Cybersecurity, learned like a practitioner .

Forensic Timeline Reconstruction with Plaso

Why this module exists. An investigation has a hundred sources: event logs from five hosts, bash history, filesystem mtimes, audit logs, EDR alerts, NetFlow, cloud audit trail. Each has its own format and clock. The timeline is what merges them into one story. Without it, the investigation is fragments; with it, the investigation is a […]

Linux Forensics — Auditd, journalctl, Containers

Why this module exists. Linux IR responders often default to “tar up /var/log and call it done.” Modern Linux estates — especially in Indian cloud-native shops — have far richer artefacts available if you know to capture them. This module is the structured walkthrough. The first-response capture — what to grab in 5 minutes If […]

Memory Forensics with Volatility 3

Why this module exists. Half the modern malware ecosystem never writes a payload to disk — it lives in memory, injected into legitimate processes, and dies at reboot. Without memory forensics you are flying blind on that whole class. This module is the practitioner workflow. Acquisition — get the memory before you lose it Memory […]

Windows Event Log Forensics — The IR Reference

Why this module exists. The defender’s biggest leverage in any Windows IR is the event log. The attacker’s biggest leverage in the same IR is knowing which events to clear. This module gives you the canonical event IDs, the queries that surface attacker activity, and the gaps that tell you something was cleaned. The seven […]

Disk Imaging — Forensically Sound Acquisition

Why this module exists. “We made a copy of the disk” is not the same as “we forensically imaged the disk.” The difference matters for evidence admissibility, chain of custody, and for the analyst three weeks later trying to reproduce a finding. This module is the practitioner-level disk imaging guide. What forensically sound actually means […]

Security Policy Architecture — Policy, Standard, Procedure, Baseline

Why this module exists. Auditors ask for “the policy.” Engineers want “the rule.” Both are right; they are asking different questions of different layers. A coherent policy architecture answers both without contradiction. This module is the four-layer model and the operational guidance for building each layer. The four-layer model Layer What it states Approval level […]

Security Maturity Models — NIST CSF, ISO 27001, SAMM, CIS in Practice

Why this module exists. Every Indian enterprise we audit has a “maturity assessment” somewhere on file. Few have one that has been refreshed in the last 18 months; fewer still use it to drive funding decisions. The pattern is the same: a one-time scoring exercise that produced a slide, the slide got presented to the […]

Risk Appetite Statement — Writing One That Drives Decisions

Why this module exists. Risk appetite is where governance meets engineering reality. Without a stated appetite, every risk decision becomes ad hoc — defended by whoever speaks loudest in the room. With a clear appetite stated in measurable terms, the same decision becomes mechanical: “this exceeds the stated threshold, escalation triggered.” This module walks the […]

First 90 Days as a Security Leader — The Practitioner Playbook

Why this module exists. CISO and security-leader transitions in Indian enterprises follow a predictable failure mode. The new leader arrives, the board asks for an “assessment”, a 60-slide deck lands six weeks later, and the operational programme drifts for the entire honeymoon period. The disciplined version instead spends the first 90 days establishing five concrete […]

Board Reporting for Security — Metrics, Narrative, Cadence

Why this module exists. The board is not your peer audience. They are not security practitioners. The report that wins your peers’ approval — a 40-slide dive into MITRE ATT&CK coverage — is the report that loses the board. This module is the operational pattern for the inverse: the report that lets a non-technical decision-maker […]