Skip navigation

Investigation Theory

My name is Chris Sanders, and I’m a security analyst.

When I first started out, learning how to investigate threats was challenging because there was no formal training available. Even in modern security teams today, most training is centered around specific tools and centers too much around on the job training. It wasn’t hard to learn how to use the tools, but I struggled knowing when to use them and what to look for. It wasn’t that I didn’t have enough data…I was overwhelmed by it.

My investigations all followed a similar path.

After getting an alert I’d look in the obvious places — my go to’s that I would later realize were crutches:

  • Pull the packet capture
  • Look at the HTTP requests
  • Google the alert name to find more context

But then I'd become overwhelmed...

What data sources are available…….?
Can I find the host logs based on what information I already have…..?
Is this normal? How can I tell?

Worse yet, if I did find something interesting I was completely unorganized. I had a dozen browser tabs open, data spread across four terminal windows, and nonsensical notes that I’d wrote 5 minutes earlier and had already forgotten the meaning of.

I was paralyzed.

The longer this went on the more I became overwhelmed. I would eventually just stare at the screen hoping for a sudden moment of clarity and for everything to just click. It never happened.

What was I lacking? I knew plenty of people who were good at this — what skill did they possess that I did not?

I sought out a colleague I knew who is an experienced analyst at a big government agency. He was one of the most skilled members of their threat hunting team and spent his time tracking down nation-state level adversaries. I asked him how he learned to be a good analyst, and he told me, “Chris, being a good analyst isn’t really something you can learn. You’ve either got it, or you don’t. You can’t teach this stuff.”

I call malarky.

After I recoiled from the wave of smugness that had suddenly washed over me, I resolved to strive for something better. Chalking investigative ability exclusively up to natural born traits was an excuse, and that way of thinking had led me to believe things that forced me to make my own excuses.

3 Beliefs That Were Holding Me Back

This discussion was a critical moment in my career. It made me realize three ridiculous beliefs that were holding me back. When I figured this out, it changed the way I looked at everything.

I want to share them with you now.

Belief #1: You have to be born with some special sauce to be a good investigator.

WHAT I THOUGHT: Some people were born “naturals” or were simply much smarter than me.

MY EXCUSE: I’ll probably never figure this out because I’m simply not smart enough.

THE TRUTH: We all start in different places, but nearly anyone can achieve some level of success as a security analyst. Some people get it a little sooner than others and that naturally leads them to situations where they get more practice — more interesting data, a better job, etc. This accelerates their learning.

Belief 2: Being a great analyst is all about mastering your tools

WHAT I THOUGHT: I should spend most of my time learning tools. If I can write great Bro scripts or use IDA, then I’ll be able to find attackers on my network and see what they’re doing.

MY EXCUSE: I’m doing everything I can to learn the skills that are important for my job by focusing on the tools of the trade.

THE TRUTH: Knowing how to use your tools is helpful, but when and why to use them is critical. Tools do things like help us retrieve and manipulate data, but where most people get stuck is decided what data to query and how to manipulate it so that answers to important questions become clear.

Belief #3: Investigating security incidents is a completely new and unique concept

WHAT I THOUGHT: The skills involved in investigating alerts and threat hunting are entirely unique to our field.

MY EXCUSE: This knowledge is so specialized that only a small number of people will be able to really grasp it.

THE TRUTH: Investigating things isn’t unique to cybersecurity. Several fields involve some form of investigation — police officers, lawyers, and even doctors. We can leverage the knowledge of these fields and many more to become better blue teamers.

The problem of tacit knowledge

A major problem working in a new field is that much of the knowledge needed to perform the job is tacit — it isn’t written down. That’s why so much learning that happens on the job mostly focuses on just sitting and watching others do it. We can do better.

When security analysis finally began to “click” for me I resolved not just to be good at catching bad guys — I wanted to help others who are going down the same path by developing a course dedicated exclusively to both the theory and practice investigation process.



If you’re a security analyst responsible for investigating alerts, performing forensics, or responding to incidents then this is the course that will help you gain a deep understanding how to most effectively catch bad guys and kick them out of your network. Investigation Theory is designed to help you overcome the challenges commonly associated with finding and catching bad guys.

