
CrowdStrike Falcon (EDR) Investigation

Responding to detections and incidents in the Falcon Console.

1-Month live online Bootcamp

Master the skills to navigate the Falcon console, analyze and triage detections, dive deep into data analysis, and integrate the MITRE ATT&CK® framework into your workflow.

Gain hands-on experience handling real-world incidents, including triaging IOCs and responding to complex threats. By the end of this bootcamp, you'll be fully prepared to ace your next interview and demonstrate your expertise in advanced incident response and reporting—setting you apart as a standout candidate in any SOC team.
Roadmap


Unit 1: Falcon Foundations & Console Navigation (Day One)

Goal: Access CrowdStrike, explore the console, and understand how detections work.

  • What is CrowdStrike Falcon and how it works (cloud-native, lightweight agent)

  • Falcon Sensor: deployment basics & verifying installation

  • Console overview: Activity, Hosts, Configuration, RTR

  • Understanding detections: severity, confidence, alert types

  • MITRE ATT&CK & Execution (TA0002): T1059, T1204, T1559, T1053

  • Preview: “Suspicious Process Created” detection walkthrough


Unit 2: Detection Procedure: Investigating Process Execution

Goal: Teach structured detection triage and analysis of malware or suspicious process execution.

  • Step-by-step walkthrough of CrowdStrike Detection Procedure

    • Triage: Who, what, where, when

    • Context: Host info, user behavior, timeline review

    • Process Tree: Parent/child analysis, command-line arguments

    • File and hash reputation checks (VirusTotal, CrowdStrike Intel)

    • Network connections: IPs/domains, reputation lookups

    • Persistence checks: Run keys, scheduled tasks

  • Real-world alert examples (Falcon Insight)

  • Practical: Investigate and document a real detection


Unit 3: Host Timeline & Behavioral Context Analysis

Goal: Pivot from detection into timeline and understand endpoint/user behavior.

  • Deep dive into the Falcon Host Timeline

  • Finding precursor activity

  • Behavioral analysis: Was this typical for this user or system?

  • Building a timeline of execution steps

  • Practical exercise: Host activity chain analysis


Unit 4: Real Time Response (RTR) for Investigation & Threat Hunting

Goal: Use RTR to dig deeper into suspicious endpoints.

  • Falcon RTR interface and permissions

  • Common commands: netstat, ps, reg query, getfile

  • Retrieving suspicious files, logs, autoruns

  • Identifying persistence & memory artifacts

  • Use case: Hunting encoded PowerShell or suspicious scheduled tasks


Unit 5: Analyzing Network, C2, and Lateral Movement Indicators

Goal: Analyze outbound communication and signs of internal spread.

  • Network indicators in detections

  • Identifying C2 traffic (domains, ports, geolocation)

  • OSINT: IP/domain enrichment using threat intel tools

  • Evidence of lateral movement or internal reconnaissance

  • Practical: Correlate detection with suspicious network behavior


Unit 6: Escalation to L2 SOC & Incident Response

Goal: Teach when and how to escalate a detection to L2/IR teams.

  • Escalation criteria: persistence, malware, lateral movement

  • What L2/IR expects: IOC summary, detection context, ticketing info

  • Drafting a clear escalation summary (Jira, email)

  • L2/IR actions:

    • Reinvestigate in Falcon

    • Use RTR to isolate host, collect memory, remove persistence

  • Simulated escalation walk-through


Unit 7: Threat Categories & MITRE ATT&CK Mapping

Goal: Classify detections by attack type and lifecycle stage.

  • Review: Initial Access → Execution → Persistence → Lateral Movement

  • Mapping Falcon detections to MITRE techniques

  • Common threats: Phishing, LOLBins, fileless attacks

  • Falcon detection naming patterns for different phases

  • Practical: Tag detections to MITRE matrix


Unit 8: Incident Scoping, Containment, and Remediation

Goal: Determine impact and perform real-world remediation actions.

  • How to assess scope: one host or more?

  • Containment: isolate host, kill process, quarantine file

  • Evidence collection: logs, memory, KAPE snapshot

  • Cleanup: remove persistence, confirm resolution

  • Document actions for SOC/IR records


Unit 9: Capstone Scenario: Full Detection & Response Simulation

Goal: Apply all skills to investigate and respond to a real-world scenario.

  • Scenario: Macro → PowerShell → C2 → Persistence

  • Students will:

    • Investigate detection

    • Perform RTR investigation

    • Draft an escalation ticket

    • Contain the endpoint

    • Complete Falcon Detection Report

  • Peer review and instructor feedback


Unit 10: Resume Building & LinkedIn Optimization

  • Build a job-ready cybersecurity resume

  • Translate bootcamp skills into real job experience

  • LinkedIn keywords and profile visibility tips


Unit 11: Mock Interview & SOC Analyst Role Play

  • SOC analyst mock interview session

  • Scenario-based detection response questions

  • Behavioral interview coaching

  • Role-play: L1 vs L2 SOC escalation drill

1-Month Live Bootcamp / SOC Shift Training

Start Date: Monday, April 14, 2025

End Date: May 16, 2025

Time: 6:30-9:30 PM ET

Days: Monday, Wednesday, & Friday

Program Tuition: $250
