{"defaults":{"experience":"any","focused_node_id":"gsec","goal":"any","profile_id":"aspiring-dfir","role":"any"},"edges":[{"from":"gsec","id":"edge_gsec_gcih","label":"Move into incident handling","relationship":"progression","to":"gcih"},{"from":"gsec","id":"edge_gsec_gcfe","label":"Endpoint forensics track","relationship":"dfir_path","to":"gcfe"},{"from":"gsec","id":"edge_gsec_gicsp","label":"Industrial and OT foundations","relationship":"industrial_path","to":"gicsp"},{"from":"gcih","id":"edge_gcih_gmon","label":"Monitoring and operations branch","relationship":"monitoring_path","to":"gmon"},{"from":"gcih","id":"edge_gcih_gcia","label":"SOC / detection depth","relationship":"detection_path","to":"gcia"},{"from":"gmon","id":"edge_gmon_gcia","label":"Turn monitoring into analysis","relationship":"monitoring_path","to":"gcia"},{"from":"gime","id":"edge_gime_gasf","label":"Smartphone specialist depth","relationship":"platform_path","to":"gasf"},{"from":"gcfe","id":"edge_gcfe_gcfr","label":"Cloud investigation branch","relationship":"cloud_path","to":"gcfr"},{"from":"gcfe","id":"edge_gcfe_gcfa","label":"Deepen investigative capability","relationship":"progression","to":"gcfa"},{"from":"gcfr","id":"edge_gcfr_geir","label":"Cloud response into enterprise depth","relationship":"advanced_response","to":"geir"},{"from":"gcfa","id":"edge_gcfa_geir","label":"Enterprise incident depth","relationship":"advanced_response","to":"geir"},{"from":"gcfa","id":"edge_gcfa_grem","label":"Malware analysis specialisation","relationship":"specialist_path","to":"grem"},{"from":"gicsp","id":"edge_gicsp_grid","label":"OT detection and response depth","relationship":"industrial_path","to":"grid"},{"from":"gcih","id":"edge_gcih_gslc","label":"Leadership progression","relationship":"leadership_path","to":"gslc"},{"from":"gcfe","id":"edge_gcfe_gslc","label":"Forensics into leadership progression","relationship":"leadership_path","to":"gslc"},{"from":"gmon","id":"edge_gmon_gsom","label":"Lead 
the monitoring function","relationship":"leadership_path","to":"gsom"},{"from":"gsec","id":"edge_gsec_gsoc","label":"SOC operations baseline","relationship":"soc_path","to":"gsoc"},{"from":"gsoc","id":"edge_gsoc_gnfa","label":"Network forensics foundation","relationship":"soc_path","to":"gnfa"},{"from":"gsoc","id":"edge_gsoc_gmon","label":"Move into SIEM analytics","relationship":"soc_path","to":"gmon"},{"from":"gnfa","id":"edge_gnfa_gcia","label":"Move into SEC503 depth","relationship":"soc_path","to":"gcia"},{"from":"gmon","id":"edge_gmon_sec555","label":"SIEM tactical analytics","relationship":"soc_path","to":"gcda"},{"from":"gcda","id":"edge_sec555_sec530","label":"Architecture branch","relationship":"soc_branch","to":"gdsa"},{"from":"gcda","id":"edge_sec555_sec573","label":"Automation branch","relationship":"soc_branch","to":"gpyc"},{"from":"gcih","id":"edge_gcih_gcfa_direct","label":"Direct FOR508 branch from SEC504","relationship":"dfir_path","to":"gcfa"},{"from":"gcfa","id":"edge_gcfa_glir","label":"Linux IR branch","relationship":"dfir_branch","to":"glir"},{"from":"grem","id":"edge_grem_for710","label":"Advanced malware analysis","relationship":"dfir_branch","to":"for710"},{"from":"gcfa","id":"edge_gcfa_gcfr","label":"Cloud forensics branch","relationship":"dfir_branch","to":"gcfr"},{"from":"gcfa","id":"edge_gcfa_gime","label":"Apple/mobile forensics branch","relationship":"dfir_branch","to":"gime"},{"from":"gcfa","id":"edge_gcfa_gcti","label":"Threat intelligence branch","relationship":"dfir_branch","to":"gcti"},{"from":"gcfa","id":"edge_gcfa_gcia","label":"Move into SEC503 depth","relationship":"progression","to":"gcia"},{"from":"gcfe","id":"edge_gcfe_gnfa","label":"Network forensics crossover","relationship":"dfir_crossover","to":"gnfa"},{"from":"gsec","id":"edge_gsec_ldr414","label":"Leadership lane entry","relationship":"leadership_path","to":"cissp"},{"from":"cissp","id":"edge_ldr414_ldr419","label":"Strategic planning 
progression","relationship":"leadership_path","to":"ldr419"},{"from":"ldr419","id":"edge_ldr419_ldr512","label":"Program leadership progression","relationship":"leadership_path","to":"gslc"},{"from":"gslc","id":"edge_ldr512_ldr514","label":"Incident-ready team leadership","relationship":"leadership_path","to":"gstrt"},{"from":"gstrt","id":"edge_ldr514_ldr519","label":"Executive branch","relationship":"leadership_branch","to":"ldr519"},{"from":"gstrt","id":"edge_ldr514_gsom","label":"SOC leadership branch","relationship":"leadership_branch","to":"gsom"},{"from":"gstrt","id":"edge_ldr514_gcil","label":"Incident leadership branch","relationship":"leadership_branch","to":"gcil"},{"from":"grid","id":"edge_grid_ics612","label":"ICS engineering depth","relationship":"industrial_path","to":"ics612"},{"from":"gcih","id":"edge_gcih_gcfe","label":"Endpoint forensics track","relationship":"dfir_path","to":"gcfe"},{"from":"lab_foundations","id":"edge_lab_windows","label":"Make Windows behaviour familiar","relationship":"foundation","to":"windows_internals_basics"},{"from":"lab_foundations","id":"edge_lab_gsec","label":"Build the base first","relationship":"foundation","to":"gsec"},{"from":"windows_internals_basics","id":"edge_windows_gsec","label":"Turn systems depth into security fundamentals","relationship":"foundation","to":"gsec"},{"from":"windows_internals_basics","id":"edge_windows_gcfe","label":"Turn Windows context into endpoint-forensics depth","relationship":"dfir_path","to":"gcfe"},{"from":"gcih","id":"edge_gcih_packet_basics","label":"Learn to work packet-level questions","relationship":"monitoring_path","to":"packet_analysis_basics"},{"from":"packet_analysis_basics","id":"edge_packet_basics_gcia","label":"Turn packet fluency into deeper analysis","relationship":"detection_path","to":"gcia"},{"from":"gcih","id":"edge_gcih_case_notes","label":"Build note discipline 
early","relationship":"dfir_path","to":"case_note_writing"},{"from":"case_note_writing","id":"edge_case_notes_report","label":"Turn case notes into defensible writing","relationship":"investigation_practice","to":"report_writing"},{"from":"report_writing","id":"edge_report_gcfa","label":"Better reports support deeper investigations","relationship":"investigation_practice","to":"gcfa"},{"from":"gsom","id":"edge_gsom_plan_review","label":"Review the plan like it will be used","relationship":"readiness_path","to":"incident_response_plan_review"},{"from":"gcil","id":"edge_gcil_command","label":"Formalise command and coordination","relationship":"readiness_path","to":"incident_command_structure"},{"from":"incident_response_plan_review","id":"edge_plan_cmf","label":"Define the evidence the plan assumes","relationship":"readiness_path","to":"collection_management_framework"},{"from":"collection_management_framework","id":"edge_cmf_playbooks","label":"Make playbooks evidence-aware","relationship":"readiness_path","to":"playbooks_quality_check"},{"from":"playbooks_quality_check","id":"edge_playbooks_tabletop","label":"Exercise the playbooks under pressure","relationship":"readiness_path","to":"tabletop_exercise"},{"from":"incident_command_structure","id":"edge_command_tabletop","label":"Rehearse the command model","relationship":"readiness_path","to":"tabletop_exercise"},{"from":"playbooks_quality_check","id":"edge_playbooks_validation","label":"Pressure-test the playbooks in the wider capability","relationship":"readiness_path","to":"validation"},{"from":"tabletop_exercise","id":"edge_tabletop_validation","label":"Validate the wider response function","relationship":"readiness_path","to":"validation"},{"from":"gcil","id":"edge_gcil_validation","label":"Validate organisational capability","relationship":"readiness_path","to":"validation"},{"from":"ics612","id":"edge_ics612_plan_review","label":"Translate OT operations into plan 