  • I’ve got so many alerts to investigate and I’m not sure how to get through them quickly
  • I keep getting overwhelmed by the amount of information I have to work with an investigation
  • I’m constantly running into dead ends and getting stuck. I’m afraid I’m missing something.
  • I want to get started threat hunting, but I’m not sure how.
  • I’m having trouble getting my management chain to understand why I need the tools I’m requesting to do my job better.
  • Some people just seem to “get” security, but it just doesn’t seem to click for me.

Investigation Theory will teach you how to conduct investigations regardless of the toolset by focusing on the mental models used by experts.

Course Format

Investigation Theory is not like any online security training you’ve taken. It is modeled like a college course and consists of lectures, labs, and exercises where you'll receive individualized feedback.  The course is delivered on-demand so you can proceed through it at your convenience. However, it’s recommended that you take a standard 10-week completion path or an accelerated 5-week path. Either way, there are ten modules in total, and each module typically consists of the following components:

  • Core Lectures: Theory and strategy are discussed in a series of video lectures. Each lecture builds on the previous one.
  • Bonus Lectures: Standalone content to address specific topics for those who want to dive deeper into a topic or apply the material in unique ways
  • Reading Recommendation: While not meant to be read on pace with the course, I’ve provided a curated reading list along with critical questions to consider to help develop your analyst mindset.
  • Formative Exercises: You'll participate in unique exercises that allow you to apply what you've learned and make it useful to you. By approaching concepts from multiple different perspectives, you'll better retain and apply what you're learning. I'll also provide you with feedback from to help coach you along the way.
  • Lab Exercises: The Investigation Ninja system is used to provide labs that simulate real investigations for you to practice your skills.

Investigation Ninja Lab Environment

Investigation Theory utilizes the Investigation Ninja web application to simulate real investigation scenarios. By taking a vendor agnostic approach, Investigation Ninja provides real-world inputs and allows you to query various data sources to uncover evil and decide if an incident has occurred, and what happened. You’ll look through real data and solve unique challenges that will test your newly learned investigation skills. A custom set of labs have been developed specifically for this course. No matter what toolset you use in your SOC, Investigation Ninja will prepare you to excel in investigations using a data-driven approach.


Get stuck in a lab? I’m just an e-mail away and can help point you in the right direction.

Evidence Overview Lessons

Expert analysts are skilled at collecting and manipulating diverse forms of digital evidence. In Investigation Theory, I provide a framework that will help you more quickly understand the capabilities of interpretation of evidence to accelerate how you gain experience in this area. Along with that framework, I created several evidence overview lessons that provide an introduction to the most common data sources from an analysts perspective. For each evidence source you'll learn which investigative questions it can be used to answer, how to interpret it, and see demos of common collection and analysis tools. I'll also provide a deliberate practice plans that you can use to continue experimenting with common evidence sources. These evidence overview lessons include topic areas such as Windows event logs, flow records, web proxy logs, email transaction logs, and more.

Instructor Q&A

This isn’t a typical online course where we just give you a bunch of videos and you’re on your own. The results of your progress, labs, and exercises are reviewed by me and I provide real-time feedback as you progress. I’m available as a resource to answer questions throughout the course. Whenever you are when you come to the course, I'm going to meet you there and help push you forward.


