Incident Response & Recovery

Detect → contain → eradicate → recover. Prove control under pressure.

Overview

Incident response is the discipline of identifying threats, containing damage, restoring operations, and
learning from incidents to prevent recurrence. Cloud IR relies heavily on identity logs, telemetry,
automation, and rapid containment. This pillar covers foundational Security+ threat analysis labs,
packet capture and forensics, and cloud-native response workflows for Microsoft and AWS.

Completed Labs

No completed labs yet — this pillar is currently being built.

In Progress Labs

Lab 06

Vulnerability Checks with OpenVAS

Scope · scan · validate · report

Lab 08

NIDS/HIDS Alert Analysis

Host & network intrusion signals

Lab 22

Packet Capture & Traffic Analysis

PCAP workflow · evidence extraction

Lab 23

Incident Response Procedures

Containment → eradication → recovery

Lab 25

Forensic Analysis with Autopsy

Disk triage · deleted file recovery

Advanced Incident Response Labs

Cloud-native response, containment, and recovery workflows.

Advanced

Intune Conditional Wipe / Retire

Rapid containment for compromised devices

Advanced

Backup & Restore — VM/DB Recovery

Snapshots · RPO/RTO validation

Advanced

Microsoft Sentinel — Incident → Response

Rule → alert → incident → automation

Advanced

AWS GuardDuty — Containment Runbook

Instance isolation · key rotation · revoke creds