Microsoft Endpoint Security · Agentic Attack Training

Harden your Microsoft endpoint stack. See what an AI-driven attack actually looks like.

Thornwall is a Canadian cybersecurity firm specializing in Microsoft E5 endpoint security: Defender XDR, Sentinel, MDE, Intune, and Entra ID. We also run agentic attack tabletops and red team versus blue team exercises that show leadership and SOC teams what AI-driven attacks look like in their industry.

Most Microsoft E5 deployments aren't operating at their potential. Most leadership teams haven't seen what AI attacks actually look like.

Microsoft E5 is one of the most powerful security stacks in the world. Most organizations running it are still flipping between four portals, leaving Attack Surface Reduction rules in audit mode, deploying Sentinel content packs without customization, and getting more alerts than their team can triage. The tooling is there. The operational maturity often isn't.

On the leadership side, the threat landscape has changed. AI agents now compromise enterprise environments in minutes, not hours. They pivot, escalate, and exfiltrate without a human operator in the loop. Most boards and executives have read about this. None of them have watched it happen in their industry's environment.

Thornwall addresses both. We do hands-on Microsoft endpoint security work for Canadian organizations, and we run adversarial exercises that show what AI-driven attacks look like up close. The exercises are how leadership and security teams experience the threat. The endpoint work is how it gets defended.

What we do

One paid service. Two exercises that show why it matters.

Our professional services work focuses on Microsoft endpoint security. Our agentic attack CTFs and red team versus blue team exercises are how we demonstrate the threat, and where most engagements start.

Professional Services

Microsoft Endpoint Security

Project-based · Pricing on request

Hands-on professional services to harden your Microsoft E5 endpoint security deployment. Delivered by a senior operator with five years of federal-level operational experience, not a sales engineer reading from a script.

  • Defender XDR. Deployment review, portal consolidation, unified incident management, advanced hunting query development.
  • Microsoft Sentinel. Content engineering, custom KQL detection rules, analytics tuning, workbook development, automation playbooks.
  • Defender for Endpoint. Policy hardening, Attack Surface Reduction enforcement, EDR tuning, custom indicators, evidence collection.
  • Microsoft Intune. Compliance policy review, conditional access architecture, application protection, device configuration hardening.
  • Microsoft Entra ID. Conditional access design, privileged identity management, identity protection tuning, sign-in risk policies.
  • Telemetry gap analysis. Mapped to MITRE ATT&CK, identifying coverage holes in your current deployment.

Exercise

Executive Agentic Attack CTF

Half-day tabletop for leadership

A four-hour tabletop where C-suite leaders watch an AI agent compromise an environment that mirrors how their industry actually operates. We use the open-source enterprise software those industries run, so the exercise is realistic without requiring any internal information from your team.

  • Pre-engagement scoping call to confirm industry fit
  • Half-day live exercise (on-site or virtual)
  • 60-minute structured debrief mapped to your compliance framework
  • Written report with recommendations the leadership team can act on
  • One follow-up Q&A session

Best for: Boards, executive teams, and senior leadership who need to see, not just hear about, what AI-driven attacks look like.

Exercise

Red Team vs Blue Team Training Range

Multi-day adversarial training for SOC and IT teams

Hands-on adversarial training for your SOC and IT operations team on Thornwall's pre-built training range. Live agentic red team running against your defenders, who learn to detect, contain, and recover in real time. Industry scenario selected to match your sector.

  • Pre-built lab matching your industry's architecture pattern
  • 1 to 5 days of live adversarial exercises
  • Structured detection engineering workshops
  • Threat hunting and KQL training, Microsoft-stack focused
  • Written after-action report and detection rules your team keeps

Best for: SOC analysts, IR teams, and IT operations staff who need hands-on experience defending against AI-driven attacks before they encounter one in production.

Industries

Four pre-built industry scenarios.

Each scenario is built around the architecture and threat surface of how that industry actually operates, not your specific environment. Realistic without requiring you to share anything internal.

