The References You Reach for at 2 AM.

Investigation runbooks that walk you through incidents step by step. Triage scorecards that classify alerts in under 5 minutes. KQL queries you copy-paste into Sentinel during a live investigation. Forensic artifact references that tell you exactly where to look. Free, no account required, bookmark them now, use them when it matters.

Investigation & Response

Investigation & Response Tools

When an alert fires, you open these. The runbooks tell you what to check and in what order. The triage scorecard classifies the severity in under 5 minutes. The forensic references tell you exactly which artifact to examine and where to find it. The difference between "I need to think about this" and "I know the next step."

Toolkit
Open Source
VanGuard DFIR Toolkit
Velociraptor · Hayabusa · Chainsaw · Loki · YARA
Self-contained · Cross-platform · Air-gapped
  • Triage, hunt, collect, analyze from one binary
  • Runs from USB, no install, no internet
  • Free, Apache 2.0 License
View Toolkit →
Interactive
Free Tool
DFIR Investigation Runbooks
Identity · Malware · Lateral · BEC · Ransomware
From: Cloud Incident Response · Triage · Entra ID
  • 7 structured runbooks
  • 6 phases: triage → handoff
  • Free, No Account Required
View Runbooks →
Interactive
Free Tool
Incident Triage Scorecard
Identity · Endpoint · Email · Network
From: Incident Triage (TR0)
  • 8 classification questions
  • < 5 minutes per alert
  • Free, No Account Required
Use Scorecard →
Reference
Free Tool
Windows Forensic Artifacts
Persistence · Execution · Files · Network · USB
From: Cloud Incident Response · Triage
  • 25+ forensic artifacts
  • Registry paths + extraction tools
  • Free, No Account Required
Browse Artifacts →
Reference
Free Tool
Native Windows Forensic Commands
Processes · Network · Persistence · Event Logs
From: Cloud Incident Response · Windows Endpoint Investigation
  • Volatile-data capture, cmd + PowerShell
  • When KAPE + EZ Tools can't deploy
  • Free, No Account Required
Read the reference →
Reference
Free Tool
Windows Event ID Reference
Auth · Process · Sysmon · PowerShell · Defender
From: Cloud Incident Response · Endpoint Security
  • 40+ events, 12 categories
  • What each event means, where to find it
  • Free, No Account Required
Browse Events →

The Tools Give You the Reference. The Courses Teach the Methodology.

Every tool is extracted from a Ridgeline course. The courses add the judgment, context, and operational depth.

Browse All Courses Browse Courses