  • The Investigation Process: Diagnostic Inquiry -- The first lesson will introduce the concepts we'll use to develop your analysis skills. I'll describe our first two mental models, the attack timeline and the diagnostic inquiry model of investigations. These models will define how you approach and utilize evidence and represent attacks. You'll also learn about the power of metacognition.
  • Evidence: Knowing Where to Look When You Hear Hoofbeats -- Before you can ask the right questions, you must understand the realm of possibilities represented by available evidence. I'll describe mental models for organizing evidence and understanding the nuance inherent to using it. I'll also provide frameworks for documenting and learning about your evidence.
  • Questions: A Question Well Stated is a Problem Half-Solved -- The thing that sets expert analysts apart more than anything else is the ability to ask the right question at the right time. This lesson will describe several mental models and techniques asking better investigative questions.
  • Decisions: Making Meaning from Data -- Analysts thrive on the ability to derive meaning from evidence. In this lesson, you'll learn different techniques for finding meaning in data and how your observations represent cues that lead to decisions.
  • Transforming Data: Finding Answers in Evidence -- Even if you know where to look, many of the answers you seek won't just jump right out at you. This lesson will describe the techniques used to investigate evidence: graphs, aggregations, pivots, statistics, and search.
  • Investigation Playbooks: How to Use Inductive Reasoning to Predict Questions and Gain Efficiency -- Some of the investigation inputs you'll encounter will lend themselves to predictable questions. These make up the basis for playbooks. This lesson will show you how to create simple, but effective investigation playbooks building on what you've learned so far.
  • Threat and Open Source Intel: Understanding the Unknown -- You must be able to leverage collective intelligence to understand the context of the events you investigate. This lesson provides a framework for pursuing open source intelligence data for researching external threats.
  • The Curious Hunter: Finding Investigation Leads without Alerts -- Threat hunting is a form of investigation where the responsibility of finding the initial detection lead falls on the human analyst. This lesson introduces two mental models for practically approaching hunting, how to develop hunting skills, and pitfalls associated with these investigations.
  • Your Own Worst Enemy: Recognizing and Limiting Bias -- Bias is inherent to the human condition and it is both a good and bad thing. This lesson discusses the nature of bias and the numerous ways it can affect your investigations. I'll also describe mental models for helping identify and diminish the negative affects of bias.
  • Reporting: Effective Communication of Breaches and False Alarms -- Your investigative work doesn't matter if you can't effective express your findings. This lesson will teach you how to use storytelling to better express your findings and provides metrics for measuring investigation success.

Plus, several bonus lectures on topics like alert triage strategy, specific analytic techniques, and the concept of "mise en place" to master your analysis environment.

You can view the detailed course syllabus here.

Investigation Theory includes:

  • Over 30 hours of demonstration videos. These videos will provide the theoretical foundations of the investigation process, mental models for effective investigations, and SOC best practices to tie these to your workflow.
  • Hands-on labs to help you develop and test your skills. You’ll complete lab exercises in the Investigation Ninja tool. Review network security alerts and investigate them using actual data. These labs are designed to challenge you and force you to think through the process of building an intrusion timeline and asking the right questions.
  • Participation in our student charitable profit sharing program. A few times a year we designate a portion of our proceeds for charitable causes. AND students get to take part in nominating charities that are important to them to receive these donations.
  • 6 months access to course video lectures and lab exercises with the Investigation Ninja tool. You can extend access later if you need more time.
  • Access to Chris Sanders online “office hours” held periodically
  • A Certification of Completion
  • 30 Continuing Education Credits (CPEs/CEUs)

Student Testimonials

“Investigation Theory is a course that focuses on purposeful, self-aware, and objective approaches to investigation. It can help a novice springboard their start into security analysis and can give the veteran threat hunter new approaches to most efficiently guide an investigation from triage to resolution. I would consider this mandatory training for any Security Analyst, whether fresh or seasoned. I was surprised by how immediately applicable a lot of the lessons are. I work for a large enterprise, but every module here had lessons that both helped me as an individual and also allowed me to bring some efficiencies and improvements to the business. This was a fantastic course that has allowed me to improve in a very short time. It’s not every day that you get a master of their craft breaking down the discipline into its respective parts, to allow concrete practice for a discipline that often gets mired in illusions of what it means to “know security”. Thank you!” – Michael Kuchera

“Investigation Theory is the course that you want to take to learn how to be or improve on being an analyst. I would consider this course a MUST have before focusing on tools. Wish I would have had this course when I started down this whole analyst path. This is the only course that have come across that actually focuses on the whys and whens and not just a bunch of tools and how to use them. Hands down one of the best if not the best course I have taken. It made me think and work through my thoughts in such a way that feel like I own the material learned. Thank you for leading this horse to water. ” – James Ducroiset

“This should be a pre-requisite for kickstarting your SOC career or internal blue team position.” – Haydn Johnson

“TAKE THIS COURSE! Coming into a job as a new security analyst is largely overwhelming and fast paced. You need to be quick and this course helps you learn what to expect in order to quickly dive into the workload. I really like the metacognition and idea of thinking about thinking. In this field, you always have to be thinking like an attacker. What’s next, where else could an intruder go? You have to ask yourselves these types of questions when covering an investigation to account for the entire scope.” – Mike Cusack

“Investigation Theory provides a solid foundation for those transitioning into an analyst role for the first time, but even the experienced analyst will gain something from it. It’s one of the few courses that doesn’t focus as much on technical details and more on approaches.” – James Dietman

