Incident Responder
Contain, eradicate, and recover from security incidents at speed.
12 modules Β· ~12 weeks
Modules
01Windows Forensic Acquisition β Triage, Imaging, and Chain of Custody
intermediateAcquire volatile memory, targeted triage artifacts, and full disk images from Windows systems while preserving forensic integrity and maintaining defensible chain of custody.
5 lessons
02Linux & macOS Forensics β Logs, Persistence, and Artifact Locations
intermediateInvestigate Linux and macOS endpoints β key log locations, persistence mechanisms, artifact collection, and the forensic differences from Windows that trip up Windows-centric responders.
5 lessons
03Memory Forensics β Advanced Volatility, Rootkits, and Credential Extraction
advancedGo beyond basic Volatility plugins β analyze kernel structures, detect rootkit manipulation, extract credentials from LSASS and browsers, and triage memory images at IR speed.
5 lessons
04Network Forensics β PCAP Analysis, Protocol Dissection, and C2 Extraction
intermediateAnalyze full packet captures with Wireshark and tshark, extract C2 communications, recover transferred files, and reconstruct attack timelines from network evidence.
3 lessons
05Malware Triage β Static Analysis, Sandboxing, and Family Identification
intermediateTriage unknown binaries in minutes using static indicators (strings, PE header, imports) and dynamic analysis (sandbox detonation), identify malware families, and extract IOCs for IR scope expansion.
2 lessons
06Ransomware IR β Playbook, Containment, and Recovery
advancedExecute a structured ransomware response: stop encryption spread, scope the blast radius, evaluate decryption options, negotiate or restore from backup, and prevent re-encryption.
2 lessons
07Cloud IR β M365, AWS, and Azure Incident Response
advancedInvestigate and contain cloud-native incidents β compromised M365 tenants, AWS credential abuse, Azure AD breaches β using cloud-native logging, forensic tooling, and containment primitives.
3 lessons
08Active Directory Compromise IR β Golden Tickets, DCSync, and Full Remediation
advancedRespond to AD compromise β detect Golden/Silver Ticket attacks, DCSync, and pass-the-hash; scope the credential blast radius; execute a defensible full AD remediation including the krbtgt reset sequence.
3 lessons
09Legal, Evidence Handling, and Regulatory Notification
intermediateNavigate the legal dimensions of IR β chain of custody, evidence preservation, law enforcement engagement, attorney-client privilege, and mandatory breach notification timelines across GDPR, HIPAA, and state laws.
2 lessons
10Attribution and Actor Profiling β From Evidence to Threat Actor
advancedBuild a structured attribution assessment from IR evidence β map TTPs to ATT&CK groups, apply the Diamond Model, quantify attribution confidence, and understand the limits of technical attribution.
1 lesson
11IR Reporting β Technical Reports, Executive Briefs, and Board Communication
intermediateWrite IR reports that serve three audiences: the technical team (how it happened), legal/compliance (what is owed), and the board/executives (what it means for the business and what changes).
1 lesson
12IR Program Maturity β Tabletops, Playbooks, and Lessons Learned
intermediateBuild and mature an IR program: design tabletop exercises that surface real gaps, write playbooks that survive first contact, run blameless post-mortems, and measure IR capability improvement over time.
1 lesson
// final assessment
Final Exam
20 hard, scenario-based questions spanning the full curriculum. Pass at 80% to earn your certificate.