Incident Response Training

The best offense is a good defense. To help organizations across the nation protect their IT enterprises and build their cyber talent, CISA offers Incident Response (IR) training courses free to government employees and contractors across federal, state, local, tribal and territorial government, educational and critical infrastructure partners, and the general public. This training addresses both an offensive and defensive view, providing not only the knowledge and tools needed to prepare an effective response if a cyber incident occurs, but also strategies to prevent incidents from happening in the first place.

The IR curriculum offers a range of trainings for beginner and intermediate cyber professionals encompassing basic cybersecurity awareness and best practices for organizations.

Sign up for trainings via the Upcoming Events sections below. To learn more about how CISA may assist potentially impacted entities after a cyber incident, visit the Cyber Incident Response page. 

Incident Response Training Privacy Act Statement

View Statement

Authority: 5 U.S.C. § 301 and 44 U.S.C. § 3101 authorize the collection of this information.

Purpose: The purpose of this collection is to provide individuals access to Cybersecurity and Infrastructure Security Agency (CISA) Incident Response Training and information using CISA Webex.

Routine Uses: This information  may be disclosed as generally permitted under 5 U.S.C. § 552a(b) of the Privacy Act of 1974, as amended. This includes using the information, as necessary and authorized by the routine uses published in DHS/ALL-002 - Department of Homeland Security (DHS) Mailing and Other Lists System November 25, 2008, 73 FR 71659.

Disclosure: Providing this information is voluntary; however, failure to provide this information may prevent DHS from contacting you in the event there are queries about your request or registration.

Awareness Webinars

Awareness webinars, also referred to as 100-level courses, are one-hour, entry-level virtual and instructor-led classes with cybersecurity topic overviews for a general audience, including managers and business leaders. These trainings provide core guidance and best practices to prevent incidents and prepare an effective response if an incident does occur. Previously recorded webinars are available on the CISA YouTube Channel Protect Your Network: Strengthen Your Cybersecurity with Our Incident Response Training and on CISA Learning. These webinars are intended for a non-technical audience and beginning incident responders.

Training Topics:

Defending Internet Accessible Systems (IR104)

Internet-accessible systems have become the backbone of modern business and communication infrastructure, from smartphones to web applications and the explosive growth of the “Internet of Things” (IoT). Each of these systems and devices, however, can be targeted by threat actors and used to conduct malicious activity if they are unsecure. Worse, these systems can leave vulnerabilities and sensitive information freely available for exploitation if they are not properly configured and maintained.

This webinar includes the following information and more:

• Common attacks and vulnerabilities: Understand common vulnerabilities of internet-accessible systems, how they are exploited by threat actors, and how to mitigate them to prevent attacks from succeeding.
• CISA guidance: Learn key guidance, resources, and best practices to address vulnerabilities and prepare effective incident response and recovery.
• Case studies: Examine the methods and impacts of real-life cyberattacks and learn how the targets responded and recovered.
• Knowledge check: The course concludes with a brief knowledge check section to reinforce key concepts and takeaways.

Preventing Web and Email Server Attacks (IR105)

Web and email servers are the workhorses of the Internet — we couldn't run government, businesses, or our personal lives without them! However, the information exchanged through web and email servers can offer a tempting target for cyber attackers.

This webinar includes the following information and more:

• Common attack methods: Hackers can target and decode victims' web and email traffic, compromise email security to make phishing attempts more likely to succeed or can even use botnets to shut down access to websites and conduct large-scale campaigns of malicious activity.
• Key guidance for organizations: CISA provides resources and best practices to help individuals and organizations secure their web and email infrastructure.
• Case studies: Explore the methods and impacts of real-life cyberattacks, and how the victims responded and recovered.
• Knowledge check: The course concludes with a brief knowledge check section to reinforce key concepts and takeaways.

Preventing DNS Infrastructure Tampering (IR106)

The Domain Name System, commonly known as DNS, is often referred to as the “phone book” of the internet. Every time we access the internet to visit our favorite websites, we depend on DNS infrastructure to securely route us to our intended destinations. While this shared infrastructure is incredibly useful, it also presents a rich attack surface. Threat actors have the ability to shut down websites and online services, replace legitimate website content with threats or extortion attempts, and even route traffic to a carbon copy of a legitimate website to steal information entered by users.

