Cloud Incident Handling Track
An 8-week role-based path for analysts taking on incidents that span identity, workloads, and SaaS surfaces.
About this program
Cloud incidents fail differently. This track builds the muscle memory of investigating across identity providers, workload telemetry, and SaaS audit logs without losing the trail. You work three scenarios: an OAuth abuse incident, a misconfigured workload privilege escalation, and a credentialed insider scenario. Each ends with a containment decision you have to defend.
What is included
- Identity-first investigation method — start with auth, then pivot
- AWS, Azure, and GCP audit log triage parity
- SaaS audit-log scoping and gap recognition
- Containment decision drills with rollback considerations
- Cloud-specific after-action template
By the end of the program
- Investigate an OAuth abuse incident without panicking
- Decide between containment options when a workload is mid-pipeline
- Write a cloud after-action that is useful 6 months later
Frequently asked questions
No, but solid familiarity with one provider helps. If your day job is on-prem only, expect a steep first two weeks. We do not guarantee a smooth onboarding for that profile.
From past cohorts
The OAuth abuse scenario was painfully accurate. I made the same wrong decision twice before the third try clicked.
Strong on identity-first methodology. Lighter on Azure than on AWS, which they were upfront about — they recommended supplementary reading.
My favourite track this year. The containment decision drills are the closest I have found to real on-call.
Ready to talk through fit?
We do a 30-minute scenario walkthrough with admissions before any paid intermediate or advanced track. We will tell you honestly if a different program — or no program — would serve you better right now.