Advanced Endpoint Investigations w/ Alissa Torres

Advanced Endpoint Investigations w/ Alissa Torres
16 Hours

Instructors: Alissa Torres

Includes: Live presentation, PDF copy of all of the slides, hands-on labs, exemplar evidence files for analysis, six months of complimentary access to the BHIS Antisyphon Cyber Range, certificate of participation

For most security teams, high operational tempo (measured in dumpster fire lumens) incentivizes analysts to stick to well-tailored playbooks that prioritize remediation at the expense of proper incident scoping and root cause analysis. Though modern endpoint security products have significantly improved host visibility, most critical incidents will require the acquisition and analysis of additional endpoint data. This course focuses on four core investigative competencies: endpoint data collection, investigative triage, incident response pivots, and root cause analysis.
After learning about key endpoint artifact and memory analysis techniques for Windows and Linux, attendees will work through real-world scenarios in hands-on labs. We’ll pivot from initial detection into host triage analysis to discern attackers’ discovery, defense evasion and lateral movement techniques. Attendees will learn to identify key indicators for the generation of high-fidelity detections.


  • Gain fundamental knowledge of modern Windows and Linux host artifacts.
  • Explain logical investigative workflows for host pivoting, data collection, and analysis.
  • Develop an understanding of use cases for incident response host pivots and root cause analysis.


  • Develop host triage collection and analysis skills for effective investigations of Windows and Linux systems.
  • Properly identify file system, OS, and memory artifacts to support timeline creation and attack path reconstruction.
  • Build deductive reasoning and investigative prowess through hands-on exercises built around real-world scenarios.


  • Security Operations/Incident Response analysts
  • Threat Hunters
  • Tactical Threat Intel analysts
  • Digital Forensics investigators
  • Red teamers who want to perfect their operational discipline


  • Basic understanding of Windows and/or Linux OS fundamentals
  • Familiarity with attack path models, threat actor frameworks, and hunt methodologies
  • 1-2 years of experience in security operations, incident response, or threat hunting


  • A computer with minimum specifications of 8GB RAM, 120GB free disk space.
  • System must be able to run a Windows 10 VM with the following minimum specs: 4GB RAM, 80GB disk space, 2 vCPUs.
  • System must be able to connect to wireless network for Internet access.


Attendees will receive a copy of course slides and notes along with a hands-on lab guide detailing step-by-step exercise instructions. In addition, attendees will receive an analyst VM that includes exemplar evidence files from compromised systems.

Alissa Torres is passionate about security operations and empowering analysts to succeed in blue team ops. Her professional experience in various security roles over her career includes forensic investigations, enterprise incident response and threat hunting, security services consulting, and incident response management. Alissa currently serves as the Threat Intel manager at Cigna. Having taught as principal faculty for several pivotal cybersecurity training institutions over the last decade, Alissa has engaged hundreds of skilled professionals around the world, growing a legion of artifact hunters who share a common affinity for adversary tracking. An investigator at heart, she frequently shares accounts of her research discoveries and tales from the trenches at industry conferences.



Tue, September 21, 2021 9:00 AM – 5:00 PM MT

Wed, September 22, 2021 9:00 AM – 5:00 PM MT

Training Type: Virtual

Event: Deadwood 2021

Register to attend this course virtually in September

Mon, November 16, 2022 11:00 AM – 4:00 PM ET

Tue, November 17, 2022 12:00 PM – 4:00 PM ET

Wed, November 18, 2022 12:00 PM – 4:00 PM ET

Thu, November 19, 2022 12:00 PM – 4:00 PM ET

Register to attend this course virtually in November

Join the Wild West Hackin’ Fest Discord server to stay updated on future training and webcasts: Join Our Server!