Velociraptor for Endpoint Investigation

Deploy Velociraptor and hunt your whole fleet from one console.

Deploy Velociraptor for remote endpoint investigation at scale. From installation through VQL fluency, single-endpoint collection, fleet-wide hunting, and result analysis, 8 hours to operational capability.

Short Course | Premium tier | 8 hours at your own pace | Updated May 2026

The problem this solves

Velociraptor is the tool that turns every connected endpoint into an evidence source you can reach in seconds. No imaging, no physical access, no waiting for someone to ship you a drive. Deploy the agent, and any machine on the network is one click from a targeted artifact collection or a fleet-wide hunt.

Most practitioners know Velociraptor exists. Few have deployed it themselves, written VQL queries, or built custom artifacts. This skill builds the deployment, the query language, the collection workflow, the hunting workflow, and, critically, how to read and interpret what comes back.

What you will be able to do

1. Deploy a Velociraptor server on Windows or Linux, connect endpoints, and verify the deployment is working end-to-end.

2. Write VQL queries that extract the evidence you need, processes, event logs, registry keys, network connections, filesystem metadata, without relying on pre-built artifacts alone.

3. Run targeted collections against a single endpoint and interpret the results across artifact types, prefetch, event logs, registry, amcache, network connections.

4. Hunt across your entire fleet, triage results using stacking and outlier detection, and pivot from fleet-wide anomalies to targeted single-endpoint investigation.

5. Write custom VQL artifacts for detection needs specific to your environment, test them against a single client, and deploy them as fleet-wide hunts.

Skill at a glance

Format: Ridgeline Skill, focused, practical, one topic

Sections: 9 content sections + guided lab + summary

Estimated time: 8 hours (self-paced)

Tier: Premium subscription

Prerequisites: Investigation experience. The Cloud Incident Response course gives you the methodology this skill assumes. The KAPE and EZ Tools skill gives you the artifact collection context that makes Velociraptor's value immediately clear. Neither is required.

Typical pace: 1-2 weeks at a few hours per week

What you leave with

Working deployment: A Velociraptor server with connected endpoints, ready for use in your lab or during an engagement.

VQL query library: Tested investigation queries for processes, event logs, registry, network connections, and filesystem artifacts, all annotated and reusable.

Custom artifact: A VQL artifact you wrote, tested, and deployed as a hunt, the template for every future detection you build in Velociraptor.

Analysis method: The notebook-based workflow for turning raw collection output into investigation findings, including stacking, outlier detection, and multi-host timeline correlation.

Sections

Nine focused sections plus a guided investigation lab. Every section runs against the Northgate Engineering environment, realistic data, realistic scale, realistic investigation scenarios.

VR0.1
Velociraptor Architecture and DeploymentServer-client architecture, the three server components (Frontend, GUI, API), persistent client connections. Full deployment walkthrough on both Ubuntu and Windows, config generation, service installation, client deployment, first-connection verification. You finish this section with a working server and at least one connected endpoint.
VR0.2
The GUI, Client Management, and the Virtual FilesystemClient search and filtering, labels, the client overview panel. The Virtual Filesystem browser, navigating a remote endpoint's disk without imaging. VFS accessors (ntfs, registry, file). Collections and notebooks orientation. Every panel shown with annotated expected output.
VR0.3
VQL Fundamentals for InvestigatorsThe Velociraptor Query Language as a practitioner uses it. SELECT ... FROM plugin() WHERE ..., key plugins (info(), glob(), parse_mft(), parse_evtx(), pslist(), connections()), LET expressions, foreach, output formatting. Six worked query examples against Northgate Engineering endpoints, each annotated line-by-line with expected output.
VR0.4
Artifact Collection: Single-Endpoint Evidence GatheringBuilt-in artifact packs: Windows.KapeFiles.Targets, Windows.EventLogs.Evtx, Windows.Registry.NTUser, Windows.Forensics.Prefetch, Windows.Forensics.Amcache, and more. Parameter configuration, time-bounded collection, result review, file download. NE scenario: five targeted collections on DESKTOP-NGE001 during incident response, alert to evidence in under 15 minutes.
VR0.5
Hunts: Fleet-Wide Collection and TriageCreating hunts, scoping by label and OS, resource limits, monitoring progress. Post-processing hunt results in notebooks. The fleet triage workflow: hunt → notebook query → identify anomalous endpoints → pivot to targeted collection. NE scenario: hunt 50 endpoints for lateral movement evidence after initial compromise.
VR0.6
Analysing Single-Endpoint ResultsNotebook analysis workflow for collection output. Reading results by artifact type: prefetch execution evidence, event log logon reconstruction, registry persistence detection, amcache cross-referencing, network connection C2 identification. Exporting results for Timeline Explorer and SIEM import. Documenting findings in notebooks as the contemporaneous investigation record.
VR0.7
Fleet-Wide Analysis and StackingThe stacking technique that makes 50-endpoint analysis practical: aggregate, count, find outliers. Worked stacking examples across scheduled tasks, prefetch, autoruns, and services. Pivot from hunt anomalies to targeted collection. Baselining and differential analysis. Multi-host timeline correlation. False positive management, distinguishing attacker outliers from operational noise.
VR0.8
Writing Custom VQL ArtifactsArtifact YAML structure: name, parameters, sources, queries. Full development cycle: identify the detection need, write the VQL, wrap in artifact YAML, test on one client, deploy as a hunt, refine based on results. Importing and reviewing community artifacts from the Artifact Exchange. NE scenario: build an artifact that detects the attacker's specific persistence mechanism.
Lab
Guided Lab: Investigate and Hunt Across Northgate EngineeringFull investigation scenario using the five-question framework. SOC alert fires → targeted collection → notebook analysis → lateral movement detection → fleet-wide hunt → triage results → identify 3 compromised hosts → export evidence → produce triage summary. Expected output at every step. 90–120 minutes.
Summary
Module SummaryThe complete Velociraptor workflow from deployment through analysis. How Velociraptor fits alongside KAPE, Sentinel, and Defender XDR in the investigation toolkit. Where to go next.

Related courses

Cloud Incident ResponseThe investigation methodology that Velociraptor accelerates. IR uses Velociraptor for remote collection; this skill goes deep on the tool itself.

KAPE and EZ Tools MasteryThe offline collection and parsing counterpart. KAPE collects from imaged or local systems; Velociraptor collects from live remote endpoints. Together they cover every collection scenario.

Windows Endpoint InvestigationThe artifact-level forensics that Velociraptor collections enable. WF11 covers Velociraptor for fleet collection; this skill covers the full tool from deployment through custom artifacts.

About Ridgeline Skills

Skills build one capability, 4–8 hours of practitioner-written content with the same depth standard as full Ridgeline courses. Some skills don't need 15 modules. These are the skills that do need proper treatment but don't warrant a full course.

Included with every Premium and Specialist subscription.