Incident Response Edition – Documentation


What is “Incident Response Edition”?

Incident Response Edition is a training package with plenty of practical opportunities prepared for those who want to pursue a career in the field of incident response and those who want to improve their current skills.

How Should I Use It?

You can progress in the most efficient way by completing the courses in the training area first, and then solving the cases on the “Monitoring” page.


We have a training module on how to run the incident response process on Windows and Linux systems.

What needs to be done here is to follow the topics in accordance with the order, to read the theoretical information thoroughly and then to practice in the “Hands-On Practice” and “Questions” areas just below. In order to answer the questions, you need to connect to the “Hands-On Practice” system and perform the required analysis.


There are 2 different roles on LetsDefend. Security Analyst and Incident Responder roles. You can use the button at the top right of the page to change your role.

Security Analyst vs Incident Responder

A user with the “Incident Responder” role has all the resources that “Security Analysts” can access. In addition, it has the following features:

  • It has more complicated cases on its “Monitoring” page. All of these different cases have official write-ups.
  • It has more playbooks.
  • It can directly connect to other systems and conduct analyses on the live system through the Endpoint Security.
  • It has access to exclusive Incident Response Training content.


A user with the Incident Responder role will encounter more different and complex alarms on the monitoring page.

Additional playbooks have been prepared to solve these cases.

They can access the official write-ups after the alarm is turned off.

I have completed the Incident Responder Alerts

You can access other alerts by switching your role to Security Analyst.

Endpoint Security

When the existing logs are not sufficient or when memory analysis is desired those who want to perform different controls on the live system can directly connect to the Linux / Windows operating systems by pressing the “Connect” button on the hostname they chose and perform the analysis. The preparation time of the machine takes an average of 1-3 minutes for Linux and 2-5 minutes for Windows.

Problems may occur from time to time while Windows is trying to connect to the system, for example, when the machine is ready but not visible on the screen, you need to refresh the page. If the same problem occurs again, you need to try again after about 1 minute. This is an issue we are aware of, it will be fixed in the next update.

Frequently asked Questions

  1. How can I change my role?

There are 2 different roles on LetsDefend. Security Analyst and Incident Responder roles. You can use the button at the top right of the page to change your role.

  1. Where can I find Official Write Ups??

Official write-ups can be accessed after the alert is closed.

  1. Why am I seeing only 10 alerts?

You can see only 10 alerts at a time on the monitoring page. New alerts will continue to populate as you close the alerts.

  1. I can’t see the “Connect” button in Endpoint Security.

Currently, there is not connectivity for all the systems included in Endpoint Security. If you think the device needs to be connected, please contact us.

  1. I have problems connecting to the machine.

You can share the error you received with us with a screenshot via or on our Discord channel ( to get a faster response.

  1. I have completed all the alerts, now, what should I do?

When you finish all Security Analyst and Incident Responder alerts, you can continue to improve yourself from DFIR and Malware Analysis cases under “Additional” on the left navigation panel.

Share on social media