First Response

For Security Engineers, First Responders, and On-Call Engineers Who Must Classify, Preserve, and Contain Within 60 Minutes

Aligned to NIST SP 800-61 · ISO/IEC 27035 · MITRE ATT&CK

Incident Triage and First Response

Classify, preserve, and contain — the first 60 minutes that determine everything.

Triage security incidents across cloud, Windows, and Linux simultaneously — because real attacks cross environment boundaries. Classify severity accurately under time pressure, preserve volatile evidence before it disappears, execute initial containment that stops the damage without destroying the investigation, and hand off a complete scope assessment the IR team can act on immediately.

Text-based · Persistent labs on your own hardware · 2 free modules available now · 36 CPE credits · Content last updated: May 2026

What you'll deploy
Complete triage-to-containment playbook for the initial 60 minutes
KAPE + Velociraptor rapid collection environment built and tested
Severity classification framework with escalation decision tree
First-responder runbooks for BEC, ransomware, and credential theft
Evidence preservation procedures that maintain chain of custody
Triage documentation templates for consistent case handoff
TRIAGE — FIRST 60 MINUTES

T+0:00 Alert fires — AiTM credential phishing detected in Sentinel. Source: Defender for Office 365 → KQL triage query pack

T+0:08 Cloud triage — 5-query pack confirms active session hijack. Tools: KQL, Graph PowerShell, Defender portal

T+0:15 Windows triage — KAPE collection, EZ Tools parse, process tree. Tools: KAPE, PECmd, EvtxECmd, Sysinternals, PowerShell

T+0:25 Linux triage — auth.log, process analysis, LiME memory capture. Tools: ps, ss, lsof, LiME, Volatility3, Bash triage script

T+0:35 Cross-environment correlation — unified timeline, pivot points. Entity mapping: UPN ↔ SAM ↔ Linux user, IP correlation across logs

T+0:45 Synchronized containment — all 3 environments within 2 minutes. Session revoke + endpoint isolate + iptables block → verify → report
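The T+0:35 correlation step, worked as an added example (not course material): records from the cloud, Windows and Linux environments are resolved through a UPN ↔ SAM ↔ Linux-user entity map, merged into one timeline, and the source IPs seen in more than one environment are surfaced as pivot points. All records, the identity `j.doe@northgate.example` / `NORTHGATE\jdoe` / `jdoe` and the RFC 5737 addresses are constructed for illustration.

```python
"""Cross-environment correlation: resolve UPN / SAM / Linux user to one
identity, build a unified timeline, and list IP pivot points.
Added example, not course material; every record below is constructed and
uses RFC 5737 documentation ranges (203.0.113.0/24, 198.51.100.0/24)."""
from collections import defaultdict
from datetime import datetime

# Entity map (hypothetical Northgate identity): UPN <-> SAM <-> Linux user.
ENTITY_MAP = [
    {"upn": "j.doe@northgate.example", "sam": "NORTHGATE\\jdoe", "linux": "jdoe"},
]

# Constructed evidence: (timestamp, identity as logged, source IP, environment, detail)
CLOUD_SIGNINS = [  # cloud sign-in log records identities as UPNs
    ("2026-05-04T08:02:11Z", "j.doe@northgate.example", "203.0.113.45", "cloud", "sign-in success, unfamiliar device"),
]
WINDOWS_EVENTS = [  # Windows Security events record SAM account names
    ("2026-05-04T08:09:30Z", "NORTHGATE\\jdoe", "203.0.113.45", "windows", "4624 logon, type 10"),
]
LINUX_AUTH = [  # auth.log records Linux usernames
    ("2026-05-04T08:14:02Z", "jdoe", "203.0.113.45", "linux", "sshd Accepted password"),
    ("2026-05-04T07:55:00Z", "root", "198.51.100.9", "linux", "sshd Failed password"),
]

def canonical_identity(name):
    """Map a UPN, SAM name or Linux user to the UPN via the entity map."""
    for e in ENTITY_MAP:
        if name in (e["upn"], e["sam"], e["linux"]):
            return e["upn"]
    return name  # unmapped identity stays as logged (itself worth noting in triage)

def unified_timeline(*sources):
    """Normalize records from every environment and sort them by time."""
    rows = []
    for src in sources:
        for ts, ident, ip, env, detail in src:
            rows.append({"time": datetime.fromisoformat(ts.replace("Z", "+00:00")),
                         "identity": canonical_identity(ident), "ip": ip,
                         "env": env, "detail": detail})
    return sorted(rows, key=lambda r: r["time"])

def pivot_ips(timeline):
    """Source IPs seen in two or more environments: the containment pivot points."""
    envs = defaultdict(set)
    for r in timeline:
        envs[r["ip"]].add(r["env"])
    return {ip: sorted(e) for ip, e in envs.items() if len(e) > 1}
```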

What you'll be able to do

Classify incident severity accurately under time pressure
Preserve volatile evidence across cloud, Windows, and Linux environments
Execute initial containment that stops damage without destroying the investigation
Triage multi-environment attacks that cross cloud-endpoint boundaries
Deliver structured handoff reports the IR team can act on immediately

Course Agenda

Course at a glance

You start triaging alerts the way you were shown on your first day — checking the obvious, following your instinct, hoping you don't miss the one that matters. You finish with a triage methodology that works across every alert type and every environment — cloud, endpoint, identity, network — where you know exactly what to check, in what order, and when to escalate.

What you'll build: The triage decision framework that turns a 30-second glance into a structured assessment. Containment decisions you can justify. Evidence preservation habits that protect the investigation before it starts. The confidence to look at an unfamiliar alert and know how to work it — not because you've seen it before, but because the methodology handles what you haven't seen.

16 modules across 4 phases · 36 CPE credits · Self-paced at ~5 hrs/week

Typical pace: ~5-10 weeks at 5 hrs/week

Hands-on labs: 26 structured

MITRE ATT&CK coverage: 89 techniques mapped

Built by Ridgeline Cyber

Ridgeline Cyber Defence builds security operations training grounded in practical and operational experience. The team behind this course runs CSOC operations across on-prem, Splunk, and Microsoft 365 security stacks, Cisco and Palo Alto networks, and managed SOC partnerships.

Experience spans incident triage, detection engineering, incident response, and DFIR investigation across on-prem, M365, and Linux environments — including leading cyber incident response engagements and operating the triage methodologies taught in this course in production environments.

The triage procedures, tool workflows, and containment sequences in this course are drawn from that operational work — adapted for training but grounded in real incident response.

The outcome

You start closing alerts. You finish triaging incidents.

Structured triage methodology — severity assessment, scope determination, evidence collection, escalation decision.

Time-pressured decision making — the first 60 minutes, with incomplete information, under real constraints.

Handoff documentation — triage reports that IR practitioners can act on immediately.

Usage rights and disclaimer

Course materials: Licensed for individual professional development. You may deploy triage scripts, query packs, and playbooks from this course in your organization's production environment. You may not redistribute course content, share account credentials, or republish course materials.

Triage tools and scripts: All PowerShell, Bash, and KQL artifacts are provided as-is for deployment in your environment. Test every script against your environment before using it in production incidents. Containment actions have business impact — verify blast radius before execution. Ridgeline Cyber Defence is not responsible for operational impact from deployed scripts or containment actions.

Fictional environment: All scenarios use the fictional Northgate Engineering environment. Any resemblance to real organizations, incidents, or individuals is coincidental. IP addresses use RFC 5737 documentation ranges.

Lab Pack — Hands-On Triage Practice

This course includes a downloadable lab pack that generates realistic-volume evidence across all four environments. Attack indicators are buried in hundreds of lines of legitimate noise — the same needle-in-haystack challenge you face in production. Both PowerShell and bash generators are included so you can run them on any OS.

Evidence generated: Cloud sign-in logs (~250 entries with AiTM buried in 7 days of legitimate logins), cloud audit logs (~200 entries), Windows process list (~120 entries with 5 suspicious among legitimate system processes), Windows security events (~400 entries), Windows network connections (~50 entries), Linux auth.log (~800 lines with brute force buried in CRON/SSH noise), firewall log (~300 entries), DNS queries (~300 entries), plus 8 JSON alerts, unified timeline, entity map, and triage templates.

26 structured labs: Alert prioritization, sign-in analysis, audit log triage, process tree analysis, security event timeline, SSH brute force scoping, cross-environment correlation, severity scoring, containment execution, and the 15-minute triage report.

Evidence analysis: Open CSV files in Timeline Explorer by Eric Zimmerman — purpose-built for DFIR evidence analysis with column filtering, sorting, and color-coding.

Master Incident Triage Lab Pack
26 labs · 4 environments · ~2,000 evidence entries · PowerShell + bash generators

Version and changelog

Current version: 2.0  |  Last updated: April 2026

April 2026 — v2.0: Lab pack rebuilt with realistic-volume evidence across all four environments (~2,000 total evidence entries with attack indicators buried in legitimate noise). PowerShell and bash generators included. 26 structured labs. Inclusive audience statement added. Prerequisites updated for advanced positioning. Course page redesigned with Timeline Explorer recommendation.

2026 — v1.0: Course launch. 16 modules (TR0–TR15) across 4 phases. Cloud, Windows, Linux, and network triage with full tool coverage. 4 NE attack chain scenarios. Interactive labs.

This course is actively maintained. Triage procedures are updated as the Microsoft security platform evolves and new attack techniques emerge.

COURSE ASSESSMENT

End of Course Exam

Complete the course, then prove your skills under time pressure. Pass mark: 70. Earn your certificate with CPE credits.

40 minutes · 3 phases · 100 points · 2 scenarios

Requires 80% course completion. One random scenario per attempt. Certificate issued on pass.