Incident Response & Forensics
IR playbooks, memory/disk/network forensics, chain of custody, malware analysis.
What is Incident Response & Forensics?
Incident Response (IR) and Digital Forensics are the disciplines of detecting, containing, investigating, and recovering from cybersecurity incidents. When a breach occurs — whether ransomware, data exfiltration, insider threat, or supply chain compromise — the IR team's speed and effectiveness determine the difference between a contained event and a catastrophic business failure.
Incident response follows structured frameworks (NIST SP 800-61, SANS PICERL) through phases: preparation, identification, containment, eradication, recovery, and lessons learned. IR playbooks codify response procedures for common scenarios — phishing, malware, unauthorized access, DDoS — ensuring consistent, rapid action under pressure. Tabletop exercises and purple team simulations test and refine these playbooks before real incidents occur.
Digital forensics provides the investigative backbone of incident response. Memory forensics (using tools like Volatility) captures running processes, network connections, and injected code that disappear when a system is powered down, which is why memory is acquired before the disk is imaged (the order of volatility). Disk forensics examines file systems, registry hives, event logs, and deleted files to reconstruct attacker activity. Network forensics analyzes packet captures and flow data to trace lateral movement and data exfiltration. Throughout the process, chain of custody procedures (hashing every image at acquisition and logging who handled it, when, and why) ensure evidence is admissible in legal proceedings and regulatory investigations.
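To make the three artifact sources above concrete, here is an added example (written for this page; it is not code from Volatility, The Sleuth Kit, or any other tool named here) that merges constructed memory, event-log and flow artifacts into one UTC-ordered timeline, flags a network logon corroborated by an SMB flow from the same source as lateral movement, flags a large outbound flow to a non-RFC 1918 address as an exfiltration candidate, and records a SHA-256 chain-of-custody entry that later handling can be verified against. The process list, event log entries, flow records, IP addresses, usernames, timestamps and image bytes are all constructed; the RFC 1918 internal range and the 60-second correlation window are assumptions.

```python
"""Cross-source forensic timeline with a chain-of-custody record.

Added example, not code from the page or from any tool it cites.
Every artifact below (hosts, users, IPs, timestamps, image bytes) is
constructed for illustration.
"""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

# Constructed memory-forensics output: a process list as a memory analysis tool would report it.
MEMORY_PROCESSES = [
    {"pid": 4412, "ppid": 612, "name": "svchost.exe", "created": "2024-05-02T09:14:03Z"},
    {"pid": 5120, "ppid": 4412, "name": "powershell.exe", "created": "2024-05-02T09:31:47Z"},
]
# Constructed disk-forensics output: Windows Security log entries (4624 logon, 4688 process creation).
EVENT_LOG = [
    {"event_id": 4624, "time": "2024-05-02T09:30:58Z", "user": "svc_backup", "logon_type": 3, "src_ip": "10.0.5.23"},
    {"event_id": 4688, "time": "2024-05-02T09:31:47Z", "user": "svc_backup", "process": "powershell.exe"},
    {"event_id": 4624, "time": "2024-05-02T09:40:10Z", "user": "jsmith", "logon_type": 2, "src_ip": "-"},
]
# Constructed network-forensics output: flow records from the victim subnet.
FLOWS = [
    {"start": "2024-05-02T09:30:57Z", "src": "10.0.5.23", "dst": "10.0.5.40", "dport": 445, "bytes": 18240},
    {"start": "2024-05-02T09:33:02Z", "src": "10.0.5.40", "dst": "203.0.113.9", "dport": 443, "bytes": 48300112},
]
# Assumption: the organisation's internal address space is RFC 1918.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]


@dataclass(order=True)
class Event:
    time: datetime   # normalised to UTC so sources with different clocks sort correctly
    source: str
    summary: str


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_timeline(processes, events, flows):
    """Merge memory, disk and network artifacts into one UTC-ordered timeline."""
    timeline = [Event(parse_ts(p["created"]), "memory",
                      f"process {p['name']} pid={p['pid']} ppid={p['ppid']}") for p in processes]
    for e in events:
        if e["event_id"] == 4624:
            text = f"logon user={e['user']} type={e['logon_type']} src={e['src_ip']}"
        elif e["event_id"] == 4688:
            text = f"process created {e['process']} by {e['user']}"
        else:
            text = f"event {e['event_id']}"
        timeline.append(Event(parse_ts(e["time"]), "disk:evtx", text))
    for f in flows:
        timeline.append(Event(parse_ts(f["start"]), "network",
                              f"flow {f['src']}->{f['dst']}:{f['dport']} bytes={f['bytes']}"))
    return sorted(timeline)


def find_lateral_movement(events, flows, window=timedelta(seconds=60)):
    """Network logons (4624, logon type 3) corroborated by an SMB flow from the same source within the window."""
    hits = []
    for e in events:
        if e["event_id"] != 4624 or e["logon_type"] != 3:
            continue
        logon_time = parse_ts(e["time"])
        for f in flows:
            if (f["src"] == e["src_ip"] and f["dport"] == 445
                    and abs(parse_ts(f["start"]) - logon_time) <= window):
                hits.append({"time": e["time"], "user": e["user"], "src_ip": e["src_ip"], "target": f["dst"]})
    return hits


def find_exfil_candidates(flows, min_bytes=10_000_000):
    """Large outbound flows to addresses outside the internal ranges."""
    return [f for f in flows
            if f["bytes"] >= min_bytes
            and not any(ip_address(f["dst"]) in net for net in INTERNAL_NETS)]


def custody_entry(evidence, label, handler, acquired_at):
    """Record who acquired which evidence when, keyed by its SHA-256 so later handling can be verified."""
    return {"label": label, "handler": handler, "acquired": acquired_at,
            "sha256": hashlib.sha256(evidence).hexdigest()}


def verify_evidence(entry, evidence):
    """True if the evidence bytes still match the hash recorded at acquisition."""
    return hashlib.sha256(evidence).hexdigest() == entry["sha256"]


if __name__ == "__main__":
    for ev in build_timeline(MEMORY_PROCESSES, EVENT_LOG, FLOWS):
        print(ev.time.isoformat(), ev.source, ev.summary)
    print("lateral movement:", find_lateral_movement(EVENT_LOG, FLOWS))
    print("exfil candidates:", find_exfil_candidates(FLOWS))
    image = b"constructed stand-in for a disk image"
    entry = custody_entry(image, "host01-disk.E01", "analyst A", "2024-05-02T11:00:00Z")
    print("custody intact:", verify_evidence(entry, image), "after tamper:", verify_evidence(entry, image + b"\x00"))
```

Run as a script, the timeline shows the sequence an investigator wants to see: an SMB flow from 10.0.5.23 one second before a type 3 logon as svc_backup, then powershell.exe spawned under svchost.exe, then 48 MB leaving for an external address. In real engagements the hard part is the step this example takes for granted: normalising every source to UTC and correcting for clock skew before sorting, since a timeline built from mixed local times puts events in the wrong order. Note too that the hash alone is not chain of custody; the handler, time and reason for each transfer have to be logged alongside it, which is what the entry returned by custody_entry is for.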
Why it matters
Every organization will face a security incident. The difference between a manageable event and a business-ending disaster is the quality of preparation, speed of response, and rigor of investigation. IR readiness is not optional — it is existential.
Incident response and forensics is the domain that activates when all other defenses fail. It depends on detection engineering for alerts, threat intelligence for context, and network/endpoint security for telemetry, while feeding lessons learned back into every defensive domain.
Curated resources
Authoritative sources we ground Incident Response & Forensics questions in — frameworks, research, guides, and tools.
CISA #StopRansomware
Federal hub for ransomware prevention, mitigation, and recovery guidance. Joint advisories with FBI/MS-ISAC, no-cost CISA services, and the ransomware-specific recovery checklist.
Mandiant APT Reports
Detailed campaign analyses with TTPs mapped to ATT&CK. APT1, APT28/29, UNC groups. Primary source for threat-actor-specific IR questions. Not marketing — these are original threat research.
Verizon Data Breach Investigations Report (DBIR)
Annual analysis of real breach data. The gold standard for empirical questions about attack patterns, threat actor motivations, and time-to-detection.
Mandiant M-Trends Report
Annual IR data: dwell time trends, initial access vectors, detection sources. Empirical data from thousands of engagements. One of the few sources for real-world detection/response metrics.
Krebs, B. — KrebsOnSecurity
Investigative journalism on cybercrime, breaches, and network security incidents. Good for real-world scenario questions grounded in actual events.
NIST SP 800-61 Rev. 2 — Computer Security Incident Handling Guide
Four phases: Preparation, Detection & Analysis, Containment/Eradication/Recovery, Post-Incident Activity. The canonical IR reference. Questions should test decision-making within phases, not just naming them.
SANS Incident Handler's Handbook
Practitioner-oriented IR methodology. Six steps (Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned). Compare/contrast with NIST for methodology questions.
NIST SP 800-86 — Forensics Guide
Guide to integrating forensic techniques into incident response. Covers data collection, examination, analysis, and reporting.
The Sleuth Kit (TSK) & Autopsy
Open-source digital forensics tools for disk image analysis. Industry standard for incident investigation and evidence collection.
Volatility Framework
Open-source memory forensics framework. Extracts digital artifacts from volatile memory (RAM) dumps.
Certifications that signal this domain
Credentials whose blueprint meaningfully covers this domain. Core means centrally covered; also touched means present in the blueprint but not the primary focus.
Core coverage
ASIS Professional Certified Investigator
Security Blue Team Level 1
BTL1 is one of the most practical entry-level certifications in defensive cybersecurity. The exam is a complete 24-hour incident response scenario in a real lab environment, not a multiple-choice test. For career changers and entry-level professionals it is credible proof of competency that offers employers more meaningful value than many purely knowledge-based certificates. The course covers phishing analysis, SIEM, digital forensics, threat intelligence, and incident response. The certificate never expires, which makes it attractive long-term.
Security Blue Team Level 2
IACIS Certified Advanced Windows Forensic Examiner
IACIS Certified Forensic Computer Examiner
EC Council Computer Hacking Forensics Investigator
Certified Information Security Manager
Security program management, risk, governance, and incident governance. The manager / CISO-track signal.
CREST Practitioner Intrusion Analyst
CREST Registered Intrusion Analyst
CrowdStrike Certified Falcon Administrator
Day-to-day administration of the market-leading EDR platform — sensor deployment, policy authoring, and detection triage in Falcon.
CSIAC CyberSecurity Forensic Analyst
ISACA Cybersecurity Practitioner
EC Council Certified Incident Handler
EC Council Disaster Recovery Professional
OpenText EnCase Certified Examiner
GIAC Certified Forensic Analyst
Advanced host forensics, memory analysis, timeline reconstruction.
GIAC Certified Forensic Examiner
Windows host forensics and digital investigation.
GIAC Certified Incident Handler
Incident handling methodology and lifecycle.
GIAC Reverse Engineering Malware
Static + dynamic malware analysis, unpacking, custom RE tooling.
GIAC Response and Industrial Defense
Active defense and incident response for ICS environments.
GIAC Security Expert
The GIAC Security Expert (GSE) is the highest distinction in the GIAC certification system and was fundamentally reformed in 2023/2024: Instead of a single exam, it is now awarded as a portfolio certification. Those who demonstrate six Practitioner and four Applied Knowledge certifications (hands-on, proctored lab exams) automatically receive GSE status. The model enforces genuine breadth and depth – which increases credibility compared to earlier pure knowledge tests. However, the effort (cost, time, multiple exams) is considerable; the GSE is therefore clearly aimed at experienced experts pursuing SANS/GIAC as a career path. In Europe, awareness outside the SANS community is still limited.
GIAC Security Operations Certified
SOC operations, alert triage, metrics, SOAR.
Hack the Box Certified Defensive Security Analyst
Information Systems Security Management Professional
ISC2 specialization for security management. Requires CISSP. Focus on Leadership, Risk Management, Security Operations, and Compliance Management. For CISOs and senior security executives.
Offensive Security Defense Analyst
Also touched
Certified Information Systems Security Professional
Breadth across security engineering, architecture, operations, and governance at senior-IC / manager level. The default senior-generalist signal.
CompTIA Cybersecurity Analyst+
SOC analyst skills: triage, log analysis, vulnerability management basics.
Global Industrial Cyber Security Professional
IT + engineering overlap for industrial control systems.
Splunk Enterprise Security Certified Admin
Operates and tunes Splunk Enterprise Security — content, correlation searches, notable events, and risk-based alerting.