Master proven and reliable skills to solve incidents and save the day

MCSI Certification

MDFIR - Certified DFIR Specialist

There are a few key skills required for cyber incident response and digital forensics. The first is a strong understanding of computer systems and networks. This includes an understanding of how systems work and how to troubleshoot issues. Incident responders also need to be able to quickly understand the data that is being analyzed, as well as any potential threats.

The second key skill is the ability to communicate effectively. Incident responders need to be able to effectively communicate with other members of their team as well as with clients or customers. They also need to be able to communicate clearly and concisely in writing.

The final key skill is the ability to stay organized. Incident responders often have to manage a large number of tasks simultaneously and need to be able to keep track of all of the data. They also need to be able to stay organized when working under pressure.

If you want to learn how to respond to computer incidents and conduct digital forensics investigations, the MCSI MDFIR course is the gold standard. Offered by the global leader in information security training, this course provides in-depth instruction on how to protect your organization from cyber attacks and respond to incidents when they occur.

MDFIR Professionals have the skills and abilities to excel in the digital forensics and incident response field. Earning MDFIR Certification from MCSI is your assurance that you have the competencies the industry is seeking. Our certification program has been developed with input from leading experts in the field, so you can be confident you are getting the most up-to-date and relevant training available. When it comes to finding a job in digital forensics and incident response, MDFIR Certification from MCSI can make all the difference.

  • Intermediate Level MCSI Certification
  • Duration: 600+ hours
  • CPE points: 206.5
  • Price: $595
  • No Expiry, No Renewals

Course Overview

This course will teach you tried-and-true techniques and tactics for handling major cyber breaches. After completing your certification, you will be fully capable of conducting digital forensics investigations and dealing with cyber incidents.

"Digital forensics and incident response are the bedrock of modern cybersecurity operations. Without these capabilities, an organization is blind to attacks and unable to defend itself."

Incident response is the process of investigating and mitigating a security incident. This may include the identification of malicious activity, the collection and analysis of evidence, and the implementation of corrective actions.

Digital forensics is the process of collecting, analyzing and preserving evidence from a digital device. This evidence can be used in the criminal justice system to identify and prosecute criminals. Digital forensics is used to recover data from phones, computers and other digital devices. This data can be used to identify the people involved in a crime, as well as the methods and tools used to commit the crime.

The digital world is constantly changing, and with that comes new and innovative ways for criminals to commit crimes. As a result, the demand for digital forensics and incident response personnel is growing. This is great news if you are looking for a career opportunity in this field!

The MCSI Digital Forensics and Incident Response (MDFIR) certification will equip you with the skillset necessary to carry out the following tasks:

  • Perform digital forensics investigations on Windows systems
  • Use memory forensics to identify and analyze modern APT samples
  • Perform network forensics on PCAP files to investigate intrusions
  • Analyze files, executables and malware samples
  • Identify and track adversary infrastructure based on IOCs generated from an investigation

Cyber incident responders can earn a six-figure salary, and the demand for them is high. As businesses become increasingly reliant on technology, the need for qualified incident responders grows. Those with the necessary skills and experience can expect to be in high demand and can command a high salary.

Knowledge, Skills and Abilities You Will Acquire

MCSI is one of the most respected and trusted names in cyber security education and training. Our certifications teach critical skills, knowledge and abilities needed to advance a career in cyber security. Our courses are comprehensive and up-to-date, and our instructors are experienced professionals who are dedicated to helping students learn. MCSI provides the real-world skills and knowledge you need to protect any organization from cyber threats.

  • File Analysis

    File analysis is the process of inspecting a file for information that can be used to understand the file's contents and structure. This information can be used to recreate the file, or to extract data from the file. File analysis is often used in reverse engineering, where the goal is to understand the inner workings of a program or system.

    One way malware analysts examine malware is to analyze the files it creates and uses. Malware authors often leave evidence of their activity in the files they create. This evidence can include strings containing text that reveals the purpose of the malware and file names that suggest the type of malicious activity the malware is engaged in.

    Some of the file types you will learn to analyse:

    • .exe
    • .msi
    • .a3x
    • .pdf
    • .doc
    • .lnk
    • .rtf
  • Windows Forensics

    Windows Forensics is the process of gathering, examining, and reporting on evidence found on a Microsoft Windows computer system. This type of digital evidence can include user activity logs, system files, and deleted files. Windows Forensics is used in many types of investigations, including civil, criminal, and internal corporate investigations.

    Windows Registry

    One of the most important aspects of Windows forensics is being able to properly analyze the Windows Registry. The Registry is a database that stores configuration information and settings for the operating system, applications, and users.

    The Registry can be used to answer questions about how a system was configured at the time of the forensic examination, as well as questions about how the system has been used and changed over time. The Registry can also be used to find evidence of user activity, software installations, and system changes.