reality","relationship":"readiness_bridge","to":"incident_response_plan_review"},{"from":"ldr519","id":"edge_ldr519_plan_review","label":"Executive leadership into plan quality","relationship":"readiness_bridge","to":"incident_response_plan_review"},{"from":"gstrt","id":"edge_gstrt_plan_review","label":"Team leadership into plan quality","relationship":"readiness_bridge","to":"incident_response_plan_review"},{"from":"gnfa","id":"edge_gnfa_plan_review","label":"Network forensics findings into planning","relationship":"readiness_bridge","to":"incident_response_plan_review"},{"from":"gcfa","id":"edge_gcfa_plan_review","label":"Enterprise investigations into planning","relationship":"readiness_bridge","to":"incident_response_plan_review"},{"from":"gcfr","id":"edge_gcfr_plan_review","label":"Cloud forensics into planning","relationship":"readiness_bridge","to":"incident_response_plan_review"},{"from":"gcia","id":"edge_gcia_plan_review","label":"Detection insights into planning","relationship":"readiness_bridge","to":"incident_response_plan_review"},{"from":"glir","id":"edge_glir_playbooks","label":"Linux IR lessons into playbooks","relationship":"readiness_bridge","to":"playbooks_quality_check"},{"from":"gcti","id":"edge_gcti_playbooks","label":"Threat intel findings into playbooks","relationship":"readiness_bridge","to":"playbooks_quality_check"},{"from":"gpyc","id":"edge_gpyc_playbooks","label":"Automation pathways into playbooks","relationship":"readiness_bridge","to":"playbooks_quality_check"},{"from":"geir","id":"edge_geir_validation","label":"Enterprise IR depth into capability validation","relationship":"readiness_bridge","to":"validation"},{"from":"grem","id":"edge_grem_validation","label":"Malware analysis insights into capability validation","relationship":"readiness_bridge","to":"validation"},{"from":"incident_response_plan_review","id":"edge_plan_command","label":"Align plan content with command 
model","relationship":"readiness_path","to":"incident_command_structure"},{"from":"incident_response_plan_review","id":"edge_plan_playbooks","label":"Convert plan intent into playbook quality","relationship":"readiness_path","to":"playbooks_quality_check"},{"from":"incident_command_structure","id":"edge_command_validation","label":"Validate command structure under pressure","relationship":"readiness_path","to":"validation"},{"from":"collection_management_framework","id":"edge_cmf_validation","label":"Validate evidence governance in execution","relationship":"readiness_path","to":"validation"},{"from":"gcfa","id":"edge_gcfa_validation","label":"Convert advanced investigation depth into capability validation","relationship":"readiness_bridge","to":"validation"},{"from":"gcil","id":"edge_gcil_tabletop","label":"Incident leadership into exercise design","relationship":"readiness_path","to":"tabletop_exercise"},{"from":"gsom","id":"edge_gsom_playbooks","label":"SOC operating patterns into playbook quality","relationship":"readiness_bridge","to":"playbooks_quality_check"},{"from":"gsom","id":"edge_gsom_validation","label":"SOC leadership outcomes into capability validation","relationship":"readiness_bridge","to":"validation"},{"from":"gsom","id":"edge_gsom_gcil","label":"Expand SOC leadership into incident command leadership","relationship":"leadership_bridge","to":"gcil"},{"from":"gcfa","id":"edge_gcfa_gslc","label":"DFIR leadership into programme leadership","relationship":"leadership_bridge","to":"gslc"},{"from":"gcfa","id":"edge_gcfa_gstrt","label":"DFIR delivery into response team leadership","relationship":"leadership_bridge","to":"gstrt"},{"from":"gcfa","id":"edge_gcfa_gcda","label":"Investigation lessons into SOC analytics engineering","relationship":"soc_bridge","to":"gcda"},{"from":"ldr519","id":"edge_ldr519_validation","label":"Executive security leadership into capability 
validation","relationship":"readiness_path","to":"validation"}],"filters":{"experience_levels":[{"id":"any","label":"All levels"},{"id":"beginner","label":"Beginner"},{"id":"early_career","label":"Early career"},{"id":"mid_career","label":"Mid career"},{"id":"advanced","label":"Advanced"}],"goals":[{"id":"any","label":"All goals"},{"id":"build_foundations","label":"Build foundations"},{"id":"move_into_dfir","label":"Move into DFIR"},{"id":"improve_incident_handling","label":"Improve incident handling"},{"id":"deepen_forensic_capability","label":"Deepen forensic capability"},{"id":"move_toward_leadership","label":"Move toward leadership"},{"id":"improve_technical_breadth","label":"Improve technical breadth"}],"roles":[{"id":"any","label":"All roles"},{"id":"aspiring_professional","label":"Aspiring professional"},{"id":"soc_analyst","label":"SOC analyst"},{"id":"incident_responder","label":"Incident responder"},{"id":"dfir_practitioner","label":"DFIR practitioner"},{"id":"threat_hunter","label":"Threat hunter"},{"id":"security_engineer","label":"Security engineer"},{"id":"team_lead_manager","label":"Team lead / 
manager"}]},"fit_scoring":{"experience_level_bias":{"advanced":{"advanced":1.5,"foundational":-0.5,"intermediate":0.9},"beginner":{"advanced":-1.6,"foundational":1.5,"intermediate":0.3},"early_career":{"advanced":-0.7,"foundational":0.9,"intermediate":1},"mid_career":{"advanced":0.9,"foundational":0.2,"intermediate":1.1}},"goal_track_bias":{"build_foundations":{"foundations":2.8,"soc":1},"deepen_forensic_capability":{"dfir":2.8,"threat_hunting":1.4},"improve_incident_handling":{"dfir":1.5,"readiness":0.8,"soc":2.1},"improve_technical_breadth":{"dfir":1.5,"soc":1.5,"threat_hunting":1.4},"move_into_dfir":{"dfir":2.7,"foundations":0.9,"threat_hunting":0.7},"move_toward_leadership":{"leadership":2.6,"readiness":2}},"node_weights":{"certification_bonus":1,"experience_match":4,"goal_match":6,"horizontal_progression_bonus":0.25,"incoming_penalty":0.4,"role_match":5,"source_bonus":2},"path":{"max_hops":4,"minimum_node_score":1.5},"role_track_bias":{"aspiring_professional":{"foundations":2.2,"soc":1.2},"dfir_practitioner":{"dfir":2.7,"threat_hunting":1.1},"incident_responder":{"dfir":2,"readiness":0.8,"soc":1},"security_engineer":{"dfir":0.8,"readiness":1.1,"soc":1.4},"soc_analyst":{"soc":2.5,"threat_hunting":1.2},"team_lead_manager":{"leadership":2.4,"readiness":2},"threat_hunter":{"dfir":1.2,"soc":0.8,"threat_hunting":2.8}}},"groups":[{"description":"Learn to recognise attacker tradecraft, triage events, and move from alerts to investigative action.","height":80,"id":"incident_handling","label":"Digital Forensics \u0026 Incident Response (DFIR)","width":120,"x":40,"y":40},{"description":"Strengthen monitoring, network analysis, and detection engineering judgement for SOC and hunt-heavy work.","height":80,"id":"detection","label":"Detection and monitoring","width":120,"x":40,"y":40},{"description":"Move from handling incidents to building defensible endpoint, Apple/mobile, and cloud investigation capability.","height":80,"id":"forensics","label":"Endpoint, mobile, and 
