If you are buying training for a security team, the format matters more than the syllabus. Two courses can cover the same MITRE ATT&CK techniques, the same detection methods, the same tools, and produce completely different results depending on whether your people spent the week watching or doing.
The marketing does not help. Nearly every vendor now calls their training “hands-on.” Some of it is. A lot of it is a lecture with a screen share.
What the Research Actually Says
Skip the “learning pyramid” you have seen on a hundred slides, the one claiming people remember 10% of what they read and 90% of what they do. Those numbers have no empirical source. They were fabricated and repeated until they looked like fact.
The real evidence is better and more specific. A 2014 meta-analysis of 225 studies across STEM education (Freeman et al., PNAS) found that active learning cut exam failure rates from 33.8% under traditional lecturing to 21.8%, and improved exam scores by roughly 0.47 standard deviations. The authors noted that if these had been drug trials, the results would have justified stopping the study early to switch everyone to the better treatment.
Retention is the other half. The Ebbinghaus forgetting curve describes how quickly memory of new material decays without retrieval practice. A lecture is pure exposure. A lab forces retrieval and application, which is why the skills stick.
Security Skills Are Procedural, Not Declarative
Here is the part specific to our field. Most of what a security professional needs to learn is procedural knowledge: how to do something, not what something is.
You can memorize the definition of an isolation forest from a slide. That does not mean you can pick features from an auth log, set contamination sensibly, read the raw anomaly scores, and decide which flagged events are worth an analyst’s time. You can watch someone explain prompt injection. That does not mean you can craft a payload that bypasses a system prompt. You can hear about C2 beaconing. Detecting it in your own Zeek conn.log is a different skill entirely, as our walkthrough on hunting C2 beaconing with Python shows.
Procedural skills are acquired through reps. There is no shortcut, and watching an expert do it is not a rep.
What Lab-Based Training Looks Like
Real hands-on security training puts the student in a live environment against realistic data and asks them to produce something. A few concrete examples:
-
Detection engineering. Write a Sigma rule, then test it against emulated adversary behavior from Atomic Red Team or MITRE Caldera. A rule that fires on
T1059.001PowerShell execution is easy to write and easy to get wrong:detection: selection: Image|endswith: '\powershell.exe' CommandLine|contains: - '-enc' - 'FromBase64String' condition: selectionYou only learn where that rule produces false positives by running it against real telemetry.
-
Applied ML for detection. Load logs into a pandas DataFrame in Jupyter, engineer features, fit a model from scikit-learn, and evaluate it on held-out data. The evaluation step, precision versus recall on your own data, is where the learning happens.
-
AI red-teaming. Run prompt injection and jailbreak payloads against a local model with Ollama, then scan it systematically with garak. Our prompt injection lab works exactly this way.
In every case the student walks away with an artifact: a working notebook, a tested rule, a documented finding. That is the tell. If the deliverable is a completed slide deck, it was a lecture.
Where Lectures Still Earn Their Place
Format should match the goal. Lectures are the right tool when the objective is understanding rather than muscle memory. An executive AI risk briefing, a governance framework walkthrough, a threat modeling discussion, an introduction to an unfamiliar domain: these are conceptual, and structured lecture plus discussion works well. Our executive AI training is deliberately built this way, because a CISO needs to make good decisions, not tune a classifier.
The failure mode is using lecture format to teach a skill. No amount of watching someone build a detection pipeline builds one in your team’s hands.
How to Vet a Vendor’s “Hands-On” Claim
Since most vendors claim hands-on, make them prove it. Ask:
- What percentage of class time is students in a lab versus watching the instructor?
- What environment do the labs run on, and do students keep access after the course?
- Can you see a sample exercise, and what artifact does the student produce?
- Does every student get their own environment, or does the instructor drive while everyone watches?
A vendor running genuine labs answers these easily. One that dodges them is selling a presentation.
GTK Cyber’s courses run on a proprietary lab platform where every student works in their own environment against real security data, taught by practitioners who do this work. The Applied Data Science and AI for Cybersecurity course and the AI Cyber Bootcamp are built around exercises, not slides. If you are evaluating training for your team, ask us to show you a lab.