How to Build a Cybersecurity Certification Program that Actually Works

Nov 07, 2024

About this episode

This episode explores how cybersecurity teams can build certification programs that do more than issue badges by focusing on real-world skill validation, hands-on practice, and measurable learner outcomes. Gabriel Hartnett and Jonathan Pereira from Darktrace discuss the rise of AI-driven attacks, the need for AI-powered defense, and how flexible training models, virtual labs, and practical certifications can improve product adoption, reduce support needs, and strengthen overall security maturity.

Transcript of the video

Jeremy Davis: Hello, everybody. Welcome to our latest webinar. We’re excited for this one. Today we’re talking about how to build cybersecurity certification programs that work. We’ll give everyone a couple of minutes to join, so grab your coffee, water, and whatever you want to use for notes. In the meantime, we’d love to hear where you’re joining from, so feel free to share in the chat.

Jeremy Davis: We’ve got people joining from San Francisco, North Georgia, Canada, and Brazil. Welcome, everyone. I think we’re ready to get started. This is going to be an interactive discussion, and I’m joined by Gabriel Hartnett and Jonathan Pereira from Darktrace. We’re excited to have both of you here. From our previous conversations, it’s clear you both bring a tremendous amount of experience in both cybersecurity and customer education, and I think everyone is going to get a lot out of this discussion.

Jeremy Davis: Before we begin, I want to get everyone warmed up with a poll question: Is a hot dog a sandwich?

Jonathan Pereira: In Brazil, it is not a sandwich.

Gabrial Hartnett: I have to disagree. Alton Brown says a hot dog is a sandwich, and I agree with him.

Jeremy Davis: The audience has spoken, and the result is no, it is not a sandwich. That may be the only lighthearted debate we have today. Now let’s get into the real conversation. For anyone in the audience who may not know Darktrace well, tell us a little about what Darktrace does and what you offer.

Gabrial Hartnett: Darktrace offers an AI security platform. We are an AI-driven security vendor providing threat detection, alerting, and response across the entire infrastructure, including network, email, and cloud. We provide automated, machine-speed response. We also approach security differently from many traditional vendors. We were among the first to bring dedicated, home-built AI into the security space. Rather than relying on rules and signatures, we work from the underlying behavioral models of the clients themselves. We use client data to determine who is doing what and when, normalize patterns of behavior across the infrastructure, and then raise alerts, notifications, and proactive machine-speed responses against novel threats across the entire platform. The goal is that we do not have to wait until someone else is hit first so rules and signatures can be rolled out. We can deal with threats that are new to your network, whether or not they have been seen before in the wild.

Jeremy Davis: That’s really interesting. Let’s get into our first discussion. It seems like there’s an AI arms race out there. On one side, you have AI-driven threat detection and defense, and on the other, AI-generated attacks. What does that battlefield look like? What are people doing? What is Darktrace doing to handle it? What should people be aware of? I was listening to a podcast this morning that mentioned a huge increase in fraud in the United States from one year to the next, with AI-generated attacks playing a major role. What is happening in that battlefield?

Gabrial Hartnett: We’ve seen the proliferation of generative AI tools like Copilot, ChatGPT, and many others, and it would be naive to think only the good guys are using them. We have seen real attacks in the wild that are AI-driven and operating at machine speed from threat actors. That means more connections, more things flying under the radar, and more activity happening simultaneously across the threat landscape—things that are extremely difficult for humans to detect. Traditional security teams are struggling to keep up.

Gabrial Hartnett: If the bad guys are using these tools, the only way to compete is for the defenders to use them too. That is where AI defense comes in. AI can operate around the clock, regardless of human availability. It can take proactive action, not just reactive action, against new and novel threats at machine speed and without requiring human intervention. That gives human teams time to catch up if something happens overnight or on the weekend. Everyone has on-call staff, but teams are always stretched thin. If you have an AI support system that can put up blocks, stop lateral movement, stop infections, and stop data exfiltration as it happens, and then alert your security team that a major incident is underway, you give every team the ability to do more with less and handle threats they could not manage with only in-house skills and tools. There is a real need for these new AI defensive tools to keep up with what threat actors are doing.

