search menu icon-carat-right cmu-wordmark

Advanced Incident Handling

This five-day course, designed for computer security incident response team (CSIRT) technical personnel with several months of incident handling experience, addresses techniques for detecting and responding to current and emerging computer security threats and attacks that are targeted at a variety of operating systems and architectures.

Building on the methods and tools discussed in the Fundamentals of Incident Handling course, this course provides guidance that incident handlers can use in responding to system compromises at the privileged (root or administrator) level. Through interactive instruction, facilitated discussions, and group exercises, instructors help participants identify and analyze a set of events and then propose appropriate response strategies.

Participants work as a team throughout the week to handle a series of escalating incidents that are presented as part of an ongoing scenario. Work includes team analysis of information and presentation of findings and response strategies. Participants also review broader aspects of CSIRT work such as computer forensics, artifact analysis; vulnerability handling; and the development of advisories, alerts, and management briefings.

This CERT incident handling course, which provides a well-rounded understanding of incident handling practices and functions, can be used to prepare for the CERT-Certified Incident Handler Certification. Before registering for this course, participants are encouraged to attend the companion course, Fundamentals of Incident Handling.


  • current computer security incident response team (CSIRT) technical staff with three to six months incident handling experience
  • system and network administrators responsible for identifying and responding to security incidents


This course will help participants to

  • detect and characterize various attack types
  • understand the complexity of and effectively respond to privileged and major events and incidents within your CSIRT
  • gain a practical understanding of various methods for analyzing artifacts left on a compromised system
  • explore new developments in the area of computer forensics
  • obtain practical experience in the analysis of vulnerabilities and the coordination of vulnerability handling tasks
  • formulate effective advisories, alerts, and management briefings


  • understanding issues and challenges in handling privilege compromise incidents
  • detecting, analyzing, and responding to various types of malicious activity such as the use of rootkits, botnets, and distributed denial of service attacks
  • responding to insider threats and attacks
  • handling major computer security events and incidents
  • understanding the role of computer forensic analysis in incident handling
  • performing artifact analysis
  • understanding the fundamental causes of vulnerabilities
  • analyzing and coordinating response to reported vulnerabilities
  • publishing effective CSIRT information


Participants will receive a course notebook and a downloadable copy of course materials.


Before registering for this course, it is recommended that participants attend the Fundamentals of Incident Handling course. It is also recommended that participants have the following:

  • at least three to six months of incident handling experience
  • an understanding of Internet services and protocols
  • experience with the administration of Windows and Unix systems
  • an understanding of basic programming concepts
  • experience with various types of computer security attacks, response strategies, incident handling tools

It is recommended but not required that participants also have experience programming in C, Perl, Java, or similar languages.

Dates Offered

Course Fees [USD]

  • International: $6,000.00
  • Industry: $3,000.00
  • Govt/Academic: $2,400.00


This five-day course meets at the following times:

Days 1-4, 8:30 a.m.-4:30 p.m.
Day 5, 8:30 a.m.-2:30 p.m.

This course may be offered by special arrangement at customer sites. For details, please email or telephone at +1 412-268-7622.

Course Questions?

Phone: 412-268-7388
FAX: 412-268-7401

Related Courses

  • Creating a Computer Security Incident Response Team

    1 - Day Course

    This one-day course is designed for managers and project leaders who have been tasked with implementing a computer security incident response team (CSIRT). This course provides a high-level overview of the key issues and decisions that must be addressed in establishing a CSIRT. As part of the course, attendees will develop an action plan that can...

    Learn More
  • Fundamentals of Incident Handling

    5 - Day Course

    This five-day course is for computer security incident response team (CSIRT) technical staff who have little or no incident handling experience. It provides a basic introduction to the main incident handling tasks and critical thinking skills that will help an incident handler perform their daily work. It is recommended to those new to incident...

    Learn More
  • Information Security for Technical Staff

    5 - Day Course

    This five-day course is designed to provide participants with practical techniques for protecting the security of an organization's information assets and resources, beginning with concepts and proceeding on to technical implementations. The course focuses on understanding and applying the concept of survivability through the effective management...

    Learn More
  • Managing Computer Security Incident Response Teams

    3 - Day Course

    This three-day course provides current and future managers of computer security incident response teams (CSIRTs) with a pragmatic view of the issues that they will face in operating an effective team. The course provides insight into the work that CSIRT staff may be expected to handle. The course also provides prospective or current managers with...

    Learn More

Training courses provided by the SEI are not academic courses for academic credit toward a degree. Any certificates provided are evidence of the completion of the courses and are not official academic credentials. For more information about SEI training courses, see Registration Terms and Conditions and Confidentiality of Course Records.