    Windows Event Logs

    Windows Event Logs are a system of logs that Windows maintains to record significant events on the system. These logs can include login attempts, application crashes, and other system events. They can be used to help troubleshoot problems on the system, or to track down malicious activity.

    • Account Usage
    • Application Crashes
    • Networking Information
    • Program Execution

    Windows Prefetch

    Windows Prefetch is a file system feature that was introduced in Windows XP. The Prefetch file is a database that stores information about the files that are used on the system. The information includes the file name, the path to the file, and the time that the file was last used. When a user opens a file, Windows will look in the Prefetch file to see if the file was previously opened. If it was, Windows will open the file from the cache instead of opening it from the disk. This can improve performance by reducing the amount of time that it takes to open a file.

    Windows ShimCache, AppCompatCache and AmCache

    The Windows Application Compatibility Database is a valuable artefact for forensic investigators. By default, the feature is enabled on all Windows systems and preserves information about recently executed programs. This information can be used to help determine which programs were run on a system and when they were run.

  • Memory Forensics

    Memory forensics is a process of collecting digital evidence from a computer's RAM. This type of evidence is often used in investigations to determine what actions a user has taken on a computer, as well as to find out information about other users who have access to the computer. The evidence collected from memory can also be used to identify malware and other security threats.

    Volatility Framework

    Volatility is a framework for memory forensics. It is open source and allows for the examination of volatile memory images in order to extract information about the running system. Volatility can be used to detect malicious code, investigate system crashes and user activity, and recover deleted files.

    This is the memory forensics tool you will learn how to use in this course.

    Topics Covered

    • Retrieving and analyzing artefacts from the Windows Registry
    • Listing running processes and loaded DLLs to identify malicious programs
    • Retrieving the memory sections of a process to recover malicious code
    • Identifying and listing kernel objects to manually investigate a compromised system
    • Recovering networking information and discovering suspicious network connections
    • Listing GUI information to identify open desktop programs
    • Discovering code injection attacks
    • Developing and running YARA rules on memory dumps
  • Application Forensics

    User application forensics is the process of examining user applications and the data they create in order to extract evidence for use in investigations. This type of digital evidence can be used to help determine what actions a user took on their device, what files they accessed, and who they communicated with. This information can be used to support or disprove alibis, identify potential suspects, and build criminal cases.

    Browser Forensics

    Browser Forensics is the process of collecting digital evidence from a web browser. This evidence can be used in investigations to determine how a person interacted with a website, what they clicked on, and what data they entered.

    Email Forensics

    Email Forensics is the process of extracting evidence from email communications. This evidence can be used in investigations to help identify suspects, gather evidence, and prove or disprove alibis. Email Forensics can extract information such as the sender and recipient of an email, the date and time it was sent, and the contents of the email. This information can be used to help identify individuals involved in criminal activity, or to prove that an email was not sent as claimed.

    Microsoft Office Forensics

    Microsoft Office Forensics is the practice of collecting, examining, and preserving digital evidence from Microsoft Office files. The type of evidence collected can include metadata, user interactions, and document content. Microsoft Office Forensics can be used in investigations to determine how a document was created and modified, who authored it, and what it contains.

    Web Server Logs Analysis

    Logs are the bread and butter of a web server forensics investigation. By analyzing the logs, investigators can gain a clear understanding of how the server was used and abused. The logs can provide information on user activity, system performance, file access, and more. This information can be used to help identify the perpetrators of an attack, and to prove or disprove hypotheses about an incident.

    Database Logs Analysis

    Database logs can be used to investigate data breaches. In order to do this, the database administrator must first ensure that the logs are properly configured and maintained. The logs can then be used to track user activity and identify any unauthorized access or changes to data. This information can be used to help trace the source of the data breach and to determine the extent of the damage.

  • Network Forensics

    Network forensics is the practice of collecting and analyzing data that passes through a computer network. Network forensics tools can be used to track the activities of users on a network and to investigate cyber crimes.

    PCAP Files Analysis

    PCAP files are a type of digital evidence that can be used in digital forensics investigations. They are collected by network sniffers and can contain a record of all network traffic that passes through a particular network interface. This can include email, chat logs, website visits, and more. PCAP files can be used to help identify the source of a cyberattack, or to reconstruct activity that has taken place on a network.

    Netflow Files Analysis

    Netflow files are a type of digital evidence that can be used in digital forensics investigations. They are generated by network devices such as routers and switches, and collect information about network traffic including IP addresses, ports, and packet sizes. This information can be used to help identify network congestion and security issues, as well as track user activity and investigate cybercrime.

    Detecting DGA Algorithms

    Domain Generation Algorithms (DGA) are a type of algorithm used by malware to generate a large number of possible domains for use in communication with a C&C server. This allows the malware to evade detection by security products that rely on blacklisting known malicious domains. Malware can also use DGAs to create a pool of decoy domains that can be used to distract and mislead investigators.

