Incident Triage and First Response
Master Incident Triage and First Response
Respond with speed and confidence when every minute counts. Learn to rapidly classify incidents, preserve critical evidence, contain threats, and make correct first decisions; all within the critical first 60 minutes of an alert or breach.
What you'll be able to do
“Coming from an admin background, the incident triage course forced me to think a little when things are hitting the fan. Appreciate the platform and what you guys are trying to do. So far, it's worth my subscription.”
Course overview
The Incident Triage and First Response course is built specifically for Security Engineers, First Responders, and On-Call Engineers who must classify, preserve, and contain incidents within 60 minutes. You'll gain practical, hands-on expertise to:
By the end, you'll have the structured processes, decision frameworks, and confidence to handle high-pressure incidents effectively, reducing damage, protecting evidence, and becoming a reliable first responder in your organisation's security program.
Who this course is for
You're a Security Engineer, First Responder, or On-Call Engineer who is responsible for triaging alerts and handling the critical first phase of security incidents. This course is built for you if you want to:
In short: if you're on the front lines and need to classify, preserve, and contain incidents fast and correctly, this course is for you.
What you'll learn
By the end of this Incident Triage and First Response course you will be able to:
Key course takeaways
Lab Pack, Hands-On Triage Practice
Downloadable lab pack with realistic-volume evidence across identity, endpoint, cloud, and network. Attack indicators buried in hundreds of lines of legitimate noise, the same needle-in-haystack challenge you face in production.
Evidence generated: Cloud sign-in logs (~250 entries with AiTM buried in 7 days of legitimate logins), cloud audit logs (~200 entries), endpoint process list (~120 entries with 5 suspicious among legitimate processes), endpoint security events (~400 entries), Linux auth.log (~800 lines with brute force buried in CRON/SSH noise), firewall log (~300 entries), DNS queries (~300 entries), plus 8 JSON alerts, unified timeline, entity map, and triage templates.
26 structured labs: Alert prioritization, sign-in analysis, audit log triage, process tree analysis, security event timeline, SSH brute force scoping, cross-environment correlation, severity scoring, containment execution, and the 15-minute triage report.
Things you need to know
What are the prerequisites for this course?
There are no prerequisites. The course teaches incident triage from first principles. Familiarity with security alerts, Microsoft Sentinel, or endpoint tools will help you move faster, but neither is required. Every concept and tool is explained at first use.
What are the device requirements?
A device with a modern browser. The lab pack provides all evidence data you need. For hands-on tool practice, access to a Microsoft 365 E5 developer tenant and a Windows/Linux lab environment is recommended. The course walks you through setup.
How will the course benefit your career?
First response is the highest-leverage phase of any incident. The decisions made in the first 60 minutes determine whether evidence is preserved or destroyed, whether containment limits the blast radius or the attacker moves laterally, and whether the investigation team receives a structured handoff or starts from scratch.
Organisations need people who can triage accurately under pressure. This course gives you the frameworks, tool proficiency, and decision-making skills to be that person.
Usage rights and disclaimer
Course materials: Licensed for individual professional development. You may deploy triage scripts, query packs, and playbooks in your production environment. You may not redistribute course content or share account credentials.
Triage tools and scripts: All PowerShell, Bash, and KQL artifacts are provided as-is. Test every script against your environment before using in production incidents. Containment actions have business impact.
Fictional environment: All scenarios use Northgate Engineering. Any resemblance to real organizations is coincidental.
Version and changelog
Current version: 2.0 | Last updated: June 2026
June 2026, v2.0: Full redesign. Rebuilt to 11 modules teaching triage as a vendor-neutral, identity-first discipline, with evidence-first labs and runnable SPL against the lab corpus.
2026, v1.0: Course launch.
This course is actively maintained.
End of Course Exam
Complete the course, then prove your skills under time pressure. Pass mark: 70. Earn your certificate with CPE credits.
Requires 80% course completion. One random scenario per attempt. Certificate issued on pass.