cloud forensics","width":120,"x":40,"y":40},{"description":"Push into enterprise-scale incident response and specialist malware analysis once the core branches are already working for you.","height":80,"id":"advanced_response","label":"Advanced response and malware","width":120,"x":40,"y":40},{"description":"Apply security and response thinking to ICS and OT environments where reliability and safety matter as much as speed.","height":80,"id":"industrial","label":"Industrial and OT","width":120,"x":40,"y":40},{"description":"Certifications can sharpen judgement, but plans, command structure, playbooks, exercises, and validation determine whether the organisation can respond under pressure.","height":80,"id":"readiness","label":"Leadership and readiness","width":120,"x":40,"y":40},{"description":"Build systems depth, lab habits, and the baseline technical fluency that later incident work depends on.","height":80,"id":"foundation","label":"Foundations","width":120,"x":40,"y":40}],"layout":{"height":1500,"node_height":132,"node_width":200,"width":3560},"nodes":[{"best_for":"Career changers and early practitioners who need practical context before or alongside formal training.","cert_code":"Practice","column":"c1.1","common_misconception":"You can skip foundational practice if you buy enough training.","cost_tier":"low","description":"Build a small lab, spend time with operating systems and logs, and learn how systems behave before chasing cert acronyms. 
This is the difference between reciting content and recognising what normal and abnormal activity actually looks like.","difficulty":"low","focus_areas":["home lab","operating systems","evidence handling","practical troubleshooting"],"goals_supported":["build_foundations","move_into_dfir","improve_technical_breadth"],"group":"foundation","id":"lab_foundations","label":"Hands-on labs and systems basics","level":"foundational","link_label":"Read the lab-building guide","notes":"Use this as a forcing function to make the theory tactile.","official_url":"/create-a-personal-forensics-lab-part-1-the-primary-domain-controller/","order":0,"prerequisite_ids":[],"provider":"Self-guided practice","recommended_next_ids":["windows_internals_basics"],"recommended_prerequisite_ids":[],"related_links":{"career":[{"label":"Career coaching","url":"/career-coaching/"}],"reading":[{"label":"Create a Personal Forensics Lab","url":"/create-a-personal-forensics-lab-part-1-the-primary-domain-controller/"}]},"row":"foundations_a","short_label":"Labs + systems","signals_you_are_ready":["You need stronger practical context before spending heavily on certifications.","You can commit to regular lab time and basic evidence-handling habits.","You want fundamentals that carry across SOC, IR, and DFIR tracks."],"signals_you_should_wait":["You're looking for a shortcut and don't intend to practise.","You don't yet have any environment where you can test and break safely."],"suitable_experience_levels":["beginner","early_career"],"suitable_roles":["aspiring_professional","soc_analyst","incident_responder","dfir_practitioner","threat_hunter","security_engineer"],"time_commitment":"medium","tracks":["foundations"],"type":"practice","what_it_wont_solve":"Labs help you recognise patterns, but they don't replace production pressure, reporting discipline, or the judgement that comes from real cases.","x":260,"y":80},{"best_for":"People moving from general IT or adjacent roles into security, and analysts 
who need a broad baseline before specialising.","cert_code":"GSEC","column":"c1","common_misconception":"GSEC is too basic to be useful if you already work around technology.","cost_tier":"high","course_name":"Security Essentials: Network, Endpoint, and Cloud","description":"GSEC, earned through the SEC401 course, is a practical foundations credential. It's a strong first SANS / GIAC step when you need broad security coverage before specialising into incident response, forensics, or detection work.","difficulty":"medium","focus_areas":["operating systems","networking","security fundamentals","baseline tooling"],"goals_supported":["build_foundations","improve_technical_breadth","improve_incident_handling"],"group":"foundation","id":"gsec","label":"GIAC Security Essentials","level":"foundational","link_label":"Official course page","notes":"This is usually the safest starting point when you're still building the base layer.","official_url":"https://www.sans.org/cyber-security-courses/security-essentials-network-endpoint-cloud/","order":1,"prerequisite_ids":[],"recommended_next_ids":["gcih","gicsp"],"recommended_prerequisite_ids":["lab_foundations"],"related_links":{"career":[{"label":"Unlocking the DFIR Job Market","url":"/unlocking-the-dfir-job-market-strategies-for-landing-your-dream-role/"},{"label":"Career Coaching","url":"https://sethenoka.com/career-coaching/"}],"reading":[{"label":"A Roadmap to Earning Your First or Next SANS Certification","url":"/a-roadmap-to-earning-your-first-or-next-sans-certification/"}]},"row":"foundations_a","short_label":"SEC401","signals_you_are_ready":["You already work around systems, networking, or endpoint administration and need a structured security baseline.","Core operating system and networking concepts are familiar enough that the material will attach to something real.","You're willing to pair the course with labs and note taking instead of treating it as passive reading."],"signals_you_should_wait":["Basic operating system, networking, or command-line 
concepts still feel unfamiliar.","You're picking it only because it's the biggest brand you know, not because you need broad fundamentals.","You expect the cert alone to replace hands-on practice."],"suitable_experience_levels":["beginner","early_career","mid_career"],"suitable_roles":["aspiring_professional","soc_analyst","incident_responder","security_engineer"],"time_commitment":"high","tracks":["foundations","soc"],"type":"certification","what_it_wont_solve":"It won't turn broad familiarity into investigative depth on its own. You still need labs, note taking, and incident exposure.","x":20,"y":80},{"best_for":"SOC analysts, responders, engineers, and early DFIR practitioners who need to think like handlers rather than only operators.","cert_code":"GCIH","column":"c3","common_misconception":"Passing GCIH means you're ready to run complex investigations independently.","cost_tier":"high","course_name":"Hacker Tools, Techniques, and Incident Handling","description":"SEC504 is the practical hinge point on this roadmap. 
