Amman, Jordan · 2025–2026
Cybersecurity & Digital Forensics Program
Modern workforce training for security teams

Cybersecurity & Digital Forensics

A 16-week dual-track program designed for today’s hiring market, combining strong technical foundations, hands-on practice, and applied project work in cybersecurity and digital forensics.
100 learners total · 75 cybersecurity · 25 digital forensics · Security+ → CySA+ → CASP+ · Career pathway: Cybersecurity Analyst (SOC/IR)
  • 3 cohorts: Two cybersecurity cohorts and one digital forensics cohort delivered in a coordinated weekly model.
  • 3 schedules: Shared virtual concept sessions with track-specific in-person and online lab rotations during the week.
  • $7–11k initial infrastructure: A lean delivery model with reusable digital forensics hardware and manageable recurring cost.
  • 2 tracks, one program: A shared foundation with specialization in cybersecurity or digital forensics.
Program architecture

A sequence designed for execution, not just instruction

The program is designed to build strong fundamentals first, develop track-specific expertise next, and finish with applied collaborative work that reflects real security and investigation environments.
Phase 1
Wks 0–2

Shared foundation

All learners begin with systems, networking, lab setup, evidence-safe practice, and core security workflows.

Phase 2
Wks 3–12

Diverge — specialty tracks

Learners move into cybersecurity or digital forensics while continuing to build communication, documentation, and operational discipline.

Phase 3
Wks 13–16

Converge — applied capstone

Final work brings both tracks into realistic scenarios, executive reporting, and artifacts that demonstrate readiness for employers and partners.

Why this structure works

Strategic rationale

  • AI is changing entry-level work. Learners need judgment, validation habits, and operational thinking, not just tool familiarity.
  • One umbrella, two pathways. The program supports a clear career narrative while still giving learners meaningful specialization.
  • Cross-functional fluency matters. Employers value analysts who can understand both technical action and investigative consequence.
  • Digital forensics is highly relevant. Incident response, evidence handling, and defensible reporting align well with enterprise and regulated environments.
  • Professional practice is built in. Documentation, validation, and responsible AI use are treated as core habits, not optional extras.
  • Strong foundations strengthen both tracks. Shared early learning creates better specialists later in the program.
Operating rhythm

Weekly flow

  • Sunday: core concept teaching for both tracks, delivered virtually
  • Cyber Cohort 1: Monday and Wednesday in person, with Tuesday and Thursday online for demos and reinforcement
  • Cyber Cohort 2: Monday and Wednesday remote, with Tuesday and Thursday in person
  • Digital Forensics: Monday–Thursday in person, with dedicated online instruction and support time
  • Shared cadence: all cohorts progress through the same weekly structure
  • Capstone: the final phase emphasizes collaboration, communication, and decision-ready outputs
3 hybrid groups · shared schedule · artifact-based
Shared foundation

Weeks 0–2 establish core technical and operational readiness

The program begins with a shared foundation in systems, networking, lab practice, and security workflows so every learner starts with the same core capabilities before moving into track-specific training.
Wk 0
  • Topics — both tracks: Laptop hardening; VM install (Kali + Windows Server 2022); OSI/TCP-IP primer; Git and CLI refresh; lab isolation safety check; timezone setup
  • Lab / do: Self-paced setup verification; snapshot restore check; network isolation validation; CLI exercise via Git
  • Why it matters: Every learner starts with a functioning, isolated lab so class time is not lost to setup failure.

Wk 1
  • Topics — both tracks: OS and networking foundations; security mindset and ethics; Rules of Engagement; SIEM/log reading; evidence-safe habits including hash validation and chain of custody
  • Lab / do: Packet capture baseline; OS artifact discovery report; hash verification of provided image; chain-of-custody form; basic ELK query
  • Why it matters: Learners build habits in documentation, safe evidence handling, and technical observation from the start.

Wk 2
  • Topics — both tracks: Virtualization deep-dive; scripting intro; Windows internals; Red/Blue feedback loop where offense creates traces and DFIR analyzes them
  • Lab / do: Red runs Nmap/Masscan enumeration and documents it; Blue extracts Event IDs, registry changes, and file artifacts; both write a joint one-page report
  • Why it matters: This early crossover exercise helps learners connect technical action, evidence, and investigation in a practical way.

