SANS Cyber Defense Initiative® 2020 Live Online: 30+ Interactive Courses | Virtual NetWars Tournaments. Save $300 thru 11/18

NetWars: DFIR Tournament

Challenge yourself before the enemy does!

Digital Forensics, Incident Response, and Threat Hunting scenarios demand practitioners to apply unique skills to accurately overcome their job's daily obstacles. Technology changes and intelligent adversaries require them to keep their skills sharp and ahead of the curve. Staying up-to-date with the latest challenges in their field demand analytical skills that cannot be gained by just reading a text book. Just like firemen could never learn the skills of how to fight a fire by just studying theory, incident responders, threat hunters, and digital forensic investigators can only obtain their needed proficiency when an incident occurs. Unfortunately, gaining this proficiency could have serious consequences as mistakes can potentially damage a whole investigation or place an organization at higher risk.

DFIR NetWars is an incident simulator packed with a vast amount of forensic, malware analysis, threat hunting, and incident response challenges designed to help you gain proficiency without the risk associated when working real life incidents. It is unique in that it provides time-limited challenges that can be used to test the skills you've mastered, and at the same time, help you identify the skills you are missing. It is designed to test and sharpen each participant's skills in an individual or team-based "firefights" setting which enables participants to:

  • Engage in interactive case scenarios that teach them effective ways to solve even the most complex challenges.
  • Obtain the latest hands-on training available from incident responders, threat hunters, and forensic analysts facing the most complex challenges in stopping data breaches and solving crimes.
  • Learn in a safe environment where they can discover possible mistakes, identify the skills they might be missing, and ultimately be prepared to apply their knowledge when a real incident occurs.
DFIR NetWars Topics Who Should Take the Program?
  • Digital Forensics
  • Incident Response
  • Threat Hunting
  • Malware Analysis
  • Smartphone Forensics
  • Windows Forensics
  • MacOS and iOS Forensics
  • Network Forensics
  • Memory Forensics
  • Digital Forensic Analysts
  • Forensic Examiners
  • Malware Analysts
  • Incident Responders
  • Threat Hunters
  • Security Operations Center (SOC) staff members
  • Law Enforcement Officers, Federal Agents, or Detectives
  • Cyber Crime Investigators

DFIR NetWars Tournament Room

DFIR NetWars allows you to:

  • Learn in a fun, interactive environment: Sharpen new skills with fun "game-like" scenarios. Each of these scenarios teaches you to apply the right skill at the right time, and under the right conditions to accurately solve critical challenges.
  • Build your skills regardless of your expertise level: Anybody can play! No matter if you are new to the field or a seasoned forensicator or threat hunter, DFIR NetWars features different levels to help you improve your skill set, or show you where you might need improvement.
  • Take hints to develop your skills faster: An innovated Automated Hint System helps you identify the most efficient way of solving challenges, or help you determine when you've found an even better way of conquering obstacles. Requesting a hint does not impact your score at all, but the number of hints you have taken will be displayed as a separate column on the scoreboard.
  • Free yourself from tool limitations: It is not the tool that makes a good forensicator, but being able to apply the tool or technique at the right time and under the right conditions to accurately solve critical challenges. Each level is designed to not only exercise your capabilities to solve a particular problem, but teach you proper analysis techniques regardless of the tool you use.
  • Evaluate and show your performance: Walk away with confidence in your abilities and a scorecard that illustrates the areas in which you have demonstrated deep skills and knowledge.
  • Apply what you learn immediately: Master real-world tactics and techniques that can be applied to real-live cases as soon as you learn them.

Want to work on your skills right from home? You can with DFIR NetWars Continuous

DFIR NetWars Continuous delivers the same interactive learning program as DFIR NetWars but over a four-month period. DFIR Netwars Continuous is fully executed online so you can learn at your own pace, and includes automated hints and support from the SANS NetWars team to ensure that you have the most rewarding experience possible. The program also delivers twice as many CPE credits (12) as a live DFIR NetWars Tournament (6), and the cost of participation is less than a standard SANS course.

DFIR Netwars Continuous allows you to:

  • Learn anytime, anywhere: Over the course of four months and five levels, you will progress through multiple skill levels of increasing difficulty, learning first-hand how to solve key challenges at your own pace, and wherever you might be.
  • Test your skills with more in-depth challenges: NetWars Continuous offers a completely separate set of challenges from the DFIR NetWars Tournament. Although it is organized into the same five levels, there are more in-depth challenges in DFIR NetWars Continuous, given its four-month timespan.

For more information about DFIR NetWars Continuous email us at


How does the program work?

Each player signs into the DFIR NetWars environment where they face multiple levels of questions regarding an incident. Each player is presented with multiple evidence files from which they need to answer questions from - system, network, memory, and malware samples:

  • When the players answer the questions correctly, they earn points towards on the DFIR NetWars Tournament scoreboard.
  • If the players answer a question wrong, points will get deducted from their score after the second incorrect answer on the same question.
  • If the players don't know where to start or need a refresher, they can request a series of hints to guide your analysis without affecting their score.
  • Each player can observe their ranking compared to other players. The player with the highest score at the end of DFIR NetWars Tournament wins.

DFIR NetWars Tournament Sample Questions - Level 1

How do I "level up" in a DFIR NetWars Tournament?

Players progress through the levels by answering questions and earning points. The next level will unlock after a number of points is obtained. The points are cumulative across all levels. The better a player does on one level, the quicker the next level will open up.

There are currently five levels in DFIR NetWars Tournament. Levels 1 and 2 are designed to be approachable by those completely new to forensics and include hints that will not only help answer the questions, but teach the players specific techniques as they progress. The upper levels are meant to challenge you and expose where your skills need more work.

DFIR NetWars Tournament Sample Questions - Level 3

What tools can be utilized to solve the challenges?

The DFIR NetWars Tournament Scoreboard

The program is designed to test the skills of the analyst and not their ability to navigate a specific toolset. Challenge answers should not change regardless of the tool used to solve them. Participants are allowed to bring any toolset or capability to the tournament. If players don't bring their own tools, they will be provided with the SIFT WorkStation, a free collection of tools that can be utilized to solve every challenge in the game.

Upcoming Events
Event Location Dates
SANS DFIRCON 2020 Miami, FL November 5, 2020 -
November 6, 2020
SANS Munich November 2020 November 19, 2020 -
November 20, 2020
SANS Amsterdam November 2020 November 19, 2020 -
November 20, 2020
SANS London December 2020 December 10, 2020 -
December 11, 2020
SANS Cyber Defense Initiative 2020 Washington, DC December 17, 2020 -
December 18, 2020
Cyber Threat Intelligence Summit & Training 2021 Virtual - US Eastern, January 28, 2021 -
January 29, 2021