Ridgeline Skill

For DFIR Practitioners, SOC Analysts, and Threat Hunters

Aligned to MITRE ATT&CK

Velociraptor VQL reference

Velociraptor for Endpoint Investigation

Focused skills. One thing, learned properly.

Learn to deploy Velociraptor and use it for endpoint investigation at scale. From installation through VQL fluency, single-endpoint collection, fleet-wide hunting, and result analysis — 8 hours to operational capability.

Content last updated: April 2026

Why take this course

For IR practitioners and threat hunters working at enterprise scale. You finish able to hunt, collect, and triage across thousands of endpoints with Velociraptor — the free-tool capability that lets small teams do what FOR508 teaches with F-Response Enterprise.

What this skill teaches

Velociraptor is the tool that turns every connected endpoint into an evidence source you can reach in seconds. No imaging, no physical access, no waiting for someone to ship you a drive. Deploy the agent, and any machine on the network is one click from a targeted artifact collection or a fleet-wide hunt.

Most practitioners know Velociraptor exists. Few have deployed it themselves, written VQL queries, or built custom artifacts. This skill teaches the deployment, the query language, the collection workflow, the hunting workflow, and — critically — how to read and interpret what comes back.

What you will be able to do

1. Deploy a Velociraptor server on Windows or Linux, connect endpoints, and verify the deployment is working end-to-end.

2. Write VQL queries that extract the evidence you need — processes, event logs, registry keys, network connections, filesystem metadata — without relying on pre-built artifacts alone.

3. Run targeted collections against a single endpoint and interpret the results across artifact types — prefetch, event logs, registry, amcache, network connections.

4. Hunt across your entire fleet, triage results using stacking and outlier detection, and pivot from fleet-wide anomalies to targeted single-endpoint investigation.

5. Write custom VQL artifacts for detection needs specific to your environment, test them against a single client, and deploy them as fleet-wide hunts.

Skill at a glance

Format: Ridgeline Skill — focused, practical, one topic

Sections: 9 content sections + guided lab + summary

Estimated time: 8 hours (self-paced)

Tier: Premium subscription

Prerequisites: Investigation experience. The Practical IR course gives you the methodology this skill assumes. The KAPE and EZ Tools skill gives you the artifact collection context that makes Velociraptor's value immediately clear. Neither is required.

Typical pace: 1-2 weeks at a few hours per week

What you leave with

Working deployment: A Velociraptor server with connected endpoints, ready for use in your lab or during an engagement.

VQL query library: Tested investigation queries for processes, event logs, registry, network connections, and filesystem artifacts — all annotated and reusable.

Custom artifact: A VQL artifact you wrote, tested, and deployed as a hunt — the template for every future detection you build in Velociraptor.

Analysis method: The notebook-based workflow for turning raw collection output into investigation findings, including stacking, outlier detection, and multi-host timeline correlation.

What this course does NOT cover

Deliberate scope boundaries. If any of these is your primary need, the sibling course is the better fit.

Sections

Nine focused sections plus a guided investigation lab. Every section runs against the Northgate Engineering environment — realistic data, realistic scale, realistic investigation scenarios.

VR0.1
Velociraptor Architecture and Deployment — Server-client architecture, the three server components (Frontend, GUI, API), persistent client connections. Full deployment walkthrough on both Ubuntu and Windows — config generation, service installation, client deployment, first-connection verification. You finish this section with a working server and at least one connected endpoint.
VR0.2
The GUI, Client Management, and the Virtual Filesystem — Client search and filtering, labels, the client overview panel. The Virtual Filesystem browser — navigating a remote endpoint's disk without imaging. VFS accessors (ntfs, registry, file). Collections and notebooks orientation. Every panel shown with annotated expected output.
VR0.3
VQL Fundamentals for Investigators — The Velociraptor Query Language as a practitioner uses it. SELECT ... FROM plugin() WHERE ..., key plugins (info(), glob(), parse_mft(), parse_evtx(), pslist(), connections()), LET expressions, foreach, output formatting. Six worked query examples against Northgate Engineering endpoints, each annotated line-by-line with expected output.
VR0.4
Artifact Collection: Single-Endpoint Evidence Gathering — Built-in artifact packs: Windows.KapeFiles.Targets, Windows.EventLogs.Evtx, Windows.Registry.NTUser, Windows.Forensics.Prefetch, Windows.Forensics.Amcache, and more. Parameter configuration, time-bounded collection, result review, file download. NE scenario: five targeted collections on DESKTOP-NGE001 during incident response — alert to evidence in under 15 minutes.
VR0.5
Hunts: Fleet-Wide Collection and Triage — Creating hunts, scoping by label and OS, resource limits, monitoring progress. Post-processing hunt results in notebooks. The fleet triage workflow: hunt → notebook query → identify anomalous endpoints → pivot to targeted collection. NE scenario: hunt 50 endpoints for lateral movement evidence after initial compromise.
VR0.6
Analysing Single-Endpoint Results — Notebook analysis workflow for collection output. Reading results by artifact type: prefetch execution evidence, event log logon reconstruction, registry persistence detection, amcache cross-referencing, network connection C2 identification. Exporting results for Timeline Explorer and SIEM import. Documenting findings in notebooks as the contemporaneous investigation record.
VR0.7
Fleet-Wide Analysis and Stacking — The stacking technique that makes 50-endpoint analysis practical: aggregate, count, find outliers. Worked stacking examples across scheduled tasks, prefetch, autoruns, and services. Pivot from hunt anomalies to targeted collection. Baselining and differential analysis. Multi-host timeline correlation. False positive management — distinguishing attacker outliers from operational noise.
VR0.8
Writing Custom VQL Artifacts — Artifact YAML structure: name, parameters, sources, queries. Full development cycle: identify the detection need, write the VQL, wrap in artifact YAML, test on one client, deploy as a hunt, refine based on results. Importing and reviewing community artifacts from the Artifact Exchange. NE scenario: build an artifact that detects the attacker's specific persistence mechanism.
Lab
Guided Lab: Investigate and Hunt Across Northgate Engineering — Full investigation scenario using the five-question framework. SOC alert fires → targeted collection → notebook analysis → lateral movement detection → fleet-wide hunt → triage results → identify 3 compromised hosts → export evidence → produce triage summary. Expected output at every step. 90–120 minutes.
Summary
Module Summary — The complete Velociraptor workflow from deployment through analysis. How Velociraptor fits alongside KAPE, Sentinel, and Defender XDR in the investigation toolkit. Where to go next.

Related courses

Practical Incident Response — The investigation methodology that Velociraptor accelerates. IR uses Velociraptor for remote collection; this skill goes deep on the tool itself.

KAPE and EZ Tools Mastery — The offline collection and parsing counterpart. KAPE collects from imaged or local systems; Velociraptor collects from live remote endpoints. Together they cover every collection scenario.

Advanced Windows Forensic Analysis — The artifact-level forensics that Velociraptor collections enable. WF11 covers Velociraptor for fleet collection; this skill covers the full tool from deployment through custom artifacts.

About Ridgeline Skills

Skills are focused training on a single capability — 4–8 hours of practitioner-written content with the same depth standard as full Ridgeline courses. Not every capability needs 15 modules. Skills cover the ones that need proper treatment but don't warrant a full course.

Included with every Premium and Specialist subscription.