Maputo
Mozambique
- Zivile Necejauskaite
- Angel Draev
- Ghazi Mabrouk
Intermediate
Event Organizer(s)
Description
This 4.5-day course, organised by the ITU, NRD Cybersecurity and INTIC Mozambique, provides a comprehensive and practical approach to building, modernising, and strengthening national and sectoral Cyber Security Incident Response Teams (CSIRTs) and Security Operations Centers (SOCs). Designed to address today’s evolving threat landscape, the programme combines strategic frameworks with hands-on technical training to equip participants with the skills needed to design, implement, and sustain effective cybersecurity operations.
Participants will explore governance models, define CSIRT and SOC mandates, and align operations with international standards such as NIST, ISO/IEC 27035, and MITRE ATT&CK. Through practical workshops, they will gain experience with tools including IntelMQ, MISP, Shuffle, RTIR, and IntelOwl, while applying their knowledge to real-world scenarios such as ransomware, phishing, and advanced persistent threats.
The course empowers participants to develop scalable and resilient operations, establish SOPs and playbooks, optimise workflows, define measurable KPIs, and strengthen collaboration and continuous improvement mechanisms.
Thanks to funding from the European Union’s Global Gateway initiative, selected applicants may participate free of charge. This includes accommodation, meals, and organised activities. Participants or their organisations are responsible for travel expenses to Maputo, Mozambique, and any applicable visa costs.
This course is intended for professionals responsible for establishing, managing, or enhancing organizational cybersecurity operations, including:
- Government officials and policymakers in charge of cybersecurity strategies, policies, CSIRTs and SOCs.
- Security managers and directors.
- Incident response team leads and members.
- IT and network security administrators transitioning to SOC/CSIRT management roles.
- Organizational leaders and decision-makers involved in cybersecurity governance.
- Representatives from SADC countries who are going to be responsible for sectoral CSIRT establishment are particularly encouraged to apply.
Qualifications or experience needed to participate in this training course:
- At least 5 years of IT technical or management experience.
- At least 2 years of Cybersecurity experience.
- At least 2 years of responsibilities for handling projects or changes, including planning, procurement and implementation..
- Participants must have a foundational understanding of cybersecurity principles and best practices.
- Practical awareness of SOC workflows and procedures.
- Experience or knowledge of commonly used SOC technologies.
Selection criteria:
- Applicants must hold a managerial or leadership position in IT, cybersecurity, or risk management in the organization.
- Must be actively involved in designing, implementing, or modernizing SOC capabilities. Organizations should either be in the process of establishing SOC or modernizing an existing SOC.
- Have the authority to approve SOC technologies and tools, make decisions about staffing and skill development, influence in SOC policy and procedures development.
- Industry and sector relevance for the organization, i.e. from CI or CII in their country.
- Preference for organizations with a clear mandate to improve national or sectorial cybersecurity resilience.
- Complete the application questionnaire and attach an up-to-date CV, a recommendation letter from their employer, or a motivation letter.
Government officials and policymakers from developing countries, particularly women, are encouraged to apply. Selection will be conducted by the course organizers, who will consider the above entry requirements along with an analysis of the application questionnaire and the recommendation/motivation letter of each applicant.
The course is limited to: 30 participants
Upon completion of this course, participants will be able to:
- Integrate national or sectoral CSIRT and SOC functions into the overall security strategy of their organization, while establishing governance models and operational frameworks that align with industry standards and best practices.
- Develop a clear national or sectoral CSIRT/SOC design, define the scope of operations, and craft a mission statement for their cybersecurity operations.
- Design and implement roadmaps for setting up or modernizing national or sectoral CSIRTs and SOCs, including resource planning, staffing, budgeting, and defining critical success factors.
- Foster a culture of proactive security and collaboration with internal stakeholders and external entities by promoting knowledge sharing across teams, ensuring continuous resilience and adaptability in the face of evolving challenges.
- Evaluate the effectiveness of existing national or sectoral CSIRT and SOC capabilities to identify areas for improvement and enhance overall cybersecurity operations.
The training course utilises integrates theoretical knowledge with practical application to ensure an engaging and effective learning experience. The course consists of 10 sessions, each consisting of a structured presentation by an experienced practitioner followed by group discussion or practical exercises. Some exercises will be done in groups, others individually. At the end of each day, a review will be conducted to reinforce the key takeaways.
The methodology is structured around the following key components:
- Lectures: Each session includes expert-led discussions that provide foundational knowledge and real-world insights, supported by visual aids, case studies, and structured explanations to help participants grasp complex concepts.
- Hands-On Exercises: Participants will engage in practical activities such as simulations, scenario-based tasks, and group exercises to reinforce their learning and develop applicable skills. These exercises are designed to mimic real-world challenges and provide immediate feedback.
- Case Studies: Real-world examples and success stories are integrated to demonstrate best practices and offer a practical understanding of how theoretical concepts are applied in operational environments.
- Team Activities: Group discussions and exercises assignments encourage collaboration and foster problem-solving skills, especially in team dynamics and decision-making contexts.
- Discussion and Q&A Sessions: Dedicated time is provided for interactive discussions and questions to ensure participants can clarify doubts and engage directly with instructors and peers.
Participants will be graded based on their engagement to the practical exercises, and final exam score, as defined in the table below.
The final exam will consist of work group (maximum 5 participants per group) assignment to analyse some case studies and to simulate and plan the corresponding scenarios. The case study will be related to CSIRT/SOC resource management.
The attendance of all sessions is mandatory.
Weighting (%)
Active participation in sessions 10 %
Contribution in the practical exercises 40 %
Final exam (group work assignment) 50 %
Total 100%
A total score of 70% or higher is required to obtain the ITU certificate.
Day 1 – Foundations of Cybersecurity Teams
- Session 1: Introduction to Cybersecurity Teams
- Session 2: Preparing for Cybersecurity Team Establishment and Enhancement
- Session 3: Defining the CSIRT/SOC Mandate and Operational Model
Practical exercise: Development of a national CSIRT mandate for a fictional country (“Mountlandia”)
Day 2 – Incident Management in Practice
- Session 4: Mastering Incident Management
- Session 5: Incident Management Tabletop Exercise (TTX)
Day 3 – Threat Intelligence, Collaboration, and Maturity
- Session 6: Network Monitoring and Cyber Threat Intelligence
- Session 7: Building Strong Cybersecurity Collaborations
- Session 8: Measuring Cybersecurity Team Maturity
Practical exercise: SIM3 assessment simulation
Day 4 – Case Study and Applied Learning
- Session 9: Group Case Study
Day 5 – Finalization and Certification
- Course Review and Q&A
- Final Group Presentations
- Closing Ceremony
Tutors
Registration information
Unless specified otherwise, all ITU Academy training courses are open to all interested professionals, irrespective of their race, ethnicity, age, gender, religion, economic status and other diverse backgrounds. We strongly encourage registrations from female participants, and participants from developing countries. This includes least developed countries, small island developing states and landlocked developing countries.