Financial Services

Banks. Wealth managers. Credit unions.

Compromised customer database. Intercepted SWIFT MT103 wire transfers. Material non-public M&A intel exfiltrated from a trader's terminal. Mapped to PCI-DSS and SOC 2 expectations.

Healthcare

Hospitals. Clinic networks. Health authorities.

Patient records exfiltrated from the EHR. DICOM medical imaging accessed without authentication. Networked medical devices compromised via Modbus. Mapped to PHIPA, HIPAA Security Rule, and Health Canada CDSA narcotic tracking.

Legal

Law firms. In-house legal teams.

Privileged M&A documents read in plain text. Trust account balances exposed. Class action defence strategy memos exfiltrated. Mapped to LSO Rules of Professional Conduct, FLSC Cybersecurity Guidance, and PIPEDA.

Technology & SaaS

Series A through enterprise SaaS.

GitLab repositories cloned. Jenkins pipelines tampered with. AWS IAM privileges escalated. Production database with plaintext API keys exfiltrated. Mapped to SOC 2 Type II, ISO 27001, and GDPR.

How it works

How a Thornwall engagement progresses.

01 · Discovery (1 hour)

Sixty-minute call to understand your environment, security posture, and which engagement makes sense. Endpoint advisory work, an executive CTF, a team training engagement, or some combination.

02 · Scoping (1 week)

For endpoint work: review of your current Defender XDR, Sentinel, MDE, Intune, and Entra ID configuration, scope of work definition, and SOW. For CTF or training: industry scenario selection and logistics.

03 · The Engagement

Endpoint work: 2 to 8 week project, delivered remotely with on-site components as needed. CTF: half-day exercise. Training range: 1 to 5 days.

04 · Deliverables

For endpoint work: documented configuration changes, custom KQL detections, policy hardening, written runbook, and knowledge transfer to your team. For CTF or training: structured debrief, written report with prioritized recommendations.

Low-friction first engagement

No NDAs to negotiate. No internal documents to share. No environment access required for our exercises.

Most adversarial security exercises require a signed MSA, an exchange of architecture diagrams, security baselines, and detailed environment information before the engagement can even start. That's a lot of trust to extend to a vendor before you've seen them deliver.

Thornwall's CTF and training engagements work differently. The lab is already built. The scenarios are designed around how Canadian financial services, healthcare, legal, and SaaS environments operate at the architecture level. Your team participates in an exercise that mirrors your industry. We use realistic synthetic data, the open-source enterprise software your sector uses, and attack patterns calibrated to your compliance regime. Nothing internal needs to be shared.

The endpoint security advisory work is different. It requires access to your environment under a standard MSA. But the CTF and training don't, which makes them low-friction ways to see how we work before any deeper engagement.

About

About Thornwall.

Thornwall Security is an Ottawa-based cybersecurity firm focused on Microsoft endpoint security advisory work for Canadian organizations. Founded in 2026 by Khalid Ozal, a SOC analyst and endpoint security engineer with five years of operational experience running Microsoft enterprise security stacks in Canadian federal environments: Sentinel, Defender XDR, Defender for Endpoint, Intune, and Entra ID.

We are deliberately small. Every engagement is delivered by someone with hands-on experience in operational security, not a sales engineer reading from a script. We take a limited number of clients each quarter so we can deliver the depth this work requires.

Khalid Ozal

Founder

Khalid is a SOC Analyst and Endpoint Security Engineer based in Ottawa. Five years of hands-on experience operating Canadian federal Microsoft E5 environments: endpoint detection, threat hunting, incident response. Active homelab built on Wazuh, Velociraptor, OPNsense, and a distributed honeypot network, with components that inform the Thornwall lab. Currently pursuing the Microsoft SC-200 certification and a BS in Cyber Operations through the University of Maryland Global Campus.

Contact

Let's talk.

Tell us about your environment and what you're looking for. We respond to every inquiry within one business day.

Prefer to reach out directly?