Network Detection and Forensics
Master Network Detection and Forensics
See what others miss. Master network investigation methodology to detect, analyse, and reconstruct attacks using PCAPs, Zeek, Suricata, and network telemetry; turning raw network traffic into clear evidence and high-fidelity detections.
What you'll be able to do
Course overview
The Network Detection and Forensics course teaches practical Network Investigation Methodology specifically for SOC Analysts, Incident Response Practitioners, and Detection Engineers working with PCAP, Zeek, and Suricata. You'll gain hands-on expertise to:
By the end, you'll have the skills and methodology to confidently investigate network activity, uncover hidden attacker behaviour, and strengthen your organisation's network detection and response capabilities.
Who this course is for
You're a SOC Analyst, Incident Response Practitioner, or Detection Engineer who works with network traffic and wants to master network-level investigation and detection. This course is built for you if you want to:
In short: if you're ready to become highly effective at network detection and forensics, this course is for you.
What you'll learn
By the end of this Network Detection and Forensics course you will be able to:
Key course takeaways
Things you need to know
What are the prerequisites for this course?
There are no prerequisites. The course teaches network investigation from first principles. Familiarity with TCP/IP fundamentals and basic command-line usage will help you move faster, but neither is required. Every protocol, tool, and technique is explained at first use.
What are the device requirements?
A device with a modern browser. For hands-on practice, a Linux VM (or WSL) with Zeek, Suricata, and Wireshark installed. The course walks you through setup and provides PCAP datasets for all exercises.
How will the course benefit your career?
Network forensics is one of the most in-demand and least common skills in security operations. Most analysts investigate from endpoint and identity logs. This course gives you the network perspective that completes the picture, the ability to detect C2, prove exfiltration, and reconstruct attacks from network evidence when endpoint data is unavailable or compromised.
Network investigation capability is a differentiator for senior IR, detection engineering, and SOC roles.
Usage rights and disclaimer
Course materials: Licensed for individual professional development. You may deploy detection rules, Suricata signatures, and analysis workflows in your production environment. You may not redistribute course content or share account credentials.
PCAP files: All packet captures contain fictional data from the Northgate Engineering environment. No real network traffic. All IP addresses use RFC 5737 documentation ranges.
Version and changelog
Current version: 2.0 | Last updated: June 2026
June 2026, v2.0: Course page restructured. 15 modules across 4 phases. Protocol analysis, detection and hunting, investigation scenarios complete.
v1.0: Initial release. NF0–NF4 (5 modules).
This course is actively maintained.
End of Course Exam
Complete the course, then prove your skills under time pressure. Pass mark: 70. Earn your certificate with CPE credits.
Requires 80% course completion. One random scenario per attempt. Certificate issued on pass.