Earlier this year, I published a post on the importance of security training for incident handlers. And while there were no major overhauls or a change of security training providers for incident handling, it’s still worthwhile to point out some alternatives that were left out in the original post.

Some listed trainings go beyond foundational incident handling and give you basic — and in some cases pretty advanced — knowledge of concepts such as Web application security, network security and penetration testing.

Community-Driven Trainings


To start, excellent material from the recently held FIRST Technical Colloquia (TC) was made available on the topics of:

  • Multivariate passive DNS for investigators;
  • Security analytics with ElasticSearch; and
  • Threat intelligence.

This year, the annual FIRST conference takes place in Seoul and includes introductory courses for organizations that wish to start a computer security incident response team (CSIRT). If you’re a newly hired incident handler or you have just started a new CSIRT yourself, then you should not miss out on this opportunity!


Security conferences are a great way to learn from your peers. They’re also a good opportunity to combine conference attendance with training. For example, Black Hat USA trainings offer a unique chance to learn about:

  • Metasploit;
  • Malware analysis;
  • OSINT techniques;
  • Penetration testing techniques;
  • Digital forensics and incident response; and
  • Incident response fundamentals.

Some courses have a profound focus on incident handling, while others provide excellent training on penetration testing and network security. These courses are highly technical, and you definitely need a basic to intermediate knowledge of computer and/or network security. The material is often only presented during conferences like Black Hat, and the teachers have a proven track record; sometimes they are the very same people who wrote the tool(s) that you use in your daily work. That type of insight is invaluable.

Next to Black Hat, you should also have a look at the trainings of HITBSecConf and BruCON. There aren’t as many options as at the Black Hat conferences, but they are a viable alternative.

One special type of gathering is BSides, a community-driven framework for building events for and by information security community members. It’s an opportunity to practice your presentation skills and, most importantly, discuss, participate and learn from other participants.

BSides are organized across the world. If you can’t find one near you, then you can always attempt to organize an iteration yourself.

Online Providers

There are three online providers that are certainly worth checking out: OpenSecurityTraining.info, Cybrary and Coursera.


The material from OpenSecurityTraining.info is licensed with an open license, allowing anyone to use the material as long as they share modified works back to the community.

This training material allows you to increase your personal knowledge, but you can also use it to train others. It can act as a structured guideline to walk your students through the information. The classes, from beginner to advanced levels, cover topics such as:

  • Android forensics and security testing;
  • Flow analysis and network hunting;
  • Pcap analysis and network hunting; and
  • Keylogging on Windows.

The presentation of the information is not as slick as that of other providers, but there’s a wealth of useful information hidden behind the different links.


Cybrary has free cybersecurity trainings from beginner to advanced levels. These cover topics including:

  • Computer and hacking forensics;
  • Cryptography;
  • Penetration testing; and
  • Ethical hacking.

One of the things that makes Cybrary stand out from other providers is that it provides potential students with advice on the best path of study. The course paths help you choose tracks to increase your knowledge and bolster your career path.


If you’re eager to learn, Coursera should be no stranger to you. But did you know they also have courses on cybersecurity?

One of the major advantages of Coursera is that you can do the learning whenever it is most convenient for you. Lessons are free of charge except if you want to receive a grade, in which case you’ll have to pay a small fee. Some courses require you to submit assignments, but if you’re only interested in acquiring new knowledge, you can leave these aside.

The courses cover a very broad spectrum of topics. For example, you can learn about:

Coursera trainings probably aren’t going to immediately increase the technical side of your incident handling capabilities. However, they do provide security professionals extra expertise, knowledge and context.

General Training

Secure Coding Academy

Another provider of security training is Scademy. Its course portfolio is primarily aimed at secure coding. The philosophy is simple: By improving the quality of your code and implementing secure coding practices, you reduce the time needed for testing your software and potentially dealing with issues.

Although the portfolio is focused on software development, incident handlers will also benefit from the trainings that cover broader topics like:

  • Web application security;
  • Advanced software security;
  • Network security; and
  • Secure communication.

The trainings are primarily given on-premises, generally over the course of two to five days. There are lots of hands-on examples and real-life cases for students to exercise their skills.

NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE)

The CCDCOE is a NATO-accredited research and training facility in Tallinn, Estonia, dealing with education, consultation, lessons learned and research and development in cybersecurity.

They offer a number of technical courses that are reasonably cheap or free for participants from certain nations. These lessons are tailored toward people with a solid background in information technology.

For example, the CDMCS Module 3: Large-Scale Packet Capture Analysis Course focuses on packet capture and analysis. It’s a four-day course that uses Moloch to demonstrate network security monitoring for different scales. Being able to get the maximum out of these tools is indispensable for incident handlers, during both the pre- and post-incident phases.

The training catalog also contains courses and workshops covering digital forensics, as well as systems attacks and defense, which has a goal of understanding the tools used by attackers. These workshops in particular are ideal for improving your hands-on skills in virtual lab environments.


Fox-IT is a Dutch security company that also provides security training. Although the website listing the courses is only available in Dutch, all trainings are offered in English. Topics include forensic research and monitoring security analyst (for SOC operations) training.

The firm has specific courses for incident response handlers covering the triage and initial analysis stages. Additionally, there are incident response challenges you can use to find out where the weaknesses are in your response procedure.


Hopefully the training options listed in this post give you some good alternatives to those that were already listed. Don’t forget: Good security training is never out of reach. Community-driven efforts and online trainings provide a strong alternative to costly formal lessons.

Happy studying!
