Earlier this year, I published a post on the importance of security training for incident handlers. And while there were no major overhauls or a change of security training providers for incident handling, it’s still worthwhile to point out some alternatives that were left out in the original post.

Some listed trainings go beyond foundational incident handling and give you basic — and in some cases pretty advanced — knowledge of concepts such as Web application security, network security and penetration testing.

Community-Driven Trainings


To start, excellent material from the newly held FIRST Technical Colloquia (TC) was made available on the topics of:

  • Multivariate passive DNS for investigators;
  • Security analytics with ElasticSearch; and
  • Threat intelligence.

This year, the annual FIRST conference takes place in Seoul and includes introductory courses for organizations that wish to start a computer security incident response team (CSIRT). If you’re a newly hired incident handler or you have just started a new CSIRT yourself, then you should not miss out on this opportunity!


Security conferences are a great way to learn from your peers. They’re also a good opportunity to combine conference attendance with a training course. For example, Black Hat USA trainings offer a unique chance to learn about:

  • Metasploit;
  • Malware analysis;
  • OSINT techniques;
  • Penetration testing techniques;
  • Digital forensics and incident response; and
  • Incident response fundamentals.

Some courses have a profound focus on incident handling, while others provide excellent training on penetration testing and network security. These courses are highly technical, and you definitely need a basic to intermediate knowledge of computer and/or network security. The material is often only presented during conferences like Black Hat, and the teachers have a proven track record; sometimes they are the very same people who wrote the tool(s) that you use in your daily work. That type of insight is invaluable.

Next to Black Hat, you should also have a look at the trainings of HITBSecConf and BruCON. There aren’t as many options as the Black Hat conferences, but they are a viable alternative.

One special type of gathering is BSides, a community-driven framework for building events for and by information security community members. It’s an opportunity to practice your presentation skills and, most importantly, discuss, participate and learn from other participants.

BSides are organized across the world. If you can’t find one near you, then you can always attempt to organize an iteration yourself.

Online Providers

There are three online providers that are certainly worth checking out: OpenSecurityTraining.info, Cybrary and Coursera.


The material from OpenSecurityTraining.info is licensed with an open license, allowing anyone to use the material as long as they share modified works back to the community.

This training material allows you to increase your personal knowledge, but you can also use it to train others. It can act as a structured guideline to walk your students through the information. The classes, from beginner to advanced levels, cover topics such as:

  • Android forensics and security testing;
  • Flow analysis and network hunting;
  • Pcap analysis and network hunting; and
  • Keylogging on Windows.

The presentation of the information is not as slick as that of other providers, but there’s a wealth of useful information hidden behind the different links.


Cybrary has free cybersecurity trainings from beginner to advanced levels. These cover topics including:

  • Computer and hacking forensics;
  • Cryptography;
  • Penetration testing; and
  • Ethical hacking.

One of the things that makes Cybrary stand out from other providers is that it provides potential students with advice on the best path of study. The course paths help you choose tracks to increase your knowledge and bolster your career path.


If you’re eager to learn, Coursera should be no stranger to you. But did you know they also have courses on cybersecurity?

One of the major advantages of Coursera is that you can do the learning whenever it is most convenient for you. Lessons are free of charge except if you want to receive a grade, in which case you’ll have to pay a small fee. Some courses require you to submit assignments, but if you’re only interested in acquiring new knowledge, you can leave these aside.

The courses cover a very broad spectrum of topics. For example, you can learn about:

Coursera trainings probably aren’t going to immediately increase the technical side of your incident handling capabilities. However, they do provide security professionals extra expertise, knowledge and context.

General Training

Secure Coding Academy

Another provider of security training is Scademy. Its course portfolio is primarily aimed at secure coding. The philosophy is simple: By improving the quality of your code and implementing secure coding practices, you reduce the time needed for testing your software and potentially dealing with issues.

Although focused on software development, incident handlers will also benefit from the trainings that focus on broader topics like:

  • Web application security;
  • Advanced software security;
  • Network security; and
  • Secure communication.

The trainings are primarily given on-premises, generally over the course of two to five days. There are lots of hands-on examples and real-life cases for students to exercise their skills.

NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE)

The CCDCOE is a NATO-accredited research and training facility in Tallinn, Estonia, dealing with education, consultation, lessons learned and research and development in cybersecurity.

They offer a number of technical courses that are reasonably cheap or free for participants from certain nations. These lessons are tailored toward people with a solid background in information technology.

For example, the CDMCS Module 3: Large-Scale Packet Capture Analysis Course focuses on packet capture and analysis. It’s a four-day course that uses Moloch to demonstrate network security monitoring for different scales. Being able to get the maximum out of these tools is indispensable for incident handlers, during both the pre- and post-incident phases.

The training catalog also contains courses and workshops covering digital forensics, as well as systems attacks and defense, which has a goal of understanding the tools used by attackers. These workshops in particular are ideal for improving your hands-on skills in virtual lab environments.


Fox-IT is a Dutch security company that also provides security training. Although the website listing the courses is only available in Dutch, all trainings are offered in English. Topics include forensic research and monitoring security analyst (for SOC operations) training.

The firm has specific courses for incident response handlers covering the triage and initial analysis stages. Additionally, there are incident response challenges you can use to find out where the weaknesses are in your response procedure.


Hopefully the training options listed in this post give you some good alternatives to those that were already listed. Don’t forget: Good security training is never out of reach. Community-driven efforts and online trainings provide a strong alternative to costly formal lessons.

Happy studying!