Jeremy Davis: Jonathan, what have you seen in terms of how your students are reacting to this? What defensive measures are they taking when you present the data and show them what Darktrace does? Are they having conversations around the need to step up their game?

Jonathan Pereira: Yes. Across multiple clients, we’ve observed a growing feeling that they need to become much more proactive through automation. Threat actors are using AI not just for scale, but for finesse and more advanced technical attacks. On the blue-team side, the only real response is proactive protection and automated containment. It is the same race it has always been, but now at machine speed. This is the time to use artificial intelligence to predict malicious behavior as quickly as possible and to anticipate the kinds of scenarios that AI-enabled attackers can create in any environment. Any security product or defense mechanism that wants to stay relevant in the market for the foreseeable future will need to use automation and AI to reach that level. Otherwise, we are all headed toward failure.

Jeremy Davis: That’s good to know, and I hope everyone watching is taking it seriously. Let’s shift to the courses you’re offering. Tell us a little about what you offer to students and who your users are.

Jonathan Pereira: We offer both types of training. As a company, we want our clients to get the most value from our products, so we provide public sessions about the products. We also use those sessions to talk about cybersecurity more broadly, because we operate within that larger landscape. We talk about real deployment scenarios, use cases, and defense techniques in public webinars. We also offer private sessions tailored to a client’s specific needs, where we can customize the environments and the experience just for them. And we also provide on-demand training through a course library, so users can consume knowledge when they need it and in the way that works best for them.

Jeremy Davis: Who are you working with? What kinds of people are joining these programs? Is there a specific user type, or is it really anyone and everyone?

Gabrial Hartnett: We work with people across the entire spectrum, from highly security-focused organizations to small and medium-sized businesses. We work with government, manufacturing, educational institutions, local governments, and all kinds of vendors. We serve end users, technical specialists, administrators, implementers, partners, and resellers.

Gabrial Hartnett: On the CloudShare side, we use virtual labs and on-demand learning with dedicated clients. In some cases, clients are high-security organizations and we cannot use their live environment, so we spin up environments in CloudShare and run virtual training there. That allows us to meet the needs of each client rather than delivering a one-size-fits-all program. We need to be able to offer e-learning for bite-sized, on-demand modules, live instructor-led sessions, instructor-led sessions with virtual lab support, and dedicated training for a specific audience. We have to be able to support all of that across the full landscape.

Jeremy Davis: Gabriel, you’ve been with the company for many years. How did you get started with this system? How did you build what you have today? I talk to a lot of clients who used to do all their training live and onsite, which was expensive, time-consuming, and not scalable. Tell us how you built your current approach.

Gabrial Hartnett: That is exactly where we started at Darktrace. When I joined the team, everything was done live, in person, and onsite. We would fly out every week and teach one client at a time in their own environment. Even when the client is covering airfare, hotels, and expenses, there are still all the administrative and processing costs behind the scenes. It is a very expensive training model.

Gabrial Hartnett: One of the first things I pushed for was moving to an online environment. Nearly a decade ago, there was still a strong belief that online training was inferior and that real training had to happen face to face. My question was: why does face to face on a screen not count as face to face? We could scale by doing it online—not just self-paced e-learning, but live instructor-led training online as well.

Gabrial Hartnett: I actually got into trouble at work because I ran our first online session when that was not the standard. The company wanted to maintain a high-end brand image built around live, in-person interaction. After I ran the session, I got several angry emails asking who had approved it. Then I had to explain to leadership that I had over a hundred attendees in the session from a large number of clients, and suddenly the reaction changed to, “Wait, that was really good. Let’s do more of that.”

