Investigation Theory Training

My name is Chris Sanders, and I’m a security analyst.

When I first started out, learning how to investigate threats was challenging because there was no formal training available. Even in modern security teams today, most training is centered around specific tools and centers too much around on the job training. It wasn’t hard to learn how to use the tools, but I struggled knowing when to use them and what to look for. It wasn’t that I didn’t have enough data…I was overwhelmed by it.

My investigations all followed a similar path.

After getting an alert I’d look in the obvious places — my go to’s that I would later realize were crutches:

  • Pull the packet capture
  • Look at the HTTP requests
  • Google the alert name to find more context

….but then I’d get overwhelmed.

“What data sources are available?”

“Can I find the host logs based on what information I already have?”

“Is this normal? How can I tell?”

Worse yet, if I did find something interesting I was completely unorganized. I had a dozen browser tabs open, data spread across four terminal windows, and nonsensical notes that I’d wrote 5 minutes earlier and had already forgotten the meaning of.

I was paralyzed.

The longer this went on the more I became overwhelmed. I would eventually just stare at the screen hoping for a sudden moment of clarity and for everything to just click. It never happened.

What was I lacking? I knew plenty of people who were good at this — what skill did they possess that I did not?

I sought out a colleague I knew who is an experienced analyst at a big government agency. He was one of the most skilled members of their threat hunting team and spent his time tracking down nation-state level adversaries. I asked him how he learned to be a good analyst, and he told me, “Chris, being a good analyst isn’t really something you can learn. You’ve either got it, or you don’t. You can’t teach this stuff.”

I call malarky.

After I recoiled from the wave of smugness that had suddenly washed over me, I resolved to strive for something better. Chalking investigative ability exclusively up to natural born traits was an excuse, and I that way of thinking had led me to believe things that forced me to make my own excuses.

3 beliefs that were holding me back

This discussion was a critical moment in my career. It made me realize three ridiculous beliefs that were holding me back. When I figured this out, it changed the way I looked at everything.

I want to share them with you now.

Belief #1: You have to be born with some special sauce to be a good investigator.

WHAT I THOUGHT: Some people were born “naturals” or were simply much smarter than me.

MY EXCUSE: I’ll probably never figure this out because I’m simply not smart enough.

THE TRUTH: We all start in different places, but nearly anyone can achieve some level of success as a security analyst. Some people get it a little sooner than others and that naturally leads them to situations where they get more practice — more interesting data, a better job, etc. This accelerates their learning.

Belief 2: Being a great analyst is all about mastering your tools

WHAT I THOUGHT: I should spend most of my time learning tools. If I can write great Bro scripts or use IDA, then I’ll be able to find attackers on my network and see what they’re doing.

MY EXCUSE: I’m doing everything I can to learn the skills that are important for my job by focusing on the tools of the trade.

THE TRUTH: Knowing how to use your tools is helpful, but when and why to use them is critical. Tools do things like help us retrieve and manipulate data, but where most people get stuck is decided what data to query and how to manipulate it so that answers to important questions become clear.

Belief #3: Investigating security incidents is a completely new and unique concept

WHAT I THOUGHT: The skills involved in investigating alerts and threat hunting are entirely unique to our field.

MY EXCUSE: This knowledge is so specialized that only a small number of people will be able to really grasp it.

THE TRUTH: Investigating things isn’t unique to cybersecurity. Several fields involve some form of investigation — police officers, lawyers, and even doctors. We can leverage the knowledge of these fields and many more to become better blue teamers.

The problem of tacit knowledge

A major problem working in a new field is that much of the knowledge needed to perform the job is tacit — it isn’t written down. That’s why so much learning that happens on the job mostly focuses on just sitting and watching others do it. We can do better.

When security analysis finally began to “click” for me I resolved not just to be good at catching bad guys — I wanted to help others who are going down the same path by developing a course dedicated exclusively to both the theory and practice investigation process.