This webinar includes the following information and more:

• Common attacks and vulnerabilities: Learn how to identify a potential attack on DNS infrastructure.
• CISA guidance: CISA provides information on best practices to reduce the likelihood and impact of a successful DNS attack.
• Case studies: Examine the methods and impacts of real-life cyberattacks and learn how the targets responded and recovered.
• Knowledge checks: The course provides knowledge checks throughout the presentation to reinforce key concepts and takeaways.

Introduction to Network Diagramming (IR107)

To protect the confidentiality, integrity, and availability of an agency’s network and the data contained therein, cybersecurity professionals must be able to identify their network enterprise accurately and completely. Network diagrams are essential and serve to help visualize what is on the network, how the overall network is structured, and how all the devices on the network are connected. Every organization should build and maintain current and accurate network diagrams to help manage their network architecture and ultimately determine how to best mitigate potential or realized risks and vulnerabilities.

This webinar includes the following information and more:

• Importance of Network Diagrams: Students will learn the importance of creating and maintaining network topology diagrams. Students will also understand the importance of identifying data flows and storage, identifying remote access points and external connections, and using network segmentation for security.
• Key Guidance for Organizations: CISA provides guidance on what to include in network diagrams.
• Knowledge check: The course concludes with a brief knowledge check section to reinforce key concepts and takeaways.

Understanding Indicators of Compromise (IR108)

Indicators of compromise (IOCs) are the digital and informational “clues” that incident responders use to detect, diagnose, halt, and remediate malicious activity in their networks. This webinar provides an overview of IOCs for incident responders and those who work with them, introduces example scenarios and how IOCs can be used to trace activity and piece together a timeline of the threat, and discusses tools and frameworks to help incident responders use IOCs to detect, analyze, respond to, and report cyber threat activity.

This webinar includes the following information and more:

• Importance of IOCs: Defines IOCs and demonstrates why tracking, investigating, and reporting IOCs are crucial to enterprise cybersecurity. Students will understand how IOCs are used for threat hunting and incident response, study different types of indicators, and learn how to collect different categories of IOCs.
• Frameworks: Students will learn about the Cyber Kill Chain^® and MITRE ATT&CK^® Framework and how they support the analysis of IOCs.
• Knowledge checks: The course provides knowledge checks throughout the presentation to reinforce key concepts and takeaways.

Defend Against Ransomware Attacks (IR109)

Ransomware attacks hit a new target every 14 seconds—shutting down digital operations, stealing information, and exploiting businesses, essential services, and individuals alike. This one-hour webinar provides essential knowledge and reviews real-life examples of these attacks to help you and your organization mitigate and respond to the ever-evolving threat of ransomware.

This webinar includes the following information and more:

• Common attack methods: Learn the definition of ransomware, a summary of its large-scale impacts, and how these attacks have developed over time. The webinar will discuss common signs of a ransomware attack and how to respond if an attack is suspected.
• Key Guidance for Organizations: CISA provides guidance for how to mitigate the impact of ransomware attacks and recover in the event of an attack.
• Case studies: Explore the methods and impacts of real-life cyberattacks and learn how the victims responded and recovered.
• Knowledge check: The course concludes with a brief knowledge check section to reinforce key concepts and takeaways.

Introduction to Log Management (IR110)

Log files provide the data that are the bread and butter of incident response, enabling network analysts and incident responders to investigate and diagnose issues and suspicious activity from network perimeter to epicenter. CISA is proud to present this one-hour webinar introducing the fundamentals of investigating logs for incidents.

This webinar includes the following information and more:

• Common attack methods: Understand log analysis and its importance as a crucial component of incident response and network security.
• Key guidance for organizations: Introduce resources and tools that enable organizations and individuals to use log analysis to query for threat activity, including security information and event management (SIEM) and full packet capture (FPCAP) analysis, and using PowerShell and Active Directory to run scripts.
• Case studies: Explore the methods and impacts of real-life cyberattacks and learn how the victims responded and recovered.
• Knowledge check: The course concludes with a brief knowledge check section to reinforce key concepts and takeaways.

