Sign Up for our Free One-Day SOC Summit Event March 25, 2026 Register Here

Workshop: Rapid Endpoint Investigations for Linux and Mac

Course Authored by .

Workshop: Rapid Endpoint Investigations for Linux and Mac

Together, through hands-on labs and demonstrations, we’ll walk through gathering artifacts from Linux and Mac endpoints using Velociraptor Offline Collectors, CatScale, and UAC (Unix-like artifact collector) scripts, rapidly searching and analyzing artifacts, and identifying indicators of compromise!

Live Training $25 - $300

Course Length: 4 Hours

Includes a Certificate of Completion



Enroll Now

Next scheduled date: May 1st, 2026 @ 12:00 PM EDT

Description

You’ve received a “true positive” security alert for a Linux or Mac endpoint. This is not a drill! This is war and you need to take rapid, decisive steps to determine:

  • Has the endpoint been compromised?

  • Have other systems been impacted?

  • What actions should come next?

Together, through hands-on labs and demonstrations, we’ll walk through gathering artifacts from Linux and Mac endpoints using Velociraptor Offline Collectors, CatScale, and UAC (Unix-like artifact collector) scripts, rapidly searching and analyzing artifacts, and identifying indicators of compromise!

Syllabus

Section 1: Introduction and Context

  • Class overview and schedule (lecture)

  • Investigative workflow context (lecture)

Section 2: Workflow Methodology

  • Artifact Selection (lecture)

  • Artifact Acquisition (lecture)

  • Analysis Workflow (lecture)

Section 3: Tools & Techniques

  • Endpoint investigation tools (lecture/demo)

  • Building an artifact “collector” (lab)

  • Deploying and executing UAC (lab)

  • Analyzing collected data (lecture/lab)

Section 4: Case Studies

  • Linux case study (lecture/demo)

  • Linux triage-data analysis (lab)

  • Mac case study (lecture/demo)

  • Mac triage-data analysis (lab)

Section 5: Conclusion

  • Workflow and tool review (lecture)

  • References and resources (lecture)

  • Q&A

FAQ

Labs:

All labs will be completed through cloud VM via web browser.

You will need to register via SkillBit (MetaCTF), to pay a small fee for Virtual Machine resource utilization (approx. $5 for a four-hour workshop), and a modern web browser to access the workshop Cloud VM.

Who should attend:

This workshop is intended for security analysts who review and respond to security alerts and perform endpoint investigations.

Audience skill level:

Beginner/Intermediate

To maximize the value of this workshop, attendees should be comfortable using Windows and have basic familiarity with Linux command line (shell).

Key takeaways:

  • Developing a rapid endpoint investigation workflow

  • Selecting the most useful investigative artifacts for Linux/Mac endpoint investigations

  • Building, deploying and executing triage collections on Linux/Mac endpoints

  • Understanding and analyzing key investigative artifacts

  • Analyzing MacOS unified log (UL) for investigations

  • Customizing rapid endpoint investigations for your environment

About the Instructor

Pixel splash background
Bio

Patterson Cake has worked in cybersecurity for more than two decades, specializing in the development of incident-response teams, programs, and processes. He is currently the Director of Incident Response for Black Hills Information Security, holds more than twenty-five industry certifications, is a former SANS instructor, teaches for Antisyphon, and has trained law enforcement, military, and national cybersecurity organizations on four continents. Patterson is the creator of the “Incident Response Capabilities Matrix Model,” developed “Rapid Triage Workflow” for IR investigations, is a prolific speaker, and is actively involved in the cybersecurity community.

Register for Upcoming

  • Filter by Product Date
  • Filter by Product Instructor
  • Filter by Product Type

Workshop: Rapid Endpoint Investigations for Linux and Mac

Pay What You Can - Complete Package

Live Training Patterson Cake

Virtual

Includes:
  • Virtual Ticket to WWHF
  • $100 off next AT class
  • 12 months Cyber Range Access
  • T-Shirt
  • The Future Is ****** comic
  • Sticker Pack
  • Certificate of completion
  • 6 months class recording access via Discord
  • Pay it forward to 6 students
  • Free ACE-T Core certification test

Pay What You Can

Live Training Patterson Cake

Virtual

Includes:
  • $50 off next AT class
  • 12 months Cyber Range Access
  • T-Shirt
  • The Future Is ****** comic
  • Sticker Pack
  • Certificate of completion
  • 6 months class recording access via Discord
  • Pay it forward to 3 students
  • Free ACE-T Core certification test

Pay What You Can

Live Training Patterson Cake

Virtual

Includes:
  • T-Shirt
  • The Future Is ****** comic
  • Sticker Pack
  • Certificate of completion
  • 6 months class recording access via Discord
  • Pay it forward to 1 student
  • Free ACE-T Core certification test

Pay What You Can

Live Training Patterson Cake

Virtual

Includes:
  • Certificate of completion
  • 6 months class recording access via Discord
  • Our appreciation for supporting PFWYC Training
  • Free ACE-T Core certification test

    For tuition assistance with this course please send an email to: [email protected]
Content is loading, please wait.
Content is loading, please wait.
$25 - $300
May 1st, 2026 12:00 PM EDT - 4:00 PM EDT

Registration End Date: 10:00 PM, EDT April 30th 2026

Related products

Shopping Cart

No products in the cart.