Network Detection and Forensics

Master Network Detection and Forensics

See what others miss. Master network investigation methodology to detect, analyse, and reconstruct attacks using PCAPs, Zeek, Suricata, and network telemetry; turning raw network traffic into clear evidence and high-fidelity detections.

View Pricing Take End of Course Exam → 40 CPE Credits

What you'll be able to do

Apply a structured network investigation methodology to rapidly analyse suspicious network activity
Capture, dissect, and forensically examine PCAP files to reconstruct attacker sessions and actions
Deploy, configure, and tune Zeek and Suricata to generate high-value network logs and detections
Identify stealthy network-based threats including C2 communications, lateral movement, and data exfiltration
Correlate network artefacts with endpoint and cloud data to build complete attack timelines
Build and implement high-fidelity network detections and hunting queries for your SOC
FOR403 | Premium tier | 15 modules across 4 phases | 36–40 hours at your own pace | 40 CPE credits | 2 free preview - no account needed | Updated June 2026
Course Agenda View all 14 modules

Course overview

The Network Detection and Forensics course teaches practical Network Investigation Methodology specifically for SOC Analysts, Incident Response Practitioners, and Detection Engineers working with PCAP, Zeek, and Suricata. You'll gain hands-on expertise to:

Capture, analyse, and interpret network traffic for threat detection and investigation
Use Zeek and Suricata to generate powerful network logs and detections
Perform deep forensic analysis on PCAP files to reconstruct attacker activity
Build network-based detections and hunting queries that identify stealthy threats

By the end, you'll have the skills and methodology to confidently investigate network activity, uncover hidden attacker behaviour, and strengthen your organisation's network detection and response capabilities.

Who this course is for

You're a SOC Analyst, Incident Response Practitioner, or Detection Engineer who works with network traffic and wants to master network-level investigation and detection. This course is built for you if you want to:

Move beyond basic log review to professional-grade network forensics and detection
Gain deep expertise working with PCAP, Zeek, and Suricata
Learn a repeatable network investigation methodology you can use under pressure
Uncover attacker activity that endpoint tools alone cannot see

In short: if you're ready to become highly effective at network detection and forensics, this course is for you.

What you'll learn

By the end of this Network Detection and Forensics course you will be able to:

Execute a proven network investigation methodology for efficient and thorough analysis
Capture and analyse PCAP files to extract artefacts, sessions, and attacker behaviour
Deploy and optimise Zeek for rich network logging and intelligence
Configure and tune Suricata for high-performance network intrusion detection
Identify common and advanced attacker techniques in network traffic (C2, tunnelling, exfiltration, etc.)
Build network-based detections, hunting queries, and correlation rules for Microsoft Sentinel and other SIEMs

Key course takeaways

Master a repeatable, professional network investigation methodology you can apply immediately
Confidently analyse PCAPs, Zeek logs, and Suricata alerts to uncover hidden threats
Build and tune high-value network detections that improve your overall detection posture
Significantly enhance your ability to reconstruct attacks and reduce dwell time
Bridge the gap between network telemetry and endpoint/cloud data for complete visibility
Become the go-to network detection and forensics expert on your team

Things you need to know

What are the prerequisites for this course?

There are no prerequisites. The course teaches network investigation from first principles. Familiarity with TCP/IP fundamentals and basic command-line usage will help you move faster, but neither is required. Every protocol, tool, and technique is explained at first use.

What are the device requirements?

A device with a modern browser. For hands-on practice, a Linux VM (or WSL) with Zeek, Suricata, and Wireshark installed. The course walks you through setup and provides PCAP datasets for all exercises.

How will the course benefit your career?

Network forensics is one of the most in-demand and least common skills in security operations. Most analysts investigate from endpoint and identity logs. This course gives you the network perspective that completes the picture, the ability to detect C2, prove exfiltration, and reconstruct attacks from network evidence when endpoint data is unavailable or compromised.

Network investigation capability is a differentiator for senior IR, detection engineering, and SOC roles.

Usage rights and disclaimer

Course materials: Licensed for individual professional development. You may deploy detection rules, Suricata signatures, and analysis workflows in your production environment. You may not redistribute course content or share account credentials.

PCAP files: All packet captures contain fictional data from the Northgate Engineering environment. No real network traffic. All IP addresses use RFC 5737 documentation ranges.

Version and changelog

Current version: 2.0  |  Last updated: June 2026

June 2026, v2.0: Course page restructured. 15 modules across 4 phases. Protocol analysis, detection and hunting, investigation scenarios complete.

v1.0: Initial release. NF0–NF4 (5 modules).

This course is actively maintained.

COURSE ASSESSMENT

End of Course Exam

Complete the course, then prove your skills under time pressure. Pass mark: 70. Earn your certificate with CPE credits.

40minutes
3phases
100points
1scenario
Take End of Course Exam

Requires 80% course completion. One random scenario per attempt. Certificate issued on pass.