Using the CISA Incident Response Playbook at Your Organization (IR111)

Produced in accordance with Executive Order 14028, “Improving the Nation’s Cybersecurity,” CISA released the Federal Government Cybersecurity Incident and Vulnerability Response Playbooks that provide federal civilian agencies with a standard set of procedures to respond to vulnerabilities and incidents impacting Federal Civilian Executive Branch (FCEB) networks. This course introduces students to the Incident Response Playbook that describes the process FCEB agencies should follow for confirmed malicious cyber activity for which a major incident has been declared or not yet been reasonably ruled out. While the playbooks are intended for federal agencies, CISA encourages public and private sector partners to review them to help inform their own incident response practices.

This webinar includes the following information and more:

• Key guidance for organizations: Introduce the CISA Incident Response (IR) Playbook with an overview of the IR phases, key resources, standardizing shared practices, and the Incident Response Checklist. Learn about roles, responsibilities, and the importance of communication during an incident response.
• Lessons learned: This course also highlights lessons learned and common missteps when implementing an IR playbook.
• Knowledge check: The course concludes with a brief knowledge check section to reinforce key concepts and takeaways.

Implementing SaaS Security Guidelines (IR113)

With the increasing use of SaaS applications in Government agencies, and in response to Executive Order 14028 “Improving the Nation’s Cybersecurity”, “CISA in collaboration with the United States Digital Service (USDS) and FedRAMP, developed the Cloud Security Technical Reference Architecture (TRA). This guide will assist agencies as they securely transition to the cloud. In addition, CISA created the Secure Cloud Business Applications (SCuBA) project to provide guidance to address cybersecurity and visibility gaps in FCEB cloud business applications.  

  This webinar includes the following information and more:  

• Identify and Mitigate Vulnerabilities: Provide knowledge and skills to identify and address cybersecurity challenges in federal cloud business applications, emphasizing a Zero-Trust approach and the integration of various cloud security services.  

• Importance of SCuBA Technical Reference Architecture (TRA) and extensible Visibility Reference Framework (eVRF): Define the background and purpose of the SCuBA project and associated guidelines to secure cloud-based business applications.  

• MITRE ATT&CK Framework: Explain how the MITRE ATT&CK framework is used to characterize threat sources and Tactics, Techniques, and Procedures specific to cloud platforms.   

• Key Guidance for Organizations: Identify specific cloud security guidance and strategies for the implementation of security controls on a SaaS.  

• Knowledge Check: The course includes a brief knowledge check section to reinforce key concepts and takeaways.  

Instrumenting the Environment to Detect Suspicious and Malicious Activity (IR114)

Attackers are becoming more sophisticated – and efficient. The time it takes an attacker to begin moving laterally once they have a foothold in the network is 79 minutes, compared to 9 hours in 2019. Security teams require exceptional network visibility to keep pace with top-level threat actors as these breakout times shrink. Triage training and tools can help incident response teams reduce the time an attacker dwells undetected within a network, mitigating attacks before threat actors can accomplish their missions. This course provides best practices for organizations to strengthen their detection and initial response capabilities for more effective triaging.

This webinar includes the following information and more:

• Key guidance for organizations: Gain insights on enterprise instrumentation tools and methodologies that streamline incident response.
• Job Aid: Receive a triage checklist to assist incident responders in efficiently collecting endpoint data for timely, actionable intelligence.
• Case study: Explore a high-impact, global cyberattack, dissecting the tactics, techniques, and procedures that defined the incident.
• Knowledge check: Conclude your learning experience with a knowledge check designed to ensure readiness in applying these critical concepts in a real-world incident.

Webinar - Incident Response Triage: Initial Triage and Data Collection (IR115)

This course begins with a security incident related to an Advanced Persistent Threat (APT) that targets the financial sector.

