Skip to main content

Incident Handling Course

Enroll Now

About This Course

This course is designed for junior cybersecurity operators and incident handlers to learn the fundamentals of reaction to cybersecurity incidents. It introduces the CSIRT team structure and services their provide for the host organization.

The course attendee will learn the process of incident response from the initial report through all stages of incident lifecycle to a successful resolution. He will learn the common attack techniques used in real world and how to detect them from network traffic. He will learn the mitigation techniques to stop the incident or reduce its impacts on organization infrastructure. Finally, the non-technical aspects of incident response are covered to provide the attendee a guide for proper process and policy management and reporting to the organization upper management.

Meet your lecturer

Course Outline

  • Lesson 1 – CSIRT in an Organization
  • Lesson 2 – Basic Attack Techniques
  • Lesson 3 – Attack Detection, Sharing and Triage
  • Lesson 4 – Defense and Recommendations
  • Lesson 5 – Laws and Reporting


  • Knowledge of computer networking concepts and protocols, and network security methodologies.
  • Knowledge of OSI model and underlying network protocols (e.g., TCP/IP).
  • Knowledge of network protocols such as TCP/IP, Dynamic Host Configuration, Domain Name System (DNS), and directory services.
  • Knowledge of the common networking and routing protocols (e.g. TCP/IP), services (e.g., web, mail, DNS), and how they interact to provide network communications.

Learning Outcomes

  • Track and document cybersecurity defense incidents from initial detection through final resolution.
  • Perform cybersecurity defense incident triage, to include determining scope, urgency, and potential impact; identify the specific vulnerability; and make recommendations that enable expeditious remediation.
  • Receive and analyze network alerts from various sources within the enterprise and determine possible causes of such alerts Coordinate and provide expert technical support to enterprise-wide cybersecurity defense technicians to resolve cybersecurity defense incidents.
  • Write and publish cybersecurity defense techniques, guidance, and reports on incident findings to appropriate constituencies.
  • Knowledge of laws, regulations, policies, and ethics as they relate to cybersecurity and privacy.
  • Creation of reports from the resolution of cybersecurity incidents and reporting to upper management.


  • M. West Brown [et al.], Handbook for Computer Security Incident Response Teams (CSIRTs). 2003.
  • FIRST, Computer Security Incident Response Team (CSIRT) Services Framework: Version 2.1.0. 2019.
  • ENISA, Good Practice Guide for Incident Management. 2010.


    Q: I have an issue with registration/logging in. Who can I contact?
    A: In this case, please contact our edX administrator —
    Q: Do I need some sort of special equipment for passing the course?
    A: No. You don't need any special equipment. You will just basically need a PC or a notebook with an internet connection for studying our course.
    Q: What's the difference between your course and other online courses that seem the same?
    A: Besides the course's theoretical background (during its self-study part), it is primarily focused on practical tasks with hands-on exercises, final an assignment, and one day workshop.
    Q: I have some experience in the field that your course covers. I just need to study topics I am not experienced with. Can I just skip those parts of the course I already know?
    A: The whole self-study part of the course is focused on your own learning process. It means you can study as fast or as slow as you can at the moment. It also includes the content itself — our course allows you to learn just those important parts. But it is crucial to accomplish all mandatory tasks to finish our course.
    Q: What are the conditions for successful completion of the course?
    A: You need to accomplish the course's final assignment and be present at the workshop (which will be followed after the self-study part of the course). The final assignment consists of two parts. They are connected to the workshop, so they are a crucial element of this course.
    Q: What if I find out that the course is not useful for me?
    A: Of course, this can happen. In the first place, we recommend you contact the course administrator to help you anyhow. Even after that, if you still feel that our course does not suit you, just stop studying and let us know.

Sub-project TN01000077/8 CSIRT BootCamp implemented within the project TN01000077 The National Center of Competence for Cybersecurity is solved with the financial support of TA ČR.