    Detecting DNS Tunnelling

    DNS tunnelling is a technique used by malware to disguise its communications as DNS traffic. This allows it to bypass security measures that are in place to block malicious traffic. DNS tunnelling can also be used to send data to and from infected computers without being detected.

    Detecting Domain Fronting

    Domain fronting is a technique that allows malware to communicate with a command and control (C&C) server while appearing as if it is communicating with a legitimate website. This is accomplished by using a domain that is hosted on a different domain name server than the C&C server. By doing this, the malware can disguise its communications and avoid detection.

    Detecting Pass-the-hash Attacks

    A pass-the-hash (PTH) attack is a technique that allows an attacker to use a stolen password hash to sign in to a target account. Password hashes are created by hashing a password with a cryptographic algorithm. When a user logs in, the login process converts the user's input into a hash and compares it to the hash stored in the database. If the hashes match, the user is authenticated.

    Threat actors use PTH attacks because they are quick and easy to execute. They can also be successful even if the target user has a strong password. PTH attacks work because of a Windows feature.

    Detecting Remote Code Execution Attacks

    Remote code execution (RCE) is a type of software vulnerability that allows an attacker to execute code on a remote system, without needing any authentication credentials. This can be done by exploiting a flaw in the system's software, or by taking advantage of a flaw in the way that the system is configured.

    Detecting RCE vulnerabilities can be difficult, as they can often be hidden inside complex code. However, by using network forensics tools, it is possible to identify abnormal activity that may indicate an RCE exploit is being used. Examples of such activity may include large amounts of network traffic from a single source, or signs of shellcode in network packets, or packets that are being sent to unusual destinations.

  • Malware Analysis

    Malware analysis is the study of malware, which is any type of software that can be used to harm or disable computers. This might include viruses, ransomware, spyware, adware, and other types of malicious software. Malware analysis is used to determine how a particular piece of malware works and how it can be neutralized. It also helps to identify the individuals or organizations behind the malware.

    Binary classification

    Binary classification is the process of classifying a sample as either malicious or benign. This is done by examining the sample's code and behavior and comparing it to known malicious and benign samples.

    Malicious and benign samples can be distinguished by their code, behavior, and other characteristics. For example, malicious samples often contain code that exploits vulnerabilities in the operating system or other software, while benign samples do not.

    Behavioural analysis

    Behavioural analysis is a technique used in malware analysis to identify and characterize the behaviour of malware. This involves studying the behaviour of the malware in a controlled environment, such as a virtual machine, and identifying any patterns in its behaviour. This can help to identify any malicious activity that the malware is carrying out, as well as any changes in its behaviour that may indicate that it has been modified or updated.

    Static Analysis

    Static Analysis is the process of analyzing a program or malicious code without executing it. This can be done through a variety of methods such as decompiling the code, disassembling it, or simply viewing the code in a text editor. Static Analysis allows analysts to understand how the code works and look for potential malicious behavior. It can also be used to identify potential vulnerabilities in the code that could be exploited by malware.

    Indicators of Compromise (IOCs) Extraction

    One of the most important steps in analyzing malware is extracting indicators of compromise (IOCs). These are specific pieces of data that can help you identify and track infections. They may include file names, registry keys, IP addresses, or other pieces of information. Extracting IOCs can help you quickly determine how widespread an infection is and how to best address it.

    Developing YARA Rules

    The purpose of YARA is to allow analysts to create descriptions of malware samples that are both useful and concise. These rules can then be used to quickly identify similar malware samples.

  • Enterprise Investigations

    An enterprise investigation in digital forensics and incident response is a process where a team of experts works together to identify and resolve a security incident within a large organization. The team typically includes members from the information security, legal, and human resources departments, as well as outside experts from the forensic investigations and computer security industries. The goal of the investigation is to identify the cause of the security incident, contain the damage, and prevent future incidents from occurring.

    Capturing and Indexing Forensics Artefacts

    The first and most important step in any forensic investigation is the collection of all relevant evidence. In order to do this effectively, it is necessary to have a process in place for capturing and indexing forensic artefacts. This allows investigators to quickly and easily locate any relevant evidence, which can be crucial in solving a case.

    Baselining the Enterprise Network

    Baselining the network is important in digital forensics and incident response because it can help you to better understand how the network is supposed to look and function. This information can be helpful when investigating incidents or trying to determine how an attacker may have compromised the network. Additionally, baselining the network can help you to quickly identify any changes that may have occurred since the last baseline was created, which could indicate an incident or attack.

    Performing Memory Forensics at Scale

    When it comes to performing memory forensics on a large scale in an enterprise setting, there are several reasons why it's important. Memory forensics can provide a great deal of information about what happened on a system in the past. By analyzing the contents of system memory, investigators can often get a clear picture of what programs were running, what files were accessed, and even what passwords were typed. This information can be crucial in helping to determine the cause of an incident.