This webinar includes the following information and more: 

• Identifies and collects evidence from endpoints and other sources 

• Retrieves relevant information from logs, network captures, and system endpoints 

• Conducts email header analysis and assessments of external IP addresses 

• Reports and communicates initial triage findings to the Security Operations Center (SOC)  

Cyber Range Training

Cyber Range Trainings, also referred to as 200-level courses, are four-hour, interactive, virtual, and instructor-led classes with step-action labs in a realistic technical environment. These offerings are available for government employees and contractors across federal, state, local, tribal, and territorial government, educational partners, and critical infrastructure partners.

Cyber Range Training courses provide guided step-action labs for cybersecurity analysts to learn and practice investigation, remediation, and incident response skills. Students participate in short lectures followed by lab activities to identify incidents and harden systems in the cyber range environment. These are ideal for beginner and intermediate cybersecurity analysts who wish to learn technical incident response skills.

Training Topics:   

Defending Internet Accessible Systems (IR204)

Participants will be introduced to tactics and strategies that enable them to protect their organizations from attacks against internet-accessible system(s) (i.e., internet-accessible system attacks or IAS) through awareness of individual and organizational points of vulnerability.

Experience these benefits and more:

• Practice in a realistic environment: Define IAS vulnerabilities and their indicators.
• Learn how to implement CISA guidance: Course exercises include implementation of the recommendations in BOD 19-02.
• Identify and mitigate vulnerabilities in real time: Students will identify common methods of scanning for vulnerabilities, analyzing event logs, and modifying firewall rules.
• Expert facilitation and peer discussion: Throughout the course, expert cybersecurity engineers will moderate discussion and conduct a recovery debrief for the exercises. Participants are also encouraged to help one another and offer relevant input to address peers’ questions.

Preventing Web and Email Server Attacks (IR205)

Participants will be introduced to common web and email vulnerabilities, as well as the technologies of encryption and authentication to enhance web and email security. This course uses an active participation approach to facilitate realistic technical training and interaction opportunities for learners.

Experience these benefits and more:

• Practice in a realistic environment: Analyze network and host-based artifacts and implement remediation changes for the identified vulnerabilities.
• Learn how to implement CISA guidance: Course exercises include implementation of the recommendations in BOD 18-01.
• Identify and mitigate vulnerabilities in real time: Students identify common web and email vulnerabilities and mitigate them by reconfiguring the web server and Domain Name System (DNS) settings.
• Expert facilitation and peer discussion: Throughout the course, expert cybersecurity engineers moderate discussion and conduct a recovery debrief for the exercises. Participants are encouraged to help one another and address peer questions.

Preventing DNS Infrastructure Tampering (IR206)

DNS is one of the core foundations of the internet. However, it continues to be one of the mechanisms attackers use to perform malicious activities across the globe. In this course participants will learn about various concepts associated with DNS, become familiar with DNS tools and mapping information, be introduced to common DNS tampering techniques, and gain an understanding of DNS mitigation strategies to enhance security.

Experience these benefits and more:

• Practice in a realistic environment: Analyze network and host-based artifacts and implement remediation changes for the identified vulnerabilities.
• Learn how to implement remediations: Course exercises include remediating vulnerabilities.
• Identify and mitigate vulnerabilities in real time: Students identify DNS infrastructure tampering techniques and mitigate them.
• Expert facilitation and peer discussion: Throughout the course, expert cybersecurity engineers moderate discussion and conduct a recovery debrief for the exercises. Participants are encouraged to help one another and offer relevant input to address peers' questions.

Understanding Indicators of Compromise (IR208)

Cyberattacks have made headlines for years, and the pace of threat activity faced by government and private sector organizations is accelerating. Indicators of compromise (IOCs) are the digital and informational “clues” that incident responders use to detect, diagnose, halt, and remediate malicious activity in their networks. In this training, participants will be introduced to common IOCs and common protocols used to find them in their own systems.

