Evidence Incident Response
RCCE students will learn audit evidence collection, management, and presentation including evidence types, collection methodologies, evidence repositories, and evidence lifecycle management. RCCE students will learn to identify the types of evidence required for various compliance frameworks, develop evidence collection procedures that produce consistent and reliable results, configure automated evidence collection from security tools and systems, manage evidence repositories with proper access controls and versioning, validate evidence quality and completeness, present evidence packages to internal and external auditors, and maintain evidence retention schedules that meet regulatory requirements. This incident response course prepares students to act decisively during security incidents with structured workflows and clear decision frameworks. At an expert level, RCCE students will learn containment, evidence collection, eradication, and recovery procedures specific to this domain. Students practice incident scenarios that build the composure, coordination, and documentation skills essential for effective incident handling.
- Security Engineers building defensive controls
- Security Analysts and Blue Team members
- Systems Administrators with security responsibilities
- GRC and Risk Professionals supporting controls
- Professionals implementing Evidence Incident Response
- Build detections and response workflows for privilege escalation
- Explain Executive Overview fundamentals
- Monitor and audit privilege usage; detect escalation attempts
- Build detections and response workflows for privilege escalation, including Collection, custody, and presentation of, and Structured containment and eradication.
- Execute hands-on tasks for strategic importance
- Execute hands-on tasks for legal defensibility
- Execute hands-on tasks for incident velocity
- Execute hands-on tasks for core definitions & terminology
- Execute hands-on tasks for evidence repository
| Module 01 | Evidence & Incident Response |
| Module 02 | Executive Overview |
| Module 03 | Audit Evidence Management |
| Module 04 | Incident Response Operations |
| Module 05 | Strategic Importance |
| Module 06 | Audit Readiness |
| Module 07 | Legal Defensibility |
| Module 08 | Incident Velocity |
| Module 09 | Core Definitions & Terminology |
| Module 10 | Audit Evidence |
| Module 11 | Incident Response |
| Module 12 | Evidence Repository |
| Module 13 | Key Evidence Types |
| Module 14 | Control Basis |
All hands-on labs run on Rocheston Rose X OS. Students practice evidence incident response by implementing the controls discussed in class, with a focus on real-world deployment, monitoring, and validation.
- Lab 1: Build detections and response workflows for privilege escalation
- Lab 2: Explain Executive Overview fundamentals
- Lab 3: Monitor and audit privilege usage; detect escalation attempts
- Lab 4: Build detections and response workflows for privilege escalation
- Lab 5: Execute hands-on tasks for strategic importance
Upon successful completion of this course, students will receive an official RCCE Course Completion Certificate for Evidence Incident Response, verifiable through the Rocheston certification portal.
- Full access to all course materials and slide decks
- Hands-on lab access on Rocheston Rose X OS environment
- Access to Rocheston CyberNotes
- Access to Rocheston Zelfire — EDR/XDR SIEM platform
- Access to Rocheston Raven — online cyber range exercise platform
- Access to Rocheston Vulnerability Vines AI