Investigation-Driven DFIR Training.


Compare Training Tracks

Each track builds on the last. Pick your starting point or get everything with the Hero Bundle.

| | Analyst Core | Analyst I | Analyst II | Hero Bundle (Best Value) |
|---|---|---|---|---|
| Focus | SOC operations & enterprise defense | Windows disk & memory forensics | Advanced IR, ransomware, enterprise-scale | Complete analyst progression |
| Course | Enterprise Security Operations | Practical Windows Forensics | Advanced Enterprise DFIR | All three courses |
| Hands-on labs | 39 labs | 52 labs | 58 labs | 149 labs total |
| Investigations | - | 4 × FOR200 forensic cases | 3 × IR300 DFIR cases | All 7 scenarios |
| Certification | - | PWFA (2 attempts) | - | PWFA included |
| Bonus | - | - | - | 12 months Analyst Defense Labs |
| Lab environment | Browser-based | Persistent forensic VMs | Persistent forensic VMs | All environments |
| Access | 365 days | 365 days | 365 days | 365 days |
| Price | $147 one-time | $697 one-time | $997 one-time | $1,497 one-time · save $643 |

* Payment plans available via PayPal · 100% money-back guarantee within 72 hours

Not Sure Where to Start?

Match your experience level to the right training path.

What Analysts Are Saying

From SOC analysts to senior DFIR engineers — real feedback from real defenders.

Analyst II · IR300

The practice labs are on another level compared to Analyst I. Way more data, way more artifacts to correlate. Proper timelines and IOC documentation suddenly become non-negotiable, exactly like in a real investigation. The IR300 lab with its fully simulated APT attacks was pure joy.

As someone who does DFIR for a living, spending my evenings on this does feel like “work after work.” But honestly? It’s pure fun. I get to examine new and old attacker techniques, experiment with rarely used tools, and actually feel my analytical skills getting sharper with every lab session. This is exactly the kind of “work” I’ll gladly stay up late for.

Tim Coerlin

DFIR Engineer, Telekom Security

PWFA · With Distinction

Highly recommend this to anyone who wants to battle-test their forensic investigative methods. I came in already knowing a lot of the lecture material, but the 4 labs and final exam helped solidify my investigative processes. Building a timeline helped me create a cohesive story of what happened. Markus’s labs exceeded my expectations.

Michael Cheng

Cybersecurity Analyst · GCFA · PWFA

PWFA Certification

The course was well structured, highly informative, and I recommend it to anyone interested in digital forensics. The virtual lab scenarios provided a very useful method of putting what you learn to practice — I only learn by doing. The exam was very challenging, exciting, and truly felt like I was in the middle of a real investigation.

Griffin Stiens

Senior Analyst, CrowdStrike

PWFA Certification

This Windows-focused digital forensics certification simulated a real-world, week-long incident response scenario — really similar to one I recently handled in practice a few weeks ago. A great way to validate and strengthen my skills in Windows forensics and incident response.

Luca M.

Cyber Security Specialist, CybergON

Ransomware Workshop

We simulated each phase of a ransomware attack, from initial infection to execution. This approach not only enhanced my understanding but also honed my practical skills in real-world scenarios. The blend of knowledge and hands-on practice was a career-enhancing experience.

Glenn McDowell

Manager of Detection and Response

PWFA · With Distinction

I thoroughly enjoyed the training, scenarios, and exam. The investigative process felt like solving puzzles, following trails of evidence, and piecing them together to prove or disprove hypotheses. The exam was a challenging and highly practical experience.

Menno van Veenendaal

PWFA — Passed with Distinction

PWFA · With Distinction

Just wrapped up one of the most solid forensic courses I’ve taken. Really glad to have gotten the award with distinction for scoring over 85%. It’s rare to find training that’s this focused and immediately useful. Here’s to more timelining and hunting!

Seifer Rija Boado

DFIR / Security Analyst, Continent8

Blue Team Coaching

In November 2024 I began my DFIR journey with Markus and Blue Cape Security. Reflecting on the experience, I’m truly grateful for how much I’ve learned and how far I’ve come. This training has made me a better cybersecurity practitioner. I look forward to learning even more as I move to the next level.

David Mendoza Jr.

Information Security Manager

Enterprise Security

Just in the first module I learned to manage Active Directory, Group Policy Objects, and deploy attack simulations. Markus’s experience shows in the course material. I can already foresee the course being a must for enterprise defenders.

Carlos Espinoza

CIRT Senior Analyst

Windows Forensics

I’m only past a third of the content and I’m already feeling sad that it’s going to come to an end some day. That’s a feeling I don’t get a lot when doing these kinds of courses.

Mathias

System Engineer

Windows Forensics

Markus Schober’s expertise shines through, making complex Windows forensics concepts not only understandable but also highly practical. His engaging teaching style and real-world examples make this course a must.

Ayoub Labidi

Principal Information Security Consultant

Training Track

Analyst Core: Enterprise Security Operations

Build the foundational security knowledge every SOC analyst needs — threat behavior, critical log sources, system visibility, and analysis of attacker techniques through hands-on labs.