It's where many practitioners move from broad security grounding into incident handling, adversary tradecraft, and more disciplined response workflows.","difficulty":"medium","focus_areas":["incident handling","attacker techniques","triage","containment"],"goals_supported":["move_into_dfir","improve_incident_handling","improve_technical_breadth","move_toward_leadership"],"group":"incident_handling","id":"gcih","label":"GIAC Certified Incident Handler","level":"intermediate","link_label":"Official course page","notes":"This is the central branching node for most blue-team and DFIR paths.","official_url":"https://www.sans.org/cyber-security-courses/hacker-techniques-incident-handling/","order":2,"prerequisite_ids":[],"recommended_next_ids":["packet_analysis_basics","gmon","gcia","gcfe","case_note_writing","gsom","gcil"],"recommended_prerequisite_ids":["gsec"],"related_links":{"reading":[{"label":"A Roadmap to Earning Your First or Next SANS Certification","url":"/a-roadmap-to-earning-your-first-or-next-sans-certification/"},{"label":"Windows Artefacts as Evidence","url":"/windows-artefacts/"},{"label":"Windows Recycle Bin Forensics on Windows 10 and 11","url":"/windows-recycle-bin-forensics-on-windows-10-and-11/"},{"label":"ShellBags and User Navigation","url":"/shellbags-and-user-navigation-what-windows-remembers-about-exploration/"},{"label":"Alternate Data Streams","url":"/alternate-data-streams/"}]},"row":"soc_c","short_label":"SEC504","signals_you_are_ready":["You already understand basic security and want to move from familiarity into real incident handling.","Alerts, triage, or containment decisions are part of your work or clearly about to be.","You can follow ordinary networking and system-admin concepts without getting lost."],"signals_you_should_wait":["Networking, operating systems, and basic security vocabulary still slow you down.","You want a shortcut to advanced DFIR status without building incident-handling judgement first.","You have little room to 
practise the material after the course."],"suitable_experience_levels":["early_career","mid_career","advanced"],"suitable_roles":["aspiring_professional","soc_analyst","incident_responder","dfir_practitioner","threat_hunter","security_engineer","team_lead_manager"],"time_commitment":"high","tracks":["soc","dfir"],"type":"certification","what_it_wont_solve":"It improves handling judgement, but it doesn't replace forensic depth, communication discipline, or incident command maturity (who decides, who coordinates, who communicates) in major incidents.","x":620,"y":430},{"best_for":"Practitioners moving toward incident response or DFIR who need better Windows depth before leaning too hard on tooling or certification content.","cert_code":"Practice","column":"c1.2","common_misconception":"You need a forensic certification before it's worth learning how Windows behaves.","cost_tier":"low","description":"Learn how Windows actually behaves before you try to interpret Windows evidence in anger. Process trees, event logs, registry behaviour, services, scheduled tasks, user context, and common artefact locations should feel familiar enough that later forensic work is interpretation rather than guesswork.","difficulty":"medium","focus_areas":["windows internals","event logs","registry","artefact context"],"goals_supported":["build_foundations","move_into_dfir","improve_incident_handling","improve_technical_breadth"],"group":"foundation","id":"windows_internals_basics","label":"Windows internals and artefact basics","level":"foundational","link_label":"Read the Windows artefacts guide","notes":"Treat this as the bridge between generic home lab practice and later Windows-heavy IR or DFIR work.","official_url":"/windows-artefacts/","order":2,"prerequisite_ids":["lab_foundations"],"provider":"Self-guided practice","recommended_next_ids":["gcfe"],"recommended_prerequisite_ids":[],"related_links":{"reading":[{"label":"Windows Artefacts as Evidence","url":"/windows-artefacts/"},{"label":"Understanding Windows Artefacts as 
Evidence","url":"/understanding-windows-artefacts-as-evidence-not-indicators/"}]},"row":"foundations_a","short_label":"Windows internals","signals_you_are_ready":["You already spend time on Windows systems and want that familiarity to become more deliberate and investigative.","Windows logs, user activity, services, or common artefacts keep showing up in the cases or labs you work through.","You'd benefit more from better operating-system depth than from shopping for another badge right now."],"signals_you_should_wait":["Basic operating-system concepts still feel shaky enough that the internals won't stick yet.","You're looking for a shortcut around hands-on practice.","You don't currently have a lab or systems access where you can make the material concrete."],"suitable_experience_levels":["beginner","early_career","mid_career"],"suitable_roles":["aspiring_professional","soc_analyst","incident_responder","dfir_practitioner","security_engineer"],"time_commitment":"medium","tracks":["foundations","dfir"],"type":"practice","what_it_wont_solve":"Windows depth helps you recognise what evidence means, but it still won't give you incident judgement, good note taking, or a defensible case narrative by itself.","x":500,"y":80},{"best_for":"SOC analysts, responders, and engineers who need stronger monitoring judgement and a better operations baseline before deeper analysis or leadership work.","cert_code":"GMON","column":"c5","common_misconception":"Better monitoring tooling automatically produces better investigations.","cost_tier":"high","course_name":"Cybersecurity Engineering: Advanced Threat Detection and Monitoring","description":"SEC511 fits the practitioners who need to move from generic monitoring and tool familiarity into a more deliberate security operations model. 
