Incident Response Training

CISA has developed no-cost cybersecurity incident response training for government employees and contractors across Federal, State, Local, Tribal, and Territorial government, and is open to educational and critical infrastructure partners.  


Incident Response Training Banner


The Identify, Mitigate, and Recover (IMR) incident response curriculum provides a range of training offerings for beginner, intermediate, and advanced cyber professionals encompassing basic cybersecurity awareness and best practices for organizations, live red/blue team network defense demonstrations emulating real-time incident response scenarios, and hands- on cyber range training courses for incident response practitioners. Course types include: Awareness Webinars, Cyber Range Training, Cyber Range Challenges, and Observe the Attack. With four types of courses, there are valuable learning opportunities available for everyone from cyber newbies to veteran cybersecurity engineers. 


Visit the Cybersecurity Training Event Catalog to register for an event. 

Awareness Webinar Events

Awareness webinars are cybersecurity topic overviews for a general audience including managers and business leaders, providing core guidance and best practices to prevent incidents and prepare an effective response if an incident occurs. Additionally, these webinars will made available to the public at the Federal Virtual Training Environment (FedVTE). Topics include:

One-Hour Awareness Webinars

Topic Course Title
Ransomware Don’t Wake Up to a Ransomware Attack
Cloud-based Server Attacks Don’t Get Caught in the Storm
Business Email Compromise Preventing Business Email Attacks
Internet-Accessible System Vulnerabilities Don’t Let Cyber Criminals Steal Your Connections
Web and Email Server Attacks Securing Web and Email Servers 
DNS Infrastructure Tampering Don’t Get Caught in the Web 

Cyber Range Training Events

Cyber Range Training courses provide guided step-action labs for new to experienced incident response practitioners to practice hands-on investigation, remediation, and incident response skills. Topics include:   

Four-Hour Cyber Range Training Courses

Topic Course Title
Internet-Accessible System Security Defending Internet-Accessible Systems
Web and Email Server Attacks Defending Web and Email Servers
DNS Attacks Defending DNS Infrastructure

Cyber Range Challenges

Cyber Range Challenges are scenario-based experiential courses for experienced cybersecurity practitioners, with participants working in teams on the CISA Cyber Range to investigate and defend the network against a cyberattack. Topics include:   

Six-Hour Cyber Range Challenge Courses

Topic Course Title
Ransomware Ransomware Cyber Range Challenge
Cloud Leak Cloud Leak Cyber Range Challenge
Business Email Compromise Business Email Compromise Cyber Range Challenge

Observe the Attack Events

The Observe the Attack series gives participants a virtual front-row seat to a live red/blue team network defense exercise based around a specific cyberattack scenario. Expert cybersecurity engineers guide the class through the attack and defense strategy of each side, providing key insights and strategies that apply to coordinating an effective incident response in real time. Topics include:  

Two-Hour Observe the Attack Demonstrations

Topic Course Title
Ransomware      Observe the Attack: Ransomware
Cloud Leak Observe the Attack: Cloud Leak 
Business Email Compromise Observe the Attack: Business Email Compromise

Contact Information 

To ask a question or provide other feedback on the IMR series, contact

Frequently Asked Questions 

  • What is “incident response” training? Where can I learn more about it?
    • Based on the definition provided in NIST Special Publication 800-61, Computer Security Incident Handling Guide, cybersecurity incident response is a complex capability encompassing detecting incidents, minimizing loss and destruction, mitigating the weaknesses that were exploited, and restoring IT services. 
    • The NICE Cybersecurity Workforce Framework outlines work roles for incident response professionals and tasks, skills, knowledge, and abilities required to be competent in an incident response role. Specifically, incident response is classified as a specialty area under the “Protect and Defend” category; however, the core skills taught apply beyond the scope of incident response activity. 
  • Which types of courses are relevant to me?
    • The Identify, Mitigate, and Recover (IMR) series is designed to provide incident response training and organizational guidance for Federal, State, Local, Tribal, and Territorial government staff, contractors, and stakeholders at all levels of incident response, from general organizational staff to experienced incident response specialists. 
    • Webinar courses provide an entry-level topic overview for those who know little about incident response in general, or a specific cybersecurity subject. They are recommended for anyone who works in or adjacent to network security and incident response, or anyone interested in learning more about personal or professional cybersecurity, organizational best practices for incident response, or specific attack types such as ransomware or business email compromise. 
    • The “Observe the Attack” series red/blue team demonstration events are ideal for those who supervise, manage, support, or facilitate incident or crisis response. If you are looking for a front-row seat to a real-time incident response scenario, these events are for you!
    • Cyber Range Training courses are hands-on labs designed to teach the basics of network investigation and defense. They are accessible to new cybersecurity workers who may lack hands-on skill practice, but some theoretical understanding of cybersecurity and incident response enhances the value of the instruction.
    • Cyber Range Challenges are hands-on incident response scenarios designed for experienced practitioners. Students are asked to complete class profiles to summarize their skill and experience, and teams are balanced so that newer incident responders can learn from and work with more experienced professionals. These are critical thinking and problem-solving challenges as much as they are a test of investigation and network defense skills. 
  • How do I participate in a training event?
    • To participate, you can sign up for open courses in the course catalog. Please note that courses may not open for registration until four weeks before the training date. When a course does open, an invite is distributed to interested stakeholders. If you would like to be included on future IMR training announcements, please email
  • Can I stream courses online?  
    • IMR Webinars are recorded, edited, and made available for public viewing on-demand through FedVTE. Stream webinars at your convenience and share them with your friends and colleagues!
    • Cyber Range Trainings and Cyber Range Challenges are not available on-demand, as they require hands-on participation in a cyber range environment. 
  • What course topics are available?
    • Below is a list of confirmed IMR course topics to be offered in FY21. This list may be updated as we expand the IMR curriculum:
      • Ransomware 
      • Cloud-based Server Attacks 
      • Cloud Leak
      • Business Email Compromise 
      • Internet-Accessible System Vulnerabilities 
      • Web and Email Server Attacks 
      • DNS Attacks
      • DNS Infrastructure Tampering 
  • Can I earn continuing education credits for these trainings? 
    • While acceptance may vary depending on your certification vendor, all IMR courses can be used to earn CPE credits.
      • Webinar: 1 credit hour
      • Observe the Attack: 2 credit hours
      • Cyber Range Training: 4 credit hours
      • Cyber Range Challenge: 6 credit hours


Privacy Act Statement

Authority: 5 U.S.C. § 301 and 44 U.S.C. § 3101 authorize the collection of this information.

Purpose: The information on this website is intended for government cybersecurity professionals who are participating in the Department of Homeland Security (DHS) Continuous Diagnostics and Mitigation (CDM) Program and for cybersecurity professionals who would like more information on implementing a continuous monitoring program. The primary purpose for the collection of this information is to allow the DHS to contact you about your registration using an approved version of Adobe Connect for the DHS CDM training program.

Routine Uses: The information collected may be disclosed as generally permitted under 5 U.S.C. § 552a(b) of the Privacy Act of 1974, as amended. This includes using the information as necessary and authorized by the routine uses published in DHS/ALL-002 - Department of Homeland Security (DHS) Mailing and Other Lists System November 25, 2008, 73 FR 71659.

Disclosure: Providing this information is voluntary. However, failure to provide this information will prevent DHS from contacting you in the event there are queries about your request or registration.

Was this webpage helpful?  Yes  |  Somewhat  |  No