Sign Up for our Free One-Day SOC Summit Event March 25, 2026 Register Here

Threat Hunting & Incident Response with Velociraptor

Course Authored by and .

Threat Hunting Incident Response with Velociraptor with Eric Capuano and Whitney Champion

Master the art of threat hunting and incident response with Velociraptor, a rapidly emerging powerhouse in cybersecurity.

Course Length: 16 Hours

Includes a Certificate of Completion



Description

Master the art of threat hunting and incident response with Velociraptor, a rapidly emerging powerhouse in cybersecurity.

This hands-on course, led by industry experts Eric Capuano and Whitney Champion, goes beyond the basics—unlocking Velociraptor’s full potential for rapid triage, deep forensic analysis, and proactive threat detection. Through immersive labs and real-world attack simulations, you’ll learn to craft custom queries, isolate compromised systems, and contain threats with precision. Dive into advanced features and customization, ensuring Velociraptor fits seamlessly into your security operations. Whether you’re refining your existing skills or exploring new strategies, this course equips you with immediately applicable expertise to stay ahead of evolving threats.

  • System Requirements
    • Any computer with a web browser will suffice, even a Chromebook. All lab VMs are hosted in the cloud.

Syllabus

Course Learning Objectives:

Upon successful completion of this course, students will be able to:

    • Deploy and configure Velociraptor in various environments, including local and cloud-based deployments

    • Utilize Velociraptor for proactive threat hunting and real-time incident response

    • Execute custom Velociraptor Query Language (VQL) queries to collect forensic artifacts and analyze endpoint data

    • Automate detection, triage, and remediation workflows to streamline incident response operations

    • Conduct deep forensic investigations, including persistence analysis, binary hunting, and network anomaly detection

    • Leverage advanced Velociraptor features such as scheduled hunts, telemetry streaming, and automated labeling

Course Outline

Section 1: Getting Started with Velociraptor

    • Introduction to Velociraptor (Lecture)

        • Overview of Velociraptor’s capabilities and architecture

        • Understanding the server-client model

    • Deploying a Velociraptor Server (Lecture)

        • Local deployment on WSL

        • Cloud deployment options (AWS, self-hosted)

    • Deploying Velociraptor Clients (Lecture)

        • Methods for deploying endpoint agents (EXE vs. MSI)

        • Automating agent deployment at scale

    • Introduction to the Velociraptor GUI (Lecture)

        • Navigating the interface

        • Executing queries and analyzing results

🔬 Lab 1.0 – Deploying Local Velociraptor Server on WSL
🔬 Lab 1.0b (Optional) – Deploying Cloud Hosted Velociraptor Server
🔬 Lab 1.1 – Prepare to Collect Volatile Data
🔬 Lab 1.2 – Build and Deploy Client MSI
🔬 Lab 1.3 (Optional) – Building Custom MSIs

Section 2: Working with Artifacts and Notebooks

    • Understanding Velociraptor Artifacts (Lecture)

        • Client vs. Server artifacts

        • How artifacts facilitate data collection and automation

    • Using Notebooks for Analysis (Lecture)

        • Creating and modifying notebooks

        • Automating data correlation with VQL

Section 3: Advanced Data Collection & Threat Hunting

    • Manual and Automated Binary Deployments (Lecture)

        • Deploying security tools (Sysmon, EDR) via Velociraptor

        • Automating deployments with hunts and real-time monitoring

    • Real-time Eventing & Telemetry Streaming (Lecture)

        • Leveraging event-based artifacts for proactive monitoring

        • Using Windows ETW and Sysmon forwarding

    • Scheduling Hunts and Automating Detection (Lecture)

        • Setting up scheduled hunts for continuous monitoring

        • Integrating Velociraptor with existing security workflows

    • Auto-labeling Systems for Efficient Investigations (Lecture)

        • Automating endpoint classification based on behavioral data

🔬 Lab 3.1 – Deploy Sysmon
🔬 Lab 3.2 – Enable Eventing & Telemetry Streaming
🔬 Lab 3.3 (Optional, Recommended) – Deploy LimaCharlie EDR
🔬 Lab 3.4 (Optional) – Critical Service Deployment & Monitoring
🔬 Lab 3.5 (Optional) – Scheduled Hunts
🔬 Lab 3.6 (Optional) – Pushing Client Data to a CMDB
🔬 Lab 3.7 – Auto Labeling Systems

