Incident Response

Free Incident Response Training

In this category, “Beginner” assumes that you have a general understanding of the four core categories listed on the homepage. Networking knowledge is especially important.

Name & Direct LinkPlatformFor BeginnersHands-On ComponentProof of CompletionTopics
Intro to DFIR: The Divide and Conquer ProcessBasis Technology - Brian CarrierYesYes - Certificate of CompletionEndpoint Visibility, Cyber Triage Basics, Malware, Prioritization, OS Configuration Changes, User Activity
Cyber Incident Analysis and ResponseTEEXYesIncident Management, Preparation, Detection, Analysis, Containment, Eradication, Recovery
CNIT 152: Incident ResponseSam Bowne's WebsiteIncident Response, Scope, Live Data Collection, Forensic Duplication, Analysis Methodology, Investigating Windows Systems, Investigating Mac OS X Systems, Investigating Applications, Report Writing.
Using MITRE ATT&CK for Cyber Threat Intelligence TrainingMITRE ATT&CK WebsiteYesYesMapping to MITRE ATT&CK, Storing and Analyzing ATT&CK-mapped data
Ryan Chapman's YouTube Channel (Cyber Forensics Workshop and more)YouTube - Ryan ChapmanYes - The Cyber Forensics Workshop contains the link to the files. Hands-On Computer Security & Incident Response - Email Header Analysis Part 1 contains a link to the files. Check out his website for more workshops: Forensics Workshop, Splunk, JavaScript Deobfuscation, VirusTotal, Email Header Analysis, Malicious use of PowerShell, Hands-OnComputer Security & Incident Response, Interview Tips
Blue Teams AcademyBlue Teams Academy - Chiheb ChebbiYesYesIncident Response, Security Operations, ELK Stack, SIEM, Azure Sentinel, Wazuh, Threat Intelligence, The Hive Project, OSQuery, Kolide, MITRE ATT&CK, OSINT, Shodan, SpiderFoot, WireShark, YARA, Digital Forensics, Radare2, IDA Pro, Ghidra, Memory Analysis
Free Splunk CoursesSplunkYesYesSplunk Fundamentals, Splunk Infrastructure, User Behavior Analytics, SignalFx
Introduction to Splunk WorkshopYouTube - Blacks in CybersecuritySplunk
Free Elastic TrainingElasticYesYesLogging, Metrics, Observability, APM, SIEM, Kibana, Anomaly Detection, Elastic Cloud Enterprise
Security Onion EssentialsYouTube - Security OnionYesSecurity Onion Installation, Analyst Tools, Alert Triage & Case Creation, Hunting, Detection Engineering
Logstash TutorialTutorialspointYesYesLogstash, ELK Stack, Installation, Architecture, Collecting Logs, Grok, Plugins, APIs, Security and Monitoring
Cover6 Solutions YouTube ChannelYouTube - Cover6 SolutionsYesThreat Hunting, Security Onion, Incident Handling, PDF Malware Analysis
Free Short Course: Information Security Incident HandlingCharles Sturt UniversityYes - Certificate of CompletionIncident Handling, Hacking Techniques and Countermeasures, Writing Incident Reports, Protective Controls, Security Architecture
Threat Hunting Training CourseActive CountermeasuresYesYesLogging, Threat Intel, C2, Zeek, Firewalls, Event ID Type 3, Passer, Beacons, AI Hunter, Threat Hunting
Incident Response Playbook GalleryIncident Response ConsortiumYesMalware Outbreak, Phishing, Data Theft, Virus Outbreak, Denial of Service, Unauthorized Access, Elevation of Privilege, Root Access, and Improper Usage Playbooks.
AttackIQ AcademyAttackIQ AcademyYesYesYes - Digital BadgesMITRE ATT&CK, Threat Intelligence, Detection, FIN6, Breach & Attack Simulation, SOC, MSSP, Threat Report ATT&CK Mapper (TRAM), Threat Modeling, OCTAVE
Free Resources for Incident RespondersApplied Incident ResponseYesLateral Movement, Event Log, Memory Analysis with Volatility, Python, Default Windows Processes, WMIC, PowerShell, Lateral Movement, and BYOD.
Wireshark for Incident Response & Threat Hunting Workshop at OWASP SBYouTube - Michael WylieYes - Lab files are HEREWireshark, Incident Response, Threat Hunting
Intrusion Analysis and Threat Hunting with Suricata (Josh Stroschein/Jack Mott)YouTube - SharkFest Wireshark Developer and User ConferenceYes - Lab files are HERESuricata, Kibana, Moloch, Scirius, PCAP Analysis, SELKS, Threat Hunting,
Attack Detection FundamentalsF-SecureYesInitial Access, Code Execution and Persistence, Discovery and Lateral Movement, C2 and Exfiltration
SANS Digital Forensics and Incident Response YouTube ChannelYouTube - SANS Digital Forensics and Incident ResponseThreat Hunting, Open Source Tools, Incident Response, Event Log Analysis, Ransomware, KANSA, Moloch, Threat Intelligence
Free Course Content from eForensics MagazineeForensics MagazineSecurity Onion, Shodan, CyberChef Tutorial, YARA Tutorial
Practical Malware Analysis Essentials for Incident Responders (Lenny Zeltser)YouTube - RSA ConferenceYesFree Malware Analysis Tools, PeStudio, Threat Intelligence, Threat Hunting, Windows
Advanced Wireshark Network ForensicsYouTube - Netsec ExplainedYes - Has a link to PCAP filesWireshark, Hex Editor, Network-Based File Carving, Network Forensics, PCAP Analysis
Open-Source YARA RulesReversingLabsYARA Rules
Finding Evil with YARAYouTube - 13CubedYesWhat YARA is, Anatomy of a YARA Rule, How to use YARA
SOC Analyst Skills - Wireshark Malicious Traffic AnalysisYouTube - Gerald Auger - Simply CyberYesPCAP Analysis, Wireshark, Walkthrough of Analyzing a PCAP from
Defending Against PowerShell Attacks - In Theory, and in Practice by Lee HolmesYouTube - PowerShell.orgHow attackers use PowerShell. How to defend against PowerShell attacks. Obfuscation.
The Increased Use of PowerShell in Cyber Attacks (Slides and detailed whitepaper)SlideShare - SymantecPhases of a PowerShell Attack, Obfuscation, Common PowerShell Malware, Targeted Attacks, Mitigation, Protection, Dual Use Tools and Frameworks. The link to the whitepaper is on the last slide.
Pulling Back the Curtains on EncodedCommand PowerShell AttacksPalo Alto NetworksThis is a detailed blog post about EncodedCommand PowerShell Attacks with examples.
Fileless Malware DemystifiedYouTube - CryptoStopperWhat Fileless Malware is, How it Works, Examples of a Dropper, Examples of Fileless Malware, Fileless Ransomware
I.T Security Labs YouTube ChannelYouTube - I.T. Security LabsYesYesThere are several tutorials here about how to set up a SIEM and analyze data. Topics include: Security Onion, ELK, Graylog, Snort, pfSense, Grafana, Zeek, honeypots, VMware ESXi, Docker
How to Install and Configure Zeek to Ship Logs to SplunkYouTube - Ali HadiSplunk, Zeek
Trainings for Cybersecurity SpecialistsENISAYesThis site contains handbooks with lab exercises, VMs, and Toolsets related to Network Forensics, Incident Response, Incident Detection, Honeypots, and more.
Understanding and Analyzing Weaponized Carrier FilesGitHub - rj-chapYesMaldocs, Analyzing Malicious PDF and Office files, JavaScript, and VBA.
Email Header Analysis and Forensic InvestigationYouTube - 13CubedEmail header fields, SPF, DKIM
RangeForce - Community EditionRangeForceYesYesYes - CPE Credit Certificate after 5 ModulesSnort, Suricata, YARA, Windows Event Logs
The Cuckoo's Egg DecompiledChris SandersYesLocard's Exchange Principle, Forensic Analysis, Timestamps, Network Security Monitoring, Least Privilege, Attack Surface, Process Monitoring, Phishing, Evidence Abstraction, Defensible Network Architecture, OSINT, Diamond Model, PICERL, Honeypots, Evidence Handling
LetsDefend AcademyLetsDefendYesYesSIEM, Incident Response, Malware Analysis, Detection, Threat Intelligence, Event Log Analysis.
Picus Purple AcademyPicusYesYes - CertificateLog Management, SIEM Alert Rules, Threat Hunting, Endpoint Detection and Response (EDR), MITRE ATT&CK.
Free Training at limacharlie.iolimacharlie.ioPrinciples of Detection & Response, Setting up an MSSP

