The host threat model
What an attacker does after landing.
The hardening course made a host harder to break into; this course assumes someone got in anyway and asks the harder questions — what will they do next, how would you see it, and how do you respond. That mindset shift is what separates advanced Linux security from configuration: you stop thinking only about walls and start thinking like the person already inside, because you cannot detect or investigate an attacker whose playbook you do not understand.
An attacker who lands on a Linux host almost always arrives as an unprivileged user — a compromised web app running as www-data, a stolen low-privilege SSH key, a poisoned dependency executing in a service account. From that foothold their goals are predictable: escalate to root, establish persistence so they survive a reboot or a patch, and then act — steal data, pivot to other hosts, or use the machine’s resources. Everything in this course maps to seeing and stopping one of those moves.
Assume breach is not pessimism
Assuming a breach will happen is not giving up on prevention — it is acknowledging that prevention is never perfect, so a mature security posture also invests in detection and response. A host you have hardened but cannot see into is a host where an attacker operates in the dark; a host with good visibility means their every escalation attempt, persistence mechanism, and lateral move leaves a trace you can catch. Defense in depth means the walls and the alarms and the response plan, not just the walls.