Build a Triage Lab
Why build a lab at all
You can read this course and learn the method. You will learn it far better if you run the queries yourself, against real data, and see the output before the sub reveals it. There is a real gap between recognising a token-replay pattern on a page and spotting it in your own log output at speed, and the gap only closes by doing. The lab is where predict-then-reveal stops being a reading habit and becomes a working one, because the data in front of you is data you produced and have to actually read.
The platform has one shared home lab that every technical course uses, so you build it once and it serves this course and the rest. There is nothing triage-specific to stand up separately.
What triage specifically needs, in priority order
The full lab covers every course on the platform. Triage does not need all of it before you start, and the order you build matters, because the course front-loads the environments where today's incidents actually land. Build in this order and you can begin after the first step.
Build top to bottom. Step one unlocks the identity and cloud modules, which carry most of the course's weight, so you can start the moment it is up.
The order is not arbitrary. Identity and cloud are where the bulk of modern triage happens and where this course spends most of its time, so the identity-and-SIEM step alone unlocks a large part of the syllabus. Add the Windows endpoint when you reach the modules that work endpoint evidence, and the Linux server when you reach the server-side modules. There is no value in building all three before you begin.
Start cloud-only, and start today
You do not need the whole lab before you begin. The identity-and-SIEM step is roughly a thirty-minute build: stand up a free tenant, turn on sign-in and audit logging, point it at a free-tier SIEM. That is enough to follow the opening modules, which is exactly where the course front-loads the highest-value material. Build that, start the course, and add the VMs as the later modules call for them.
The course front-loads the highest-value material into the modules step one unlocks, so the barrier to starting is half an hour, not a full lab.
If you cannot build a lab at all, say because you only have a locked-down work machine and no spare hardware, the course still works as a read. Every query shows its output, and predict-then-reveal lets you practise the reasoning without running anything: you commit to what the result will show, then check yourself against the revealed output. The lab makes that sharper because the data is yours, but it is not a barrier to entry. You can complete this course and learn the method either way.
One practical note on data. A fresh tenant contains no attacks, so there is nothing to triage in it on day one. Where it matters, the course tells you how to generate the signal you need yourself: a test sign-in through a VPN to produce an impossible-travel pattern, a benign script execution to produce process telemetry. The evidence you then triage is real evidence you produced, not a screenshot, which is the whole point of building rather than only reading.
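As an added example that is not part of the course, this is the kind of check you would run over your own sign-in log once you have produced that VPN test sign-in: it walks sign-in records per user and flags consecutive sign-ins whose implied travel speed is not physically possible. The records, coordinates and the 900 km/h threshold are constructed assumptions, not values from the course.

```python
"""Impossible-travel check over sign-in events (added example, not course code).
Input: constructed sign-in records of the kind a tenant sign-in log exports:
user, UTC timestamp, and the geolocation the source IP resolved to."""
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_PLAUSIBLE_KMH = 900.0  # about airliner speed; faster than this is flagged

# Constructed sample: (user, ISO-8601 UTC time, latitude, longitude).
# "alice" mimics the VPN test sign-in the text describes.
SIGN_INS = [
    ("alice", "2024-05-01T09:00:00", 51.51, -0.13),    # London
    ("alice", "2024-05-01T09:40:00", -33.87, 151.21),  # Sydney (VPN exit)
    ("bob",   "2024-05-01T09:00:00", 51.51, -0.13),    # London
    ("bob",   "2024-05-01T12:00:00", 53.48, -2.24),    # Manchester, 3 h later
    ("carol", "2024-05-01T10:00:00", 40.71, -74.01),   # New York
    ("carol", "2024-05-01T10:00:00", 40.71, -74.01),   # same place, same second
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two latitude/longitude points."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlmb = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return (user, km, hours) for each consecutive per-user sign-in pair whose
    implied speed exceeds max_kmh. Zero elapsed time is flagged only when the
    two locations actually differ, so repeated sign-ins from one place pass."""
    by_user = {}
    for user, ts, lat, lon in events:
        by_user.setdefault(user, []).append((datetime.fromisoformat(ts), lat, lon))
    flagged = []
    for user, rows in by_user.items():
        rows.sort()  # oldest first; a log export is not guaranteed to be ordered
        for (t1, la1, lo1), (t2, la2, lo2) in zip(rows, rows[1:]):
            km = haversine_km(la1, lo1, la2, lo2)
            hours = (t2 - t1).total_seconds() / 3600.0
            if hours <= 0:
                if km > 1.0:  # same second, different city: cannot be one person
                    flagged.append((user, round(km), 0.0))
            elif km / hours > max_kmh:
                flagged.append((user, round(km), round(hours, 2)))
    return flagged
```

Before trusting the verdict, predict which users it will flag and why; only alice's pair should survive, and the flagged distance tells you whether the VPN exit landed where you expected.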
The last orientation sub introduces the three instruments you will use in almost every triage from here on, so you recognise them when they start doing real work.