    Data Science with Python Pandas

    The Python pandas library is often used in enterprise digital forensics and incident response investigations for data analysis. Pandas can be used to read in data from a variety of sources, including files, databases, and web scraping. Pandas can also be used to clean, process, and transform the data for analysis. Additionally, pandas provides a number of functions for statistical analysis and data visualization. This makes pandas an essential tool for data-driven investigations.

  • Threat Intelligence

    Digital forensics and incident response (DFIR) teams use their findings to produce threat intelligence. Threat intelligence is a critical part of any organization's security strategy, as it allows organizations to understand the threats they face and take steps to mitigate those threats. Threat intelligence is also used to help organizations respond to attacks and incidents.

    DFIR teams gather information about threats in several ways. They may collect data from open sources, such as the internet or social media. They may also collect data from closed sources, such as live breaches!

    Pivot Analysis

    Pivot analysis is a technique that is used in incident response to help identify and track malicious activity. Pivot analysis allows investigators to move laterally from the initial compromised system to other systems on the network in order to gather more information about the incident. This technique can be used to identify additional systems that have been compromised, to determine the scope of the breach, and to identify the perpetrators of the attack.

    Open-Source Intelligence Collection

    Open-source intelligence (OSINT) is a method of gathering intelligence from publicly available sources. OSINT collectors can use a variety of methods to gather this information, including social media, search engines, and public databases.

    OSINT is often used in incident response. Incident responders can use OSINT to gather information about the incident, including the type of attack and the attacker's identity.

  • Write professional malware analysis reports

    Executive Summary

    An executive summary might briefly describe the findings of a malware analysis report. The executive summary might describe what type of malware was found, how it works, and what impact it could have on a system. The executive summary might also include recommendations for mitigating the threat.

    Tags and Keywords

    The tags and keywords section of a malware analysis report is used to categorize the malware and its capabilities. This section is important for identifying the purpose of the malware and its potential for harm. The tags and keywords also help to determine how the malware should be handled and mitigated.

    Sensitivity Classification

    A malware analysis report's Sensitivity Classification section designates the confidentiality, integrity, and availability (CIA) impact of the malware. For each CIA category, the section describes how the malware could potentially exploit the system to cause harm. For instance, a piece of malware might be able to delete critical files, resulting in a loss of availability. Alternatively, it might be able to eavesdrop on sensitive communications, violating the confidentiality of the system. Finally, it might be able to tamper with data, jeopardizing the integrity of the system. By understanding the CIA impact of malware, analysts can better assess the risks posed by a given piece of malware and take steps to mitigate those risks.


    Hashes

    The hashes section of a malware analysis report includes the MD5, SHA-1, and CRC32 hashes of the malware sample. These hashes can be used to identify the sample and determine if it is the same as a sample that has been previously analyzed. The hashes can also be used to check for malicious content in files that have been downloaded from the Internet.

    Methodology

    A malware analysis report's methodology section is critical for ensuring that the analysis is completed correctly and completely. This section should include a full account of how the analysis was carried out, including the tools utilized and the procedures used to reach the final results. It should be presented in a clear and straightforward manner so that readers can easily follow along and comprehend the procedure.

    Limitations

    A malware analysis report's limitations section is used to identify any areas where the study's scope was constrained. Time constraints, restricted access to resources, or a lack of expertise with the infection can all contribute to this. It's critical to be open about any constraints in order to verify that the analysis's results are correct.

    Identification and Classification of Sample(s)

    Identify the type of malware that was discovered and provide information about its classification. This section includes a description of the sample, its unique identification number, and the date and time it was collected. It also includes information about the source of the sample and how it was classified.


    A malware analysis report should have a section that explains the features of the malware that was analyzed. This section should describe what the malware does, how it works, and what it is designed to do. This information is important for understanding how the malware works and what it is capable of doing.


    Dependencies

    The dependencies section of a malware analysis report lists all of the files that the malware depends on in order to run. This includes any libraries that the malware uses, as well as any other files that it needs in order to function. This information is important for understanding how the malware works, and what it would take to disable it.

    Conclusions of Code Analysis and Observed Behavior

    The conclusion section of a malware analysis report should provide a brief summary of your findings and recommendations. It should also state whether the malware is still active and, if so, how to remove it.

  • Write digital forensics and incident response reports and briefings


    Timeline

    The timeline section of digital forensics and incident response reports is important in order to understand the order of events that occurred during an incident. This information can be used to help determine the cause of the incident and who is responsible.

    Incident Statements

    An incident statement is a short, clear summary of an incident that occurred. It should include who was involved, what happened, when it happened, and where it happened. Incident statements are often used in digital forensics and incident response reports to help readers understand the events that took place.

    Hypothesis generation and testing

    The hypothesis generation and testing section of digital forensics and incident response reports is used to generate possible explanations for an observed event and to test those explanations against the evidence. This process is important in order to rule out false positives and to ensure that the most likely explanation is supported by the evidence.

