First Response

For Security Engineers, First Responders, and On-Call Engineers Who Must Classify, Preserve, and Contain Within 60 Minutes

Aligned to NIST SP 800-61, ISO/IEC 27035, MITRE ATT&CK

Incident Triage and First Response

Classify, preserve, and contain — the first 60 minutes that determine everything.

Triage security incidents across cloud, Windows, and Linux simultaneously — because real attacks cross environment boundaries. Classify severity accurately under time pressure, preserve volatile evidence before it disappears, execute initial containment that stops the damage without destroying the investigation, and hand off a complete scope assessment the IR team can act on immediately.

What you'll deploy
Complete triage-to-containment playbook for cloud, Windows, and Linux
Severity classification scorecard with defensible escalation criteria
Evidence preservation procedures that maintain chain of custody
First-responder runbooks for BEC, ransomware, and credential theft
TRIAGE — FIRST 60 MINUTES
T+0:00 Alert fires — AiTM credential phishing detected in Sentinel. Source: Defender for Office 365 → KQL triage query pack
T+0:08 Cloud triage — 5-query pack confirms active session hijack. Tools: KQL, Graph PowerShell, Defender portal
T+0:15 Windows triage — KAPE collection, EZ Tools parse, process tree. Tools: KAPE, PECmd, EvtxECmd, Sysinternals, PowerShell
T+0:25 Linux triage — auth.log, process analysis, LiME memory capture. Tools: ps, ss, lsof, LiME, Volatility3, Bash triage script
T+0:35 Cross-environment correlation — unified timeline, pivot points. Entity mapping: UPN ↔ SAM ↔ Linux user, IP correlation across logs
T+0:45 Synchronized containment — all 3 environments within 2 minutes. Session revoke + endpoint isolate + iptables block → verify → report

What you'll be able to do

Classify incident severity accurately under time pressure
Preserve volatile evidence across cloud, Windows, and Linux environments
Execute initial containment that stops damage without destroying the investigation
Triage multi-environment attacks that cross cloud-endpoint boundaries
Deliver structured handoff reports the IR team can act on immediately
Premium tier | 16 modules across 4 phases | 36–40 hours at your own pace | 36 CPE credits | 2 free modules — no account needed | Updated May 2026

Who this course is for

“An alert fires and I’m not sure if it’s real or how bad it is.” You stare at the Sentinel incident for five minutes trying to decide whether to escalate or close it. The 8-question severity scorecard gives you a defensible classification in 90 seconds — not instinct, not guesswork, a structured assessment you can explain to anyone who asks why you escalated.

“I’ve escalated incidents that turned out to be nothing — and missed ones that were real.” Both mistakes cost the same thing: your team’s trust in your judgment. This course builds the classification methodology that eliminates both failure modes — false escalations that waste senior analyst time and missed true positives that let attacks progress.

“By the time I start investigating, the volatile evidence is gone.” Process trees, network connections, memory state — they disappear within minutes of containment. This course teaches you to capture volatile evidence across cloud, Windows, and Linux before you do anything else. The evidence preservation order is the first thing you learn.

“The attack crossed from cloud into on-prem and I couldn’t follow it.” The attacker phished a credential in M365, used the token to access SharePoint, pivoted to a Windows endpoint via RDP, and moved to a Linux server. You need to triage all three environments in parallel and build the cross-environment timeline. This course teaches that correlation.

“I contained the account but I’m not sure I contained the right things.” You revoked the user’s sessions. But did you check for OAuth persistence? Did you isolate the endpoint they pivoted to? Did you block the C2 IP on the Linux firewall? This course teaches synchronized containment across all three environments — so you stop the attack, not just one piece of it.

“I hand incidents to the IR team and they ask me questions I can’t answer.” “What’s the scope?” “What evidence did you preserve?” “What containment actions did you take?” This course builds the triage report that answers every question before they ask it — scope assessment, evidence inventory, containment log, and outstanding questions. The IR team acts on your handoff, not re-triages from scratch.

Whatever your background — if the subject interests you and you’re willing to put in the work, this course is for you.

Before and after this course

Before

A high-severity alert fires at 2 AM and you spend 20 minutes deciding whether to wake up the senior analyst. You escalate. It’s a false positive. The next one is real and you hesitate too long.

You revoke the user’s sessions and reset their password. Containment complete — except the attacker created an OAuth app with Mail.ReadWrite, and it’s still reading email 48 hours later because nobody checked for application persistence.

The IR team arrives and asks for the evidence. You point them at the Sentinel incident. They need process trees, memory state, and network connections that no longer exist because the endpoint was rebooted during containment.

Your triage notes say “investigated and contained.” The IR team has no scope assessment, no evidence inventory, no timeline. They start the investigation from scratch.

After

The alert fires at 2 AM and you run the 8-question scorecard. Score 6/8: high severity, confirmed compromise, lateral movement indicators. You escalate with the classification and the evidence. The senior analyst confirms your assessment in two minutes.

You contain across all three environments simultaneously: session revocation, endpoint isolation, OAuth app revocation, and Linux firewall rules. Every containment action verified. Every persistence mechanism checked before you declare containment complete.

Volatile evidence was captured before containment started. KAPE collection on Windows, cloud sign-in export, Linux process snapshot and memory capture. Chain of custody documented. The IR team has everything they need from the first 60 minutes.

Your triage report has scope assessment, cross-environment timeline, evidence inventory with hash verification, containment actions with timestamps, and outstanding questions. The IR team picks up where you left off — they don’t re-triage.

How the course works

Four phases build from triage methodology through environment-specific skills to cross-environment incident response:

Phase 1
Triage Methodology

The triage problem, severity classification scorecard, evidence volatility order, containment decision framework, and the structured handoff document. The methodology you apply to every incident regardless of type.

Phase 2
Cloud Triage

M365 and Entra ID triage: sign-in log analysis, KQL query packs, audit log investigation, session token assessment, OAuth app review, and cloud containment actions. The cloud environment produces the first evidence in most incidents.

Phase 3
Endpoint & Linux Triage

Windows triage with KAPE and EZ Tools: process trees, security events, network connections, registry analysis. Linux triage: auth.log, process enumeration, LiME memory capture, Volatility3. Evidence preservation before containment.

Phase 4
Cross-Environment Response

Unified timeline construction, entity correlation across environments, synchronized containment, the complete triage report, and real incident scenarios: BEC, ransomware pre-encryption, credential theft with lateral movement.
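To make the Phase 4 correlation step concrete, here is an added example written for this page (not course material or lab-pack code). It normalises a constructed cloud sign-in export, a Windows 4624 logon record, and Linux auth.log lines into one UTC timeline keyed on UPN, then flags pivot points where the same identity hops between environments from a matching source IP. The entity map, host-to-IP table, and all sample records are assumptions built for the demonstration.

```python
import re
from datetime import datetime, timezone

# Constructed sample evidence (not the course's lab pack); identifiers follow the page's Northgate scenario.
CLOUD_SIGNINS = [  # Entra ID sign-in export rows, already parsed
    {"time": "2026-05-04T01:58:10Z", "upn": "t.ashworth@ne.com", "ip": "198.51.100.47"},
    {"time": "2026-05-04T02:10:30Z", "upn": "p.sharma@ne.com", "ip": "203.0.113.9"},
]
WINDOWS_4624 = [  # Security event 4624 (logon type 10 = RDP) from an EvtxECmd-style export
    {"time": "2026-05-04T02:05:44Z", "sam": "NE\\tashworth", "src_ip": "198.51.100.47", "host": "NE-WS-0142"},
]
AUTH_LOG = [  # Linux auth.log lines from the web server (syslog format carries no year)
    "May  4 02:12:03 ne-web-prod-02 sshd[2231]: Accepted password for tashworth from 10.20.0.142 port 51422 ssh2",
    "May  4 02:12:40 ne-web-prod-02 CRON[2250]: pam_unix(cron:session): session opened for user root",
]
# Entity map: every identity form an account takes across the three environments (assumed for this sample).
ENTITY_MAP = {"t.ashworth@ne.com": {"sam": "NE\\tashworth", "linux": "tashworth"},
              "p.sharma@ne.com": {"sam": "NE\\psharma", "linux": "psharma"}}
HOST_IPS = {"NE-WS-0142": "10.20.0.142"}  # endpoint -> LAN address, from the asset inventory (assumed)
SSH_RE = re.compile(r"^(\w{3})\s+(\d+) (\d\d:\d\d:\d\d) (\S+) sshd\[\d+\]: Accepted \w+ for (\S+) from (\S+)")

def canonical(name, field):
    """Map a SAM or Linux user name back to the UPN so all three logs share one identity key."""
    return next((upn for upn, forms in ENTITY_MAP.items() if forms[field] == name), name)

def parse_auth_line(line, year):
    m = SSH_RE.match(line)
    if not m:
        return None  # CRON, sudo, failed attempts etc. are dropped here; extend the regex to keep them
    ts = datetime.strptime(f"{year} {m[1]} {m[2]} {m[3]}", "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
    return {"time": ts, "env": "linux", "identity": canonical(m[5], "linux"), "ip": m[6], "host": m[4]}

def build_timeline(year=2026):
    """Normalise all sources to UTC datetimes and one identity key, then sort into a unified timeline."""
    iso = lambda s: datetime.fromisoformat(s.replace("Z", "+00:00"))
    events = [{"time": iso(e["time"]), "env": "cloud", "identity": e["upn"], "ip": e["ip"], "host": "entra"} for e in CLOUD_SIGNINS]
    events += [{"time": iso(e["time"]), "env": "windows", "identity": canonical(e["sam"], "sam"), "ip": e["src_ip"], "host": e["host"]} for e in WINDOWS_4624]
    events += [ev for ev in (parse_auth_line(l, year) for l in AUTH_LOG) if ev]
    return sorted(events, key=lambda e: e["time"])

def pivot_points(timeline):
    """A pivot is a hop between environments by the same identity whose source IP is either the
    previous hop's source IP or the address of the host the identity had just logged on to."""
    pivots, last = [], {}
    for ev in timeline:
        prev = last.get(ev["identity"])
        if prev and prev["env"] != ev["env"] and ev["ip"] in (prev["ip"], HOST_IPS.get(prev["host"])):
            pivots.append((ev["identity"], prev["env"], ev["env"], ev["ip"]))
        last[ev["identity"]] = ev
    return pivots
```

Run `pivot_points(build_timeline())` to get the cloud → Windows → Linux chain for t.ashworth; p.sharma's sign-in appears on the timeline but produces no pivot because nothing links it to another environment.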

What the content looks like

This is a real triage report excerpt from the cross-environment module. After 45 minutes of triage across cloud, Windows, and Linux, this is what you hand to the IR team — a structured document they can act on immediately:

Triage Report — From Module 14: Cross-Environment Incident Response

Incident: INC-2026-0847 — AiTM credential phishing with lateral movement to Linux infrastructure

Classification: Severity 1 — Scorecard 7/8. Confirmed compromise, active lateral movement, crown jewel system accessed.

Scope: 1 user (t.ashworth@ne.com), 1 Windows endpoint (NE-WS-0142), 1 Linux server (ne-web-prod-02). Cloud → endpoint → Linux pivot confirmed.

Containment: Sessions revoked (T+12min). Endpoint isolated via MDE (T+18min). Linux iptables block on C2 IP 198.51.100.47 (T+28min). OAuth app “SharePoint Sync” revoked (T+32min). All verified.

Evidence preserved: Cloud sign-in export (7d), KAPE collection (NE-WS-0142), Linux memory capture (LiME), auth.log snapshot, process listing. SHA-256 hashes documented. Chain of custody log attached.

Outstanding: Full disk forensics on NE-WS-0142 pending. Second user (p.sharma) has anomalous sign-ins during same window — needs investigation. Credential rotation for all NE-WS-0142 cached credentials recommended.

The IR team reads this and knows exactly what happened, what was contained, what evidence is available, and what questions remain. They don’t re-triage. They investigate. Every module teaches at this level — the methodology, the tools, the documentation, and the handoff that makes the first 60 minutes count.

Lab Pack — Hands-On Triage Practice

Downloadable lab pack with realistic-volume evidence across all four environments. Attack indicators buried in hundreds of lines of legitimate noise — the same needle-in-haystack challenge you face in production.

Evidence generated: Cloud sign-in logs (~250 entries with AiTM buried in 7 days of legitimate logins), cloud audit logs (~200 entries), Windows process list (~120 entries with 5 suspicious among legitimate processes), Windows security events (~400 entries), Linux auth.log (~800 lines with brute force buried in CRON/SSH noise), firewall log (~300 entries), DNS queries (~300 entries), plus 8 JSON alerts, unified timeline, entity map, and triage templates.

26 structured labs: Alert prioritization, sign-in analysis, audit log triage, process tree analysis, security event timeline, SSH brute force scoping, cross-environment correlation, severity scoring, containment execution, and the 15-minute triage report.

Master Incident Triage Lab Pack
26 labs · 4 environments · ~2,000 evidence entries · PowerShell + Bash generators

Usage rights and disclaimer

Course materials: Licensed for individual professional development. You may deploy triage scripts, query packs, and playbooks from this course in your organization’s production environment. You may not redistribute course content, share account credentials, or republish course materials.

Triage tools and scripts: All PowerShell, Bash, and KQL artifacts are provided as-is. Test every script against your environment before using in production incidents. Containment actions have business impact — verify blast radius before execution.

Fictional environment: All scenarios use the fictional Northgate Engineering environment. Any resemblance to real organizations is coincidental.

Version and changelog

Current version: 2.0  |  Last updated: May 2026

May 2026 — v2.0: Course page restructured. Lab pack with realistic-volume evidence across 4 environments, 26 structured labs.

2026 — v1.0: Course launch. 16 modules (TR0–TR15) across 4 phases. Cloud, Windows, Linux, and network triage with full tool coverage.

This course is actively maintained. Triage procedures are updated as the Microsoft security platform evolves and new attack techniques emerge.

COURSE ASSESSMENT

End of Course Exam

Complete the course, then prove your skills under time pressure. Pass mark: 70. Earn your certificate with CPE credits.

40 minutes | 3 phases | 100 points | 2 scenarios

Requires 80% course completion. One random scenario per attempt. Certificate issued on pass.