Gabrial Hartnett: That is really the story of scaling. Everybody starts small, but as you grow, you cannot keep doing the same things you did when you were much smaller. Our online platforms let us scale.

Jeremy Davis: I can also imagine that the sales team sometimes likes onsite training because it can be packaged as a line item or used as part of a discount discussion, and then suddenly when it becomes virtual they lose that lever.

Gabrial Hartnett: It is important to note that online programs do not have to be free. Darktrace offers paid programs, and a lot of companies do. It is about providing value. We have free online sessions for clients. We have clients who want more of a guided, consulting-style experience, so we offer dedicated paid learning sessions. And for people who simply cannot schedule live training because they are wearing too many hats, we have an e-learning library.

Gabrial Hartnett: This is different from a lot of more traditional approaches. We only do well when our clients do well. We cannot sell something and then walk away. If they get hit with something or cannot use the tools effectively, that reflects back on us. So we need to make sure we are providing value wherever the client is—whether they are a small business with one or two people handling everything, or a massive organization with multiple SOC teams across multiple offices around the world that all need the same training, the same quality, and the same content. That is why we do many different things.

Jeremy Davis: That makes sense. A lot of companies offer both off-the-shelf and highly tailored training experiences, and that flexibility matters because customers are so different. You might have a small business on one end and a large enterprise on the other, and even within those organizations, individuals are at very different levels. Having a variety of classes and formats plays a major role in helping users get the information they need and feel confident using the product.

Gabrial Hartnett: Exactly. That is one of the reasons high-value training programs are difficult to build, especially in cybersecurity. Many people entering this space are not doing cybersecurity because they chose it as a career path. Executive teams tell them the company needs to get more serious about security, so someone in IT or networking suddenly gets handed a new responsibility: now they also have to do cybersecurity. They often have little to no cybersecurity training, and we have to explain that cybersecurity is an entire field of its own. It is related to networking and IT, but it is not the same thing. It involves a whole separate body of knowledge, tools, people management, and executive engagement across the estate.

Gabrial Hartnett: That makes it very difficult for people who have spent their whole careers in IT and now have to learn an entirely new language and set of tools. You have to meet clients where they are. And one of the hardest parts is that very few people will admit they do not know something. Most people think of themselves as average or baseline. Managers, team leads, and salespeople all assume their client is advanced, so they put them into advanced training. Then they show up to class and they are not actually advanced.

Jonathan Pereira: That happens often. It also reflects company culture. In some regions, the standard path is that someone from IT moves into cybersecurity and learns from the person next to them. Without off-the-shelf or on-demand training, they would be learning secondhand rather than directly from the vendor, with knowledge tied to real concepts, exact processes, and best practices.

Jonathan Pereira: When people learn from on-demand training or videos, they start to realize there is more to the field than they thought. Then they move into public webinars where we teach the product and its capabilities while also talking about cybersecurity. I have lost count of the number of times I have started a session with little engagement because people are shy and do not want to expose gaps in their knowledge. By the middle or end of the class, the number of questions becomes so large that we have to set aside extra time just to address them. Their thinking opens up. They begin to see new possibilities tied to their company’s needs, or they realize they had been relying on secondhand information. That is one of the most rewarding parts of the work. It is why we support as many branches of learning as possible.

Jeremy Davis: Before we get into what people are looking for when they sign up, I want to ask the audience a second poll question: Do you have a certification program in your company? Most respondents say they do, and a smaller group say they do not but want to build one. That gives us a good setup for the next part of the conversation.

Jeremy Davis: Let’s talk about certifications. There is a provocative question here: Is certification a cash grab? A lot of people in the audience already have programs, and others want to build one or improve what they have. Tell us about your certification program. How did it get started, and what are you trying to achieve with it?

