
Live Training $295.00
Course Length: 8 Hours
Includes a Certificate of Completion
Next scheduled date: April 3rd, 2026 @ 10:00 AM EDT
Description
Complexity is the enemy of security. This is especially true in crisis. When responding to a cybersecurity incident, you need a simple, effective, repeatable plan.
In this course, we’ll discuss the three primary threat vectors, outline the two most important IR playbooks, and review the two most critical IT assets: identity and endpoint. Then we’ll roll up our sleeves and practice identity and endpoint investigations, including forensic-artifact selection and acquisition, rapid processing, and prioritized investigative workflow in the context of a real-world business compromise.
We’ll discuss the Active Directory and M365 identity attack surface and the Windows and Linux OS attack surface, and get hands-on experience performing rapid endpoint investigations using PowerShell, the Velociraptor offline collector, KAPE, and csv/xlsx output analysis.
System Requirements
- A computer with a web browser. All lab VMs are cloud-hosted.
Syllabus
Developing a Tactical IR Plan
· The Three Threat Vectors
· The Two Most Important IR Playbooks
· Asking the Right Incident-Response Questions
Identity Attack Surface
· Identity: Your Most Critical IT Asset
· M365 Identity Overview
· Active Directory for IR Overview
Endpoint Attack Surface
· Understanding How Threat-Actors/Malware Impact Endpoints
· Windows Attack Surface
· Linux Attack Surface
Rapid Endpoint Investigations Methodology
· Endpoint Artifact Selection
· Endpoint Artifact Acquisition
· Investigative Workflow
Rapid Endpoint Investigations Tools & Techniques
· Tools & Techniques Overview
· Building an Artifact Collector (lab)
· Parsing Triage Data (lab)
Case Study: Business Compromise Investigation
· Reviewing Identity Indicators (lab)
· Investigating Endpoint Artifacts (lab)
· Deriving Actionable Intelligence (lab)
· Answering the Right Incident-Response Questions
Conclusion
· Workflow and Tooling Review
· Reference and Additional Resources
FAQ
Who is this course for? The course content is designed to help IT/Security Analysts develop and/or improve their tactical incident-response process and capabilities.
Level: Intermediate
Prerequisites: Basic understanding of Identity, Windows, and Linux security concepts.
What you’ll learn:
· Creating a tactical IR plan
· Simplifying an incident-response workflow
· Prioritizing operating system artifact collection and review
· Using “rapid triage workflow” scripts, Velociraptor offline collector, and KAPE for rapid endpoint investigations
· Investigating a real-world business compromise case
About the Instructor
Patterson Cake
Bio
Patterson Cake has worked in cybersecurity for more than two decades, specializing in the development of incident-response teams, programs, and processes. He is currently the Director of Incident Response for Black Hills Information Security, holds more than twenty-five industry certifications, is a former SANS instructor, teaches for Antisyphon, and has trained law enforcement, military, and national cybersecurity organizations on four continents. Patterson is the creator of the “Incident Response Capabilities Matrix Model,” developed “Rapid Triage Workflow” for IR investigations, is a prolific speaker, and is actively involved in the cybersecurity community.
This event is part of the SOC Summit
Incident Response Simplified: Complete Package
Live Training with Patterson Cake (Virtual)
• Free ticket to the Antisyphon Training SOC Summit on March 25, 2026, a virtual event that offers a practical look at what it’s like to work in a SOC.
• Includes certificate of participation
• 12 months access to Cyber Range
• 6 months access to class recordings via Discord
• Our appreciation