Section 4: Incident Response and Forensic Analysis

    • Stacking Analysis & Baselining Systems (Lecture)

        • Identifying anomalies in processes, network connections, and services

    • Real-time Event & Telemetry Analysis (Lecture)

        • Analyzing Sysmon logs, ETW events, and DNS queries in real-time

    • Analyzing Event Logs with Sigma (Lecture)

        • Running Sigma rules for historical and real-time threat detection

    • Scoping an Intrusion (Lecture)

        • Using artifacts to identify compromised hosts

        • Correlating known indicators of compromise (IOCs)

    • Deep Forensic Investigation (Lecture)

        • Analyzing process execution timelines

        • Identifying persistence mechanisms

        • Uncovering untrusted binaries and malware

    • Hunting Covert C2 Beacons (Lecture)

        • Using YARA rules for in-memory malware detection

    • Eradication & Remediation (Lecture)

        • Removing persistence mechanisms and active threats

        • Ensuring complete containment and recovery

🔬 Lab 4.1 – Stacking Analysis with Notebooks
🔬 Lab 4.2 – Real-time Event & Telemetry Analysis
🔬 Lab 4.3 – Analyzing Event Logs with Sigma
🔬 Lab 4.4 – Initial Scoping
🔬 Lab 4.5 – Process & Network Analysis
🔬 Lab 4.6 – Binary Presence & Evidence of Execution
🔬 Lab 4.7 – Finding Persistence
🔬 Lab 4.8 – Malware Discovery
🔬 Lab 4.9 (Optional) – Identifying Initial Access
🔬 Lab 4.10 – Hunting Covert C2 Beacons
🔬 Lab 4.11 – Eradication

Section 5: Additional Considerations & Deprovisioning

    • Hardening Velociraptor Deployments (Lecture)

        • Implementing authentication, encryption, and secure configurations

    • Deprovisioning & Cleanup (Lecture)

        • Removing lab infrastructure (optional for cloud users)

🔬 Lab 5.0 (Optional) – Deprovision Cloud Resources

FAQ

Who Should Attend

This course goes beyond basic tool usage, focusing on practical application and mastery of Velociraptor in the context of threat hunting and incident response. By the end of this training, you will have a solid understanding of how to deploy Velociraptor effectively in your security operations, allowing you to respond to incidents swiftly and accurately. Whether you are a seasoned security professional or looking to enhance your incident response capabilities, this course will provide you with valuable insights and hands-on experience.

Key Takeaways

Introduction to Velociraptor

Get an overview of Velociraptor’s architecture and capabilities. Learn how to set up and configure Velociraptor in various environments to maximize its effectiveness.
Effective Threat Hunting Techniques

Discover how to proactively search for indicators of compromise using Velociraptor. Learn how to craft and execute custom queries to detect suspicious activity across multiple endpoints.
Incident Response Workflow

Develop a comprehensive incident response strategy leveraging Velociraptor’s powerful features. Learn to quickly triage and isolate compromised systems, collect critical forensic data, and contain active threats.
Advanced Features and Customization

Explore the latest enhancements to Velociraptor that nearly double its potential as an IR tool. Understand how to customize and extend Velociraptor to fit your specific organizational needs.
Real-World Scenarios and Hands-On Labs

Engage in practical exercises that simulate real-world attacks. Apply what you’ve learned to identify, analyze, and respond to complex threats using Velociraptor in a controlled environment.

Applicable Business Skills

Participants will leave this course with immediately applicable skills in advanced threat hunting, forensic investigation, and incident response using Velociraptor. They will develop expertise in crafting and executing custom queries, automating data collection and analysis, and rapidly identifying and containing threats across enterprise environments. This training also emphasizes methodical investigation techniques, efficient triage workflows, and real-world incident response strategies that can be seamlessly integrated into security operations. By mastering Velociraptor’s advanced features and customization, attendees will enhance their organization’s ability to detect, analyze, and respond to security incidents faster and more effectively.

