20 seats left.
Register by Monday, June 9, 2025.

Event details

Mandiant Academy Training Event

  • Course: Linux Enterprise Incident Response
  • Date: Monday, June 16, 2025 – Thursday, June 19, 2025
  • Time: 8:00 AM–2:30 PM, daily
  • Time Zone: (UTC+00:00) London, Edinburgh
  • Cost: $4,000 USD or 4 EOD units
  • Delivery Method: Instructor-led, virtual delivery
  • Location: Google Meet

At a glance

This course is designed to teach the fundamental investigative techniques to respond to today’s sophisticated threat actors and their intrusion methods. This course includes a series of hands-on labs that highlight all phases of a targeted attack lifecycle, critical sources of attacker evidence, and the forensic analysis required to conduct effective analysis. Students can learn how to conduct rapid triage to determine system compromise, uncover evidence of initial attack vectors, recognize persistence mechanisms, and develop indicators of compromise (IOCs) to further scope an incident.

Course goals

After completing this course, learners should be able to:

  • Understand the stages of an effective incident response process, including preparation, detection and analysis, and remediation
  • Recognize common forms, benefits, and limitations of endpoint forensic evidence collection, including forensic imaging and live response acquisition
  • Identify and use critical sources of evidence to investigate and analyze a compromised Linux system, including EXT3/EXT4 file systems, syslog, audit logs, memory, VPN, and web shells
  • Audit common Linux applications for databases and web servers, including Oracle, MySQL, PostgreSQL, Apache, and nginx
  • Know how attackers move from system to system in a compromised Linux environment through their use of data, including credentials, logons, remote command execution, and shell artifacts
  • Investigate a full environment, at-scale, for signs of compromise with the use of proactive hunting
  • Analyze web logs to recognize and interpret common attacker techniques, including obfuscation and encoding methods
  • Improve logging visibility, prevent evidence tampering, and reduce the attack surface by identifying common configuration parameters and logged events that aid effective investigations

Who this course helps

Linux system administrators, incident responders, threat hunters, and SOC analysts who need to understand the process involved in performing effective enterprise incident response for Linux systems.

What to bring

Students are required to bring their own laptop that meets the following specs:

  • Windows 7+ and MacOS 10.11+
  • VMware or VirtualBox installed on system with 2 GB of memory and 2 CPU cores dedicated for the VM (hypervisor software will be provided for students)
  • 50 GB of free HDD space reserved for the VM
  • Microsoft Office installed (recommended)
  • Admin/install rights
  • Wireless connectivity (recommended)

Course materials

Students will receive a lab book and access to all required class materials and tools.