May 31, 2016 By Koen Van Impe 4 min read

Earlier this year, I published a post on the importance of security training for incident handlers. And while there have been no major overhauls or changes among security training providers for incident handling since then, it’s still worthwhile to point out some alternatives that were left out of the original post.

Some listed trainings go beyond foundational incident handling and give you basic — and in some cases pretty advanced — knowledge of concepts such as Web application security, network security and penetration testing.

Community-Driven Trainings


To start, excellent material from the newly held FIRST Technical Colloquia (TC) was made available on the topics of:

  • Multivariate passive DNS for investigators;
  • Security analytics with ElasticSearch; and
  • Threat intelligence.

This year, the annual FIRST conference takes place in Seoul and includes introductory courses for organizations that wish to start a computer security incident response team (CSIRT). If you’re a newly hired incident handler or you have just started a new CSIRT yourself, then you should not miss out on this opportunity!


Security conferences are a great way to learn from your peers. They’re also a good opportunity to combine conference attendance with a training course. For example, Black Hat USA trainings offer a unique chance to learn about:

  • Metasploit;
  • Malware analysis;
  • OSINT techniques;
  • Penetration testing techniques;
  • Digital forensics and incident response; and
  • Incident response fundamentals.

Some courses have a profound focus on incident handling, while others provide excellent training on penetration testing and network security. These courses are highly technical, and you definitely need basic to intermediate knowledge of computer and/or network security. The material is often only presented at conferences like Black Hat, and the teachers have a proven track record; sometimes they are the very same people who wrote the tool(s) that you use in your daily work. That type of insight is invaluable.

Next to Black Hat, you should also have a look at the trainings of HITBSecConf and BruCON. There aren’t as many options as at the Black Hat conferences, but they are a viable alternative.

One special type of gathering is BSides, a community-driven framework for building events for and by information security community members. It’s an opportunity to practice your presentation skills and, most importantly, discuss, participate and learn from other participants.

BSides are organized across the world. If you can’t find one near you, then you can always attempt to organize an iteration yourself.

Online Providers

There are three online providers that are certainly worth checking out:, Cybrary and Coursera.

The material from is licensed with an open license, allowing anyone to use the material as long as they share modified works back to the community.

This training material allows you to increase your personal knowledge, but you can also use it to train others. It can act as a structured guideline to walk your students through the information. The classes, from beginner to advanced levels, cover topics such as:

  • Android forensics and security testing;
  • Flow analysis and network hunting;
  • Pcap analysis and network hunting; and
  • Keylogging on Windows.

The presentation of the information is not as slick compared to other providers, but there’s a wealth of useful information hidden behind the different links.


Cybrary has free cybersecurity trainings from beginner to advanced levels. These cover topics including:

  • Computer and hacking forensics;
  • Cryptography;
  • Penetration testing; and
  • Ethical hacking.

One of the things that makes Cybrary stand out from other providers is that it provides potential students with advice on the best path of study. The course paths help you choose tracks to increase your knowledge and bolster your career path.


If you’re eager to learn, Coursera should be no stranger to you. But did you know they also have courses on cybersecurity?

One of the major advantages of Coursera is that you can do the learning whenever it is most convenient for you. Lessons are free of charge except if you want to receive a grade, in which case you’ll have to pay a small fee. Some courses require you to submit assignments, but if you’re only interested in acquiring new knowledge, you can leave these aside.

The courses cover a very broad spectrum of topics. For example, you can learn about:

Coursera trainings probably aren’t going to immediately increase the technical side of your incident handling capabilities. However, they do provide security professionals extra expertise, knowledge and context.

General Training

Secure Coding Academy

Another provider of security training is Scademy. Its course portfolio is primarily aimed at secure coding. The philosophy is simple: By improving the quality of your code and implementing secure coding practices, you reduce the time needed for testing your software and potentially dealing with issues.

Although focused on software development, incident handlers will also benefit from the trainings that focus on broader topics like:

  • Web application security;
  • Advanced software security;
  • Network security; and
  • Secure communication.

The trainings are primarily given on-premises, generally over the course of two to five days. There are lots of hands-on examples and real-life cases for students to exercise their skills.

NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE)

The CCDCOE is a NATO-accredited research and training facility in Tallinn, Estonia, dealing with education, consultation, lessons learned and research and development in cybersecurity.

They offer a number of technical courses that are reasonably cheap or free for participants from certain nations. These lessons are tailored toward people with a solid background in information technology.

For example, the CDMCS Module 3: Large-Scale Packet Capture Analysis Course focuses on packet capture and analysis. It’s a four-day course that uses Moloch to demonstrate network security monitoring at different scales. Being able to get the maximum out of these tools is indispensable for incident handlers, both during the pre- and post-incident phases.

The training catalog also contains courses and workshops covering digital forensics, as well as systems attacks and defense, which aims at understanding the tools used by attackers. These workshops in particular are ideal for improving your hands-on skills in virtual lab environments.


Fox-IT is a Dutch security company that also provides security training. Although the website listing the courses is only available in Dutch, all trainings are offered in English. Topics include forensic research and security monitoring analyst training (for SOC operations).

The firm has specific courses for incident response handlers covering the triage and initial analysis stages. Additionally, there are incident response challenges you can use to find out where the weaknesses are in your response procedure.


Hopefully the training options listed in this post give you some good alternatives to those that were already listed. Don’t forget: Good security training is never out of reach. Community-driven efforts and online trainings provide a strong alternative to costly formal lessons.

Happy studying!
