Windows Enterprise Incident Response


Attacks against computer systems continue to increase in frequency and sophistication.

If you have any additional questions, send us an email. Thank you.

mandiant academy


In order to effectively defend data and intellectual property, organizations must have the ability to rapidly detect and respond to threats. This intensive online course is designed to teach the fundamental investigative techniques needed to respond to today's threats. This class is built upon a series of hands-on labs that highlight the phases of a targeted attack, key sources of evidence, and the forensic analysis know-how required to analyze them. Students will learn how to conduct rapid triage on a system to determine if it is compromised, uncover evidence of initial attack vectors, recognize persistence mechanisms, investigate an incident throughout the enterprise, and much more.


  • LOCATION: Online
  • START DATE: November 29, 2021 
  • END DATE: December 2, 2021 
  • TIME: 8:00am–2:30pm Singapore Time, daily
    • UTC 0:00-06:30
    • 11:00am–5:30pm AEDT
  • COST: US$4,000 or 4 EOD units
Expertise on Demand (EOD) units will be accepted.


The course is comprised of the following modules, with labs included throughout the instruction

  • The Incident Response Process – An introduction to the threat landscape, targeted attack life-cycle, initial attack vectors used by different threat actors, and the phases of an effective incident response process.
  • Single System Analysis – This module includes in-depth information about the most common forms of endpoint forensic evidence collection and the benefits and limitations of each. A deep dive will be taken into file system metadata, registry, event logs, services, common persistence mechanisms, and artifacts of execution. Students will be taught to answer the key questions about what transpired.
    • File System Metadata
    • Event Logs
    • Registry
    • Memory Analysis
  • Enterprise Investigations – How to apply the lessons-learned from the previous modules to proactively investigate an entire environment, at-scale, for signs of compromise. An in-depth analysis of how attackers move from system-to-system in a compromised Windows environment, the distinctions between network logons and interactive access, and the resulting sources of evidence on disk, in logs, and in the registry.
  • Investigation Management – Managing and effectively recording information related to ongoing investigations and incidents is crucial for success. This module will cover the best practices and some approaches to information management which enrich the investigative process and bolster the enterprise security program.
  • Remediation – The remediation phase of an enterprise investigation is an important part of the incident response process. Discussion on the containment and remediation of a security incident will bridge short-term immediate actions taken during a live incident, to longer term strategic posturing to improve the resiliency of the organization as a whole.
  • Threat Hunting – Threat hunting is a critical component of an effective enterprise security program. Hunting using threat intelligence, anomaly detection and known threat actor techniques, tactics and procedures (TTPs). Applying the lessons learned from the previous modules to proactively investigate an entire environment, at-scale, for signs of compromise.


Day One
  • Incident Response Process
  • Single System Analysis
    • Non-volatile sources
    • Volatile sources    
Day Two
  • Enterprise Investigations
Day Three
  • Investigation Management
  • Remediation
Day Four
  • Hunting
  • Question & Answer Session


This is a fast-paced technical course that is designed to provide hands-on experience with investigating targeted attacks and the analysis steps required to triage compromised systems. The content and pace is intended for students with some background in conducting forensic analysis, network traffic analysis, log analysis, security assessments, and penetration testing, or even security architecture and system administration duties. It is also well suited for those managing CIRT / incident response teams or in roles that require oversight of forensic analysis and other investigative tasks.


Students must have a working understanding of the Windows operating system, file system, registry, and use of the command-line. Familiarity with Active Directory and basic Windows security controls and common network protocols will also be beneficial.


Students are required to bring their own laptop that meets the following specs:

  • Windows 7+
  • Core i5 or equivalent processor
  • 6 GB (preferably 8 GB) of RAM
  • 25 GB free HDD space
  • Virtual machines are acceptable provided at least 4 GB or RAM can be allocated
  • Microsoft Office installed outside the VM 
  • Admin/install rights 


Students will receive a lab book and access to all required class materials and tools.

Additional Education Services

Mandiant offers numerous training services, including teacher-led and web-based training. The full catalog is available on the Mandiant Academy site.