    The first step in hypothesis generation is to examine the evidence and identify any patterns or anomalies. Once these have been identified, possible explanations for them can be generated. These explanations are then tested against the evidence to see if they are supported. If they are not, they are rejected and new explanations are generated. This process is repeated until a satisfactory explanation is found.

    Key assumptions check

    The "key assumptions check" section is an important part of digital forensics and incident response reports. This section is used to verify that the digital evidence and incident response findings are accurate and complete. The key assumptions check ensures that the report is based on valid and reliable information.

  • Disk and filesystem forensics
  • Develop standard operating procedures and templates

Career Outcomes

This certification thoroughly prepares you for the following roles:

  • Digital Forensics Analyst
  • Incident Responder
  • Security Operations Centre (SOC) Analyst
Certification Detail

MCSI certifications are highly respected and sought-after credentials in the industry. Earning an MCSI certification is a testament to your knowledge and skillset, and demonstrates your commitment to excellence. The content is cutting-edge, uniquely-designed, and hands-on. Our exercises teach in-demand skills that are immediately applicable in the field.

The certifications are valid indefinitely and do not require any renewal fees. The training is accessible without any time limits.


Training Modules

This course provides you with multiple training modules, each of which is designed to teach you practical skills that can help you solve important cyber problems. Each module offers exercises that will help you build your skills and capabilities.

  • MDFIR-QS-001: Quickstarter: Lab Setup - 3 exercises
  • MDFIR-QS-002: Quickstarter: Digital Forensics - 9 exercises
  • MDFIR-001: Lab setup - 4 exercises
  • MDFIR-002: Fundamental Capabilities - 7 exercises
  • MDFIR-003: Pandas Fundamentals - 9 exercises
  • MDFIR-101: File Analysis - 5 exercises
  • MDFIR-102: Disk and Filesystem Forensics - 3 exercises
  • MDFIR-103: Executable Analysis - 8 exercises
  • MDFIR-201: Windows Forensics - 8 exercises
  • MDFIR-202: Windows 10 Forensics - 2 exercises
  • MDFIR-301: Memory Forensics - 9 exercises
  • MDFIR-302: Malware Analysis - 11 exercises
  • MDFIR-303: Enterprise Investigations - 6 exercises
  • MDFIR-304: Threat Intelligence - 4 exercises
  • MDFIR-401: Incident Response Challenges - 9 exercises
  • MDFIR-402: Network Forensics Challenges - 6 exercises
  • MDFIR-403: Memory Forensics Challenges - 3 exercises
  • MDFIR-404: Incident Response Playbooks - 5 exercises
  • MDFIR-501: Documentation and Procedures - 4 exercises


Cyber professionals must be ready for everything. The typical security training strategy, which focuses on individual skills and tools, is insufficient. You must be able to operate as part of a team, see the big picture, and respond swiftly and effectively to unforeseen circumstances. That's why, as part of our training, we use replays of whole cyber missions. Our scenarios help you prepare for the demands of the job and give you confidence in your ability to work professionally.

  • MDFIR-SC-01: Business Email Compromise Investigation - 10 exercises
  • MDFIR-SC-02: Ransomware Investigation - 7 exercises
  • MDFIR-SC-03: Android Mobile Forensics Investigation - 10 exercises



MCSI Industry Certifications are important for you to earn because they signify that you have the skills required to work in cybersecurity. Certificates of Completion are also important to earn because they signify that you have completed an exercise. Earning Certificates of Completion and Industry Certifications demonstrates that you are willing to put in the extra work to be successful.




  • Obtain CPE points by solving exercises
  • Achieve multiple certifications
  • Receive help from instructors online

MCSI's MDFIR certification provides you with the required skills and knowledge aligned to the Australian Signals Directorate's Cyber Skills Framework. Upon reaching each level, you will earn a certificate of achievement.

Certificate | Level | Curriculum Completion Requirement | Scenarios Completion Requirement
MCSI DFIR Learner | Level 1 | 0% | 0%
MCSI Novice DFIR Practitioner | Level 2 | 20% | 0%
MCSI DFIR Practitioner | Level 3 | 50% | 25%
MCSI Senior DFIR Practitioner | Level 4 | 70% | 50%
MCSI Certified Principal DFIR Practitioner | Level 5 | 80% | 75%
MCSI Certified Expert DFIR Practitioner | Level 6 | 95% | 100%

In a single course, MCSI offers multiple industry certifications. You will save time and money with us because you will receive several accredited levels of competencies with a single purchase rather than having to buy multiple courses. Our goal is to provide you with a course that will take you from beginner to expert.

Career Pathways

This certification aligns with the following career pathways:

Certifications are important tools to validate your skills and knowledge. They can provide you with the credentials you need to get ahead in your career.

There are many reasons why a person should select certifications that teach practical skills over an open-book theory exam. Hands-on experience is crucial in many industries, and theory exams cannot replace the real-world application of skills. Furthermore, practical skills are often more marketable than theoretical knowledge, and can help a person secure a job in their desired field. Finally, practical skills can provide a foundation for further learning, while theory exams may only teach limited information. In conclusion, selecting a certification that teaches practical skills is the best way to ensure success in today's competitive job market.