Program highlight: early in the training, learners participate in a shared red/blue exercise that helps connect offensive actions to observable evidence and investigation practice.
Track design

Two tracks, one coherent hiring story

Learners choose a clear area of focus while still graduating with a shared foundation in modern cybersecurity practice, communication, and operational readiness.
Cybersecurity track · 75 learners

Offense with defensive accountability

  • Wks 3–4: Recon Pt 1 & 2 — Nmap, Masscan, OSINT, asset catalog, vuln sweep, attack surface map
  • Wk 5: Web attacks — OWASP, SQLi/XSS, Burp + SQLmap, remediation-ready reporting
  • Wks 6–7: Exploitation & automation — Metasploit chains, Python tool chaining, logged AI-assisted workflow
  • Wk 7: Passwords & social engineering — Hashcat, Gophish, ethics-gated ROE
  • Wks 8–9: AD attack paths — BloodHound, graph analysis, mitigation mapping
  • Wk 10: Priv-esc / EDR evasion — LotL tradeoffs, visibility, detected vs undetected paths
  • Wk 11: C2 & OPSEC — minimal Sliver/Mythic, teardown discipline, Blue-team review
  • Wk 12: Detection-aware offense — Sysmon, ELK/Wazuh mapping, “what to monitor” list per TTP
Key principle: every offensive week includes detection thinking and reporting, not just tool use.
Security+ · CySA+ · CASP+ · MITRE ATT&CK
Digital forensics track · 25 learners

Evidence, timelines, and defensible analysis

  • Wk 3: Chain of custody & imaging deep-dive — full SOP, write blocker practice, hash validation, no-boot handling
  • Wk 4: Windows artifacts — registry, event IDs, timeline stitching, Red recon artifact analysis
  • Wk 5: Linux / macOS artifacts — unified logs, plists, cross-OS correlation
  • Wk 6: Unified timelines & rapid triage — Plaso, Timesketch, manifest discipline
  • Wks 7–8: AI-assisted triage pipeline — local/offline only, derived artifacts only, legal admissibility and validation
  • Wk 9: Memory forensics — Volatility, process tree correlation, triage report
  • Wk 10: Malware analysis — static triage, sandbox awareness, defensive recommendations
  • Wk 11: Mobile forensics — AFU/BFU decision tree, ALEAPP/ILEAPP, privacy and scope memo
  • Wk 12: VM & cloud artifacts — audit-log correlation, privacy boundaries, retention logic
Lab design: the digital forensics hardware setup is intentionally lean and purpose-built, emphasizing RAM, SSD capacity, write blockers, removable media, and mobile-device workflows over unnecessary extras.
Security+ · CySA+ · CASP+ · Chain of custody
Cross-cutting layer

AI integration as professional discipline

  • Not a standalone module. AI is embedded throughout the program as a visible, logged, validated workflow.
  • Cybersecurity: AI supports variants, drafting, and workflow acceleration with explicit validation checks.
  • Digital forensics: local or offline use only, with derived artifacts and strong evidence boundaries.
  • Both tracks: learners practice responsible AI usage, governance, and documented review habits.
  • Career framing: graduates learn how to supervise and evaluate AI-enabled workflows, not simply rely on them.
Audit logs · Validation · Governance · Defensible use
A differentiator of the program is teaching AI as accountable operational practice, not novelty tooling.
Operating model

A layout designed to support good decisions

The program is designed to be practical to deliver, realistic in cost, and strong in learner support, making it relevant to students, instructors, partners, and investors alike.
Delivery model

Rotational hybrid keeps the current room footprint viable

The program does not require larger classrooms if delivery is structured around scheduled hybrid rotation instead of full-cohort physical attendance. Concept sessions remain virtual for all learners, while in-person space is reserved for the highest-value lab moments, guided practice, and collaborative exercises.