It's useful when the problem isn't just seeing alerts, but structuring monitoring, triage, and telemetry in a way that supports investigations.","difficulty":"medium","focus_areas":["continuous monitoring","soc operations","telemetry strategy","triage workflows"],"goals_supported":["improve_incident_handling","improve_technical_breadth","move_toward_leadership"],"group":"detection","id":"gmon","label":"GIAC Continuous Monitoring Certification","level":"intermediate","link_label":"Official course page","notes":"Strong fit when you need the monitoring layer to become more disciplined before chasing deeper specialist depth.","official_url":"https://www.sans.org/cyber-security-courses/continuous-monitoring-security-operations/","order":3,"prerequisite_ids":[],"recommended_next_ids":["gcia","gsom"],"recommended_prerequisite_ids":["gcih"],"related_links":{"organisation":[{"label":"Incident Response Playbooks","url":"https://lykosdefence.com/playbooks/"}],"reading":[{"label":"A Roadmap to Earning Your First or Next SANS Certification","url":"/a-roadmap-to-earning-your-first-or-next-sans-certification/"}]},"row":"soc_a","short_label":"SEC511","signals_you_are_ready":["You already touch SIEM, alert queues, or monitoring workflows and need better operational structure.","You care about tuning monitoring and triage, not just buying or configuring another tool.","You can already work through ordinary alert investigations."],"signals_you_should_wait":["You haven't yet built baseline incident-handling judgement.","You're hoping monitoring content alone will fix a weak SOC operating model.","You don't have telemetry or workflows where you can apply the material."],"suitable_experience_levels":["early_career","mid_career","advanced"],"suitable_roles":["soc_analyst","incident_responder","security_engineer","team_lead_manager"],"time_commitment":"high","tracks":["soc","threat_hunting"],"type":"certification","what_it_wont_solve":"It won't fix weak escalation logic, poor case 
ownership, or a SOC that lacks a usable operating model.","x":1360,"y":285},{"best_for":"SOC analysts, hunters, and responders who want stronger detection and network-centric investigative skill.","cert_code":"GCIA","column":"c6","common_misconception":"GCIA is only useful for people who live inside packet captures all day.","cost_tier":"high","course_name":"Network Monitoring and Threat Detection In-Depth","description":"SEC503 deepens network visibility and detection judgement. It fits people who need to move from alert handling into packet-level reasoning, better detection, and stronger analytical depth in SOC or hunt-heavy roles.","difficulty":"high","focus_areas":["intrusion analysis","packet analysis","detection engineering","network telemetry"],"goals_supported":["improve_incident_handling","improve_technical_breadth"],"group":"detection","id":"gcia","label":"GIAC Certified Intrusion Analyst","level":"advanced","link_label":"Official course page","notes":"Strong fit when the question is detection depth rather than endpoint forensics first.","official_url":"https://www.sans.org/cyber-security-courses/network-monitoring-threat-detection","order":4,"prerequisite_ids":[],"recommended_next_ids":["gmon"],"recommended_prerequisite_ids":["gnfa","gcfa"],"related_links":{"reading":[{"label":"Windows Artefacts as Evidence","url":"/windows-artefacts/"},{"label":"Windows Recycle Bin Forensics on Windows 10 and 11","url":"/windows-recycle-bin-forensics-on-windows-10-and-11/"},{"label":"ShellBags and User Navigation","url":"/shellbags-and-user-navigation-what-windows-remembers-about-exploration/"},{"label":"Alternate Data Streams","url":"/alternate-data-streams/"},{"label":"Build Your Own Forensics Go-Bag","url":"/build-your-own-forensics-go-bag/"}]},"row":"soc_c","short_label":"SEC503","signals_you_are_ready":["You already investigate network activity or detections and want deeper analytical depth.","Packet analysis and protocol behaviour are starting to matter in your 
real cases.","You can already handle baseline alerts without needing the course to teach first principles."],"signals_you_should_wait":["You're still building core incident-handling judgement.","Packets, protocols, and network telemetry still feel foreign.","You really need a general blue-team foundation rather than a deeper network branch."],"suitable_experience_levels":["early_career","mid_career","advanced"],"suitable_roles":["soc_analyst","incident_responder","threat_hunter","security_engineer"],"time_commitment":"high","tracks":["soc","threat_hunting"],"type":"certification","what_it_wont_solve":"It won't teach disciplined Windows artefact interpretation or give you leadership readiness. It's a depth move, not a complete operating model.","x":1620,"y":430},{"best_for":"Analysts, hunters, and responders who already work in network telemetry and want deeper network forensics and investigation skill.","cert_code":"GNFA","column":"c5","common_misconception":"GNFA is just GCIA with a different badge attached.","cost_tier":"high","course_name":"Advanced Network Forensics: Threat Hunting, Analysis, and Incident Response","description":"GNFA is the point where network-centric monitoring and hunting become more forensic and hypothesis-driven. 
It makes sense when packet analysis, network telemetry, and response work already matter in your day job and you need stronger network investigation depth.","difficulty":"high","focus_areas":["network forensics","packet analysis","threat hunting","investigative pivots"],"goals_supported":["improve_incident_handling","improve_technical_breadth","deepen_forensic_capability"],"group":"detection","id":"gnfa","label":"GIAC Network Forensic Analyst","level":"advanced","link_label":"Official course page","notes":"Use this when the hunt or response problem keeps pulling you back to network evidence and deeper packet-level reasoning.","official_url":"https://www.sans.org/cyber-security-courses/advanced-network-forensics-threat-hunting-incident-response","order":5,"prerequisite_ids":[],"recommended_next_ids":["gcfa","geir"],"recommended_prerequisite_ids":["gcia"],"related_links":{"reading":[{"label":"Build Your Own Forensics Go-Bag","url":"/build-your-own-forensics-go-bag/"},{"label":"A Roadmap to Earning Your First or Next SANS Certification","url":"/a-roadmap-to-earning-your-first-or-next-sans-certification/"}]},"row":"threat_hunting_b","short_label":"FOR572","signals_you_are_ready":["Network evidence is already central to your investigations or hunts.","You can work through packet- and protocol-level questions without starting from zero.","You need stronger network forensics, not just better alert triage."],"signals_you_should_wait":["You haven't yet done the analytical work that makes network forensics useful.","You're treating it as a shortcut around endpoint or enterprise investigation fundamentals.","You rarely use packet or network telemetry in real cases."],"suitable_experience_levels":["mid_career","advanced"],"suitable_roles":["soc_analyst","incident_responder","dfir_practitioner","threat_hunter","security_engineer"],"time_commitment":"high","tracks":["soc","threat_hunting","dfir"],"type":"certification","what_it_wont_solve":"It won't replace endpoint evidence 
work or compensate for low-fidelity telemetry and weak case review habits.","x":1360,"y":870},{"best_for":"Responders and analysts moving from incident handling into Windows-focused forensic work.","cert_code":"GCFE","column":"c3.1","common_misconception":"GCFE is redundant if your end goal is GCFA anyway.","cost_tier":"high","course_name":"Windows Forensic Analysis","description":"FOR500 is a practical entry point into Windows forensic analysis. It's often the better first forensics move before FOR508 because it gives you a more stable endpoint evidence foundation.","difficulty":"medium","focus_areas":["windows forensics","evidence interpretation","endpoint artefacts"],"goals_supported":["move_into_dfir","deepen_forensic_capability"],"group":null,"id":"gcfe","label":"GIAC Certified Forensic Examiner","level":"intermediate","link_label":"Official course page","notes":"Usually the cleaner first forensic step unless you already do substantial investigative work.","official_url":"https://www.sans.org/cyber-security-courses/windows-forensic-analysis/","order":6,"prerequisite_ids":[],"recommended_next_ids":["gcfa","gime","gcfr"],"recommended_prerequisite_ids":["gcih"],"related_links":{"organisation":[{"label":"Incident Response Capability Validation","url":"https://lykosdefence.com/validation/"}],"reading":[{"label":"Windows Artefacts as Evidence","url":"/windows-artefacts/"},{"label":"Windows Recycle Bin Forensics on Windows 10 and 11","url":"/windows-recycle-bin-forensics-on-windows-10-and-11/"},{"label":"ShellBags and User Navigation","url":"/shellbags-and-user-navigation-what-windows-remembers-about-exploration/"},{"label":"Alternate Data Streams","url":"/alternate-data-streams/"}]},"row":"dfir_a","short_label":"FOR500","signals_you_are_ready":["You already handle incidents and now need firmer endpoint evidence interpretation.","Windows artefacts, timelines, and host evidence are becoming part of your cases.","You want a steadier DFIR base before jumping to 
GCFA-level depth."],"signals_you_should_wait":["You're still learning what normal incident handling looks like.","You expect it to teach general response command rather than endpoint evidence work.","You have no realistic way to practise host analysis after the course."],"suitable_experience_levels":["early_career","mid_career"],"suitable_roles":["incident_responder","dfir_practitioner","threat_hunter","security_engineer"],"time_commitment":"high","tracks":["dfir"],"type":"certification","what_it_wont_solve":"It sharpens endpoint evidence work, but it doesn't replace enterprise incident experience or broader command during live response.","x":970,"y":570},{"best_for":"DFIR practitioners and responders who need credible macOS and iPhone/iPad evidence handling rather than only Windows depth.","cert_code":"GIME","column":"c8","common_misconception":"Apple-focused investigations are just a smaller version of Windows forensics.","cost_tier":"high","course_name":"Mac and iOS Forensic Analysis and Incident Response","description":"GIME is useful when your investigations regularly touch Apple endpoints and mobile devices and you need platform-specific depth instead of assuming Windows habits transfer cleanly. 