Sample Exercises

Three exercises from the MDFIR - Certified DFIR Specialist training are listed below. These exercises are meant to help you enhance your DFIR abilities. This course includes over 100 practical training exercises in total.

Dump The RAM Of A Windows Machine (Novice)


Analyse Malware From A Memory Dump Using The Volatility Framework (Advanced Beginner)


Perform Memory Forensics Of A Machine Compromised With Poweliks (Competent)


Our Instructors

Student exercises are reviewed and graded by multiple instructors. This one-of-a-kind approach allows you to get highly personalized input from a number of successful professionals.

MCSI's teachers bring real-world experience and knowledge to the classroom, ensuring that students have the skills they need to excel in the field of information security. Due to their extensive experience in penetration testing, vulnerability assessment, reverse engineering, incident response, digital forensics, and exploit development, students will understand the most up-to-date defensive and offensive cybersecurity strategies and procedures.

Our instructors are passionate about information security and are always looking to further their own knowledge. Students who attend an MCSI course can be confident that they are learning from some of the best in the business. They can adapt their teaching approaches to match the demands of any student, regardless of their degree of expertise.

The MCSI team strives to provide the most comprehensive and up-to-date cybersecurity training available. Whether you are a seasoned security professional or new to the field, MCSI has a course that will meet your needs.

Receive personalized feedback from cybersecurity experts:

  • Overcome challenges and hurdles preventing you from advancing your skills
  • Receive guidance on how to focus your training efforts and avoid wasting time
  • Learn how to meet the industry's quality standards and produce high-quality work
  • When you're stuck, go to a support forum or ask the instructors questions right on the platform

Help and Support

24/7 Discord Community

If you're looking for additional support during your studies, consider joining our Discord server. Our community of fellow students and instructors is always available to provide help and answer any questions you may have.

Personalized Support

Your submissions will be reviewed by MCSI instructors, who will provide you with personalized feedback. This input is critical since it can assist you in identifying the areas where you need to enhance your skills. The instructor's feedback will also tell you how well you did an exercise and what you can do to improve your performance even further.

Click here to see an example of personalized feedback.

Our personalized support will take your skills to the next level. Read what a student says about it:

Quick Questions

If you have any questions or need clarification on any of the exercises, MCSI offers a Quick Questions section on each exercise where you can ask for help. This is a great resource to use if you need assistance. This feature is only available for paid courses.

Actively Maintained Course

This course is actively maintained to ensure that it is current and error-free. We want to ensure that you have the best possible experience while taking this course, which includes having access to accurate and current information. This course is also tested for flaws on a regular basis, so you can be sure you're getting a high-quality product.

This course is constantly updated with the support of trustworthy industry peers to ensure that students are acquiring the most up-to-date information and skills. This dedication to staying ahead of the curve is what distinguishes this course as one of the greatest in the market.


Training Laptop Requirement

This course can be completed on a standard training laptop. To ensure you have the necessary hardware to complete the course, your machine should meet the following specifications:

  • 64-bit Intel i5/i7 2.0+ GHz processor or equivalent
  • 8GB of RAM
  • Ability to run at least one (1) virtual machine using VirtualBox or equivalent virtualization software
  • Windows 10 or later, macOS 10 or later, or Linux
  • Local administrator privileges

Do you support older operating systems?

Yes. Many of the exercises can be completed on older OS versions. A few of our students are successfully using older equipment to learn cyber security.

Proficiency in the English language

You must be able to comfortably read and understand IT documentation written in English. Ideally, you have an IELTS score of 6.5 with no band less than 6 (or equivalent).

Note: You can register for this course without having undertaken an English test.

Prerequisite Skills

  • Using command line utilities and tools
  • Operating virtual machines
  • Troubleshooting and resolving software errors
  • Scripting in Python and PowerShell

Required Knowledge

  • Knowledge of cyber threats and vulnerabilities
  • Knowledge of server and client operating systems
  • Knowledge of which system files (e.g., log files, registry files, configuration files) contain relevant information and where to find those system files
  • Knowledge of cyber attackers (e.g., script kiddies, insider threat, non-nation state sponsored, and nation sponsored)
  • Knowledge of cyber attack stages (e.g., reconnaissance, scanning, enumeration, gaining access, escalation of privileges, maintaining access, network exploitation, covering tracks)
  • Knowledge of the common networking and routing protocols (e.g. TCP/IP), services (e.g., web, mail, DNS), and how they interact to provide network communications

Lab Environment

This course teaches you how to set up and configure your own cybersecurity lab.

There are numerous advantages to creating your own cybersecurity lab rather than paying for one. The cost savings are perhaps the most evident benefit. When compared to the expense of licensing a pre-built lab, creating your own lab can save you thousands of dollars. You also have the option of customizing the lab environment to meet your specific requirements. You can, for example, select the hardware and software that will be used in your lab.

