March 10, 2016 By Koen Van Impe 5 min read

The Need for Training

Information technology, and especially information security, is a quickly evolving playing field. Those working in incident handling and incident response always need to stay on top of what’s new and what is trending in their area of expertise.

By attending quality security training, you can stay knowledgeable on what is going on and react quickly to new threats and dangers. Additionally, by potentially getting certified, you prove to your constituency and customers that you have acquired more applicable knowledge.

The type of training that you want to attend depends strongly on the environment that you are working in or the goal that you want to achieve. There are several kinds of training that you may want to consider.

Vendor-Specific Security Training

Vendor-specific training can be very useful if you want to focus on one specific product or environment. They are sometimes more beneficial for security operations center (SOC) activities but are also useful for CERT activities.


For example, if you are working primarily in a Windows environment, then you should definitely have a look at the Microsoft Virtual Academy. Microsoft provides guidance for using Sysinternals (a set of tools for analyzing Windows systems) and Powershell. Powershell is a popular tool to automate incident handling tasks on Windows systems. There are also courses for basic and advanced Windows security, system forensics and for setting up a secure Azure environment.


Similarly, people working at ISPs, network environments or in data centers can benefit from the material that is provided by Cisco in its training and certifications program.


IBM offers a broad set of authorized training programs that cover cloud, security services and development tracks. Among the material is a training path for:

  • Security intelligence via QRadar;
  • QRadar Incident Forensics configuration and usage; and
  • Log management and security information and event management (SIEM) foundations.

General Training

There are also the more generic trainings offered by commercial partners. These sessions provide a broader view on a topic and will often include some sort of methodology to be used when applying the newly acquired knowledge.

Some courses are also offered through an online- or remote-learning portal, giving access to anyone interested.


Some of the most well-known trainings are the SANS courses. Most of these classes consist of an intensive five- or six-day course. SANS training can be expensive, and consequently, the target audience mostly consists of employer-paid students.

SANS has specific training for general incident handling via “Hacker Tools, Techniques, Exploits and Incident Handling” but also provides in-depth content if you want to explore more regarding:

SANS courses can be completed with a certification track called Global Information Assurance Certification (GIAC). The exams are strongly focused on understanding the methodologies and gaining insight into security events. You can bring along all your printed material; there’s no need to learn all the configuration switches for a specific tool by heart, but you do have to understand how and when to use the tool.

SANS Events

The SANS courses are often organized at locations where other sessions take place at the same time. This allows you to connect with fellow students also working in the security field. These events or summits sometimes include bonus sessions covering new trending topics or the implementation of tools.

Offensive Security

If you do incident handling or incident response, it is important that you understand how attackers work and get more insight into what type of methodologies are being applied and the tools they use. If you want to become more knowledgeable on the offensive side, then the trainings from Offensive Security are very well-fitted.

The intense live courses focus on Windows and Web exploitation. The online courses get you up to speed using Kali for penetration testing. Offensive Security also offers in-house sessions for organizations, consisting of an intensive five-day training with two trainers.


The EC-Council offers a broad set of training both for the offensive side (e.g., penetration testing) and defensive side (e.g., forensics ad incident handling). Some courses last a couple days and are online, on-site or via self-learning. Note that “EC” does not stand for European Commission.

Community-Driven Trainings

Building trust and getting to know your peers is important in the security community. This is especially true in incident handling because you will have to rely on other people and organizations to cooperate when dealing with an incident. There’s no better way to do this than by meeting people in real life. You have this opportunity not only during conferences, but also during community-driven trainings.

The Forum of Incident Response and Security Team (FIRST) is well-known for its yearly conference. It is often preceded by a couple short, one-day or half-day trainings.

If you want to dive into information that is immediately useful for your team, you should attend a FIRST Technical Colloquia (TC). These TCs are very cheap — or sometimes even free if you are a member — and are organized by people working in the field. They provide a discussion forum to share information about vulnerabilities, incidents, tools and all other issues that affect security operations.

The colloquia are sometimes also held jointly with other organizations such as TF-CSIRT or a sectoral ISAC. Topics covered include things like building a national CERT, incident handling case studies, using volatility and the use of STIX and CybOX.


The TRANSITS trainings are the result of a European Commission-funded project to help CERTs train their staff members. They take place at least twice a year in Europe and are ideal for bringing new staff up to speed on how to work within a CERT (TRANSITS I) or to extend the knowledge of more experienced team members (TRANSITS II).

The basic TRANSITS I course focuses on organizational, technical, operational and legal aspects of working within a CERT. Because most people attending the basic training are newly hired staff members, it’s a great opportunity for getting to know future peers.

The advanced TRANSITS II course is for more experienced incident handlers and covers netflow analysis, forensics, communication and real-life exercises. A testimonial from one of the participants is a good way to check if this workshop is right for you.


The European Union Agency for Network and Information Security (ENISA) organizes a number of workshops and trainings that cover topics such as inner CERT workings and how to collaborate with law enforcement agencies.

ENISA has online training material available, as well, encompassing:

  • Artifact analysis for mobile threats and incident handling;
  • Identification and handling of electronic evidence;
  • Triage and basic incident handling; and
  • Incident handling procedure testing.

You can request the live training of ENISA via your national or governmental CERT.


Training for incident handling and incident response can sometimes be expensive, but most of the time the sessions give you good value for the money. Do not forget that a lot of the training material is sometimes available online. This allows you to get a preview of the content and judge if it fits your needs.

The community-driven events have an additional benefit: You get to know your peers in real life. It is a good occasion for talking to people working in the field and learning from their experiences. Because of the community focus, it might also help you to introduce your peers to a topic on which you are very knowledgeable.

More from Incident Response

X-Force Threat Intelligence Index 2024 reveals stolen credentials as top risk, with AI attacks on the horizon

4 min read - Every year, IBM X-Force analysts assess the data collected across all our security disciplines to create the IBM X-Force Threat Intelligence Index, our annual report that plots changes in the cyber threat landscape to reveal trends and help clients proactively put security measures in place. Among the many noteworthy findings in the 2024 edition of the X-Force report, three major trends stand out that we’re advising security professionals and CISOs to observe: A sharp increase in abuse of valid accounts…

What cybersecurity pros can learn from first responders

4 min read - Though they may initially seem very different, there are some compelling similarities between cybersecurity professionals and traditional first responders like police and EMTs. After all, in a world where a cyberattack on critical infrastructure could cause untold damage and harm, cyber responders must be ready for anything. But are they actually prepared? Compared to the readiness of traditional first responders, how do cybersecurity professionals in incident response stand up? Let’s dig deeper into whether the same sense of urgency exists…

X-Force uncovers global NetScaler Gateway credential harvesting campaign

6 min read - This post was made possible through the contributions of Bastien Lardy, Sebastiano Marinaccio and Ruben Castillo. In September of 2023, X-Force uncovered a campaign where attackers were exploiting the vulnerability identified in CVE-2023-3519 to attack unpatched NetScaler Gateways to insert a malicious script into the HTML content of the authentication web page to capture user credentials. The campaign is another example of increased interest from cyber criminals in credentials. The 2023 X-Force cloud threat report found that 67% of cloud-related…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today