DFIR NetWars and Continuous

An incident simulator with forensic, malware analysis, threat hunting, and incident response case scenarios to help you expand your DFIR capabilities.

Challenge yourself before the enemy does!

Digital Forensics, Incident Response, and Threat Hunting scenarios demand that practitioners apply unique skills to accurately overcome their job's daily obstacles. Technology changes and intelligent adversaries require them to keep their skills sharp and ahead of the curve. Staying up to date with the latest challenges in their field demands analytical skills that cannot be gained by just reading a textbook. Just as firemen could never learn how to fight a fire by studying theory alone, incident responders, threat hunters, and digital forensic investigators can only obtain their needed proficiency when an incident occurs. Unfortunately, gaining this proficiency could have serious consequences, as mistakes can potentially damage a whole investigation or place an organization at higher risk.

DFIR NetWars is an incident simulator packed with a vast number of forensic, malware analysis, threat hunting, and incident response challenges designed to help you gain proficiency without the risk associated with working real-life incidents. It is unique in that it provides time-limited challenges that can be used to test the skills you've mastered and, at the same time, help you identify the skills you are missing. It is designed to test and sharpen each participant's skills in individual or team-based "firefight" settings, which enable participants to:

  • Engage in interactive case scenarios that teach them effective ways to solve even the most complex challenges.
  • Obtain the latest hands-on training available from incident responders, threat hunters, and forensic analysts facing the most complex challenges in stopping data breaches and solving crimes.
  • Learn in a safe environment where they can discover possible mistakes, identify the skills they might be missing, and ultimately be prepared to apply their knowledge when a real incident occurs.

Topics Include:

  • Digital Forensics
  • Incident Response
  • Threat Hunting
  • Malware Analysis
  • Smartphone Forensics
  • Windows Forensics
  • MacOS and iOS Forensics
  • Network Forensics
  • Memory Forensics

DFIR NetWars allows you to:

  • Learn in a fun, interactive environment: Sharpen new skills with fun "game-like" scenarios. Each of these scenarios teaches you to apply the right skill at the right time, and under the right conditions to accurately solve critical challenges.
  • Build your skills regardless of your expertise level: Anybody can play! No matter if you are new to the field or a seasoned forensicator or threat hunter, DFIR NetWars features different levels to help you improve your skill set, or show you where you might need improvement.
  • Take hints to develop your skills faster: An innovative Automated Hint System helps you identify the most efficient way of solving challenges, or helps you determine when you've found an even better way of conquering obstacles. Requesting a hint does not impact your score at all, but the number of hints you have taken will be displayed as a separate column on the scoreboard.
  • Free yourself from tool limitations: It is not the tool that makes a good forensicator, but being able to apply the tool or technique at the right time and under the right conditions to accurately solve critical challenges. Each level is designed to not only exercise your capabilities to solve a particular problem, but teach you proper analysis techniques regardless of the tool you use.
  • Evaluate and show your performance: Walk away with confidence in your abilities and a scorecard that illustrates the areas in which you have demonstrated deep skills and knowledge.
  • Apply what you learn immediately: Master real-world tactics and techniques that can be applied to real-life cases as soon as you learn them.

Scenarios & Levels

DFIR NetWars participants will navigate evidence from the various Digital Forensics and Incident Response disciplines, including Windows, Mac and Smartphone hosts, Network data, Memory Images, Malware samples, and more. The questions range between low-level artifacts and high-level behavioral observations across four different levels. While the first levels may seem straightforward, participants will soon realize the importance of minute details. Later levels bring extensive and in-depth analysis tasks as well. In all, these questions represent real-world forensic and IR tasks that one might encounter in the field, reinforcing skills that will have an immediate payoff in the workplace!

Who Should Attend

  • Digital Forensic Analysts
  • Forensic Examiners
  • Malware Analysts
  • Incident Responders
  • Threat Hunters
  • Security Operations Center (SOC) staff members
  • Law Enforcement Officers, Federal Agents, or Detectives
  • Cyber Crime Investigators

Laptop Requirements


    • CPU: 64-bit Intel i5/i7 (4th generation+) - x64 bit 2.0+ GHz processor or more recent processor is mandatory for this class (Important - Please Read: a 64-bit system processor is mandatory)
    • It is critical that your CPU and operating system support 64-bit so that our 64-bit guest virtual machine will run on your laptop. VMware provides a free tool for Windows that will detect whether or not your host supports 64-bit guest virtual machines. For further troubleshooting, this article also provides good instructions for Windows users to determine more about the CPU and OS capabilities. For Macs, please use this support page from Apple to determine 64-bit capability.
    • BIOS settings must be set to enable virtualization technology, such as "Intel-VTx". Be absolutely certain you can access your BIOS if it is password protected, in case changes are necessary. Test it!
    • 16 GB (Gigabytes) of RAM or higher is mandatory for this class (Important - Please Read: 16 GB of RAM or higher is mandatory and minimum.)
    • USB 3.0 Type-A port is required. At least one open and working USB 3.0 Type-A port is required. (A Type-C to Type-A adapter may be necessary for newer laptops.) (Note: Some endpoint protection software prevents the use of USB devices - test your system with a USB drive before class to ensure you can load the course data.)
    • 200 Gigabytes of Free Space on your System Hard Drive - Free Space on Hard Drive is critical to host the VMs and data sets we distribute
    • Local Administrator Access is required. This is absolutely required. Don't let your IT team tell you otherwise. If your company will not permit this access for the duration of the course, then you should make arrangements to bring a different laptop.
    • Wireless 802.11 Capability - there are no wired networks in the classroom.


