SANS Online Training Special: Get an iPad Mini, Chromebook Flip, or $250 Off until 10/30! 

NetWars: DFIR Tournament

Challenge yourself before the enemy does!

Digital Forensics, Incident Response, and Threat Hunting scenarios demand practitioners to apply unique skills to accurately overcome their job's daily obstacles. Technology changes and intelligent adversaries require them to keep their skills sharp and ahead of the curve. Staying up-to-date with the latest challenges in their field demand analytical skills that cannot be gained by just reading a text book. Just like firemen could never learn the skills of how to fight a fire by just studying theory, incident responders, threat hunters, and digital forensic investigators can only obtain their needed proficiency when an incident occurs. Unfortunately, gaining this proficiency could have serious consequences as mistakes can potentially damage a whole investigation or place an organization at higher risk.

DFIR NetWars is an incident simulator packed with a vast amount of forensic, malware analysis, threat hunting, and incident response challenges designed to help you gain proficiency without the risk associated when working real life incidents. It is unique in that it provides time-limited challenges that can be used to test the skills you've mastered, and at the same time, help you identify the skills you are missing. It is designed to test and sharpen each participant's skills in an individual or team-based "firefights" setting which enables participants to:

  • Engage in interactive case scenarios that teach them effective ways to solve even the most complex challenges.
  • Obtain the latest hands-on training available from incident responders, threat hunters, and forensic analysts facing the most complex challenges in stopping data breaches and solving crimes.
  • Learn in a safe environment where they can discover possible mistakes, identify the skills they might be missing, and ultimately be prepared to apply their knowledge when a real incident occurs.
DFIR NetWars Topics Who Should Take the Program?
  • Digital Forensics
  • Incident Response
  • Threat Hunting
  • Malware Analysis
  • Smartphone Forensics
  • Windows Forensics
  • MacOS and iOS Forensics
  • Network Forensics
  • Memory Forensics
  • Digital Forensic Analysts
  • Forensic Examiners
  • Malware Analysts
  • Incident Responders
  • Threat Hunters
  • Security Operations Center (SOC) staff members
  • Law Enforcement Officers, Federal Agents, or Detectives
  • Cyber Crime Investigators

DFIR NetWars Tournament Room

DFIR NetWars allows you to:

  • Learn in a fun, interactive environment: Sharpen new skills with fun "game-like" scenarios. Each of these scenarios teaches you to apply the right skill at the right time, and under the right conditions to accurately solve critical challenges.
  • Build your skills regardless of your expertise level: Anybody can play! No matter if you are new to the field or a seasoned forensicator or threat hunter, DFIR NetWars features different levels to help you improve your skill set, or show you where you might need improvement.
  • Take hints to develop your skills faster: An innovated Automated Hint System helps you identify the most efficient way of solving challenges, or help you determine when you've found an even better way of conquering obstacles. Requesting a hint does not impact your score at all, but the number of hints you have taken will be displayed as a separate column on the scoreboard.
  • Free yourself from tool limitations: It is not the tool that makes a good forensicator, but being able to apply the tool or technique at the right time and under the right conditions to accurately solve critical challenges. Each level is designed to not only exercise your capabilities to solve a particular problem, but teach you proper analysis techniques regardless of the tool you use.
  • Evaluate and show your performance: Walk away with confidence in your abilities and a scorecard that illustrates the areas in which you have demonstrated deep skills and knowledge.
  • Apply what you learn immediately: Master real-world tactics and techniques that can be applied to real-live cases as soon as you learn them.

Want to work on your skills right from home? You can with DFIR NetWars Continuous

DFIR NetWars Continuous delivers the same interactive learning program as DFIR NetWars but over a four-month period. DFIR Netwars Continuous is fully executed online so you can learn at your own pace, and includes automated hints and support from the SANS NetWars team to ensure that you have the most rewarding experience possible. The program also delivers twice as many CPE credits (12) as a live DFIR NetWars Tournament (6), and the cost of participation is less than a standard SANS course.

DFIR Netwars Continuous allows you to:

  • Learn anytime, anywhere: Over the course of four months and five levels, you will progress through multiple skill levels of increasing difficulty, learning first-hand how to solve key challenges at your own pace, and wherever you might be.
  • Test your skills with more in-depth challenges: NetWars Continuous offers a completely separate set of challenges from the DFIR NetWars Tournament. Although it is organized into the same five levels, there are more in-depth challenges in DFIR NetWars Continuous, given its four-month timespan.

For more information about DFIR NetWars Continuous email us at


How does the program work?

Each player signs into the DFIR NetWars environment where they face multiple levels of questions regarding an incident. Each player is presented with multiple evidence files from which they need to answer questions from - system, network, memory, and malware samples:

  • When the players answer the questions correctly, they earn points towards on the DFIR NetWars Tournament scoreboard.
  • If the players answer a question wrong, points will get deducted from their score after the second incorrect answer on the same question.
  • If the players don't know where to start or need a refresher, they can request a series of hints to guide your analysis without affecting their score.
  • Each player can observe their ranking compared to other players. The player with the highest score at the end of DFIR NetWars Tournament wins.

DFIR NetWars Tournament Sample Questions - Level 1

How do I "level up" in a DFIR NetWars Tournament?

Players progress through the levels by answering questions and earning points. The next level will unlock after a number of points is obtained. The points are cumulative across all levels. The better a player does on one level, the quicker the next level will open up.

There are currently five levels in DFIR NetWars Tournament. Levels 1 and 2 are designed to be approachable by those completely new to forensics and include hints that will not only help answer the questions, but teach the players specific techniques as they progress. The upper levels are meant to challenge you and expose where your skills need more work.

DFIR NetWars Tournament Sample Questions - Level 3

What tools can be utilized to solve the challenges?

The DFIR NetWars Tournament Scoreboard

The program is designed to test the skills of the analyst and not their ability to navigate a specific toolset. Challenge answers should not change regardless of the tool used to solve them. Participants are allowed to bring any toolset or capability to the tournament. If players don't bring their own tools, they will be provided with the SIFT WorkStation, a free collection of tools that can be utilized to solve every challenge in the game.

Upcoming Events
Event Location Dates
SANS DFIRCON 2019 Coral Gables, FL November 7, 2019 -
November 8, 2019
SANS Gulf Region 2019 Dubai, November 19, 2019 -
November 27, 2019
SANS Munich November 2019 Munich, November 21, 2019 -
November 22, 2019
SANS Cyber Defense Initiative 2019 Washington, DC December 15, 2019 -
December 16, 2019
SANS Threat Hunting & IR Europe Summit & Training 2020 London, January 17, 2020 -
January 18, 2020
Cyber Threat Intelligence Summit & Training 2020 Arlington, VA January 25, 2020 -
January 26, 2020
SANS Security East 2020 New Orleans, LA February 6, 2020 -
February 7, 2020
SANS London February 2020 London, February 13, 2020 -
February 14, 2020
SANS Secure Japan 2020 Tokyo, March 12, 2020 -
March 13, 2020
SANS Secure Singapore 2020 Singapore, March 26, 2020 -
March 27, 2020
SANS London March 2020 London, March 19, 2020 -
March 20, 2020
SANS 2020 Orlando, FL April 8, 2020 -
April 9, 2020
SANSFIRE 2020 Washington, DC June 18, 2020 -
June 19, 2020