“I needed an orientation kind of course to start my journey into this domain. Although I had exposure and knew the content I wanted an experienced person like Chris to walk me through the domain and the craft. Was not disappointed. I would highly recommend this for any beginner or somebody who knows a lot but is confused as to whether he/she is on the correct path or not, happens with the deluge of information we have today on the internet.” – Vikrant Navalgund

“The course is valuable for new and experienced individuals. For the new, it provides a good baseline into an investigation. For the experienced it provides a refresher and potential expansion of already attained skills.” – Marcus

“This is a well structured course that covers many of the topics concerning those who work in a SOC, the most important one being how to approach an investigation in a tool agnostic manner. Many times we do go throughout our alerts without bringing up the right questions and the course does an excellent job of re- enforcing those ideas. Again, most importantly it shows that though tools may change, the concepts are not.” – Matias, SOC Analyst

“The labs were cool. When you hear simulation, sometimes you think of those boring government simulations you have to complete to check off some box for compliance. But you could tell that the instructor really took his time to make the labs enjoyable and instructive.” – Pushkar, SOC Analyst

“The course re-ignited my passion for doing stuff at home and actually gave me direction in figuring out what I wanted to learn next. It helped give me a framework for handling situations and, it gave me a confidence I didn’t have before… that’s probably the most valuable part of this.” – David, Security Manager

“I learned the thought patterns of Security Analysts and that their duties are vastly different than that of a system admin. The course has given me the ability to create “a space” using a wiki, the hive and visjs that allows my management team to look into what I’m doing. They have a way to see what I’m doing and the value I provide.” – Brook, New to Infosec

“I would highly recommend this course to seasoned Blue Team Veterans and newbies alike. This course teaches one how to think like an analyst and think critically when it comes to responding to security incidents.” – Tony Robinson, Security Analyst

“I finally understand what all the fuss is about playbooks and I can support this exercise from now on. It’s not about step by step instructions which I feared trapped non innovative analysts into routines. It’s about providing that suggested next step for them to think on their own.” – Mike, Consultant

“The investigation theory course is probably one of the best course that I have taken, the content is very handy for noobs and experimented investigators, Chris shows the right path to be a better investigator. I learned the right way to deal with investigations, I think that the labs are the perfect tool to learn and practice.” – Daniel Rodriguez

“I could find many courses that taught tool usage, but none cover the steps in an investigation. Some only mention them with nothing to explain how to move through an investigation. This course focuses on a subject that isn’t taught in any other courses I have found – how to successfully refine your thought process to move through an investigation, not just how to use the tools. The questioning procedure really helps focus on what is important and what resource to use next. I loved the lab setup as well. I have asked past instructors about how to create home labs and most gave answers that were not helpful. As a group, we need to get better at helping others with different thought processes.” – Marsha Miller

“This course teaches you how to think like an analyst. It trains you to understand the why of what you do, not just the job itself. In developing repeated patterns of increasing knowledge, you better yourself as an analyst. The development of the mind to hands-on work correlated very well. You learn how to think then go right into a lab to apply what you just learned. Well written.” – Joshua Coppola

“Whether you are at the beginning of your InfoSec journey or an experienced Analyst, the topics covered in the Investigative Theory course will improve you as an Analyst and Incident Responder.” – Rylan

“I would recommend this course to anyone who wants to be an analyst (of any area) or people who want to improve their way of thinking” –  Meng-Hsun Chung

“It is of paramount importance to think about how you think, how you approach investigations and formulate questions and hypotheses. This course tells you ways to do exactly that, or at least be cognizant.” – Chris Wilhelm

“It’s a great course. Whether you’re a beginner trying to find your footing or whether an expert the structure and content that is laid out is incredibly useful.” – Alejandro

“This was great! If you already have a good technical background and you are interested in better understanding the theory and process of conducting investigations, this is the class for you. I hope you produce many more courses similar to this one on other related topics. ” – W. David Winslow

“All parts of the course provide valuable information to help with investigations and metacognition. Even if you think you know everything this course has something for you.” – Justin Trejo

Join Investigation Theory Now for Just $647

This course is also offered as a two-day on-site class taught at your organization. This includes access to the online course material for all attendees. Contact Us for On-Site Inquiries (2-Day Course + Online Access)

Bulk discounts are available for organizations that want to purchase multiple licenses for this Investigation Theory training course. Please contact us to discuss payment and pricing.