July 5, 2026
Become a Defender: Stepping into Defensive Security
By Jonathan Sanfer
Introduction
Welcome to my walkthrough of the room Become a Defender, the final hands-on challenge within the Attacks and Defenses module, and the ultimate milestone of TryHackMe's Pre Security pathway!
In my previous article, Become a Hacker, we stepped into the shoes of an attacker to explore how vulnerabilities are systematically mapped out, chained together, and exploited using tools like Gobuster and Hydra. In this room, we pivot completely back to the side of protection. We take off the attacker's lens and step into the role of the Blue Team.
We explore how to gain complete visibility into an infrastructure, map system components using real-world analogies, and deploy layered security controls to stop threats before they cause harm.
What we will cover
- Defensive Frameworks: Defining the core responsibilities of the Blue Team and the alignment with the CIA Triad.
- Infrastructure Mapping: Gaining environmental visibility by translating abstract network assets into an intuitive city structural layout.
- Layered Defense Deployment: Mitigating active threat vectors by matching specific system vulnerabilities with robust tactical protections.
Room Information
Before setting up our defensive perimeters, let's document our structural target properties.
- Room Name: Become a Defender
- Path: Pre Security
- Module: Attacks And Defenses
- Topic: Introduction / Walkthrough
- Difficulty: Easy
- Room Link: TryHackMe - Become a Defender
Task 1: What Is Defensive Security?
Defensive Security is the practice of proactively understanding what digital assets need to be protected and implementing precise security measures to prevent, detect, and mitigate the impact of cyber attacks. The ultimate goal is ensuring system visibility, identifying structural weak points, and maintaining the core pillars of the CIA Triad: Confidentiality, Integrity, and Availability.
While ethical hackers look for the one single crack in the wall to exploit, defenders, often referred to as the Blue Team, must protect the entire perimeter. To do this effectively, a defender must learn to think like an attacker, anticipate their goals, and understand the paths they take to compromise an environment.
Task 2: Understanding Your Environment
Before you can protect an infrastructure, you must have absolute visibility into what exists inside it. A powerful way to conceptualize this scope is to view your client's network infrastructure as a bustling city. Just as city guards must know the layout, monitor the streets, and secure the gates, cyber defenders must understand how devices, servers, and networks interconnect.
Translating the City Analogy to Cybersecurity:
|--------------------------------------+-------------------------------------+-------------------------------------------|
| Defensive Question | City Analogy | Security Equivalent |
|--------------------------------------+-------------------------------------+-------------------------------------------|
| What are you protecting? | Homes, buildings, people | Client servers, data, workstations, users |
| Can you see what you protect? | Cameras, reports, patrols | Logs, network traffic, alerts |
| What classifies suspicious behavior? | Locked door attempts, circling cars | Repeated logins, unusual IP addresses |
| How do you stop a threat? | Police, blocked roads, curfews | Firewall rules, IP address blocking |
|--------------------------------------+-------------------------------------+-------------------------------------------|
Foundational Security Concepts:
- Prevention: Putting controls in place to stop attacks before they happen (e.g., firewalls, antivirus, software patching).
- Detection: Monitoring traffic and logs to identify malicious behavior actively.
- Mitigation: Taking immediate actions during an active incident to limit damage (e.g., isolating compromised endpoints).
- Analysis: Investigating the post-incident logs to discover the root cause and scope of the breach.
- Response & Improvement: Recovering normal operations and hardening defenses to prevent recurrence.
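To make the Detection and Mitigation concepts above concrete, here is an added example (my own illustration, not part of the TryHackMe room) that runs over a handful of constructed sshd log lines: it counts failed logins per source address inside a sliding time window, flags sources that cross a threshold (the "repeated logins, unusual IP addresses" row of the table), and turns each finding into a firewall block rule, escalating when a flagged source later logs in successfully. The log lines, threshold, window and the iptables rule format are assumptions chosen for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth.log lines for this example (not captured from the room).
# Syslog timestamps carry no year, so the parser assumes one.
SAMPLE_LOG = """\
Jul  5 10:00:01 web01 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Jul  5 10:00:03 web01 sshd[2102]: Failed password for root from 203.0.113.7 port 51023 ssh2
Jul  5 10:00:04 web01 sshd[2103]: Failed password for root from 203.0.113.7 port 51024 ssh2
Jul  5 10:00:06 web01 sshd[2104]: Failed password for root from 203.0.113.7 port 51025 ssh2
Jul  5 10:00:07 web01 sshd[2105]: Failed password for root from 203.0.113.7 port 51026 ssh2
Jul  5 10:00:09 web01 sshd[2106]: Accepted password for root from 203.0.113.7 port 51027 ssh2
Jul  5 10:01:00 web01 sshd[2110]: Failed password for alice from 192.168.1.20 port 40001 ssh2
Jul  5 10:01:30 web01 sshd[2111]: Accepted publickey for alice from 192.168.1.20 port 40002 ssh2
Jul  5 10:30:00 web01 sshd[2120]: Failed password for bob from 198.51.100.9 port 33001 ssh2
Jul  5 10:45:00 web01 sshd[2121]: Failed password for bob from 198.51.100.9 port 33002 ssh2
"""

# Matches the two sshd outcomes we care about; other sshd lines are ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \S+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse_auth_log(text, year=2026):
    """Visibility step: turn raw log lines into structured events."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "ip": m["ip"], "user": m["user"],
                       "ok": m["result"] == "Accepted"})
    return events


def detect_brute_force(events, threshold=5, window=timedelta(minutes=5)):
    """Detection step: a source that fails `threshold` times inside `window`
    is suspicious. Also record whether it later succeeded, which turns an
    alert into an incident."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        recent_failures = []
        for e in evs:
            if not e["ok"]:
                recent_failures.append(e["ts"])
                # Keep only failures that fall inside the sliding window.
                recent_failures = [t for t in recent_failures if e["ts"] - t <= window]
                if len(recent_failures) >= threshold:
                    findings[ip] = {"failures": len(recent_failures), "success_after": False}
            elif ip in findings:
                findings[ip]["success_after"] = True
    return findings


def propose_mitigations(findings):
    """Mitigation step: a block rule per brute-forcing source (rule format is
    an assumption), plus an escalation when the attacker eventually got in."""
    actions = []
    for ip, f in sorted(findings.items()):
        actions.append(f"iptables -I INPUT -s {ip} -j DROP")
        if f["success_after"]:
            actions.append(f"ESCALATE: successful login from {ip} after {f['failures']} failures; "
                           "treat the account as compromised, reset credentials, review the session")
    return actions


if __name__ == "__main__":
    findings = detect_brute_force(parse_auth_log(SAMPLE_LOG))
    for ip, f in findings.items():
        print(f"{ip}: {f['failures']} failures in window, success afterwards: {f['success_after']}")
    for action in propose_mitigations(findings):
        print(action)
```

In the sample, only 203.0.113.7 crosses the threshold: five failures within eight seconds, followed by a successful root login, which is why the block rule alone is not enough and the account gets escalated. The two failures from 198.51.100.9 are fifteen minutes apart and never fall inside the same window, so the threshold and window together are what separate a typo from an attack.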
Guided Walkthrough: Mapping the City
We launch the integrated interactive lab site to explore the client's city layout. The lab presents us with a drag-and-drop structural puzzle where we must align real-world network infrastructure tags with their corresponding architectural features inside the defensive perimeter wall.
To successfully map the city environment, we evaluate the layout based on our structural knowledge:
- Employee Devices: Dropped over the residential houses in the upper left section.
- Web Server: Placed on the public-facing storefront endpoint on the left.
- Mail Server: Assigned to the large central administrative hub.
- Firewall: Dragged directly onto the fortified perimeter gate at the bottom.
- Internet: Placed outside the city walls to represent external untrusted space.
Once the final label is dragged outside the defensive perimeter, the verification mechanism triggers a success prompt and reveals the hidden network asset flag.
Questions and Answers
What is the goal when a defender puts security controls in place to stop threats before any damage occurs?
Answer:
Prevention
What process involves reviewing logs and evidence to understand how an incident happened and what was impacted?
Answer:
Analysis
What flag did you receive after successfully mapping your city infrastructure?
Answer:
THM{mapping_infrastructure!}
Task 3: Defending Your Environment
In defensive security, we must counter the concept of vulnerability chaining. Attackers rarely stop at a single system: they compromise one minor entry point, harvest credentials, and pivot laterally through the network chain to reach high-value targets. Blue teams counter this by applying a layered defense strategy, ensuring that if one control fails, secondary layers stand ready to halt the threat.
Available Defenses: Matching Threats to Controls
|------------------+-------------------------------------------+----------------------------------------------|
| System Component | What Could Go Wrong | Defenses You Will Use |
|------------------+-------------------------------------------+----------------------------------------------|
| Employee Devices | Users download malicious attachments | Antivirus software & regular patching |
| Web Server | Attackers attempt exploit injections | Secure traffic filtering & encryption |
| Mail Server | Deceptive phishing emails arrive | Spam filters & automated attachment scans |
| Firewall | Unauthorized external connection requests | Strict access rules & IP threat blocks |
| The Internet | Multi-vector inbound perimeter threats | Restrict inbound traffic & active monitoring |
|------------------+-------------------------------------------+----------------------------------------------|
Guided Walkthrough: Hardening the City
In this next lab phase, our focus shifts from visibility to active mitigation. We are presented with another drag-and-drop environment, but this time we must deploy the correct security controls to the specific infrastructure assets we mapped earlier.
To harden our city against potential threats, we match our defenses strategically:
- Employee Devices: Secured by dropping Antivirus and Software Updates to neutralize bad programs.
- Web Server: Shielded with Allow Trusted Traffic and Use Secure Communication to filter web injections.
- Mail Server: Hardened by deploying Spam Filters and Scan Attachments to drop malicious emails.
- Firewall: Configured by dragging Block Known Bad IP Addresses directly to the perimeter gate.
- Internet: Monitored by placing Monitor Traffic for Suspicious Activity in the external space outside the walls.
As the final monitoring control is dropped in place outside the city walls, the defensive layers successfully align, halting the simulated attack chain and generating our room flag.
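The drag-and-drop lab shows which control goes where; the added example below (my own code, not part of the room) shows why the order of the layers matters. It models the three controls we just placed as functions evaluated in sequence for every inbound connection: Block Known Bad IP Addresses, then Allow Trusted Traffic combined with Use Secure Communication as a per-asset allowlist of exposed encrypted services, then a default deny, with Monitor Traffic for Suspicious Activity logging what each layer stopped. The address ranges, asset names and exposed ports are assumptions made for the example.

```python
import ipaddress

# Constructed policy for the city's assets (assumptions for this example,
# not the room's configuration). All addresses are documentation ranges.
KNOWN_BAD_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]   # "Block Known Bad IP Addresses"
TRUSTED_ADMIN_NETWORK = ipaddress.ip_network("192.168.1.0/24")  # internal staff range

# "Allow Trusted Traffic" + "Use Secure Communication": each asset exposes only
# the services it is meant to, on their encrypted/authenticated ports.
EXPOSED_SERVICES = {
    "web_server": {("tcp", 443)},                  # HTTPS only, no plaintext port 80
    "mail_server": {("tcp", 25), ("tcp", 587)},    # SMTP delivery and submission
    "employee_devices": set(),                     # nothing reachable from the Internet
}


def layer_block_known_bad(src):
    """Layer 1 (firewall): drop anything from a known-bad range."""
    return any(src in net for net in KNOWN_BAD_NETWORKS)


def layer_exposed_service(asset, proto, port):
    """Layer 2 (per-asset allowlist): is this service meant to be public?"""
    return (proto, port) in EXPOSED_SERVICES.get(asset, set())


def layer_admin_access(src, proto, port):
    """Layer 3: SSH management only from the internal admin range."""
    return proto == "tcp" and port == 22 and src in TRUSTED_ADMIN_NETWORK


def evaluate_inbound(src_ip, asset, proto, port):
    """Pass one connection request through the layers in order.
    Returns (decision, name of the layer that decided)."""
    src = ipaddress.ip_address(src_ip)
    if layer_block_known_bad(src):
        return ("deny", "block_known_bad_ips")
    if layer_exposed_service(asset, proto, port):
        return ("allow", "allow_trusted_traffic")
    if layer_admin_access(src, proto, port):
        return ("allow", "admin_network")
    return ("deny", "default_deny")   # the layer that catches whatever the others missed


def monitor(requests):
    """'Monitor Traffic for Suspicious Activity': evaluate every request, keep a
    log of which layer decided it, and count denials per source so a source
    probing many closed ports stands out."""
    log, denies = [], {}
    for src_ip, asset, proto, port in requests:
        decision, layer = evaluate_inbound(src_ip, asset, proto, port)
        log.append((src_ip, asset, f"{proto}/{port}", decision, layer))
        if decision == "deny":
            denies[src_ip] = denies.get(src_ip, 0) + 1
    return log, denies


# Constructed inbound requests: (source, asset, protocol, port)
SAMPLE_REQUESTS = [
    ("203.0.113.7", "web_server", "tcp", 443),        # listed bad IP, even to a public port
    ("198.51.100.9", "web_server", "tcp", 443),       # ordinary visitor over HTTPS
    ("198.51.100.9", "web_server", "tcp", 80),        # plaintext HTTP is not exposed
    ("198.51.100.9", "web_server", "tcp", 22),        # SSH from the Internet: unknown IP...
    ("192.168.1.20", "web_server", "tcp", 22),        # ...but allowed from the admin range
    ("198.51.100.9", "employee_devices", "tcp", 445), # SMB to a workstation: never public
    ("198.51.100.9", "mail_server", "tcp", 25),       # inbound mail delivery
]

if __name__ == "__main__":
    log, denies = monitor(SAMPLE_REQUESTS)
    for entry in log:
        print(*entry)
    print("denials per source:", denies)
```

The point to notice is the fourth request: 198.51.100.9 is on no block list, so the first layer lets it through, yet its SSH attempt against the web server is still stopped because SSH is not an exposed service and the source is not on the admin network. That is the layered-defense idea from the start of this task in miniature, and the per-source denial count is the raw material the monitoring control would alert on.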
Questions and Answers
Which defender principle focuses on identifying the most critical systems to guide security efforts and focus?
Answer:
Risk Prioritization
What flag did you receive after successfully defending your city's infrastructure?
Answer:
THM{defensive_techniques!}
Summary & Key Takeaways
Congratulations on hardening your first enterprise infrastructure network! By successfully completing this room, you have crossed the finish line of the entire Pre Security learning path. You now hold a comprehensive foundational understanding of how computing systems communicate, how attackers approach networks, and how blue teams step up to protect critical infrastructure.
Tactical Terms Recap:
- Blue Team: Dedicated security practitioners focused on asset protection and incident response.
- Visibility: The absolute baseline of security; knowing precisely what is running on your network.
- Layered Defense: Utilizing multiple independent security controls to reduce single points of failure.
Potential Career Opportunities:
- SOC Security Analyst: Working on the front lines to monitor alerts and detect suspicious infrastructure activity.
- Threat Intelligence Analyst: Researching emerging adversarial threat trends to proactively prepare corporate defenses.
- DFIR Specialist: Leading digital forensic investigations to analyze breaches, contain active threats, and rebuild compromised nodes.
Key lessons:
- Defense Requires Visibility: You cannot protect what you do not know exists. Building an accurate asset inventory and mapping relationships between components is always a defender's first step.
- Think Like an Adversary: Effective prevention relies on threat anticipation. By analyzing systems through the lens of an attacker's exploit chain, defenders can deploy strategic controls at key intercept points.
- Security is Continuous: Cyber defense is never a static, one-time configuration. As new software exploits emerge and threat landscapes shift, blue teams must continuously adapt, prioritize risks, and refine their analysis patterns.