Course Introduction
0.1 What is incident response
Incident response is the discipline of investigating, containing, and recovering from security compromises. Not monitoring — that's SOC operations. Not building detection rules — that's detection engineering. Not hardening — that's security engineering. Incident response is what happens after the alert validates as a real compromise: determining what the attacker did, how far they got, what they took, how to stop them, and how to prevent the same attack from succeeding again.
The discipline matters because the attack surface has changed. A Microsoft-stack incident in 2026 does not stay in one environment. The attacker starts in email, pivots to identity within minutes, crosses to the endpoint within the hour, and moves laterally before your triage is complete. An investigation that covers only the cloud side or only the endpoint side produces a containment plan that leaves half the attacker in place. The incident recurs. The post-mortem blames incomplete remediation when the real failure was incomplete investigation.
This course teaches the unified investigation — cloud and endpoint together, because the attacker operates as a unified adversary. Twenty modules take you from this introduction through Windows endpoint forensics (IR2-IR7), Microsoft 365 cloud investigation (IR8-IR12), four complete investigation scenarios (IR13-IR16), and reporting, readiness, and capstone (IR17-IR19).
This module — IR0 — establishes the mental model the rest of the course applies: what modern incidents look like end to end, how experienced investigators think through evidence, the NIST framework you report against, and the toolkit that covers every evidence type across every environment.
0.2 What you will learn
Four sections establish the foundations that every subsequent module builds on.
Section 0.1 — How real incidents actually unfold. A complete Microsoft-stack incident walked minute by minute: AiTM credential phishing to BEC to endpoint compromise to lateral movement to data exfiltration. Four environments (Exchange Online, Entra ID, the endpoint, the network), ninety minutes, one attacker. You see what a one-sided investigation misses and why the unified investigation is the only investigation that produces complete containment.
Section 0.2 — How investigators think. The five-step reasoning chain that separates investigators from tool operators: Hypothesis, Evidence, Extract, Interpret, Next Step. Applied to every artifact type in the course. The three-statement discipline (what this proves, what it doesn't prove, what the next step is) that keeps investigations honest. You learn the pattern that makes every subsequent module's analysis coherent.
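As an added illustration of the five-step chain and the three-statement discipline (not part of the course material), the following Python walks one hypothesis through Hypothesis, Evidence, Extract, Interpret, Next Step against a small set of constructed Entra ID sign-in records. The record layout, field names, IPs and user names are assumptions made for the example; the Extract step is the only part that does real work, and the Interpret step shows how the output is stated so that it claims no more than the evidence supports.

```python
"""Five-step reasoning chain applied to constructed sign-in records.

Added example, not course code. The record fields (time, user, session,
ip, asn, mfa) are an assumed, simplified layout for illustration only.
"""
from collections import defaultdict

# Constructed sample data (not real). Session S1 is presented from a second
# network without a fresh MFA claim: the pattern a token-replay hypothesis predicts.
SIGNINS = [
    {"time": "2026-03-02T09:01:00Z", "user": "j.doe@example.com", "session": "S1",
     "ip": "203.0.113.10", "asn": "ISP-A", "mfa": True},
    {"time": "2026-03-02T09:14:00Z", "user": "j.doe@example.com", "session": "S1",
     "ip": "198.51.100.7", "asn": "HOST-B", "mfa": False},
    {"time": "2026-03-02T10:30:00Z", "user": "a.roe@example.com", "session": "S2",
     "ip": "203.0.113.22", "asn": "ISP-A", "mfa": True},
]


def extract_session_network_changes(records):
    """EXTRACT: sessions presented from more than one ASN, in time order."""
    by_session = defaultdict(list)
    for r in sorted(records, key=lambda r: r["time"]):
        by_session[(r["user"], r["session"])].append(r)
    findings = []
    for (user, session), rs in by_session.items():
        if len({r["asn"] for r in rs}) > 1:
            first_ip = rs[0]["ip"]
            findings.append({
                "user": user,
                "session": session,
                "first_ip": first_ip,
                "later_ips": [r["ip"] for r in rs[1:] if r["ip"] != first_ip],
                "mfa_on_later": any(r["mfa"] for r in rs[1:]),
            })
    return findings


def interpret(findings):
    """INTERPRET: the three statements for each finding, nothing stronger."""
    out = []
    for f in findings:
        mfa_note = "with" if f["mfa_on_later"] else "without"
        out.append({
            "proves": (f"session {f['session']} for {f['user']} was presented from "
                       f"{f['first_ip']} and later from {', '.join(f['later_ips'])} "
                       f"{mfa_note} a new MFA claim"),
            "does_not_prove": ("that the token was captured by AiTM phishing; a VPN "
                               "change or mobile hand-off produces the same pattern"),
            "next_step": ("review the user's mailbox audit log and inbox rules for the "
                          "window after the second IP appears, and check the endpoint's "
                          "browser history for that window"),
        })
    return out


def run_chain(records):
    """Carry one hypothesis through all five steps and return the record of it."""
    return {
        "hypothesis": "A session token for this user is being replayed from a second network.",
        "evidence": "Entra ID interactive sign-in records (session id, IP, ASN, MFA claim).",
        "findings": (findings := extract_session_network_changes(records)),
        "interpretation": interpret(findings),
    }


if __name__ == "__main__":
    for k, v in run_chain(SIGNINS).items():
        print(f"{k}: {v}")
```

The point of the shape is that `interpret` never emits "the account was phished"; it emits what the records show, what they cannot show, and which evidence source is pulled next. Swapping in real sign-in exports means only replacing the constructed records and field names.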
Section 0.3 — The framework you report against. NIST SP 800-61 Revision 3, published April 2025. What changed from Revision 2 and why. The six CSF 2.0 Functions (Govern, Identify, Protect, Detect, Respond, Recover) as applied to incident response. The vocabulary you use when writing reports for auditors, regulators, and insurers. Practical mapping from operational language to framework language.
Section 0.4 — The toolkit and what comes next. Six categories of tools covering every evidence type a Microsoft-stack incident produces: collection, endpoint analysis, memory forensics, cloud investigation, correlation, and native response. Every tool is free. Then, because IR is one discipline in a longer pipeline: detection engineering, threat hunting, deep memory forensics, network forensics, and IR program leadership — which to build next and why, based on your current role.
0.3 How to get the best from this module
Read the four sections in order. Each builds on the previous:
Section 0.1 shows you what a modern incident looks like — the shape of the problem the course solves. Section 0.2 teaches the reasoning pattern you'll apply to every piece of evidence in every module. Section 0.3 gives you the framework vocabulary for reports and audit conversations. Section 0.4 maps the toolkit to the evidence types and helps you decide what to build after the course.
The five-step reasoning chain in Section 0.2 is the most important concept in the module. It's the mental model every subsequent module applies. If you read one section carefully, make it that one.
Estimated time: 4 to 5 hours across all four sections. Section 0.1 (the incident walkthrough) is the longest at approximately 90 minutes.
0.4 Module structure
- Section 0.1 — How real incidents actually unfold
- Section 0.2 — How investigators think
- Section 0.3 — The framework you report against
- Section 0.4 — The toolkit and what comes next
- Summary — Module recap
- Check My Knowledge — Scenario-based assessment
Prerequisites
None for this module. If you work in security — triaging alerts, administering M365, investigating incidents, or leading a team that does — you have enough context to start here. The course assumes KQL familiarity from IR2 onward; this module requires none.
Go to Section 0.1 — How Real Incidents Actually Unfold to begin.