Experience these benefits and more:

• Importance of IOCs: Define IOCs and why tracking, investigating, and reporting IOCs are crucial to enterprise cybersecurity. Students will understand how IOCs are used for threat hunting and incident response, different types of indicators, and how to collect different categories of IOCs.
• Practice in a realistic environment: Learn about the MITRE ATT&CK^® Framework and how it supports the analysis of IOCs, potential threat actors related to the activity, and their associated tactics, techniques, and procedures (TTPs). Perform lab activities to detect IOCs using the MITRE ATT&CKFramework.
• Expert facilitation and peer discussion: Throughout the course, expert cybersecurity engineers moderate discussion and conduct a recovery debrief for the exercises. Participants are encouraged to help one another and offer relevant input to address peers' questions.

Defend Against Ransomware Attacks (IR209)

Ransomware is the fastest growing malware threat targeting home, business, and government networks. Anyone with a computer connected to the internet is a target. Ransomware infection is one computer, one person, one click away from penetrating a network’s defense. If just one computer becomes infected with ransomware, infection could quickly spread all over the network, which is why ransomware protection is critical. Ransomware incidents have become increasingly prevalent and pose an enormous risk to you and your organization’s critical infrastructure. In this training, participants will be introduced to common applications and processes that harden network defenses, as well as key concepts used in the prevention of ransomware attacks.

Experience these benefits and more:

• Common attack methods: Define ransomware and identify best practices and preventive measures to mitigate the impact of ransomware attacks.
• Practice in a realistic environment: Learn how to apply specific tools to configure and back up Active Directory policies, reset Kerberos Ticket Granting Ticket (KRBTGT) account passwords, and create application allow-listing policies.
• Identify and mitigate vulnerabilities in real time: Students identify malicious domains and mitigate them by establishing a sinkhole and by blocking the malicious domain.
• Expert facilitation and peer discussion: Throughout the course, expert cybersecurity engineers moderate discussions and conduct a recovery debrief for the exercises. Participants are encouraged to help one another and offer relevant input to address peers' questions.

Introduction to Log Management (IR210)

Log files provide the data that are the bread and butter of incident response, enabling network analysts and incident responders to investigate and diagnose issues and suspicious activity from network perimeter to epicenter. Participants will be introduced to basic principles of log management and configuration. Federal compliance regulations of log configuration and management, including OMB Memorandum 21-31, will also be introduced.

Experience these benefits and more:

• Common attack methods: Understand the importance of the configuration, management, and analysis of logs for incident response and identify key processes of log management.
• Practice in a realistic environment: Investigate and analyze log data for suspicious activity. Detect and correlate possible IOCs or malicious activity with threat intel. Exercises include configuring a DNS server, network device firewall, an operating system and more for proper logging.
• Expert facilitation and peer discussion: Throughout the course, expert cybersecurity engineers moderate discussions and conduct a recovery debrief for the exercises. Participants are encouraged to help one another and offer relevant input to address peers’ questions.

Using the CISA Incident Response Playbook at your Organization (IR211)

Produced in accordance with Executive Order 14028, “Improving the Nation’s Cybersecurity,” CISA released the Federal Government Cybersecurity Incident and Vulnerability Response Playbooks that provide federal civilian agencies with a standard set of procedures to respond to vulnerabilities and incidents impacting Federal Civilian Executive Branch (FCEB) networks.  This course introduces students to the Incident Response Playbook that describes the process FCEB agencies should follow for confirmed malicious cyber activity for which a major incident has been declared or not yet been reasonably ruled out. The course will include a tabletop discussion format that follows a simulated IR event/scenario and guides students through the CISA IR checklist and IR phases. While the playbooks are intended for federal agencies, CISA encourages public and private sector partners to review them to help inform their own incident response practices.

Experience these benefits and more:

• Key guidance for organizations: Introduce the CISA Incident Response (IR) Playbook with an overview of the IR phases, key resources, standardizing shared practices, and the Incident Response Checklist. Learn about roles, responsibilities, and the importance of communication during an incident response.
• Lessons learned: This course also highlights lessons learned and common missteps when implementing an IR playbook.
• Peer activity and discussion: A guided incident response tabletop scenario and discussion where students will be required to follow the IR process using the CISA IR checklist. The tabletop discussion will help students to better comprehend and apply critical thinking throughout the NIST/CISA IR process.