Audience Skill Level

Intermediate

Knowledge Requirements

This course is designed for security practitioners with a foundational understanding of incident response, digital forensics, or threat hunting. While no prior experience with Velociraptor is required, familiarity with command-line interfaces (Windows CMD, PowerShell, Linux terminal) will be beneficial.

Recommended Prerequisites

Basic understanding of endpoint security concepts, system logs, and forensic artifacts
Familiarity with cybersecurity fundamentals such as the MITRE ATT&CK framework and common attack techniques
Experience with SIEMs, EDR tools, or forensic analysis platforms is helpful but not required
Some exposure to YARA, Sigma, or query-based data analysis is useful but will be covered in class

Optional Pre-Class Materials:
To get the most out of this course, students can explore:

The Velociraptor Documentation (docs.velociraptor.app) for an overview of its capabilities
Introduction to Velociraptor Query Language (VQL) from the official Velociraptor resources for those wanting a head start on custom queries

This course provides everything needed to learn Velociraptor from the ground up, but having the above knowledge will help students maximize their learning experience.

Do I need to set up my own Velociraptor server before the course?

No, we provide pre-configured lab environments, but we will guide you through deploying your own Velociraptor server during the course.

Do I need prior experience with Velociraptor to take this course?

No prior experience is required. We start with the fundamentals and progressively move into advanced use cases.

Is programming or scripting knowledge necessary?

Basic familiarity with command-line usage is helpful, but no programming or scripting experience is required. We will cover Velociraptor Query Language (VQL), but prior knowledge is not assumed.

What operating systems will we work with?

The course covers Velociraptor deployment and investigations across Windows, Linux, and macOS environments.

Will I need a cloud account to follow along?

No, but an optional lab includes cloud deployment steps if you want to set up your own cloud-hosted Velociraptor server.

Can I take what I learn and apply it to my organization's environment immediately?

Yes, everything covered in this course is designed to be practical and directly applicable to real-world incident response and threat hunting.

Will we cover live incident response scenarios?

Yes, we include hands-on labs with real-world attack simulations, allowing you to apply what you’ve learned in a realistic environment.

About the Instructors

Pixel splash background
Bio

Eric Capuano is a Director at LimaCharlie and a SANS DFIR Instructor with over a decade of experience in Security Operations, Digital Forensics, and Incident Response. He began his Information Security career as a Tactics Developer for the United States Air Force, later transitioning to Cyber Warfare Operations. After his military service, Eric led cybersecurity operations across private and government sectors, including serving as CTO of Recon Infosec, a company he founded to deliver enterprise-grade security to organizations of all sizes. In 2016, he developed OpenSOC, a blue team CTF that has trained thousands of SOC and IR professionals worldwide. Eric also managed the Security Operations Center for the Texas Department of Public Safety, where he established the agency’s first CSIRT. In his spare time, Eric shares technical training labs on his blog at
https://blog.ecapuano.com

His certifications include GIAC, GCFE, GCFA, CEH, Security+, Linux+, LPIC-1, PCNSE, and A+.

Pixel splash background
Bio

Whitney is the lead solutions architect at LimaCharlie and a co-founder and former lead architect of Recon InfoSec. She is a seasoned security architect and engineer with over 15 years of experience in designing and automating large-scale security infrastructure. She began her journey as a web and flash developer and sysadmin in the 90s and early 2000s, and after college became a security analyst for the Navy. Her work spans across building advanced security platforms, managing complex multi-environment deployments, and architecting comprehensive solutions that integrate cutting-edge tools and technologies. This includes building, automating, and maintaining the range environments and platforms used to drive and support our trainings. With extensive experience in both the private and public sectors, she excels at automating and orchestrating massive environments and streamlining security operations. Whitney’s passion for security and infrastructure drives her to continuously innovate and enhance the efficiency of security teams and operations. Her certifications include RHCA, RHCE, RHCVA, CISSP, CEH, Security+, Linux+, among others.

Related products

Shopping Cart

No products in the cart.