Windows Incident Response
RCCE students will learn Windows endpoint security including OS hardening, Group Policy configuration, Windows Defender features, registry security, PowerShell security, and Windows logging architecture. RCCE students will learn to harden Windows operating systems following CIS Benchmarks and STIG guidelines, configure Group Policy for security enforcement, manage Windows Defender Antivirus, Firewall, and Exploit Guard, secure PowerShell execution environments, implement Windows event log collection for security monitoring, detect and investigate Windows-based attacks including credential theft, lateral movement, and persistence techniques, and manage Windows security updates and patch deployment. This incident response course prepares students to act decisively during security incidents with structured workflows and clear decision frameworks. At an expert level, RCCE students will learn containment, evidence collection, eradication, and recovery procedures specific to this domain. Students practice incident scenarios that build the composure, coordination, and documentation skills essential for effective incident handling.
- Endpoint Security Engineers and EDR Analysts
- Windows and macOS Administrators managing privileges
- Identity and Access Management Engineers
- IT Security Operations Leads reducing attack surface
- Professionals implementing Windows Incident Response
- Build detections and response workflows for privilege escalation
- Execute hands-on tasks for advanced cyber defense mastery
- Execute hands-on tasks for dominant attack surface
- Execute hands-on tasks for incident impact — covering Windows runs 75%+ enterprise endpoints, Ransomware median dwell: 5 days.
- Execute hands-on tasks for compliance requirements — covering OS hardening reduces attack surface 60%+.
- Execute hands-on tasks for structured ir cuts containment time — covering CIS Benchmarks & DISA STIGs required.
- Execute hands-on tasks for security incident
- Design a scalable privilege management architecture with policy and enforcement
- Execute hands-on tasks for application layer
- Execute hands-on tasks for defense services
- Integrate privilege controls with identity providers and SIEM telemetry
| Module 01 | Windows Incident Response |
| Module 02 | Advanced Cyber Defense Mastery |
| Module 03 | Dominant Attack Surface |
| Module 04 | Incident Impact |
| Module 05 | Compliance Requirements |
| Module 06 | Structured IR cuts containment time |
| Module 07 | Core Incident Response Definitions |
| Module 08 | Security Incident |
| Module 09 | Windows Endpoint Security Architecture |
| Module 10 | Application Layer |
| Module 11 | Defense Services |
| Module 12 | Identity & Access |
| Module 13 | Logging & Telemetry |
| Module 14 | Account Policies |
All hands-on labs run on Rocheston Rose X OS. Students practice windows incident response by implementing the controls discussed in class, with a focus on real-world deployment, monitoring, and validation.
- Lab 1: Build detections and response workflows for privilege escalation
- Lab 2: Execute hands-on tasks for advanced cyber defense mastery
- Lab 3: Execute hands-on tasks for dominant attack surface
- Lab 4: Execute hands-on tasks for incident impact
- Lab 5: Execute hands-on tasks for compliance requirements
Upon successful completion of this course, students will receive an official RCCE Course Completion Certificate for Windows Incident Response, verifiable through the Rocheston certification portal.
- Full access to all course materials and slide decks
- Hands-on lab access on Rocheston Rose X OS environment
- Access to Rocheston CyberNotes
- Access to Rocheston Zelfire — EDR/XDR SIEM platform
- Access to Rocheston Raven — online cyber range exercise platform
- Access to Rocheston Vulnerability Vines AI