Implementing SaaS Security Guidelines (IR213)

With the increasing use of SaaS applications in Government agencies, and in response to Executive Order 14028 “Improving the Nation’s Cybersecurity,” CISA in collaboration with the United States Digital Service (USDS) and FedRAMP, developed the Cloud Security Technical Reference Architecture (TRA). This guide will assist agencies as they securely transition to the cloud. In addition, CISA created the Secure Cloud Business Applications (SCuBA) project to provide guidance to address cybersecurity and visibility gaps in FCEB cloud business applications.

Experience these benefits and more: 

• Identify and Mitigate Vulnerabilities: Provide knowledge and skills to identify and address cybersecurity challenges in federal cloud business applications, emphasizing a Zero-Trust approach and the integration of various cloud security services.  

• Importance of SCuBA Technical Reference Architecture (TRA) and extensible Visibility Reference Framework (eVRF): Define the background and purpose of the SCuBA project and associated guidelines to secure cloud-based business applications.  

• MITRE ATT&CK Framework: Explain how the MITRE ATT&CK framework is used to characterize threat sources and Tactics, Techniques, and Procedures specific to cloud platforms.   

• Key Guidance for Organizations: Identify specific cloud security guidance and strategies for the implementation of security controls on a SaaS.  

• Identify cloud-based business applications security baselines and apply recommended configurations for password complexity and multifactor authentication to cloud business applications  

• Scan cloud based M365 software applications to evaluate alignment with recommended security baselines using SCuBAGear Software  

• Knowledge Check: The course includes a brief knowledge check section to reinforce key concepts and takeaways.  

Instrumenting the Environment to Detect Suspicious and Malicious Activity (IR214)

Attackers are becoming more sophisticated – and efficient. The time it takes an attacker to begin moving laterally once they have a foothold in the network is 79 minutes, compared to 9 hours in 2019. Security teams require exceptional network visibility to keep pace with top-level threat actors as these breakout times shrink. Triage training and tools can help incident response teams reduce the time an attacker dwells undetected within a network, mitigating attacks before threat actors can accomplish their missions.

This 4-hour skills development cyber range training provides best practices for organizations to strengthen their detection and initial response capabilities for more effective triaging. Through case studies, presentations by expert facilitators, demonstrations, and lab exercises participants will explore the tools and techniques necessary to identify suspicious and malicious activity in an enterprise environment.

Experience these benefits and more:

• Key guidance for organizations: Gain insights on enterprise instrumentation tools and methodologies that streamline incident response.
• Job Aid: Receive a triage checklist to assist incident responders in efficiently collecting endpoint data for timely, actionable intelligence.
• Case study: Explore a high-impact, global cyberattack, dissecting the tactics, techniques, and procedures that defined the incident.
• Knowledge check: Conclude your learning experience with a knowledge check designed to ensure readiness in applying these critical concepts in a real-world incident.

Cyber Range Skills Development Incident Response Triage: Initial Triage and Data Collection (IR215)

This four-hour cyber range training focuses on enhancing detection and initial response capabilities for more efficient triaging. Participants will delve into best practices through hands-on lab exercises, case studies, presentations led by expert facilitators, and demonstrations. They will acquire the necessary tools and techniques to identify suspicious and malicious activities within enterprise environments. 

Experience these benefits and more: 

• Practice initial response tactics to Advanced Persistent Threats (APTs), including ransomware attacks, emphasizing the crucial elements of speed and accuracy in data collection from logs, systems, and network traffic. 

• Utilize automated tools for initial data gathering and manual evidence collection. 

Frequently Asked Questions

What is “incident response” training? Where can I learn more about it?