It widens a forensic practitioner's coverage without pretending every host leaves the same traces.","difficulty":"medium","focus_areas":["macos forensics","ios forensics","endpoint collection","platform-specific artefacts"],"goals_supported":["deepen_forensic_capability","improve_technical_breadth","move_into_dfir"],"group":null,"id":"gime","label":"GIAC iOS and macOS Examiner","level":"intermediate","link_label":"Official course page","notes":"This is a platform-breadth move for practitioners who don't want Apple evidence to stay a blind spot.","official_url":"https://www.sans.org/cyber-security-courses/mac-and-ios-forensic-analysis-and-incident-response/","order":7,"prerequisite_ids":["gcfe"],"recommended_next_ids":["gasf"],"recommended_prerequisite_ids":["gcih"],"related_links":{"reading":[{"label":"Windows Artefacts as Evidence","url":"/windows-artefacts/"},{"label":"Understanding Windows Artefacts as Evidence","url":"/understanding-windows-artefacts-as-evidence-not-indicators/"}]},"row":"dfir_a","short_label":"FOR518","signals_you_are_ready":["Apple endpoints or iOS devices are part of the investigations you actually do.","You already have a baseline forensic workflow and need platform-specific depth.","You know why Windows habits do not cleanly transfer to macOS or iOS evidence."],"signals_you_should_wait":["Apple evidence is still hypothetical rather than part of your real cases.","You're using it to avoid building a core endpoint-forensics base first.","You don't yet have a collection and analysis workflow for device work."],"suitable_experience_levels":["mid_career","advanced"],"suitable_roles":["incident_responder","dfir_practitioner","threat_hunter","security_engineer"],"time_commitment":"high","tracks":["dfir"],"type":"certification","what_it_wont_solve":"It won't remove the need to validate collection methods, write carefully, or correlate Apple evidence with the rest of the case.","x":2140,"y":570},{"best_for":"Experienced forensic practitioners who 
need deeper Android and iOS device evidence work rather than another general-purpose DFIR credential.","cert_code":"GASF","column":"c9","common_misconception":"Mobile forensics is just a niche add-on once you know desktop artefacts.","cost_tier":"high","course_name":"Smartphone Forensic Analysis In-Depth","description":"GASF is a specialist move for people who already know they need deeper mobile device examination capability. It belongs later in the roadmap because smartphone work is its own discipline, with its own acquisition constraints, artefact interpretation problems, and reporting traps.","difficulty":"high","focus_areas":["smartphone forensics","mobile artefacts","acquisition methods","device examination"],"goals_supported":["deepen_forensic_capability","improve_technical_breadth"],"group":null,"id":"gasf","label":"GIAC Advanced Smartphone Forensics","level":"advanced","link_label":"Official course page","notes":"Treat this as a specialist branch, not a default next step for every DFIR practitioner.","official_url":"https://www.sans.org/cyber-security-courses/advanced-smartphone-mobile-device-forensics","order":8,"prerequisite_ids":["gime"],"recommended_next_ids":[],"recommended_prerequisite_ids":["gcfe"],"related_links":{"reading":[{"label":"Understanding Windows Artefacts as Evidence","url":"/understanding-windows-artefacts-as-evidence-not-indicators/"},{"label":"A Roadmap to Earning Your First or Next SANS Certification","url":"/a-roadmap-to-earning-your-first-or-next-sans-certification/"}]},"row":"dfir_a","short_label":"FOR585","signals_you_are_ready":["Mobile-device evidence is a real requirement in your work, not just an interesting niche.","You already have basic forensic discipline and need deeper phone-focused depth.","You understand acquisition constraints and why device exams are their own specialist track."],"signals_you_should_wait":["You still need general endpoint-forensics fundamentals more than mobile specialisation.","Mobile evidence is 
rare enough in your environment that the skill won't get exercised.","You expect the course to remove legal or collection constraints around devices."],"suitable_experience_levels":["mid_career","advanced"],"suitable_roles":["incident_responder","dfir_practitioner"],"time_commitment":"high","tracks":["dfir"],"type":"certification","what_it_wont_solve":"It won't replace legal, procedural, or collection constraints that often determine what mobile evidence you can actually get.","x":2400,"y":570},{"best_for":"SOC analysts, responders, and hunters who need a practical network-analysis base before deeper detection or network-forensics training.","cert_code":"Practice","column":"c5","common_misconception":"You need GCIA-level depth before it's worth opening a packet capture.","cost_tier":"low","description":"Before you chase advanced network-analysis depth, get comfortable opening packet captures, following conversations, reading common protocols, and linking network observations back to a real investigative question. 