Gabrial Hartnett: First, I want to give a shout-out to my certification manager, who is in the chat. I did not build this alone. A lot of people were involved over time. But when you think about the industry, certification often is a cash grab. Everybody has a certification for everything. I am not going to call out any vendor specifically, but I have given my own team a hard time over this question: What is our certification actually doing? If we say we are certifying something, then what exactly are we certifying? What is the point? What is the goal?

Gabrial Hartnett: If the only goal is to make money, that is one thing. But if we want to provide real value to clients, then the certification has to validate something meaningful. For me, certification has to be about validating educational outcomes. I want to see the objectives and how the certification proves those objectives have been met. A simple test is the lowest form of validation, and often not the most effective one. But with virtual tools, virtual labs, and realistic scenarios, you can build a more mature certification model that clearly shows what a learner can actually do: analyze, investigate, deduce, respond, and work in real tools.

Gabrial Hartnett: The sales side is always going to talk about stickiness, engagement, renewals, and upsell. I understand those concerns, but my team is technical. Our focus is on helping clients be effective, grow their security maturity, and operationalize our tool within the rest of their stack. If our tool stands alone and becomes shelfware or fails to integrate with their broader security environment, then they cannot use it effectively. So we want to show not just how to use our product, but how it fits into real workflows across the entire tech stack.

Gabrial Hartnett: When it comes to whether certification should be paid, there is no single right answer. Some companies can absorb the cost of simple certification programs and offer them for free. Smaller organizations often cannot. Large companies like Cisco and Microsoft can subsidize free training and certifications in a way smaller businesses simply cannot. So there is no universal rule there.

Jeremy Davis: That connects to a poll we ran in our community about the main goal of certification programs. The most common answers were increasing customer adoption and retention, and reducing product support tickets. Jonathan, I know you had strong opinions on that. What is your take?

Jonathan Pereira: It can be both, but as someone who has earned certifications myself, I know the difference between a good certification and one that is not really tied to real-world scenarios. There is value in different kinds of certifications, but with Darktrace, the goal is to get as close as possible to a production-level scenario. Our certifications are hands-on and practical. Users are given environments where they have to conduct analysis and investigations. It is not only about using the tool. We want to understand how the user arrived at the response. There are multiple ways to defend against an attack, but we care about the thought process behind the decision and how the user works with the information available.

Jonathan Pereira: There is effectively no difference between that behavior and a real-world investigation. So when people say they want to reduce support tickets, that is valid, but I do not see it as the end goal. It is a byproduct of building a certification program that is so close to reality that users become knowledgeable enough to leverage the product fully on their own.

Jonathan Pereira: The same is true of adoption and retention. If your certification program reflects the real process end to end, then those outcomes follow. Some programs focus on micro-certifications for a single tool or feature, but that is like teaching someone to place one nail in one spot without showing them how to build the whole car. Our certifications are designed around the full process. When you certify an analyst, you are certifying someone who can perform cybersecurity analysis and provide useful defensive feedback to leadership. Once you do that, reductions in support tickets, greater adoption, and increased industry credibility become natural side effects. A real, hands-on certification signals that someone has practical knowledge, not just the ability to memorize answers.

Jeremy Davis: That leads perfectly to our next poll question: How many of you are currently using a virtual lab for training? Everyone who responded says they are, which is great to hear.

Jeremy Davis: You’ve built the certification program, and you have your goals. Now let’s talk about measuring success. How do you measure whether the certification program and training in general are working?

Gabrial Hartnett: This is a very deep topic, and a lot of people start with no real way to measure anything. If you are not tracking things, you cannot verify anything or improve it. If your program is succeeding, you do not know why. So it comes down to breaking things down into individual metrics that you can track not just once, but over time. You need to know where you are gaining momentum, where you are losing it, and what changes are making a difference.

Gabrial Hartnett: You might start by asking how many sessions you ran and whether that is up or down over time. Then you look at pass rates. How many people are passing? But here is an important question: if everyone is passing your certification, is it actually doing anything? A lot of people new to training think that high pass rates automatically mean success, but that can just mean you are testing things that do not need to be tested.

