Sign In

The References You Reach for at 2 AM.

Investigation runbooks that walk you through incidents step by step. Triage scorecards that classify alerts in under 5 minutes. KQL queries you copy-paste into Sentinel during a live investigation. Forensic artifact references that tell you exactly where to look. Free, no account required — bookmark them now, use them when it matters.

Investigation & Response

Investigation & Response Tools

When an alert fires, you open these. The runbooks tell you what to check and in what order. The triage scorecard classifies the severity in under 5 minutes. The forensic references tell you exactly which artifact to examine and where to find it. The difference between "I need to think about this" and "I know the next step."

Toolkit
Open Source
VanGuard DFIR Toolkit
Velociraptor · Hayabusa · Chainsaw · Loki · YARA
Self-contained · Cross-platform · Air-gapped
  • Triage, hunt, collect, analyse from one binary
  • Runs from USB, no install, no internet
  • Free — Apache 2.0 License
View Toolkit →
Interactive
Free Tool
DFIR Investigation Runbooks
Identity · Malware · Lateral · BEC · Ransomware
From: Practical IR · Triage · Entra ID
  • 7 structured runbooks
  • 6 phases: triage → handoff
  • Free — No Account Required
View Runbooks →
Interactive
Free Tool
Incident Triage Scorecard
Identity · Endpoint · Email · Network
From: Incident Triage (TR0)
  • 8 classification questions
  • < 5 minutes per alert
  • Free — No Account Required
Use Scorecard →
Reference
Free Tool
Windows Forensic Artifacts
Persistence · Execution · Files · Network · USB
From: Practical IR · Triage
  • 25+ forensic artifacts
  • Registry paths + extraction tools
  • Free — No Account Required
Browse Artifacts →
Reference
Free Tool
Windows Event ID Reference
Auth · Process · Sysmon · PowerShell · Defender
From: Practical IR · Endpoint Security
  • 40+ events, 12 categories
  • What each event means, where to find it
  • Free — No Account Required
Browse Events →
Detection & Endpoint

Detection & Endpoint Tools

When you need a KQL query that answers a specific question, an ASR rule deployment guide that won't break production, or a PowerShell one-liner for live response — these are the references that save you from writing it from scratch under pressure.

Reference
Free Tool
KQL Query Reference
Sentinel · Defender XDR · ATT&CK-mapped
From: Detection Eng · Endpoint · Hunting · KQL
  • 35+ production queries
  • Searchable by ATT&CK tactic
  • Free — No Account Required
Browse Queries →
Reference
Free Tool
ASR Rules Reference
Safe · Careful · High-Risk · FP Analysis
From: Endpoint Security (ES4)
  • 18 rules, deployment-risk categorised
  • ATT&CK mapping + FP guidance
  • Free — No Account Required
View ASR Guide →
Reference
Free Tool
PowerShell for SecOps
Discovery · Persistence · Lateral · Containment
From: Practical IR · Triage · Endpoint Security
  • 25+ commands by ATT&CK tactic
  • Triage-ready one-liners
  • Free — No Account Required
Browse Commands →
Guide
Subscriber
Lab Setup Guide
VMware · Win 11 + AD · Ubuntu · M365 · Sentinel
Supports all 16 courses
  • Complete home-lab build
  • 3–5 hours from start to ready
  • Total cost: free
Read Guide →

The Tools Give You the Reference. The Courses Teach the Methodology.

Every tool is extracted from a Ridgeline course. The courses add the judgment, context, and operational depth.

Browse All Courses Start a Free Module