This is where network visibility stops being abstract and starts becoming useful.","difficulty":"medium","focus_areas":["packet captures","protocol behaviour","network telemetry","investigation pivots"],"goals_supported":["improve_incident_handling","improve_technical_breadth"],"group":"incident_handling","id":"packet_analysis_basics","label":"Packet analysis and network telemetry basics","level":"foundational","notes":"This is the practical network-analysis bridge between incident handling and the deeper detection branch.","order":8,"prerequisite_ids":[],"provider":"Self-guided practice","recommended_next_ids":["gcia","gnfa"],"recommended_prerequisite_ids":["gcih"],"related_links":{"reading":[{"label":"Build Your Own Forensics Go-Bag","url":"/build-your-own-forensics-go-bag/"},{"label":"A Roadmap to Earning Your First or Next SANS Certification","url":"/a-roadmap-to-earning-your-first-or-next-sans-certification/"}]},"row":"foundations_a","short_label":"Packet analysis","signals_you_are_ready":["Network captures or network telemetry are already showing up in your triage or investigation work.","You want a stronger practical bridge into GCIA-style depth instead of jumping straight to the advanced badge.","You can already handle basic incident workflow and now need better network evidence fluency."],"signals_you_should_wait":["You still need broad incident-handling fundamentals more than packet depth.","Packets and protocols feel so unfamiliar that you'd benefit from more baseline networking first.","You don't have a way to practise with captures or network evidence after the course or lab session."],"suitable_experience_levels":["early_career","mid_career"],"suitable_roles":["soc_analyst","incident_responder","threat_hunter","security_engineer"],"time_commitment":"medium","tracks":["soc","threat_hunting"],"type":"practice","what_it_wont_solve":"Packet familiarity is useful, but it won't replace detection engineering, endpoint evidence, or broader incident-handling 
judgement.","x":1360,"y":80},{"best_for":"Responders, analysts, and forensic practitioners who need to investigate cloud incidents rather than treat cloud as a logging afterthought.","cert_code":"GCFR","column":"c7","common_misconception":"Cloud investigations are just host investigations with different vendor names.","cost_tier":"high","course_name":"Enterprise Cloud Forensics and Incident Response","description":"FOR509 becomes relevant when investigations increasingly live in AWS, Azure, and GCP rather than on a single endpoint. It's a practical way to adapt forensic and IR thinking to cloud-native evidence sources, logging, and collection constraints.","difficulty":"medium","focus_areas":["cloud forensics","cloud logging","cloud incident response","evidence collection"],"goals_supported":["improve_incident_handling","improve_technical_breadth","deepen_forensic_capability"],"group":null,"id":"gcfr","label":"GIAC Cloud Forensics Responder","level":"intermediate","link_label":"Official course page","notes":"Useful when your incidents increasingly span endpoints and cloud control planes at the same time.","official_url":"https://www.sans.org/cyber-security-courses/enterprise-cloud-forensics-incident-response","order":9,"prerequisite_ids":[],"recommended_next_ids":["geir","gcfa"],"recommended_prerequisite_ids":["gcih","gcfe"],"related_links":{"reading":[{"label":"Windows Artefacts as Evidence","url":"/windows-artefacts/"},{"label":"Windows Recycle Bin Forensics on Windows 10 and 11","url":"/windows-recycle-bin-forensics-on-windows-10-and-11/"},{"label":"ShellBags and User Navigation","url":"/shellbags-and-user-navigation-what-windows-remembers-about-exploration/"},{"label":"Alternate Data Streams","url":"/alternate-data-streams/"}]},"row":"dfir_b","short_label":"FOR509","signals_you_are_ready":["Cloud logs, control plane events, or cloud-resident evidence already show up in your incidents.","You need to investigate across AWS, Azure, or GCP rather than only on 
hosts.","You already understand incident response and want cloud-specific depth."],"signals_you_should_wait":["Your current work is still mostly host-centric and you lack cloud ownership context.","You're using cloud IR as a substitute for core response fundamentals.","Your organisation has little logging, retention, or access in cloud environments."],"suitable_experience_levels":["mid_career","advanced"],"suitable_roles":["soc_analyst","incident_responder","dfir_practitioner","threat_hunter","security_engineer"],"time_commitment":"high","tracks":["dfir","threat_hunting"],"type":"certification","what_it_wont_solve":"It won't fix missing log retention, poor cloud visibility, or the organisational reality that many teams still don't know who owns cloud response.","x":1880,"y":640},{"best_for":"DFIR practitioners, experienced responders, and hunters who need deeper investigative capability across enterprise incidents.","cert_code":"GCFA","column":"c5","common_misconception":"GCFA should be your first serious DFIR certification because it's the prestigious one.","cost_tier":"high","course_name":"Advanced Incident Response, Threat Hunting, and Digital Forensics","description":"FOR508 is where the roadmap shifts into deeper enterprise incident response, large-scale investigations, and more advanced hunt-oriented reasoning. 
It rewards practitioners who already have core incident handling or endpoint forensic experience.","difficulty":"high","focus_areas":["enterprise investigations","advanced incident response","threat hunting","timeline correlation"],"goals_supported":["deepen_forensic_capability","improve_technical_breadth","move_into_dfir"],"group":null,"id":"gcfa","label":"GIAC Certified Forensic Analyst","level":"advanced","link_label":"Official course page","notes":"A strong next step when your cases are getting larger, noisier, and more hypothesis-driven.","official_url":"https://www.sans.org/cyber-security-courses/advanced-incident-response-threat-hunting-training/","order":10,"prerequisite_ids":[],"recommended_next_ids":["geir","grem","validation"],"recommended_prerequisite_ids":["gcfe","gcih"],"related_links":{"organisation":[{"label":"DFIR Training","url":"https://lykosdefence.com/dfir-training/"},{"label":"Incident Response Capability Validation","url":"https://lykosdefence.com/validation/"}],"reading":[{"label":"Windows Artefacts as Evidence","url":"/windows-artefacts/"},{"label":"Windows Recycle Bin Forensics on Windows 10 and 11","url":"/windows-recycle-bin-forensics-on-windows-10-and-11/"},{"label":"ShellBags and User Navigation","url":"/shellbags-and-user-navigation-what-windows-remembers-about-exploration/"},{"label":"Alternate Data Streams","url":"/alternate-data-streams/"}]},"row":"dfir_c","short_label":"FOR508","signals_you_are_ready":["You already do incident handling or endpoint analysis and need larger-enterprise investigative depth.","Correlating multiple evidence sources and building stronger hypotheses is becoming normal work.","You want deeper investigation, not a prestige badge to skip the middle steps."],"signals_you_should_wait":["You still need GCFE- or GCIH-level foundation more than advanced enterprise cases.","You're reaching for the name value before you can reliably interpret endpoint evidence.","You don't yet write or defend findings from real 
