# Hands-On vs Lecture-Based Cybersecurity Training: Which Builds Skills

By Charles Givre · 2026-07-17

> Hands-on vs lecture-based cybersecurity training: what the retention research says, why security skills are procedural, and how to vet a vendor's lab claims.

If you are buying training for a security team, the format matters more than the syllabus. Two courses can cover the same MITRE ATT&CK techniques, the same detection methods, the same tools, and produce completely different results depending on whether your people spent the week watching or doing.

The marketing does not help. Nearly every vendor now calls their training "hands-on." Some of it is. A lot of it is a lecture with a screen share.

## What the Research Actually Says

Skip the "learning pyramid" you have seen on a hundred slides, the one claiming people remember 10% of what they read and 90% of what they do. Those numbers have no empirical source. They were fabricated and repeated until they looked like fact.

The real evidence is better and more specific. A 2014 meta-analysis of 225 studies across STEM education ([Freeman et al., PNAS](https://doi.org/10.1073/pnas.1319030111)) found that active learning cut exam failure rates from 33.8% under traditional lecturing to 21.8%, and improved exam scores by roughly 0.47 standard deviations. The authors noted that if these had been drug trials, the results would have justified stopping the study early to switch everyone to the better treatment.

Retention is the other half. The Ebbinghaus forgetting curve describes how quickly memory of new material decays without retrieval practice. A lecture is pure exposure. A lab forces retrieval and application, which is why the skills stick.

## Security Skills Are Procedural, Not Declarative

Here is the part specific to our field. Most of what a security professional needs to learn is procedural knowledge: how to do something, not what something is.

You can memorize the definition of an isolation forest from a slide. That does not mean you can pick features from an auth log, set `contamination` sensibly, read the raw anomaly scores, and decide which flagged events are worth an analyst's time. You can watch someone explain [prompt injection](/blog/prompt-injection-explained). That does not mean you can craft a payload that bypasses a system prompt. You can hear about C2 beaconing. Detecting it in your own [Zeek](https://zeek.org/) `conn.log` is a different skill entirely, as our walkthrough on [hunting C2 beaconing with Python](/blog/hunting-c2-beaconing-python) shows.

Procedural skills are acquired through reps. There is no shortcut, and watching an expert do it is not a rep.

## What Lab-Based Training Looks Like

Real hands-on security training puts the student in a live environment against realistic data and asks them to produce something. A few concrete examples:

- **Detection engineering.** Write a [Sigma](https://github.com/SigmaHQ/sigma) rule, then test it against emulated adversary behavior from [Atomic Red Team](https://github.com/redcanaryco/atomic-red-team) or [MITRE Caldera](https://github.com/mitre/caldera). A rule that fires on `T1059.001` PowerShell execution is easy to write and easy to get wrong:

  ```yaml
  detection:
    selection:
      Image|endswith: '\powershell.exe'
      CommandLine|contains:
        - '-enc'
        - 'FromBase64String'
    condition: selection
  ```

  You only learn where that rule produces false positives by running it against real telemetry.

- **Applied ML for detection.** Load logs into a [pandas](https://pandas.pydata.org/) DataFrame in [Jupyter](https://jupyter.org/), engineer features, fit a model from [scikit-learn](https://scikit-learn.org/), and evaluate it on held-out data. The evaluation step, precision versus recall on your own data, is where the learning happens.

- **AI red-teaming.** Run prompt injection and jailbreak payloads against a local model with [Ollama](https://ollama.com/), then scan it systematically with [garak](https://github.com/NVIDIA/garak). Our [prompt injection lab](/blog/ai-red-teaming-tips-for-beginners) works exactly this way.

In every case the student walks away with an artifact: a working notebook, a tested rule, a documented finding. That is the tell. If the deliverable is a completed slide deck, it was a lecture.

## Where Lectures Still Earn Their Place

Format should match the goal. Lectures are the right tool when the objective is understanding rather than muscle memory. An executive AI risk briefing, a governance framework walkthrough, a threat modeling discussion, an introduction to an unfamiliar domain: these are conceptual, and structured lecture plus discussion works well. Our [executive AI training](/courses/executive-ai-guide) is deliberately built this way, because a CISO needs to make good decisions, not tune a classifier.

The failure mode is using lecture format to teach a skill. No amount of watching someone build a detection pipeline builds one in your team's hands.

## How to Vet a Vendor's "Hands-On" Claim

Since most vendors claim hands-on, make them prove it. Ask:

- What percentage of class time is students in a lab versus watching the instructor?
- What environment do the labs run on, and do students keep access after the course?
- Can you see a sample exercise, and what artifact does the student produce?
- Does every student get their own environment, or does the instructor drive while everyone watches?

A vendor running genuine labs answers these easily. One that dodges them is selling a presentation.

GTK Cyber's courses run on a proprietary lab platform where every student works in their own environment against real security data, taught by practitioners who do this work. The [Applied Data Science and AI for Cybersecurity](/courses/applied-data-science-ai) course and the [AI Cyber Bootcamp](/courses/ai-cyber-bootcamp) are built around exercises, not slides. If you are evaluating training for your team, ask us to show you a lab.

## FAQ

### Is hands-on cybersecurity training more effective than lecture-based training?

For procedural skills, yes. A 2014 meta-analysis of 225 studies (Freeman et al., PNAS) found that active learning cut exam failure rates from 33.8% under traditional lecturing to 21.8%, and raised exam scores by about 0.47 standard deviations. Security operations work is almost entirely procedural: tuning a detection model, writing and testing a Sigma rule, pivoting through data in Jupyter, running a prompt injection payload. You do not learn those by watching. Lectures are still useful for concepts, mental models, and executive-level strategy, but skill acquisition needs reps on real tooling.

### What does lab-based security training actually involve?

Students work in a live environment against real or realistic data, not slides. Concrete examples: loading Zeek conn.log into a pandas DataFrame and building an IsolationForest to flag beaconing, writing a Sigma rule and testing it against emulated adversary activity from Atomic Red Team or MITRE Caldera, or running prompt injection payloads against a local model with Ollama and scanning it with garak. The measure of a good lab is whether the student produces a working artifact (a notebook, a rule, a finding) rather than a completed slide deck.

### How do I tell if a vendor's 'hands-on' training is actually hands-on?

Ask what percentage of class time students spend in a lab versus watching an instructor, what environment the labs run on and whether students keep access afterward, and to see a sample exercise. Ask what artifact the student walks away with. Vendors that demo the instructor 'driving' while students watch are running a lecture with a screen share. Real hands-on training gives every student their own environment and their own keyboard.

### When is lecture-based security training the right format?

For conceptual and strategic content where the goal is understanding, not muscle memory. Executive AI risk briefings, governance frameworks, threat modeling discussions, and introductions to a new domain all work well as structured lecture plus discussion. The mistake is using lecture format to teach a skill: no amount of watching someone tune a model teaches you to tune a model.

### Why do people forget most of what they learn in a training course?

The Ebbinghaus forgetting curve: without retrieval practice, memory of new material decays sharply within days. Passive exposure in a lecture is especially fragile. Hands-on practice forces retrieval and application, which is why lab-based skills stick longer. This is also why one-off training events underperform programs that include follow-up exercises or access to a lab environment after the course ends.


---

Canonical: https://gtkcyber.com/blog/hands-on-vs-lecture-based-security-training/