← All Roles

Incident Responder

Contain, eradicate, and recover from security incidents at speed.

12 modules Β· ~12 weeks

Modules

01Windows Forensic Acquisition β€” Triage, Imaging, and Chain of Custody

intermediate

Acquire volatile memory, targeted triage artifacts, and full disk images from Windows systems while preserving forensic integrity and maintaining defensible chain of custody.

5 lessons

02Linux & macOS Forensics β€” Logs, Persistence, and Artifact Locations

intermediate

Investigate Linux and macOS endpoints β€” key log locations, persistence mechanisms, artifact collection, and the forensic differences from Windows that trip up Windows-centric responders.

5 lessons

03Memory Forensics β€” Advanced Volatility, Rootkits, and Credential Extraction

advanced

Go beyond basic Volatility plugins β€” analyze kernel structures, detect rootkit manipulation, extract credentials from LSASS and browsers, and triage memory images at IR speed.

5 lessons

04Network Forensics β€” PCAP Analysis, Protocol Dissection, and C2 Extraction

intermediate

Analyze full packet captures with Wireshark and tshark, extract C2 communications, recover transferred files, and reconstruct attack timelines from network evidence.

3 lessons

05Malware Triage β€” Static Analysis, Sandboxing, and Family Identification

intermediate

Triage unknown binaries in minutes using static indicators (strings, PE header, imports) and dynamic analysis (sandbox detonation), identify malware families, and extract IOCs for IR scope expansion.

2 lessons

06Ransomware IR β€” Playbook, Containment, and Recovery

advanced

Execute a structured ransomware response: stop encryption spread, scope the blast radius, evaluate decryption options, negotiate or restore from backup, and prevent re-encryption.

2 lessons

07Cloud IR β€” M365, AWS, and Azure Incident Response

advanced

Investigate and contain cloud-native incidents β€” compromised M365 tenants, AWS credential abuse, Azure AD breaches β€” using cloud-native logging, forensic tooling, and containment primitives.

3 lessons

08Active Directory Compromise IR β€” Golden Tickets, DCSync, and Full Remediation

advanced

Respond to AD compromise β€” detect Golden/Silver Ticket attacks, DCSync, and pass-the-hash; scope the credential blast radius; execute a defensible full AD remediation including the krbtgt reset sequence.

3 lessons

09Legal, Evidence Handling, and Regulatory Notification

intermediate

Navigate the legal dimensions of IR β€” chain of custody, evidence preservation, law enforcement engagement, attorney-client privilege, and mandatory breach notification timelines across GDPR, HIPAA, and state laws.

2 lessons

10Attribution and Actor Profiling β€” From Evidence to Threat Actor

advanced

Build a structured attribution assessment from IR evidence β€” map TTPs to ATT&CK groups, apply the Diamond Model, quantify attribution confidence, and understand the limits of technical attribution.

1 lesson

11IR Reporting β€” Technical Reports, Executive Briefs, and Board Communication

intermediate

Write IR reports that serve three audiences: the technical team (how it happened), legal/compliance (what is owed), and the board/executives (what it means for the business and what changes).

1 lesson

12IR Program Maturity β€” Tabletops, Playbooks, and Lessons Learned

intermediate

Build and mature an IR program: design tabletop exercises that surface real gaps, write playbooks that survive first contact, run blameless post-mortems, and measure IR capability improvement over time.

1 lesson

// final assessment

Final Exam

20 hard, scenario-based questions spanning the full curriculum. Pass at 80% to earn your certificate.