Classroom strategy
  • Sunday concept: fully virtual for all learners
  • Mon–Thu labs: hybrid all day, with controlled physical attendance
  • All three groups are hybrid: no fully remote group
  • Thursday: comparison, demos, and reporting anchor
  • All groups stay synchronized by week
Track priority
  • Digital forensics: priority access during hardware-dependent weeks
  • Cybersecurity: rotates in-person participation for guided labs, debugging, and applied work
  • Online participation: synchronous, structured, and artifact-driven
  • Physical presence is scheduled, not assumed
Bottom line: the main challenge is not real estate. It is thoughtful hybrid orchestration, group synchronization, and strong learner support.
Lab infrastructure — cost model

Lean, reusable, and aligned to the real training need

  • Virtual / cloud lab stack: approximately $10–15 per learner per month for core range access, shared infrastructure, and platform costs
  • Monthly virtual cost: approximately $1,000–1,500 across the full cohort of 100 learners
  • 4-month cohort virtual cost: approximately $4,000–6,000
  • DFIR shared hardware kit (25 total): lean, purpose-built kit focused on imaging and mobile forensics rather than a full sysadmin or networking toolkit
  • Target hardware priority: sufficient RAM and SSD capacity for VM-heavy workflows, plus write blockers, removable media, and limited mobile devices for DFIR lab use
  • Estimated DFIR hardware cost: approximately $125–200 per kit = roughly $3,125–5,000 one-time
  • Wireless routers and extra networking accessories: optional backup equipment only, not standard per-kit requirements
  • Additional classroom cost: none required
Total Cohort 1 infrastructure cost: approximately $7,125–11,000
Future cohort cost: approximately $4,000–6,000
Staffing & assessment

Built for parity across in-room and online learners

  • Core delivery: 1 virtual concept session + hybrid labs across 3 groups
  • Wks 0–2: Lead Instructor ×1, Support Instructor ×2, TA support
  • Wks 3–12: Lead Instructor ×1, Support Instructor — Cybersecurity ×1, Support Instructor — Digital Forensics ×1, minimum 3 TAs, preferred 4–5 TAs
  • Wks 13–16: Support Instructor — Cybersecurity and Support Instructor — Digital Forensics jointly support capstone execution; Lead Instructor oversees instructional coherence, standards, and selected live touchpoints
  • Instructional model: Lead Instructor sets standards and approves direction; Support Instructors own applied execution; Teaching Assistants provide daily support, grading workflows, and early risk visibility
  • Hybrid facilitation rule: one person owns the room, one owns the online experience
  • Assessment: identical deliverables and grading standards regardless of participation mode
1 lead + 2 support Instructors · 3–5 TAs · Hybrid parity · Artifact-based
Outcomes

What all graduates can do

  • Log triage and SIEM-style detection thinking
  • Incident-response reasoning and MITRE ATT&CK mapping
  • Windows/Linux administration basics with VM fluency
  • Python, PowerShell, and Bash automation in documented workflows
  • Executive reporting with remediation logic and AI governance awareness
  • Applied collaboration with both technical and investigative perspective
SOC analyst L1/L2 · IR analyst · DFIR analyst · Jr. threat hunter · Jr. pen tester
Market positioning

How this should be framed externally

  • Single umbrella credential: Cybersecurity Analyst (SOC/IR) with specialization line
  • Digital forensics framed as IR: strong fit for banks, telcos, and compliance-heavy environments
  • Cert sequence: Security+ and CySA+ as near-term baseline; CASP+ as stretch path
  • AI fluency: governed, validated AI practice becomes a concrete differentiator
  • Portfolio over certs: capstone artifacts create decision-ready evidence for employers and partners
Risk mitigation

Critical flags to manage early

  • Evidence habits must begin in Wk 1, not Wk 3
  • Detection thinking must remain mandatory in the cybersecurity track
  • AI audit logging must be visible from the first week
  • Offline VM materials should exist before launch
  • DFIR hardware scheduling should be published before Week 0
  • Hybrid parity is operational, not optional
Instructional team

Roles & responsibilities

The program operates through a four-role instructional system designed to maintain high standards while distributing execution, learner support, and track-specific leadership clearly.

Instructional roles

Each role is clearly defined with distinct responsibilities across curriculum, delivery, and learner support.

Lead Instructor · Support Instructor — Cybersecurity · Support Instructor — Digital Forensics · Teaching Assistant
System model

How the system works

  • Lead Instructor defines standards, approves curriculum direction, and leads selected concept sessions
  • Support Instructors own applied delivery, labs, and track execution
  • Teaching Assistants provide daily support, grading workflows, and early risk visibility
Clear separation of roles ensures quality, speed, and consistency across the program.