Forge Exclusive

From SOC analyst to DFIR investigator.

14 modules. 40+ hours of theory, walkthroughs, and labs. An 8-image capstone with memory dumps. The same tools real DFIR consultants reach for. Built by a working practitioner.

Get Instant Access See what's inside ↓

Day 1 access on annual No job promises

By the numbers

Modules

40+

Hours of content

10+

Industry tools

8-image capstone

01 / The reality

A lot of companies don't have fancy security tooling. They don't even have the right audit policies in place.

So what happens when one of those companies gets compromised? How do you conduct an investigation when there is no centralized logging?

That's exactly why I built this course. To help you become the person who can step in when a company needs it most.

02 / How every module is built

Theory. Walkthrough. Lab.

Every single module follows the same rhythm. Every artifact covered in theory has a walkthrough. Nothing is skipped.

Theory

I cover the artifact, what it is, and why it matters. Without the theory, the rest doesn't stick.

Walkthrough

I generate the artifact live, run it through the common tools, and walk through how to read the output.

Lab

You parse the artifact yourself. Each lab adds to your investigation timeline. Piece by piece, the case comes together.

03 / The 14 modules

One investigation. Built across 14 modules.

As you progress, your timeline grows and the investigation comes together piece by piece. By the end, you've worked a full intrusion from initial phish to final report.

DFIR Foundations

Phishing & LNK Analysis

NTFS Artifacts

Evidence of Execution

Persistence

User Activity

Network Forensics

Lateral Movement

Linux Forensics

Azure & BEC

Memory Forensics

Timeline Analysis

Reporting + TEMPLATES

Enterprise IR (EDR)

Plus mini-labs throughout to give you extra reps on individual artifacts.

04 / The capstone

8 images. 8 memory dumps.

No hand-holding. No guided walkthrough.

You work it like a consultant would. Pull the artifacts. Build the timeline. Correlate across hosts. Write the report.

Walk into an interview and talk about a real end-to-end investigation that you ran yourself. Not a tutorial you watched. Not a lab you followed.

05 / The toolkit

The same tools real DFIR consultants reach for.

If you've seen the name in a DFIR job posting, it's probably in here.

$ tools --installed
→ volatility3 · memprocfs · kape
→ plaso · log2timeline · psort
→ eric_zimmerman_tools · sysinternals
→ wireshark · zeek · tcpdump
+ many more
    

06 / Who this is for

Be honest with yourself before you join.

This course works for one specific person. Make sure that's you.

YES - built for you if

You're a SOC analyst comfortable triaging alerts, you understand the basics of how a SOC operates, and you're ready to take the next step into actually investigating intrusions.

NOT for raw beginners

If you've never touched a SIEM, never triaged an alert, and you're still figuring out what a SOC analyst even does, start with the 90-Day SOC Accelerator first. It's also in the Forge.

NOT for seasoned IR consultants

If you're already five or ten years deep into incident response, you've probably seen most of this material. This is built for the analyst past the basics, ready to become an incident responder.

07 / Where the course lives

The DFIR course is Forge exclusive.

No standalone purchase. The course teaches the artifacts and tools. The Forge gives you the SOC Simulator, monthly challenges, Sunday calls, and the community of analysts running the same path.

08 / The price

Two ways into the Forge.

FASTEST ACCESS

Annual

$999 /year

Save $189 vs monthly

DFIR Course unlocked Day 1
Full 90-Day SOC Accelerator
SOC Simulator from Day 1
Monthly challenges + Sunday calls

Join the Forge (Annual)

Monthly

$99 /month

SOC Accelerator first, then DFIR

DFIR Course at Day 100
Accelerator drips daily
SOC Simulator from Day 1
Cancel anytime

Join the Forge (Monthly)

Already a Forge monthly member? Upgrade to annual →

09 / Common questions

Things people ask before they join.

Can I buy this course standalone?

No. The course is included with Forge membership. The community, simulator, and live calls are part of why it works.

Is this a quick course?

No. It's deep. It has to be, because DFIR is deep. If you want to actually do this work, the time you spend in the material is what makes the difference.

Do you guarantee a job?

No. We give you real artifact experience, a capstone you can talk through, and the working tools used in the field. Interviews are still up to you.

What if I cancel Forge after starting?

You lose access. Forge is a membership, not a one-time purchase. The standalone SOC Analyst Course at $499 is a different product if owning content matters more.

Stop reading about DFIR.
Start doing it.

Real artifacts. Real walkthroughs. Real tools. The work that takes you from triage to leading the investigation.

Get the Course With Forge Annual

$999/year · Day 1 access