Quick start: pick a goal
- Contain a host from a C2 alert → C2 alert to containment
- Investigate suspicious persistence → Suspicious scheduled tasks
- Remove unauthorized privilege → Rogue local admin accounts
- Validate a detection → Atomic Red Team validation
- Run response actions → Endpoint response actions
- Memory forensics / malware hunting → Volatility 3 malware hunting
Capsules by category
What each capsule includes
- What you’re trying to accomplish
- When to use it (what kind of alert/context)
- Prerequisites (data sources + access)
- Step-by-step procedure
- Validation (“what good looks like”)
- Safety notes (containment vs evidence preservation)
- Video link