Online Incident Response Training with Brian Carrier

Our online training courses focus on helping you improve the speed and comprehensiveness of your intrusion investigations. Brian designed the courses for everyone in DFIR: Beginners can learn the basics and experienced incident responders can improve their approach.

All courses provide a certificate of completion.

Intro to DFIR: The Divide & Conquer Process


A big challenge when learning about how to investigate endpoints and servers is keeping track of all of the artifacts that you need to consider. It’s a daunting list.

In our new incident response training course, you’ll learn Brian Carrier’s systematic approach to endpoint investigations and how to apply it: the “Divide & Conquer” process. This approach focuses on breaking down big, vague investigative questions, such as “Is there malicious user activity?”, into smaller and smaller questions that can ultimately be answered by a category of artifacts, such as “Login Events.” The goal is to build a simple mental model of the important questions and artifact categories.

In this free course, you’ll learn:

  • A framework for categorizing artifacts that may contain DFIR evidence

  • How to analyze those artifact categories

  • Benefits of an automated approach

The course is 3 hours, video-based, and on-demand. It’s also vendor agnostic, but Cyber Triage is used as a reference tool. Whether you’re new to this space or a vet, this course will help ensure you’re tackling your next endpoint investigation with state-of-the-art techniques.
