Train to become OSTH certified
TH-200: Foundational Threat Hunting
Starting at $1,749
Level: 200
54h of content
- Learn threat hunting basic concepts and skills, including using common tools like CrowdStrike Falcon and Splunk to detect network and endpoint Indicators of Compromise (IoCs) and respond to threats
- Earn the OffSec Threat Hunter (OSTH) certification upon passing the exam
Overview
TH-200 equips learners with essential skills to proactively detect and investigate cyber threats through behavioral analysis, threat actor profiling, and the use of network and endpoint indicators
TH-200: Foundational Threat Hunting equips learners with the essential skills and mindset to operate on the defensive side of cybersecurity. In today’s threat landscape, defenders must go beyond reactive security measures. Threat hunting is a proactive practice where security professionals seek out and identify threats before they can cause harm.
This course introduces the core concepts, tools, and methodologies used by enterprise defenders to detect, track, and respond to adversaries within networks and endpoints.
Learners will develop key capabilities, including:
- Understanding the threat actor landscape, with a focus on ransomware and Advanced Persistent Threats (APTs)
- Utilizing both network and endpoint Indicators of Compromise (IoCs) for proactive threat detection
- Understanding the role of Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS), like Suricata, in monitoring for suspicious activity
- Exploring various ransomware groups, including LockBit, CLOP, and BlackCat/ALPHV, with examples of how they exploit specific vulnerabilities
- Recognizing custom threat hunting, focusing on behavioral analysis and data correlation to detect advanced threats, using tools like CrowdStrike Falcon
TH-200 is organized into 7 modules with associated hands-on lab experiences and assessment questions. After completion of the content modules and labs, learners can work on a comprehensive Challenge Lab, which brings all of the skills they have learned in the course together and prepares them for the OSTH exam.
TH-200 is for anyone looking to build a strong foundation in threat hunting, including SOC analysts, IT security specialists, and those aiming to transition into specialized cybersecurity roles. While there are no course prerequisites, it is encouraged that learners have some experience in cybersecurity, a solid foundation in TCP/IP networking, and a familiarity with Linux and Windows operating systems.
Becoming OSTH certified
- 8-hour proctored: All exams are proctored by an OffSec employee in a private VPN
- Hands-on labs: Identify, exploit, and report real-world vulnerabilities in live lab systems
- Conduct a threat hunting sprint: Identify indicators of a compromise by a threat actor
- Identify compromised systems: Assess the impact of attacker actions and determine if data has been exfiltrated or encrypted
OSTH certification
About the OSTH exam
The OffSec Threat Hunter certification demonstrates proficiency in foundational threat hunting practices
Start learning with OffSec
- Learn One (Best value), $2,749/year*: Includes one year of access to one 200 or 300-level course, the associated labs, and two exam attempts
- Course + Cert Bundle (Most popular), $1,749/once: Includes 90 days of access to one 200 or 300-level course, hands-on labs, and a single exam attempt
TH-200 FAQ
Who is the TH-200 course for?
TH-200 is ideal for:
- Individuals looking to build a strong foundation in threat hunting
- Those aiming to transition into specialized security roles
- SOC Analysts
- IT Security Specialists
What are the TH-200 prerequisites?
While there are no formal prerequisites, it’s strongly encouraged that you have:
- A solid foundation in TCP/IP networking
- Familiarity with Linux and Windows operating systems
- Basic understanding of cybersecurity concepts
All of the above can be found in our Threat Hunting Foundations Learning Path
Does the OSTH certification expire?
Yes, the OSTH will expire 3 years after the date you passed the exam. To maintain the validity of your certification, consider one of the following renewal options before your expiration date:
- Pass a Qualifying Exam: Take and pass an OffSec certification exam within the same category at the same level or higher before your certification expires.
- Recertification Exam: Take and pass a recertification exam within six months before your certification’s expiration date to extend validity.
- Continuing Professional Education (CPE) Program: You may refer to the CPE handbook for more information.
Please note that, if your certification expires, you will need to retake and pass the same certification exam.
What job roles do OSTH certified professionals often hold?
The OffSec Threat Hunter (OSTH) certification is designed for cybersecurity professionals who want to specialize in proactively detecting and responding to threats within enterprise environments. It emphasizes advanced threat hunting techniques, including behavioral analysis, endpoint forensics, and adversary emulation.
With the OSTH certification, you demonstrate the ability to go beyond alerts and logs—identifying stealthy intrusions, uncovering hidden attacker behaviors, and strengthening an organization’s overall security posture.
Career roles suited to OSTH-certified professionals include:
- Threat Hunter
- Incident Responder
- SOC Analyst (Tier 2 or 3)
- Blue Team Analyst
- Cyber Threat Intelligence Analyst
- Defensive Security Engineer
OSTH is especially valuable for professionals in environments where proactive defense and in-depth investigation are key to minimizing dwell time and reducing the impact of advanced persistent threats (APTs). It pairs well with other defensive or offensive certifications to round out a complete detection and response skill set.
How do I get CPE points for the IR-200 course?
All of our fully released courses may qualify students for up to 40 (ISC)² CPE credits. To know if you are eligible to request a completion letter or to find course completion requirements, please visit our article "How can I obtain (ISC)² CPE credits and/or a course completion letter for my course".
Are you ready to #TryHarder?
You're closer than you think.
You don’t need to be perfect. You need to be persistent. If you can question normal activity, follow small anomalies, and hunt for hidden threats...
Success stories from the field
Excited to share that I've successfully passed OffSec's brand-new Threat Hunter (OSTH) exam! The exam was an 8-hour hands-on challenge, followed by a report on my findings, which were both graded by OffSec. I had a great time with the course, working with Splunk, CrowdStrike Falcon, and Wireshark. Big thanks to the team for creating such an awesome experience!
- On-demand lab access: Train anytime in up-to-date, practical, cutting-edge labs
- Structured learning modules: Progress through clear, goal-driven topics
- Challenge-based learning: Build skills through real-world, hands-on challenges
- AI-powered learning assistant: Get instant, guided help with complex topics
Realistic lab environments
Built to sharpen your team's skills through practical learning
Hornet Tracer
The fastest can pierce through any defense, striking with lethal speed and leaving no trace behind.
OSTH Certification
TH-200
Origin
Born from the chaos of the digital wilds, Hornet Tracer zips through the cyber world with relentless speed, stinging systems with calculated precision. With an instinct for detection, Hornet Tracer breaks through defenses swiftly and silently, leaving only the hum of a successfully executed strike.
Strengths
Expert in network intrusion; excels at bypassing complex defenses and quickly exploiting weaknesses before the system can react.
Tactics
Rapid, high-impact exploitation with zero hesitation, striking at the heart of defenses before they can mount a response.