MITRE ATT&CK Defenderâ„¢ Training (The training itself is free, not the certifications)

CybraryYes - Courses start with ATT&CK FundamentalsYes - Certificate of CompletionATT&CK Fundamentals, ATT&CK SOC Assessments, ATT&CK Cyber Threat Intelligence
BlackPerl DFIRYouTube - BlackPerlYesIncident Response, YARA Rules, Digital Forensics, Malware Analysis
YARA Rules Guide: Learning this Malware Research ToolVaronisYesHow YARA Rules Function, Use Cases, YARA Elements, How to Write YARA Rules
Operationalize Your SIEM Skills w/Splunk

YouTube - MaxProd TechnologiesYesUtilizing Splunk in a SOC Environment.
Email Forensics WorkshopMetaspike - Arman GungorEmail Message Headers, DKIM, ARC, MIME, Server Metadata, Forensic Preservation Strategies

Cyber CSI: Learn How to Forensically Examine Phishing Emails

BrightTALKHow to Forensically Examine Phishing Emails, Forensic Tools and Techniques, How to Investigate Smishing, Vishing, and Social Media Phishes, How to Enable Your Users to Spot Suspicious Emails, How to Spot Phishing Attempts
Incident Response ProcessYouTube - CSNPYesIncident Response Process, NIST, MITRE ATT&CK, Real-World Scenarios
The DFIR ReportThe DFIR ReportRead detailed reports of various attacks.
Getting Started with CSI LinuxCSI LinuxYesDownloading & Installing CSI Linux, Updating the System, Routing Your Traffic Through Tor, Using the Case Management System
Cobalt Strike, a Defender's GuideThe DFIR ReportDetails about Cobalt Strike
Applied YARA TrainingBrightTALKYesLearn the basis of YARA from scratch, using YARA in real world scenarios.
Deep Dive Into WiresharkYouTube - Cyberwox AcademyYesWireshark, PCAP Analysis