EC Council Certified Incident Handler


This course empowers cybersecurity professionals with a methodical, real-world approach to incident handling and response. The EC-Council Certified Incident Handler (E|CIH) program covers how to prepare for, detect, analyze, contain, eradicate, and recover from security incidents across malware, email, network, cloud, web, insider threats, and endpoint vectors. With scenario labs, hands-on exercises, and policy/design guidance, participants emerge ready to lead incident response efforts and pass the ECIH certification exam.


Virtual Instructor-Led Online Training

Duration

3 Days

Price

$1,995.00


Course Outline

  • Incident responders, SOC analysts, security operations engineers
  • Digital forensic practitioners, blue team engineers
  • Network, systems, or security administrators who want formal incident handling competency
  • Security practitioners preparing to take the ECIH (Exam 212-89) certification
  • Mid-level cybersecurity professionals (many providers recommend ~1 year of security experience)
  • Some familiarity with security concepts, networks, operating systems
  • Ideally 1 year or more in cybersecurity or IT roles
  • Basic understanding of malware, threat vectors, logs, evidence, and security frameworks
  • Define and apply incident handling frameworks, policies, and procedures
  • Develop an incident response strategy and align it with security governance
  • Execute each phase of the incident handling process: from preparation through post-incident review
  • Gather, preserve, analyze, and handle digital evidence under procedural and legal constraints
  • Handle malware, email, network, web application, cloud, insider, and endpoint incidents in a structured manner
  • Use forensic readiness techniques, counter anti-forensics, and respond to evolving threats
  • Coordinate containment, eradication, and recovery actions while minimizing business impact
  • Integrate automation and orchestration in incident response workflows
  • Report incidents to stakeholders, propose remediation, and feed lessons learned into security programs
  • Be prepared to take and pass the ECIH (Exam 212-89) certification exam


Threats, attack vectors, incident definitions, security frameworks, compliance, laws & policies


Preparation, recording & assignment, triage, notification, containment, evidence gathering, eradication, recovery, post-incident actions


Investigation preparation, securing/documenting crime scenes, evidence collection, packaging & transport, volatile vs static memory, anti-forensics


Preparation, detection, containment, malware analysis, eradication, recovery, best practices


Handling phishing, spoofing, malicious attachments, incident analysis and recovery steps


Unauthorized access, misuse, DoS, wireless incidents, detection, validation, containment, recovery


Web attacks (e.g. SQLi, XSS), detection, containment, eradication, recovery


Cloud models, incident response in AWS/Azure/GCP, handling breach in cloud environment


Threat actor types, detection, containment, analysis, recovery


Incidents on endpoints, mobile devices, IoT/OT devices; device compromise, recovery, containment


Hands-on labs using tools across OSs (Windows, Linux), incident simulations, forensic tasks
