    • Security posture improvement
    • Documentation and lessons learned process
    MODULE 10: Tiering, Just-In-Time, and Admin-Forest in "Real-Life" (Experience From the Field)
    November 27, 2025
    with Peter Kloep

    Planning and Processes
    • From Zero to “Tier0”
    • Why is tiering essential?
    • Which systems are Tier0?
    • Common misconfigurations in current networks
    • Naming convention and Role- and Permission-definition
    Lessons from the Field
    • What works in real-world deployments
    • What stopped customers from successfully implementing tiering
    • How to get from A to B?
    • How to achieve user / admin-acceptance?
    Implement Tiering
    • PowerShell-Scripts
    • GPOs
    • Moving resources
    • Administrative workstation / Jump-host
    Just-In-Time-Administration
    • Simple Just-In-Time solution
    • Required / useful tools
    Administrative Forest
    • Benefits of an Admin Forest
    • Automatic synchronization
    • Tools for easy management
    MODULE 11: How to Think About Azure Kubernetes Security
    December 2, 2025 
    with Michał Furmankiewicz
     
    • Base infrastructure of the cluster
    • Cluster Networking (traffic going outside, coming inside, and in the cluster)
    • Identity & Permissions (RBAC model)
    • Monitoring and Security Monitoring
    MODULE 12: Securing Windows Server and Applications in .NET with TLS: Implementation, Pitfalls, and Best Practices
    December 4, 2025
    with Przemysław Tomasik
     
    • TLS Fundamentals and Windows Server Implementation
    • Scanning and Hardening the System-Wide TLS Settings
    • Securing .NET Applications with TLS
    • Discovering, understanding, and fixing issues in code

    Target audience

    In the realm of cybersecurity, knowledge is the ultimate currency. While the digital world may offer unlimited access to information, it’s critical to discern that not all information holds significant value. AWSC is a certified 6-week online cybersecurity course created for advanced professionals as well as all the geeks who are already fluent in the Windows environment (including security skills, penetration testing, etc.).
    Intermediate to advanced Windows Security Professionals
    This program is for you if you want to level up and become a key expert in your company (or even in your field). We promise to challenge your ways of thinking and executing.
    Ethical Hackers (who are familiar with…)
    Attendees need general fluency in the Windows environment (including security skills, penetration testing, etc.). Active Directory-related knowledge is required. Take the quiz to see where you are at.
    Brave Newbies
    If you are a newbie you can still apply, but the program WILL NOT cover the basics — so it might be really challenging for you to get in or to keep up with the group.

    This course is for geeks who want to become advanced Windows security experts. If you want to set yourself (and your company) apart from your competition, this is the course for you. You must already be fluent in the Windows environment (including security skills, penetration testing, etc.). Active Directory-related knowledge is required. We already have a great group of approved applicants from the Microsoft Ignite Conference where we did a soft launch of this course. Including:
    • Professionals with over 5 years of experience in Windows and security-related projects.
    • Working in public, commercial, and security consulting companies.

    Important information

    This unique course takes place ONLY once a year and each edition offers a fresh perspective and a new Syllabus. Enrollment is exclusive and limited to a select group of students, chosen meticulously through a stringent application process.

      Training ID: AWSC
      Location: Online

      • 28.10.-04.12.2025 28.10.2025 Online from 3.199,-
        28.10.2025 19:00 - 21:00 MODULE 1
        30.10.2025 19:00 - 21:00 MODULE 2
        04.11.2025 19:00 - 21:00 MODULE 3
        06.11.2025 19:00 - 21:00 MODULE 4
        11.11.2025 19:00 - 21:00 MODULE 5
        13.11.2025 19:00 - 21:00 MODULE 6
        18.11.2025 19:00 - 21:00 MODULE 7
        20.11.2025 19:00 - 21:00 MODULE 8
        25.11.2025 19:00 - 21:00 MODULE 9
        27.11.2025 19:00 - 21:00 MODULE 10
        02.12.2025 19:00 - 21:00 MODULE 11
        04.12.2025 19:00 - 21:00 MODULE 12

        • Training price, Online: 3.199,-