• Based on the definition provided in NIST Special Publication 800-61, Computer Security Incident Handling Guide, cybersecurity incident response is a complex capability encompassing detecting incidents, minimizing loss and destruction, mitigating the weaknesses that were exploited, and restoring IT services.
• The NICE Cybersecurity Workforce Framework outlines work roles for incident response analysts and tasks, skills, knowledge, and abilities required to be competent in an incident response role. Specifically, incident response is classified as a specialty area under the “Protect and Defend” category; however, the core skills taught apply beyond the scope of incident response activity.
• When cyber incidents occur, the Department of Homeland Security (DHS) provides assistance to potentially impacted entities, analyzes the potential impact across critical infrastructure, investigates those responsible in conjunction with law enforcement partners, and coordinates the national response to significant cyber incidents. The Department works in close coordination with other agencies with complementary cyber missions, as well as private sector and other non-federal owners and operators of critical infrastructure, to ensure greater unity of effort and a whole-of-nation response to cyber incidents. To learn more, visit the Cyber Incident Response page.

Which types of courses are relevant to me?

• The Incident Response Training series is designed to provide incident response training and organizational guidance.
• Webinar courses provide an entry-level topic overview for those who know little about incident response in general, or a specific cybersecurity subject. They are recommended for anyone who works in or adjacent to network security and incident response, or anyone interested in learning more about personal or professional cybersecurity, organizational best practices for incident response, or specific attack types such as ransomware or business email compromise.
• Cyber Range Training courses have lab exercises designed to teach the basics of network investigation and defense. They are accessible to new cybersecurity workers who may lack real-world skill practice, but some theoretical understanding of cybersecurity and incident response enhances the value of the instruction.

Who can register for the courses?

• The Awareness Webinars are open to a general audience.
• The Cyber Range Training courses are available for government employees and contractors across Federal, State, Local, Tribal, and Territorial government, educational partners, and critical infrastructure partners. Please use your corporate, government, military, or education email addresses when registering as personal email addresses will not be approved for class attendance.

How do I participate in a training event?

• To participate, visit the upcoming event sections on the webpage above to sign up for open courses. Please note that courses may not open for registration until approximately four weeks before the training date.

How can I be notified of upcoming courses?

• When a course does open, an invitation to register is distributed to interested stakeholders. If you would like to be included on future IR training announcements, please email CyberInsights@cisa.dhs.gov and indicate which course type you would like to be notified about. 

Can I stream courses online?

• Previous Awareness Webinars are made available for public viewing on-demand through CISA Learning. Stream webinars at your convenience and share them with your friends and colleagues!
• Previously recorded webinars are also available on the CISA YouTube Channel Protect Your Network: Strengthen Your Cybersecurity with Our Incident Response Training Playlist.
• Cyber Range Trainings are not available on-demand, as they require participation in a cyber range environment.

What course topics are available?

• Below is a list of confirmed IR course topics to be offered in Fiscal Year 2022. This list may be updated as we expand the IR curriculum:
  • Ransomware
  • Indicators of compromise
  • Internet-accessible system vulnerabilities
  • Web and email server attacks
  • Domain Name System (DNS) infrastructure tampering
  • Log management
  • Network diagramming

Can I earn continuing education credits for these trainings? 

• While acceptance may vary depending on your certification vendor, all IR courses can be used to earn CPE credits.
  • Webinar: 1 credit hour
  • Cyber Range Training: 4 credit hours

What about the previous types of courses CISA offered in the IR Training series?

• In Fiscal Year 2021 CISA offered the following IR courses in addition to the ones described previously.
  • Course Types
    • Observe the Attack: 2 credit hours. The “Observe the Attack” series red/blue team demonstration events are ideal for those who supervise, manage, support, or facilitate incident or crisis response. If you are looking for a front-row seat to a real-time incident response scenario, these events are for you!
    • Cyber Range Challenge: 6 credit hours. Cyber Range Challenges are incident response scenarios designed for experienced practitioners. Students are asked to complete class profiles to summarize their skill and experience, and teams are balanced so that newer incident responders can learn from and work with more experienced professionals. These are critical thinking and problem-solving challenges as much as they are a test of investigation and network defense skills.
  • Course topics that were discontinued after 2021:
    • Cloud-based server attacks
    • Cloud leak
    • Business email compromise