    • Host Operating System: Latest version of Windows 10 or macOS 10.15.x
    • On Windows hosts, VMware products cannot coexist with the Hyper-V hypervisor. Disable Hyper-V and ensure VMware can boot a virtual machine. Disabling Hyper-V, Device Guard, and Credential Guard can be accomplished using these instructions.
    • Please note: It is necessary to fully update your host operating system prior to the class to ensure you have the right drivers and patches installed to utilize the latest USB 3.0 devices.
    • Linux hosts cannot be supported in the classroom due to their numerous variations. Students that wish to use Linux hosts must be experienced users or administrators, and must also be able to access ExFAT partitions using the appropriate kernel and/or FUSE modules.

Frequently Asked Questions

Q: How does the program work?

A: Each player signs into the DFIR NetWars environment where they face multiple levels of questions regarding an incident. Each player is presented with multiple evidence files from which they need to answer questions - system, network, memory, and malware samples:

  • When the players answer the questions correctly, they earn points on the DFIR NetWars Tournament scoreboard.
  • If the players answer a question wrong, points will get deducted from their score after the second incorrect answer on the same question.
  • If the players don't know where to start or need a refresher, they can request a series of hints to guide their analysis without affecting their score.
  • Each player can observe their ranking compared to other players. The player with the highest score at the end of DFIR NetWars Tournament wins.

Q: How do I "level up" in a DFIR NetWars Tournament?

A: Players progress through the levels by answering questions and earning points. The next level will unlock after a number of points is obtained. The points are cumulative across all levels. The better a player does on one level, the quicker the next level will open up.

There are currently five levels in DFIR NetWars Tournament. Levels 1 and 2 are designed to be approachable by those completely new to forensics and include hints that will not only help answer the questions, but teach the players specific techniques as they progress. The upper levels are meant to challenge you and expose where your skills need more work.

Q: What tools can be utilized to solve the challenges?

A: The program is designed to test the skills of the analyst and not their ability to navigate a specific toolset. Challenge answers should not change regardless of the tool used to solve them. Participants are allowed to bring any toolset or capability to the tournament. If players don't bring their own tools, they will be provided with the SIFT WorkStation, a free collection of tools that can be utilized to solve every challenge in the game.


DFIR NetWars Tournament Schedule

All scheduled ranges and tournaments will run virtually.

DFIR Continuous (OnDemand) - Ongoing

4-Month Continuous Subscription Cyber Range, for All Skill Levels

DFIR NetWars

Oct. 7-8

6:30 pm - 9:30 pm CEST

Complimentary with DFIR Europe 2021 4-6 day courses

DFIR NetWars

Oct. 28-29

6:30 pm - 9:30 pm CET

Complimentary with SANS Cyber Safari, SEC588 Europe Online, and SANS Stockholm October 2021 4-6 day courses

DFIR NetWars

Oct. 28-29

6:30 pm - 9:30 pm EST

Complimentary with SANS DFIRCON East: In-Person and Virtual Editions 2021 4-6 day courses

DFIR NetWars

Nov. 18-19

6:30 pm - 9:30 pm CET

Complimentary with SANS Europe Online November 2021, SANS FOR585 In Italian Rome 2021, SANS FOR508 In Italian Online 2021, SANS Paris November 2021, SANS Munich November 2021 4-6 day courses

DFIR NetWars

Dec. 16-17

6:30 pm - 9:30 pm EST

Complimentary with SANS Cyber Defense Initiative 2021 4-6 day courses

DFIR NetWars Continuous

Learn how to solve unique, in-depth challenges through interactive case scenarios designed to help you gradually build your DFIR skillset, right from home.


NetWars is challenging for all levels of expertise, has great hints if you get stuck, and promotes continuous education.
- Jon-Michael Lacek, Wegmans Food Markets

Core NetWars was challenging but not frustrating for newbies. This is my first time doing NetWars and it has been a blast.
- Rachael Murray, Northwestern Mutual

Having participated in NetWars Continuous and in the NetWars Tournament, I can honestly say that they were the most intellectually challenging and enjoyable tests of technical skills in which I have participated.
- Kees Leune, Adelphi University