Gabrial Hartnett: You have to decide whether your certification was designed for a certain pass rate and whether you are hitting that target, or whether you need to make adjustments. You also need to look at other goals: are you trying to drive higher engagement, higher uptake, stronger retention among trained or certified users, or broader growth in the program?

Gabrial Hartnett: Business leaders often want bigger numbers, but if the business has a bad quarter or provides fewer people to train, then some of those percentage-based targets become unrealistic. That is why a well-built and well-planned certification program matters so much. It allows you to track meaningful metrics regardless of what is happening elsewhere in the business.

Gabrial Hartnett: You also have to look at operational friction. Are users getting lost in the sign-up process? Are multiple systems creating manual work that makes the path harder than it should be? In our own case, some of our educational tools do not integrate perfectly, and that creates manual transfer work between systems. That kind of friction absolutely affects participation.

Gabrial Hartnett: In the end, the right metrics depend on your business and your goals. What matters for me may not matter for you. You have to start by asking what is important in your context and what you are trying to accomplish, and then measure accordingly.

Jeremy Davis: That is exactly right. Different companies are tasked with different goals. Some training teams are expected to generate revenue or at least break even, while others are explicitly supported as an investment in customer success and enablement. That changes the way you measure success. In some cases, it is about how many people are certified or how many completed the training. In others, it is about revenue contribution or profitability. And sometimes it is about less direct measures, like whether customers feel confident using the product, whether support tickets go down, or whether usage of key features increases. Not everything can be measured perfectly, so it is important to keep your company’s goals in mind when building KPIs for your certification program.

Gabrial Hartnett: You also have to remember that people are people. A lot of instructors, trainers, and businesses get frustrated because sometimes someone has a bad day and leaves a bad review, not because the certification was poor, but because they were frustrated generally. Outliers are real. My instructors are excellent, and when one of them gets a low score, they immediately ask what went wrong. The right response is to look at the broader population. If everyone else rated the session highly and one person did not, that may simply be an outlier rather than a program issue.

Gabrial Hartnett: That is why you cannot rely only on business KPIs. Training, education, and certification are human experiences. You need to understand how people perceive your offerings. Give them a way to provide not just numerical ratings, but also written feedback. What are they thinking? What do they like? What do they not like?

Gabrial Hartnett: People have all had bad instructors or brilliant experts who simply could not communicate their knowledge in a way others could absorb. It does not matter how accurate the information is if it is not delivered in a friendly, clear, and open way. Not everyone is a good trainer or presenter. So you have to track the performance of the program, the questions, the instructors, and the students across the entire lifecycle. If you find correlations, then you likely have a problem to solve. If there is no clear pattern, then it may just be a bad day or a one-off experience.

Gabrial Hartnett: Ultimately, you want the program to provide real value, not just measurable value. Customers, partners, resellers, and users need to feel that they have everything they need to validate their skills, use the product effectively, sell it properly, and defend their networks. That is the goal of these systems.

Jeremy Davis: We’re at the top of the hour, so we’re going to wrap up. This has been extremely useful, and I’m sure everyone who stayed with us got a lot from it. Gabriel and Jonathan, thank you both. This has been incredibly insightful for me and, I’m sure, for the audience as well. Thank you to everyone for joining us. If you have any questions, please let us know. We’re happy to answer them. If you’re interested in using virtual labs to improve your certification program, please reach out to CloudShare. We’re here to help take your program to the next level. And if you want to join the CloudShare community and continue these conversations, I’m adding a link in the chat. Feel free to join and ask any additional questions. We’re happy to pass them along to Gabriel and Jonathan as well.

Jeremy Davis: Thank you again, everyone. Have a great rest of your day, evening, or morning, wherever you are in the world.

Gabrial Hartnett: Have a great one, everyone.

Jonathan Pereira: Thank you, everyone.
