The Need for Training

Information technology, and especially information security, is a quickly evolving playing field. Those working in incident handling and incident response always need to stay on top of what’s new and what is trending in their area of expertise.

By attending quality security training, you can stay knowledgeable on what is going on and react quickly to new threats and dangers. Additionally, by potentially getting certified, you prove to your constituency and customers that you have acquired more applicable knowledge.

The type of training that you want to attend depends strongly on the environment that you are working in or the goal that you want to achieve. There are several kinds of training that you may want to consider.

Vendor-Specific Security Training

Vendor-specific training can be very useful if you want to focus on one specific product or environment. They are sometimes more beneficial for security operations center (SOC) activities but are also useful for CERT activities.


For example, if you are working primarily in a Windows environment, then you should definitely have a look at the Microsoft Virtual Academy. Microsoft provides guidance for using Sysinternals (a set of tools for analyzing Windows systems) and Powershell. Powershell is a popular tool to automate incident handling tasks on Windows systems. There are also courses for basic and advanced Windows security, system forensics and for setting up a secure Azure environment.


Similarly, people working at ISPs, network environments or in data centers can benefit from the material that is provided by Cisco in its training and certifications program.


IBM offers a broad set of authorized training programs that cover cloud, security services and development tracks. Among the material is a training path for:

  • Security intelligence via QRadar;
  • QRadar Incident Forensics configuration and usage; and
  • Log management and security information and event management (SIEM) foundations.

General Training

There are also the more generic trainings offered by commercial partners. These sessions provide a broader view on a topic and will often include some sort of methodology to be used when applying the newly acquired knowledge.

Some courses are also offered through an online- or remote-learning portal, giving access to anyone interested.


Some of the most well-known trainings are the SANS courses. Most of these classes consist of an intensive five- or six-day course. SANS training can be expensive, and consequently, the target audience mostly consists of employer-paid students.

SANS has specific training for general incident handling via “Hacker Tools, Techniques, Exploits and Incident Handling” but also provides in-depth content if you want to explore more regarding:

SANS courses can be completed with a certification track called Global Information Assurance Certification (GIAC). The exams are strongly focused on understanding the methodologies and gaining insight into security events. You can bring along all your printed material; there’s no need to learn all the configuration switches for a specific tool by heart, but you do have to understand how and when to use the tool.

SANS Events

The SANS courses are often organized at locations where other sessions take place at the same time. This allows you to connect with fellow students also working in the security field. These events or summits sometimes include bonus sessions covering new trending topics or the implementation of tools.

Offensive Security

If you do incident handling or incident response, it is important that you understand how attackers work and get more insight into what type of methodologies are being applied and the tools they use. If you want to become more knowledgeable on the offensive side, then the trainings from Offensive Security are very well-fitted.

The intense live courses focus on Windows and Web exploitation. The online courses get you up to speed using Kali for penetration testing. Offensive Security also offers in-house sessions for organizations, consisting of an intensive five-day training with two trainers.


The EC-Council offers a broad set of training both for the offensive side (e.g., penetration testing) and defensive side (e.g., forensics ad incident handling). Some courses last a couple days and are online, on-site or via self-learning. Note that “EC” does not stand for European Commission.

Community-Driven Trainings

Building trust and getting to know your peers is important in the security community. This is especially true in incident handling because you will have to rely on other people and organizations to cooperate when dealing with an incident. There’s no better way to do this than by meeting people in real life. You have this opportunity not only during conferences, but also during community-driven trainings.

The Forum of Incident Response and Security Team (FIRST) is well-known for its yearly conference. It is often preceded by a couple short, one-day or half-day trainings.

If you want to dive into information that is immediately useful for your team, you should attend a FIRST Technical Colloquia (TC). These TCs are very cheap — or sometimes even free if you are a member — and are organized by people working in the field. They provide a discussion forum to share information about vulnerabilities, incidents, tools and all other issues that affect security operations.

The colloquia are sometimes also held jointly with other organizations such as TF-CSIRT or a sectoral ISAC. Topics covered include things like building a national CERT, incident handling case studies, using volatility and the use of STIX and CybOX.


The TRANSITS trainings are the result of a European Commission-funded project to help CERTs train their staff members. They take place at least twice a year in Europe and are ideal for bringing new staff up to speed on how to work within a CERT (TRANSITS I) or to extend the knowledge of more experienced team members (TRANSITS II).

The basic TRANSITS I course focuses on organizational, technical, operational and legal aspects of working within a CERT. Because most people attending the basic training are newly hired staff members, it’s a great opportunity for getting to know future peers.

The advanced TRANSITS II course is for more experienced incident handlers and covers netflow analysis, forensics, communication and real-life exercises. A testimonial from one of the participants is a good way to check if this workshop is right for you.


The European Union Agency for Network and Information Security (ENISA) organizes a number of workshops and trainings that cover topics such as inner CERT workings and how to collaborate with law enforcement agencies.

ENISA has online training material available, as well, encompassing:

  • Artifact analysis for mobile threats and incident handling;
  • Identification and handling of electronic evidence;
  • Triage and basic incident handling; and
  • Incident handling procedure testing.

You can request the live training of ENISA via your national or governmental CERT.


Training for incident handling and incident response can sometimes be expensive, but most of the time the sessions give you good value for the money. Do not forget that a lot of the training material is sometimes available online. This allows you to get a preview of the content and judge if it fits your needs.

The community-driven events have an additional benefit: You get to know your peers in real life. It is a good occasion for talking to people working in the field and learning from their experiences. Because of the community focus, it might also help you to introduce your peers to a topic on which you are very knowledgeable.

More from Incident Response

When the Absence of Noise Becomes Signal: Defensive Considerations for Lazarus FudModule

In February 2023, X-Force posted a blog entitled “Direct Kernel Object Manipulation (DKOM) Attacks on ETW Providers” that details the capabilities of a sample attributed to the Lazarus group leveraged to impair visibility of the malware’s operations. This blog will not rehash analysis of the Lazarus malware sample or Event Tracing for Windows (ETW) as that has been previously covered in the X-Force blog post. This blog will focus on highlighting the opportunities for detection of the FudModule within the…

Breaking Down a Cyberattack, One Kill Chain Step at a Time

In today’s wildly unpredictable threat landscape, the modern enterprise should be familiar with the cyber kill chain concept. A cyber kill chain describes the various stages of a cyberattack pertaining to network security. Lockheed Martin developed the cyber kill chain framework to help organizations identify and prevent cyber intrusions. The steps in a kill chain trace the typical stages of an attack from early reconnaissance to completion. Analysts use the framework to detect and prevent advanced persistent threats (APT). Organizations…

Defining the Cobalt Strike Reflective Loader

The Challenge with Using Cobalt Strike for Advanced Red Team Exercises While next-generation AI and machine-learning components of security solutions continue to enhance behavioral-based detection capabilities, at their core many still rely on signature-based detections. Cobalt Strike being a popular red team Command and Control (C2) framework used by both threat actors and red teams since its debut, continues to be heavily signatured by security solutions. To continue Cobalt Strikes operational usage in the past, we on the IBM X-Force…

What is a Red Teamer? All You Need to Know

A red teamer is a cybersecurity professional that works to help companies improve IT security frameworks by attacking and undermining those same frameworks, often without notice. The term “red teaming” is often used interchangeably with penetration testing. While the terms are similar, however, there are key distinctions. First and foremost is the lack of notice from red teams. Pen testing may be scheduled in advance to assess the ability of specific security measures to handle a simulated attack; red team…