If you’re a security analyst responsible for investigating alerts, performing forensics, or responding to incidents then this is the course that will help you gain a deep understanding how to most effectively catch bad guys and kick them out of your network. Investigation Theory is designed to help you overcome the challenges commonly associated finding and catching bad guys.

  • I’ve got so many alerts to investigate and I’m not sure how to get through them quickly.
  • I keep getting overwhelmed by the amount of information I have to work with an investigation.
  • I’m constantly running into dead ends and getting stuck. I’m afraid I’m missing something.
  • I want to get started threat hunting, but I’m not sure how.
  • I’m having trouble getting my management chain to understand why I need the tools I’m requesting to do my job better.
  • Some people just seem to “get” security, but it just doesn’t seem to click for me.

Investigation Theory will teach you how to conduct investigations regardless of the toolset. 

Course Format

Investigation Theory is not like any online security training you’ve taken. It is modeled like a college course and consists of two parts: lecture and lab.  The course is delivered on-demand so you can proceed through it at your convenience. However, it’s recommended that you take a standard 10-week completion path or an accelerated 5-week path. Either way, there are ten modules in total, and each module typically consists of the following components:

  • 1 Core Lecture: Theory and strategy are discussed in a series of video lectures. Each lecture builds on the previous one.
  • 1 Bonus Lecture: Standalone content to address specific topics is provided in every other module.
  • 1 Reading Recommendation: While not meant to be read on pace with the course, I’ve provided a curated reading list along with critical questions to consider to help develop your analyst mindset.
  • 1 Quiz: The quiz isn’t meant to test your knowledge, but rather, to give you an opportunity to apply it to reinforce learning through critical thinking and knowledge retrieval.
  • 1 Lab Exercise: The Investigation Ninja system is used to provide labs that simulate real investigations for you to practice your skills.

Investigation Ninja Lab Environment

Investigation Theory utilizes the Investigation Ninja web application to simulate real investigation scenarios. By taking a vendor agnostic approach, Investigation Ninja provides real-world inputs and allows you to query various data sources to uncover evil and decide if an incident has occurred, and what happened. You’ll look through real data and solve unique challenges that will test your newly learned investigation skills. A custom set of labs have been developed specifically for this course. No matter what toolset you use in your SOC, Investigation Ninja will prepare you to excel in investigations using a data-driven approach.

Get stuck in a lab? I’m just an e-mail away and can help point you in the right direction.

Instructor Q&A

This isn’t a typical online course where we just give you a bunch of videos and you’re on your own. The results of your progress, quizzes, and labs are reviewed by me and I provide real-time feedback as you progress. I’m available as a resource to answer questions throughout the course.


  1. Metacognition: How to Approach an Investigation
  2. Evidence: Planning Visibility with a Compromise in Mind
  3. Investigation Playbooks: How to Analyze IPs, Domains, and Files
  4. Open Source Intel: Understanding the Unknown
  5. Mise en Place: Mastering Your Environment with Any Toolset
  6. The Timeline: Tracking the Investigation Process
  7. The Curious Hunter: Finding Investigation Leads without Alerts
  8. Your Own Worst Enemy: Recognizing and Limiting Bias
  9. Reporting: Effective Communication of Breaches and False Alarms
  10. Case Studies in Thinking Like an Analyst

Plus, several bonus lectures!


The course and lab access are $647 for a single user license. Discounts are available for multiple user licenses where at least 10 seats are purchased (please contact me to discuss payment). A portion of the purchase price will go to support multiple charities including the Rural Technology Fund and others.

You’ll receive:

  • 6-mo Access to Course Videos and Content
  • 6-mo Access to Investigation Ninja
  • Access to Chris Sanders online “office hours” held periodically
  • A Certification of Course Completion
  • Continuing Education Credits (CPEs/CEUs)

Register Now for Just $647


Contact Me for On-Site Inquiries (2-Day Course + Online Access):