Another advantage of setting up your own cybersecurity lab is that it allows you to learn new skills. Building a lab from the ground up necessitates knowledge of networking, system administration, and other technical subjects. This experience is invaluable in your career as a cybersecurity professional.

We frequently see students who can complete a task in a pre-built lab but cannot complete the same task at work. This is because these labs are meant to lessen work complexity, thereby creating an illusion of personal capabilities. It's also worth noting that you'll be expected to set up your own lab to test tools and techniques in the workplace. Employers may give you the resources to set up virtual computers and networks, but it will be up to you to manage the lab environment and maintain your tools.

Finally, you should know that pre-built labs are not commonly licensed by top cybersecurity professionals. They've realized that setting up a lab is simple, efficient, adaptable, cost-effective, and that it sparks creativity. It also nullifies the risk of performing unauthorized actions against systems provisioned by a third party.

Aptitude Test (Optional)

This is an intermediate course. It includes exercises for novices but assumes that they have competent IT skills and a strong understanding of cybersecurity concepts.

Aptitude Test:

If you're not sure if you'll be able to fully enjoy this course, then contact us via email to organize a free aptitude test. This test will determine whether you meet the course's basic baseline criteria. If you've never studied with us before, it will also introduce you to the MCSI Method™.

Easier Courses:

If you are convinced that this course is too difficult for you, then you should start with something easier. We recommend checking out the following courses:

You won't need to complete all of these easier courses in their entirety. Most likely, you already have adequate skills and only need to fine-tune them before taking an intermediate course like this one. Choose a route, follow it, enhance your skills, and then return to this course in a few months!

Free Study Materials

We place a major emphasis on teaching practical skills. Our students learn best when they can put what they've learned into practice. In addition, we believe that many significant thoughts and ideas should be publicly accessible to anyone. We believe that knowledge that is already available in the public domain should not be subject to price.

Purchasing a course is a significant investment. It's critical to know what the course entails and what you intend to get out of it. If you're on the fence about whether or not to buy this course, you might want to check out our library for more information. Concepts, terminology, and essential principles are all taught in our library. This will give you more details about the topics that will be addressed in the course.

🔥 Click here to read more articles from our online library.


Why MCSI's DFIR Certification is World Class


Comprehensive, Effective, Exceeds Standards

Holders of the DFIR Certification have completed 100 practical online exercises thus demonstrating that they have the skills and knowledge in the following areas: file analysis, disk and filesystem forensics, executable analysis, Windows forensics, memory forensics, threat intelligence and enterprise investigations.


Internals Focused

Students who have obtained this Certification have demonstrated that they have a full understanding of the Windows operating system's internals for digital forensics, incident response and malware analysis purposes.


Practical, Field-Based

Students must complete dozens of practical digital forensics and incident response challenges that have been inspired from real-life investigations.

Enrollment and Fees



Terms and Conditions

  • No discounts
  • No refunds
  • No transfers
  • No renewal fees
  • No hidden fees
  • No time limits
  • Exercises must be completed on MCSI's Online Learning Platform
  • You'll also be charged GST if you live in Australia

Cooling-Off Policy

Receive a full refund if you change your mind about a purchase within 24 hours. No questions asked. Read the full details here.

Don't Buy This Course

Don't buy this course if you think learning cyber security is simple, that it will only take a few hours, that remembering a few concepts from videos and books would be enough, or that you should be provided with walkthroughs and solutions to practical problems instead of thinking critically for yourself.

Our competitors are misleading you by claiming that their video courses and open-book theoretical certificates will teach you everything you need to know about cyber security. We recommend that you stay away from our courses until you've realized that cybersecurity requires hundreds of hours of training against difficult challenges under the watchful eye of experts encouraging you to improve your weaknesses. Only then will you understand the value of this course and the benefits that the MCSI Method™ can bring to your career. We only want satisfied customers.

When purchasing a course, you acknowledge that you understand and agree with our 100% practical MCSI Method™: no solutions, no walkthroughs, and you're expected to use critical thinking and research to solve the exercises. If you're not sure how this works, try our free version before buying.

How does MCSI Compare?

If you are looking for a certification that will give you an edge in the job market, look no further than MCSI certifications. Thanks to our innovative approach, cybersecurity training is more affordable and effective than traditional methods.

| | MCSI Certifications | Traditional Vendors | Industry Conferences | Conference Workshop | Cybersecurity Bootcamps | Cyber Ranges |
|---|---|---|---|---|---|---|
| Cost | $595 | $5,000+ | $900+ | $4,000+ | $10,000+ | $3,000+ |
| Hours of training | 600+ hours | 40-48 | 10+ | 16-40 | 450 | 40-100 |
| Certifications | 5 | 1 | 0 | 0 | 1 | 0 |
| Online | Yes | Some | No | No | No | Yes |
| Practical | 100% | 50% | 0% | 50% | 50% | 100% |
| Maintenance Level | High | Low | Low | Low | Low | Low |
| Free trial | Yes | No | No | No | No | No |
| Access to instructors | Yes | Some | No | Yes | Yes | Some |

Our pricing is more affordable than our competitors because we have reinvented how cyber training is done online. Our innovative Online Learning Platform is highly effective at teaching cyber security. The platform provides a more engaging and interactive learning experience than traditional methods, which helps students learn and retain skills better. Try the free version and see for yourself.


