First Incident Responder

Onsite IT professionals are the first responders to security breaches. They are the ones who detect anomalies on the network, discover indicators of attack and compromise, and act according to how they have understood the situation.

This course teaches IT professionals structured techniques and provides specific tools to investigate incidents and make the right decisions when breached. Our teachers also equip students with a structured process for working with professional teams of incident responders and digital forensics investigators, to ensure positive outcomes are achieved for organizations affected by security breaches.

Asking the right questions, following the right procedures, investigating systems effectively and rapidly, and correctly documenting findings are crucial activities that determine the success of a breach response. Any failure on the part of the IT team to correctly assess a threat, or any inappropriate action taken in response to a compromise, can leave the rest of the organization unable to respond appropriately to the breach. Very often, a failure by business executives and board members to properly manage a breach can be traced directly to a failure in investigation and communication by lower-level employees who received little or no training in handling security incidents.

Theoretical knowledge makes up 50% of the class, and the other 50% consists of tabletop exercises and wargames.

Course Outcome:
By attending this class, you will learn:
  • The attacker mindset and tradecraft, and how to use this to inform incident response activities
  • A structured analytic technique to rapidly investigate anomalies on the network
  • The top locations to discover indicators of compromise and attack on the network
  • How to acquire forensics evidence and share it with the incident response team
  • A model to analyse the extent of a security breach and how to anticipate future attacks
  • A model to rate the sophistication of adversaries and thus inform the business of the threats they are facing
  • How to deal with adversaries that specialize in ransom, blackmail and extortion
  • How to monitor adversaries on the network whilst critical business decisions are being made
  • A process to remove adversaries from the network and prevent them from coming back
  • How to communicate effectively during a breach and work as a team

Intended Audience:
IT professionals and managers.

This course is taught by Mossé Security's experienced instructors. Our instructors have over 10 years of experience delivering penetration testing, red teaming and incident response services across a multitude of industries, involving complex and multi-faceted engagements. Each of our instructors possesses the right balance of corporate experience and is skilled in presenting and teaching to groups.
Beyond their technical abilities and years of professional experience, our instructors are also trained teachers and public speakers. Their manner of teaching conveys their passion for computer security to every one of our students.


Module 1: Understanding the Adversaries

In this module, you are introduced to the attacker mindset and the different attack kill-chains employed by adversaries. You are taught why this knowledge matters when responding to breaches, as it informs many incident response decisions. We will review multiple case studies of organisations that responded inappropriately to breaches because they failed to understand the adversaries they were facing, and offer examples of what they could have done instead.

Module 2: Network and Endpoint Security Monitoring

When deployed across the network, event logging and security monitoring greatly assist incident responders and forensics investigators in detecting, responding to and countering cyberattacks. In this module, you will learn about easy-to-use security tools that can be deployed across your endpoint fleet and network taps to capture all the security logs you will need to investigate security compromises. You will also be introduced to forensics tools for rapidly investigating whether a machine has been compromised, and to incident response in the cloud.

Module 3: Investigating Security Anomalies

In the third module you are taught structured analytic techniques to rapidly and thoroughly investigate and triage security anomalies. Organisations that do not employ these techniques often miscalculate the risk posed by security alerts and thus begin the incident response process when it is already too late (e.g. after they receive a blackmail email, or when they are alerted that their data is being sold on the black market to the highest bidder).

Module 4: Consuming Threat Intelligence

Threat intelligence is a crucial tool meant to help business decision makers understand the adversaries they are facing and the seriousness of early compromise events, and yet almost no organization really knows how to consume it. In this module, you will learn how threat intelligence is meant to be used, and how to incorporate it into your organisation's incident response process to significantly reduce the consequences of an attack against your organisation. The difference between an organisation that properly uses threat intelligence and one that does not can amount to millions of dollars paid in blackmail or extortion that could otherwise have been avoided.

Module 5: Incident Management

Onsite IT professionals and third-party incident responders must work hand-in-hand to minimize the consequences of security breaches. In this module, you will learn a formal process to engage external incident responders, provide them with the information they need to hit the ground running, and manage incidents from the customer's perspective. You will also learn how to write state-of-the-art incident reports that can be shared with senior management and the board, customers, and third parties.


  • Standard: $2,000.00 AUD including GST.

8-9 October 2018, Melbourne, AU
Terms and Conditions
  • Payment methods are either booking online via Event Brite or contacting us for an invoice.
  • Payment is required at the time of booking.
  • Cancellations received 14 days or less prior to the course commencement date are not eligible for a refund.
  • Cancellations received between 15 and 28 days prior to course commencement will be charged 50% of the course fee.
  • Students are allowed 1 reschedule per class. Transfers received between 15 and 28 days prior to course commencement will be charged a $300 (incl GST) administrative fee. The new session date must be given at the time of the reschedule notification, and rescheduled classes must be taken within 6 months of the original scheduled date.
  • Transfers received 14 days or less prior to course commencement will be charged 50% of the course fee. The new session date must be given at the time of the reschedule notification, and rescheduled classes must be taken within 6 months of the original scheduled date.
  • Payment must be made in full prior to any rescheduling.
  • Student substitutions can be made in writing 48 hours prior to a class start.
  • If a student does not attend a scheduled session, no refund or reschedule will be given. Payment is forfeited.
  • Mossé Security reserves the right to cancel a course and will endeavour to provide participants with as much notice as possible. Upon cancellation, any fees already paid by the participant will be refunded.


Software Requirement
Bring a laptop running Windows or a UNIX-like operating system, with the OpenVPN or Tunnelblick client installed, to connect to our training lab in the cloud.