DFIR (Digital Forensics & Incident Response) | Meenexis


DFIR (Digital Forensics & Incident Response)

Learn how to investigate cyber incidents, collect and preserve digital evidence, and coordinate a real-world incident response from first alert to final report.

Difficulty:
Intermediate (basic security & OS knowledge recommended)

Why this course?

Updated for 2026
  • ✅ Handle incidents end-to-end (detect → contain → recover)
  • ✅ Collect & preserve evidence (hashing, chain-of-custody mindset)
  • ✅ Investigate Windows + Linux artefacts like real DFIR work
  • ✅ Build timelines & reports that management understands
Course Fee: ₹14,999 (limited seats)

✓ Playbooks & checklists included • ✓ Case-based labs • ✓ Ethical + authorized practice only

DFIR Course

Overview

DFIR combines two critical capabilities: Digital Forensics (finding out what happened on systems and networks) and Incident Response (containing, eradicating and recovering from security incidents).

This course is designed to feel like real work inside a SOC / incident response team. You’ll walk through malware outbreaks, credential theft, insider abuse and web application breaches, learning how to collect evidence, analyze artefacts and help management make decisions under pressure.

Who this is for

  • SOC analysts who want to go deeper into investigations.
  • Blue-teamers and security engineers handling incidents.
  • System / network admins who are “incident owners” in small orgs.
  • Students aiming for DFIR, SOC, or cyber forensics careers.

What you’ll be able to do

  • Handle an incident from first alert until closure.
  • Perform triage on Windows & Linux systems and key log sources.
  • Collect, preserve and analyze digital evidence safely.
  • Document timelines and write incident reports decision-makers understand.

Hands-on, realistic DFIR

Instead of only learning tools in isolation, you’ll follow complete incident storylines: suspicious login → lateral movement → data exfiltration. You’ll practice thinking like a responder: what to check first, what to contain, what to preserve, and how to avoid destroying evidence by acting too quickly (isolating or rebooting a host before volatile data has been captured).

Who should NOT join this course

  • If you want only theory and no case-based practice.
  • If you don’t want to work with logs, artefacts, and documentation.
  • If you’re completely new to OS + networking (start with fundamentals first).

Real student proof

Tip: DFIR proof = timeline + findings + remediation summary.


Curriculum

The curriculum progresses from foundational DFIR concepts to full incident lifecycle handling, with emphasis on repeatable methods (not just tool clicks).

Module 1: Introduction to DFIR & Incident Lifecycle

Roles in DFIR teams, typical incident lifecycle (prepare, detect, analyze, contain, eradicate, recover, lessons learned). How DFIR fits with SOC, red teams, management and legal/compliance functions.

Module 2: Evidence, Chain of Custody & Legal Awareness

Types of digital evidence (volatile vs non-volatile) and why volatile sources (memory, running processes, live network connections) are captured before the disk; integrity, hash values, chain of custody records, and why proper documentation matters. Working with HR, legal and external agencies without leaking sensitive data.
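The integrity and chain-of-custody points above in working form, as an added example (not course material): hash an acquired evidence file in chunks so a large image never has to fit in memory, append every custody event to a JSON-lines log together with the hashes, and later prove the item is unchanged. The evidence file, item ID, handler names and host name are constructed for the demo.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def hash_file(path, algorithms=("md5", "sha256"), chunk_size=1 << 20):
    """Return {algorithm: hexdigest} computed in one pass over the file.

    Chunked reads mean a multi-GB disk image never has to fit in memory. MD5 is
    kept only because older case records still quote it; SHA-256 is the value
    you rely on.
    """
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def record_custody(log_path, item_id, action, handler, evidence_path, note=""):
    """Append one custody event (acquire / transfer / verify) to a JSON-lines log.

    Every entry re-hashes the item, so the log itself shows whether the evidence
    changed hands unaltered.
    """
    entry = {
        "timestamp_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "item_id": item_id,
        "action": action,
        "handler": handler,
        "source_path": os.path.abspath(evidence_path),
        "size_bytes": os.path.getsize(evidence_path),
        "hashes": hash_file(evidence_path),
        "note": note,
    }
    with open(log_path, "a", encoding="utf-8") as fh:
        fh.write(json.dumps(entry) + "\n")
    return entry


def verify_integrity(log_path, item_id, evidence_path):
    """True if the item's current SHA-256 equals the one recorded at acquisition."""
    with open(log_path, encoding="utf-8") as fh:
        entries = [json.loads(line) for line in fh if line.strip()]
    acquired = next(e for e in entries if e["item_id"] == item_id and e["action"] == "acquire")
    current = hash_file(evidence_path, algorithms=("sha256",))["sha256"]
    return current == acquired["hashes"]["sha256"]


def demo():
    """Acquire a constructed evidence file, hand it over, verify, then catch a tamper."""
    workdir = tempfile.mkdtemp(prefix="dfir_custody_")
    evidence = os.path.join(workdir, "host01_disk.raw")   # constructed stand-in, not a real image
    log = os.path.join(workdir, "custody.jsonl")
    with open(evidence, "wb") as fh:
        fh.write(b"constructed sample image bytes, not a real disk image\n" * 1000)

    record_custody(log, "EV-001", "acquire", "analyst.a", evidence, "imaged from hypothetical host01")
    record_custody(log, "EV-001", "transfer", "analyst.b", evidence, "handed to analysis team")
    intact_before = verify_integrity(log, "EV-001", evidence)

    with open(evidence, "ab") as fh:   # simulate an accidental write to the evidence copy
        fh.write(b"\x00")
    intact_after = verify_integrity(log, "EV-001", evidence)
    return {"intact_before": intact_before, "intact_after_tamper": intact_after}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it against a real acquisition by pointing record_custody at the image and your case's custody log; the verify step should be repeated whenever the item changes hands or before it is cited in the report.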

Module 3: Windows Forensics Fundamentals

Key artefacts on Windows endpoints: event logs, registry, prefetch, services, startup locations, scheduled tasks, browser artefacts, and user profiles. How attackers abuse these, and how responders read them.

Module 4: Linux & Server Forensics Fundamentals

Important paths and logs on Linux/UNIX servers: syslog, auth logs, service logs, configuration files, cron, SSH usage, and common persistence techniques. How to safely capture and analyze these in an investigation.
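An added example of the SSH-usage triage this module describes (not course material): parse auth.log-style sshd and sudo lines and flag a successful login that followed a burst of failures from the same source, then a sudo-to-root by that user shortly after. The log lines are constructed; classic syslog carries neither year nor timezone, so the year is an analyst-supplied assumption and the timestamps are treated as the host's local time.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<proc>[\w.-]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port")
ACCEPTED_RE = re.compile(r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+) port")
SUDO_RE = re.compile(r"^\s*(?P<user>\S+) : .*USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")

# Constructed auth.log excerpt: a password-guessing burst that ends in a successful
# login and a root shell, then an unrelated key-based admin login later that morning.
SAMPLE_LOG = """\
Mar  3 02:14:01 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.45 port 51822 ssh2
Mar  3 02:14:03 web01 sshd[2213]: Failed password for root from 203.0.113.45 port 51830 ssh2
Mar  3 02:14:05 web01 sshd[2215]: Failed password for invalid user test from 203.0.113.45 port 51836 ssh2
Mar  3 02:14:07 web01 sshd[2217]: Failed password for deploy from 203.0.113.45 port 51840 ssh2
Mar  3 02:14:09 web01 sshd[2219]: Failed password for deploy from 203.0.113.45 port 51844 ssh2
Mar  3 02:14:11 web01 sshd[2221]: Failed password for deploy from 203.0.113.45 port 51850 ssh2
Mar  3 02:14:40 web01 sshd[2290]: Accepted password for deploy from 203.0.113.45 port 52001 ssh2
Mar  3 02:15:02 web01 sudo:   deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/bin/bash
Mar  3 08:59:50 web01 sshd[3098]: Failed password for ops from 198.51.100.7 port 40100 ssh2
Mar  3 09:00:11 web01 sshd[3100]: Accepted publickey for ops from 198.51.100.7 port 40122 ssh2
"""


def parse_line(line, year):
    """Split a classic syslog line; the year is not in the log, so the analyst supplies it."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "proc": m["proc"], "msg": m["msg"]}


def triage_ssh(log_text, year=2026, window=timedelta(minutes=15), threshold=5):
    """Flag successful SSH logins preceded by >= threshold failures from the same source
    within `window`, and any sudo-to-root by that user within `window` of such a login."""
    failures = defaultdict(list)   # source ip -> timestamps of failed logins
    flagged_logins = {}            # user -> time of a login that followed a failure burst
    findings = []
    events = [e for e in (parse_line(l, year) for l in log_text.splitlines()) if e]
    for ev in sorted(events, key=lambda e: e["ts"]):
        msg = ev["msg"]
        if ev["proc"] == "sshd":
            if m := FAILED_RE.search(msg):
                failures[m["ip"]].append(ev["ts"])
            elif m := ACCEPTED_RE.search(msg):
                recent = [t for t in failures[m["ip"]] if ev["ts"] - t <= window]
                if len(recent) >= threshold:
                    flagged_logins[m["user"]] = ev["ts"]
                    findings.append({
                        "type": "brute_force_then_success", "host": ev["host"],
                        "ts": ev["ts"].isoformat(), "ip": m["ip"], "user": m["user"],
                        "method": m["method"], "failures_in_window": len(recent),
                    })
        elif ev["proc"] == "sudo":
            m = SUDO_RE.match(msg)
            if (m and m["target"] == "root" and m["user"] in flagged_logins
                    and ev["ts"] - flagged_logins[m["user"]] <= window):
                findings.append({
                    "type": "root_shell_after_flagged_login", "host": ev["host"],
                    "ts": ev["ts"].isoformat(), "user": m["user"], "command": m["cmd"],
                })
    return findings


if __name__ == "__main__":
    for f in triage_ssh(SAMPLE_LOG):
        print(f)
```

The threshold and window are case parameters, not constants: a jump host with a noisy scanner in front of it needs a higher threshold, and a slow attacker spreading guesses over hours needs a longer window. Record the year and timezone you assumed in the case notes before these timestamps are merged with other hosts.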

Module 5: Network & Log-Centric Investigations

Using network data (firewall logs, proxy logs, NetFlow/PCAP, DNS logs) to identify C2 traffic, data exfiltration patterns, lateral movement and scanning. Pivoting between endpoint and network evidence.
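An added example of the DNS exfiltration pattern this module covers (not course material): group resolver log lines by source host and registrable domain, then score each group on unique subdomain count, average label length, label entropy and TXT/NULL query share, the combination that separates encoded-data tunnelling from ordinary browsing. The log format ("timestamp source query type") and all hosts and domains are constructed; adapt the parser to your resolver's export.

```python
import hashlib
import math
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone


def build_sample_log():
    """Constructed resolver log ("<iso-ts> <src_ip> <qname> <qtype>"): normal browsing from
    one host, plus 40 TXT queries whose leftmost label carries hex-encoded data."""
    t0 = datetime(2026, 3, 3, 2, 20, 0, tzinfo=timezone.utc)
    lines = []
    normal = ["www.example.com", "mail.example.com", "img1.cdn.example.net",
              "img2.cdn.example.net", "api.example.com"]
    for i, name in enumerate(normal * 4):
        lines.append(f"{(t0 + timedelta(seconds=7 * i)).isoformat()} 10.0.0.23 {name} A")
    for i in range(40):
        # deterministic pseudo-random hex standing in for an encoded file fragment
        chunk = hashlib.sha256(f"chunk{i}".encode()).hexdigest()[:40]
        lines.append(f"{(t0 + timedelta(seconds=150 + 2 * i)).isoformat()} 10.0.0.23 {chunk}.t.example.org TXT")
    lines.append(f"{(t0 + timedelta(seconds=300)).isoformat()} 10.0.0.41 www.example.org A")
    return "\n".join(lines)


def base_domain(qname):
    """Naive registrable domain: the last two labels. Real casework needs the Public
    Suffix List; this returns 'co.uk' for 'a.b.co.uk', which is wrong."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def shannon_entropy(s):
    """Bits per character; hex-encoded data sits near 4.0, human-chosen labels well below 3."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def analyze_dns(log_text, min_unique=20, min_avg_len=30, min_entropy=3.0):
    groups = defaultdict(lambda: {"subdomains": set(), "queries": 0, "txt_or_null": 0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        _ts, src, qname, qtype = parts[:4]
        qname = qname.rstrip(".").lower()
        base = base_domain(qname)
        sub = qname[: -(len(base) + 1)] if len(qname) > len(base) else ""
        g = groups[(src, base)]
        g["queries"] += 1
        g["txt_or_null"] += qtype.upper() in ("TXT", "NULL")
        if sub:
            g["subdomains"].add(sub)
    results = []
    for (src, base), g in groups.items():
        subs = g["subdomains"]
        avg_len = sum(map(len, subs)) / len(subs) if subs else 0.0
        avg_entropy = sum(shannon_entropy(s) for s in subs) / len(subs) if subs else 0.0
        results.append({
            "src": src, "base_domain": base, "queries": g["queries"],
            "unique_subdomains": len(subs), "avg_label_len": round(avg_len, 1),
            "avg_entropy": round(avg_entropy, 2), "txt_or_null_queries": g["txt_or_null"],
            "label_bytes": sum(map(len, subs)),
            # all three must hold: CDNs have many subdomains, but short, low-entropy ones
            "suspicious": len(subs) >= min_unique and avg_len >= min_avg_len and avg_entropy >= min_entropy,
        })
    return sorted(results, key=lambda r: (not r["suspicious"], -r["label_bytes"]))


if __name__ == "__main__":
    for r in analyze_dns(build_sample_log()):
        print(r)
```

label_bytes is a rough upper bound on how much data left through the channel, which is the number management will ask for; pivot from the flagged source host to its endpoint artefacts to find the process that issued the queries.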

Module 6: Triage Methods & Rapid Scoping

How to quickly answer: “What is impacted? How bad is it? What do we do first?” Endpoint triage, log-based triage, and scoping multiple hosts or user accounts under time pressure.

Module 7: Containment, Eradication & Recovery

Containment strategies (account lockdown, host isolation, network blocking), their pros/cons, and which volatile evidence each one destroys if it runs before capture. Removing malware, closing attacker access, and planning safe recovery without reintroducing the threat.

Module 8: Malware & Tooling Overview (Blue-team Focus)

How common malware families and attacker tools behave on disk, in memory and on the network. IOC extraction and using IOCs across SIEM, EDR and network defenses.

Module 9: Timelines, Reporting & Lessons Learned

Building clear incident timelines, mapping actions to MITRE ATT&CK, and writing reports for technical and non-technical audiences. Post-incident reviews and using incidents to drive long-term security improvements.
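An added example of the timeline-building step (not course material): merge events from three sources that each keep time differently (Windows Security events exported in local time without a zone, EDR alerts in ISO 8601 with Z, a proxy log in Unix epoch seconds), normalise everything to UTC, sort, and tag each event with an ATT&CK technique. The inputs, the pipe-delimited export formats, the host names, the task name and the assumption that the Windows host ran at UTC+05:30 are all constructed; the event IDs (4624, 4698) and technique IDs are real.

```python
from datetime import datetime, timedelta, timezone

# Constructed inputs from three sources, each with its own time convention.
# Windows Security events exported without a zone; the host ran at UTC+05:30 (assumption
# that must be recorded in the case file, since a wrong offset reorders the whole story).
WINDOWS_EVENTS = """\
2026-03-03 07:44:40|4624|host=ws07|user=deploy|logon_type=10|src=203.0.113.45
2026-03-03 07:52:10|4698|host=ws07|user=deploy|task=\\Microsoft\\Windows\\Updater
"""
# EDR alerts arrive in ISO 8601 with an explicit Z.
EDR_ALERTS = """\
2026-03-03T02:18:03Z|host=ws07|alert=lsass_memory_access|user=deploy|process=rundll32.exe
"""
# Proxy log uses Unix epoch seconds (always UTC).
PROXY_LOG = """\
1772504700|src=10.0.0.23|method=POST|url=https://files.example.org/upload|bytes_out=48234012
"""

WINDOWS_TZ = timezone(timedelta(hours=5, minutes=30))

# Event kind -> (ATT&CK tactic, technique ID, technique name).
ATTACK_MAP = {
    "win:4624:10": ("Initial Access", "T1078", "Valid Accounts"),
    "win:4698": ("Persistence", "T1053.005", "Scheduled Task/Job: Scheduled Task"),
    "edr:lsass_memory_access": ("Credential Access", "T1003.001", "OS Credential Dumping: LSASS Memory"),
    "proxy:large_post": ("Exfiltration", "T1567", "Exfiltration Over Web Service"),
}


def kv(fields):
    return dict(f.split("=", 1) for f in fields)


def parse_windows(text):
    for line in text.splitlines():
        ts, event_id, *rest = line.split("|")
        attrs = kv(rest)
        local = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").replace(tzinfo=WINDOWS_TZ)
        kind = f"win:{event_id}:{attrs['logon_type']}" if event_id == "4624" else f"win:{event_id}"
        yield local.astimezone(timezone.utc), "windows-security", attrs["host"], kind, attrs


def parse_edr(text):
    for line in text.splitlines():
        ts, *rest = line.split("|")
        attrs = kv(rest)
        utc = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        yield utc, "edr", attrs["host"], f"edr:{attrs['alert']}", attrs


def parse_proxy(text, large_post_bytes=10_000_000):
    for line in text.splitlines():
        epoch, *rest = line.split("|")
        attrs = kv(rest)
        utc = datetime.fromtimestamp(int(epoch), tz=timezone.utc)
        large = attrs["method"] == "POST" and int(attrs["bytes_out"]) >= large_post_bytes
        yield utc, "proxy", attrs["src"], "proxy:large_post" if large else "proxy:request", attrs


def build_timeline():
    """Merge all sources, sort by UTC, and attach the ATT&CK mapping to each event."""
    events = [*parse_windows(WINDOWS_EVENTS), *parse_edr(EDR_ALERTS), *parse_proxy(PROXY_LOG)]
    timeline = []
    for utc, source, host, kind, attrs in sorted(events, key=lambda e: e[0]):
        tactic, tid, tname = ATTACK_MAP.get(kind, ("", "", "unmapped"))
        timeline.append({
            "utc": utc.strftime("%Y-%m-%dT%H:%M:%SZ"),
            "source": source, "host": host, "kind": kind,
            "attack_tactic": tactic, "attack_id": tid, "attack_name": tname,
            "detail": ", ".join(f"{k}={v}" for k, v in attrs.items() if k != "host"),
        })
    return timeline


def render(timeline):
    """One line per event, suitable for the technical appendix of the report."""
    return "\n".join(
        f"{e['utc']}  {e['host']:<12} {e['source']:<16} {e['attack_id']:<10} {e['detail']}"
        for e in timeline
    )


if __name__ == "__main__":
    print(render(build_timeline()))
```

The non-technical version of the same timeline is the tactic column read top to bottom (access, credential theft, persistence, exfiltration), which is what management needs; the technique IDs let the SOC turn each row into a detection gap to close.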

Labs & Casework

Labs are designed as mini-cases. You’ll receive simulated alerts, partial logs, and endpoint snapshots, and then work towards findings and recommendations, just like a real DFIR engagement.

Endpoint Compromise Case

Identify suspicious processes, login activity, persistence mechanisms and possible data access. Document findings and prepare a containment plan.

Credential Theft & Lateral Movement

Investigate unusual logins and privilege escalation across hosts. Trace attacker movement, affected accounts and systems, and propose remediation.

Web Breach & Data Exfiltration

Analyze web logs, proxy logs and server artefacts. Identify exploit path, data access patterns, exfiltration indicators, and suggest immediate + long-term fixes.

Prerequisites

Recommended background

  • Basic understanding of operating systems (Windows and/or Linux).
  • Familiarity with common security concepts (malware, phishing, logs).
  • Some exposure to networking (IP, ports, basic protocols) is helpful.

Tools & mindset

  • A laptop/PC capable of running analysis tools and (optionally) VMs.
  • Curiosity to dig into logs, artefacts and timelines patiently.
  • Discipline to document steps carefully — DFIR is documentation-heavy.

If you’re unsure about readiness, we can recommend a small foundation path before full DFIR labs.

Outcomes

After this course, you won’t look at “security incidents” as vague scary events. You’ll have a method to investigate, communicate and help organizations recover.

Investigation confidence

Know where to start, what artefacts to pull, and how to build a timeline instead of random tool clicking.

Better SOC / IR performance

Clear incident notes, escalation summaries and closure reports that help teams + management decide faster.

Career-ready DFIR skills

Stronger profile for SOC, incident response, cyber forensics, blue-team engineering and consulting roles.

Schedule & Delivery

DFIR can run as a standalone specialization or part of a broader blue-team track (SOC + SIEM + Incident Response). Batch dates and formats are flexible.

Mode                | Duration  | Details
Weekend cohort      | 4–6 weeks | DFIR-focused sessions with extensive case-based labs on Sat–Sun.
Weekday evenings    | 3–5 weeks | Short sessions plus self-paced lab work with mentor support.
Custom / team batch | Flexible  | Tailored around your stack, playbooks, and industry requirements.

Pricing

Choose the plan that matches your learning goal: job-focused DFIR foundations or deeper casework + reporting practice.

Individual (Core DFIR)

For learners who want DFIR fundamentals + complete incident lifecycle handling.

₹14,999

Pro (Casework + Reporting)

More investigation drills, deeper timelines, better reporting practice and response planning.

₹21,999

Team / SOC batch

Custom DFIR training aligned to your tools, playbooks and real incidents.

Pricing on request

FAQs

I’ve never done DFIR before. Is this too advanced?

We start from fundamentals and build up. Basic OS and security knowledge is recommended, but prior DFIR experience isn’t required.

Do we use commercial tools?

We focus on methods and artefacts first, then show how workflows map to common SIEM/EDR/log tools. Team batches can align to your stack.

Will I get templates and playbooks?

Yes. Evidence sheets, timeline templates, checklists and report structures are included.

Are sessions recorded?

For most batches, yes. Access window and platform details are shared at enrollment.

Want to build real DFIR skills?

Reach out for upcoming DFIR batches, custom SOC programs, or help designing your incident response roadmap.
