Where every claim in SecProve
comes from.

Open-source digital forensics tools for disk image analysis. Industry standard for incident investigation and evidence collection.

Federal hub for ransomware prevention, mitigation, and recovery guidance. Joint advisories with FBI/MS-ISAC, no-cost CISA services, and the ransomware-specific recovery checklist.

Investigative journalism on cybercrime, breaches, and network security incidents. Good for real-world scenario questions grounded in actual events.

Detailed campaign analyses with TTPs mapped to ATT&CK. APT1, APT28/29, UNC groups. Primary source for threat-actor-specific IR questions. Not marketing — these are original threat research.

Annual IR data: dwell time trends, initial access vectors, detection sources. Empirical data from thousands of engagements. One of the few sources for real-world detection/response metrics.

Four phases: Preparation, Detection & Analysis, Containment/Eradication/Recovery, Post-Incident Activity. The canonical IR reference. Questions should test decision-making within phases, not just naming them.

Guide to integrating forensic techniques into incident response. Covers data collection, examination, analysis, and reporting.

Practitioner-oriented IR methodology. Six steps (Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned). Compare/contrast with NIST for methodology questions.

Annual analysis of real breach data. The gold standard for empirical questions about attack patterns, threat actor motivations, and time-to-detection. Updated annually.

Open-source memory forensics framework. Extracts digital artifacts from volatile memory (RAM) dumps.