Bloom's Taxonomy

Bloom's Taxonomy is a system for categorizing distinct stages of intellectual growth. It is used in education to help students comprehend and learn material more effectively. MCSI teaches students how to apply, analyze, evaluate, and create at the highest levels of the taxonomy. The majority of our competitors are simply concerned with getting you to remember concepts.

The intellectual developments outlined in Bloom's Taxonomy are directly tied to your capacity to advance in your cyber security career. Employers look for people who can solve challenges that are worth paying for. With us, you'll learn practical skills that are in demand and applicable to a wide range of cyber occupations.

Industry Recognized Skills

MCSI credentials are well-respected around the world, and organisations searching for people with real cyber security abilities seek them out. Obtaining an MCSI certification verifies your understanding of critical cyber security topics as well as your ability to provide real-world results.

The ability of MCSI's training programme to give students real-world, hands-on experience is unrivalled. Students must conduct their own research and develop their own answers in order to complete our practical exercises, which are meant to give them the skills they need to be successful in the field.

With MCSI, you will build a comprehensive cybersecurity portfolio of your skills as you complete exercises. This portfolio is a powerful tool for displaying your cybersecurity knowledge and abilities. A portfolio, as opposed to typical resumes and paper-based credentials, presents a more thorough summary of your skills and accomplishments.

Student Feedback

Here's what students say about the MCSI Method™ and our Online Learning Platform:

Student Testimonials

Information Security Professionals made a median salary of $103,590 in 2020. Cybersecurity roles are regularly ranked #1 jobs in the United States.

If you are looking to increase your earning potential, this course will put you on track for jobs that offer a salary of $75,000 to $150,000 per year. Why spend tens of thousands of dollars on degrees or theoretical certifications when you can develop in-demand practical skills in a shorter amount of time?


Frequently Asked Questions

What is the MCSI Method™?

Common Questions

  • Are solutions included in certifications and bundles?
    • No. Our method of teaching cyber security consists of challenging you with real-world problem statements that you're expected to solve by doing your own research. This is how you'll be expected to work in the field. When you fail an exercise, we provide you with constructive feedback to improve and try again.
  • Do bundles, training content, or certificates ever expire? Am I expected to buy again in the future?
    • Upon purchase, bundles and certificates are permanently unlocked with no recurring or ongoing fees.
  • Do I need to buy the training and the certification separately?
    • No. The price provided covers both. You only pay once.
  • Do you offer any special offers and discounts?
    • We understand that many of our customers may be looking for discounts, and we would love to be able to offer them. However, we do not provide discounts because we believe that our prices are fair and reasonable. We work hard to keep our prices low, and we feel that discounts would be unfair to our other customers. We hope you understand.
  • If I can't solve the exercise where do I go for help?
  • Who reviews and marks exercises?
    • Trained cyber security instructors who work for Mossé Cyber Security Institute.
    • MCSI instructors are highly qualified and experienced professionals who are able to teach a variety of topics related to information security. They have the ability to tailor their teaching methods to meet the needs of each student, regardless of their experience level. In addition, they are always up-to-date on the latest trends and developments in information security, which enables them to provide students with the most relevant and current information.
  • We can't pay via credit card. Can you raise an invoice for wire payment instead?
    • Yes. Send us the list of bundles and certifications you want to purchase at [email protected]
  • Can I access a trial/demo of the certification programmes prior to enrolling?
    • We provide a free curriculum with 100+ hours of practical exercises you can try.
    • The Free Curriculum teaches Security Tools, Penetration Testing, Red Teaming, Threat Hunting, Cyber Defence, GRC and Windows Internals.
    • Try the Free Curriculum
  • Do you provide Continuing Professional Education (CPE) credits?
    • Yes. Every single exercise offers CPE credits. The number of credits earned depends on the difficulty of the exercise completed. Below are the CPE credits awarded for an exercise at each difficulty level:
    • Novice exercises = 1 CPE credit
    • Advanced Beginner exercises = 2 CPE credits
    • Competent exercises = 5 CPE credits
  • Do I need to complete an exam to receive MCSI Certification?
    • No. MCSI Certifications are completed by solving practical cybersecurity exercises.
  • Do I need to purchase cybersecurity tools or subscriptions?
    • No. Only free or trial versions are used in our exercises. You do not need to make any purchases.