What’s Included

  • Enterprise Security Operations course
  • 9 domains, 28 video lessons
  • 39 hands-on labs
  • Browser-based lab environments
  • 365-day access

Who It’s For

  • Junior–intermediate SOC analysts
  • IT staff transitioning to security
  • Red teamers wanting defender fundamentals
  • System administrators

$147 one-time · 365 days

Training Track

Analyst I: Practical Windows Forensics

Investigate real Windows systems using core forensic artifacts, timelines, and evidence-based analysis. Build hands-on skill with disk images and memory dumps, then prove your readiness with the PWFA certification exam.

What’s Included

  • Practical Windows Forensics course
  • 8 domains, 17 video lessons, 52 labs
  • 4 investigation scenarios (FOR200)
  • PWFA certification exam (2 attempts)
  • Persistent forensic lab VMs
  • 365-day access

Who It’s For

  • SOC analysts
  • Incident responders
  • Digital forensic investigators
  • IT professionals with foundational security knowledge

FOR200 Investigation Scenarios

| Scenario | Type | Level |
|---|---|---|
| FOR001: Disgruntled Manager’s Exodus | Insider threat, data leakage | Intermediate |
| FOR002: Suspicious Network Connection | Network activity, host forensics | Intermediate |
| FOR003: Unauthorized Access | Credential misuse, lateral movement | Advanced |
| FOR004: Suspicious Logons | Insider threat, unauthorized access | Beginner |

PWFA Certification

7-day hands-on forensic investigation exam. Analyze a compromised Windows system, reconstruct attacker activity, and deliver a professional DFIR report. Passing earns a lifetime-valid certification. Two exam attempts included.

$697 one-time · 365 days

Training Track

Analyst II: Advanced Enterprise DFIR

Enterprise-scale incident response. Investigate multi-host environments with memory forensics, SIEM log correlation, malware behavior analysis, and full ransomware attack reconstruction using Splunk, Velociraptor, and advanced forensic utilities.

What’s Included

  • Advanced Enterprise DFIR course
  • 7 domains, 30 video lessons, 58 labs
  • 3 investigation scenarios (IR300)
  • Persistent forensic lab VMs
  • 365-day access

Who It’s For

  • Intermediate–advanced SOC analysts
  • Threat hunters
  • Incident responders managing enterprise threats

IR300 Investigation Scenarios

| Scenario | Type | Level |
|---|---|---|
| IR001: Operation Quiet Tunnel | Reverse tunneling, exfiltration, ransomware | Intermediate |
| IR002: Operation Red Echo | Stealthy intrusion, credential theft, exfiltration | Advanced |
| IR003: Stealthy Network Breach | VPN compromise, privilege escalation, ransomware | Advanced |

$997 one-time · 365 days

Best Value

Hero Bundle: The Complete Analyst Training

Everything in one package — all three tracks plus 12 months of Analyst Defense Labs. The most cost-effective way to go from SOC fundamentals to advanced incident response.

Included tracks

  ✓ Analyst Core: Enterprise Security Ops
  ✓ Analyst I: Windows Forensics + PWFA
  ✓ Analyst II: Advanced Enterprise DFIR

By the numbers

  • 149 hands-on labs
  • 7 investigation scenarios
  • PWFA certification (2 attempts)
  • Persistent forensic VMs

Included bonus: 12 months Analyst Defense Labs — monthly SOC investigation scenarios (normally $299/yr — included free)

All three tracks + ADL separately: $2,140

$1,497 one-time payment · 365 days access · save $643
Payment plans via PayPal · 72-hour money-back guarantee

Ongoing Practice

Analyst Defense Labs

Monthly investigation scenarios for working SOC analysts. Each lab drops you into a realistic case with logs, artifacts, and a guided in-browser environment. New scenarios added regularly.

$29/month or $299/year

Included free with the Hero Bundle: 12 months full access

Frequently Asked Questions

What tools or software do I need?
None. All labs run in your browser through our Cyber Lab Hero platform. No software installation, no VM setup — just log in and start investigating.
What’s the difference between the tracks?
Analyst Core covers SOC fundamentals and enterprise defense. Analyst I focuses on Windows disk and memory forensics with the PWFA certification. Analyst II is advanced enterprise DFIR with multi-host incident response investigations. The Hero Bundle includes all three plus Analyst Defense Labs.
Can I upgrade from one track to the Hero Bundle later?
Contact us and we’ll work out a fair upgrade path based on what you’ve already purchased.
Is there a payment plan?
Yes — payment plans are available via PayPal at checkout for all tracks and the Hero Bundle.
What is the PWFA certification?
The Practical Windows Forensics Analyst (PWFA) is a 7-day, hands-on forensic investigation exam. You analyze a compromised system, reconstruct the attack, and deliver a professional DFIR report. It’s included with Analyst I and the Hero Bundle, with two exam attempts.
How long do I have access?
All tracks include 365 days of access from the date of purchase. Access is non-auto-renewing — no surprise charges.
What’s your refund policy?
100% money-back guarantee within 72 hours of purchase. No questions asked.
What is Analyst Defense Labs?
ADL is a standalone subscription ($29/month or $299/year) offering monthly SOC investigation scenarios for working analysts. It’s included free for 12 months with the Hero Bundle.

Training Waitlist

Join our waitlist and get notified when training becomes available.
