Incident Response for Everyone

Instructor-led training course

Please contact us if you have any questions.

Course Description

This two-day course is designed to teach non-technical support staff how to respond to an incident and how to work with investigators during an incident response event. This course includes a series of hands-on exercises that highlight all phases of the investigation life cycle.

Participants will learn how to respond to a detected incident, describe the incident to stakeholders, differentiate among different evidence acquisition methods, understand how investigators conduct an investigation, evaluate different remediation methods, and review an investigative report. By the end of this course, participants will be able to actively provide non-technical support to an investigation by understanding the full scope of incident response processes and procedures.

The course is comprised of the following topics with exercises included throughout the course.

  • Incident Discovery: Incident Discovery, Notifying Stakeholders, Initial Documentation, Triggered Processes and Procedures
  • Incident Description: Describing the Incident, Evidence Collection for Trusted Partners
  • Evidence Acquisition: Evidence Collection Capabilities, Trusted Partner Evidence Collection, Evidence Preservation
  • Analysis: Planning for Analysis, Analysis Gaps, Analysis Methodologies Remediation: Remediation Plan Concepts, Remediation Plan Customizations, Remediation Timing
  • Reporting Results

Learning Objectives

After completing this course, learners should be able to:

  • Determine how to respond to an incident immediately after initial notification
  • Summarize an incident for relaying to a trusted partner
  • Choose an investigation plan most suited to investigate your organization’s incident
  • Choose a remediation plan most suited to investigate your organization’s incident
  • Evaluate an investigative report for quality
  • Summarize the events described in an incident report

Who should attend

The audience for this course includes all members of an organization that are commonly asked to work with or as part of an investigative team, such as personnel involved in information security (information security, information technology), counsel (general or third-party, cyber policy lawyers, breach coaches), or communications (internal or external communications).



Delivery method

In-classroom or virtual instructor-led training


  • 2 days (in-person delivery)
  • 3 days (virtual delivery)

What to bring

Students are required to bring their own laptop with an Internet connection and a modern browser. Learners will receive a lab book and all required class materials.