investigations."],"suitable_experience_levels":["mid_career","advanced"],"suitable_roles":["incident_responder","dfir_practitioner","threat_hunter"],"time_commitment":"high","tracks":["dfir","threat_hunting"],"type":"certification","what_it_wont_solve":"It doesn't remove the need for disciplined evidence handling, writing, or organisational coordination under pressure.","x":1360,"y":732},{"best_for":"Senior responders, DFIR practitioners, and hunters dealing with larger enterprise incidents and more complex response coordination.","cert_code":"GEIR","column":"c10","common_misconception":"FOR608 replaces the need for earlier platform depth and baseline investigative habits.","cost_tier":"high","course_name":"Enterprise-Class Incident Response and Threat Hunting","description":"FOR608 belongs later on the roadmap, once incident handling and at least one investigative branch already do real work for you. It fits practitioners who need stronger enterprise-scale response judgement, threat hunting, and cross-environment investigation rather than another introductory handling course.","difficulty":"high","focus_areas":["enterprise incident response","threat hunting","large-scale investigations","response coordination"],"goals_supported":["improve_incident_handling","improve_technical_breadth","deepen_forensic_capability","move_toward_leadership"],"group":"advanced_response","id":"geir","label":"GIAC Enterprise Incident Response","level":"advanced","link_label":"Official course page","notes":"Treat this as an advanced consolidation step once incident handling and at least one evidence branch are already established.","official_url":"https://www.sans.org/cyber-security-courses/enterprise-class-incident-response-threat-hunting/","order":11,"prerequisite_ids":[],"recommended_next_ids":["gcil","validation"],"recommended_prerequisite_ids":["gcfa","gcfr","gnfa"],"related_links":{"organisation":[{"label":"Incident Response Capability 
Validation","url":"https://lykosdefence.com/validation/"}],"reading":[{"label":"A Roadmap to Earning Your First or Next SANS Certification","url":"/a-roadmap-to-earning-your-first-or-next-sans-certification/"}]},"row":"dfir_b","short_label":"FOR608","signals_you_are_ready":["You already handle serious incidents and need stronger enterprise-scale response and hunt depth.","Complex, multi-system investigations are part of your actual role.","You can already lean on at least one solid evidence branch such as endpoint, cloud, or network analysis."],"signals_you_should_wait":["Core handling, endpoint, or cloud fundamentals are still shaky.","You're choosing it because it sounds senior rather than because the work demands it.","You don't yet operate in incidents complex enough to use the material."],"suitable_experience_levels":["advanced"],"suitable_roles":["incident_responder","dfir_practitioner","threat_hunter","security_engineer","team_lead_manager"],"time_commitment":"high","tracks":["dfir","threat_hunting"],"type":"certification","what_it_wont_solve":"It won't rescue weak collection discipline, poor case writing, or an organisation that hasn't clarified roles and decision paths during incidents.","x":2750,"y":640},{"best_for":"Responders and early DFIR practitioners who need stronger investigative discipline rather than more tooling.","cert_code":"Practice","column":"c2.1","common_misconception":"Good investigators can reconstruct the case later from memory, screenshots, and whatever the tooling saved.","cost_tier":"low","description":"Good incident notes aren't admin overhead; they're the difference between a vague recollection and a defensible account of what you saw, when you saw it, why you believed it, and what changed next. 
Build the habit before your cases get big enough that weak notes become a real liability.","difficulty":"medium","focus_areas":["case notes","evidence tracking","timeline discipline","hypothesis logging"],"goals_supported":["improve_incident_handling","move_into_dfir","deepen_forensic_capability"],"group":"forensics","id":"case_note_writing","label":"Case note writing and evidence tracking","level":"foundational","link_label":"Read the evidence-writing guide","notes":"This is the discipline node that keeps later forensic and enterprise cases from becoming undocumented guesswork.","official_url":"/understanding-windows-artefacts-as-evidence-not-indicators/","order":12,"prerequisite_ids":[],"provider":"Self-guided practice","recommended_next_ids":["report_writing","gcfa"],"recommended_prerequisite_ids":["gcih"],"related_links":{"reading":[{"label":"Understanding Windows Artefacts as Evidence","url":"/understanding-windows-artefacts-as-evidence-not-indicators/"},{"label":"Windows Artefacts as Evidence","url":"/windows-artefacts/"}]},"row":"foundations_a","short_label":"Case notes","signals_you_are_ready":["Your cases are getting messy enough that you can feel the cost of weak notes.","You already investigate events but want a more defensible and repeatable record of what you did.","You're ready to treat note taking as part of the investigation, not as admin to do afterwards."],"signals_you_should_wait":["You're still trying to understand the basic flow of an incident and have too much cognitive load already.","You expect note-taking templates alone to fix unclear thinking.","You don't yet have a stable enough workflow to make note habits stick."],"suitable_experience_levels":["early_career","mid_career","advanced"],"suitable_roles":["soc_analyst","incident_responder","dfir_practitioner","threat_hunter","security_engineer"],"time_commitment":"medium","tracks":["dfir"],"type":"practice","what_it_wont_solve":"Better notes won't compensate for weak scoping, poor evidence 
collection, or bad judgement. They make good investigative work easier to defend; they don't create it for you.","x":860,"y":80},{"best_for":"Experienced responders, hunters, and malware-focused practitioners who need stronger reverse engineering capability.","cert_code":"GREM","column":"c10","common_misconception":"Reverse engineering is the natural next badge for every advanced DFIR practitioner.","cost_tier":"high","course_name":"Reverse-Engineering Malware: Malware Analysis Tools and Techniques","description":"FOR610 is a specialist path for practitioners who need to look inside malicious code rather than stopping at behavioural analysis and containment. It's not a default next step for everyone in DFIR; it matters when malware understanding is genuinely part of your investigations or defensive work.","difficulty":"high","focus_areas":["malware analysis","reverse engineering","code analysis","malicious tooling"],"goals_supported":["deepen_forensic_capability","improve_technical_breadth"],"group":"advanced_response","id":"grem","label":"GIAC Reverse Engineering Malware","level":"advanced","link_label":"Official course page","notes":"Specialist branch for cases where understanding the malware itself changes the quality of the investigation.","official_url":"https://www.sans.org/cyber-security-courses/reverse-engineering-malware-malware-analysis-tools-techniques/","order":12,"prerequisite_ids":[],"recommended_next_ids":[],"recommended_prerequisite_ids":["gcfa"],"related_links":{"reading":[{"label":"Build Your Own Forensics Go-Bag","url":"/build-your-own-forensics-go-bag/"},{"label":"A Roadmap to Earning Your First or Next SANS Certification","url":"/a-roadmap-to-earning-your-first-or-next-sans-certification/"}]},"row":"threat_hunting_b","short_label":"FOR610","signals_you_are_ready":["You have real cases where understanding malicious code changes the quality of the response.","You already have strong investigative discipline and want a malware-analysis 
branch."],"signals_you_should_wait":["You still need stronger handling or forensic fundamentals more than reverse engineering.","You expect malware analysis to fix ordinary triage or scoping weaknesses.","You rarely touch cases where code-level insight materially changes the outcome."],"suitable_experience_levels":["advanced"],"suitable_roles":["incident_responder","dfir_practitioner","threat_hunter","security_engineer"],"time_commitment":"high","tracks":["dfir","threat_hunting"],"type":"certification","what_it_wont_solve":"It won't make you faster at ordinary incident handling if the real bottleneck is triage, writing, containment, or evidence correlation.","x":2750,"y":870},{"best_for":"Engineers, responders, and leaders moving into industrial control system and operational technology security work.","cert_code":"GICSP","column":"c2","common_misconception":"ICS security is just enterprise security with different device names.","cost_tier":"high","course_name":"ICS/SCADA Security Essentials","description":"ICS410 is the right branch when your work touches ICS and OT environments and you need a real operational technology security baseline instead of assuming enterprise IT lessons port across cleanly. 
It's a context shift as much as a technical one.","difficulty":"medium","focus_areas":["ics security","ot systems","safety and reliability","industrial risk"],"goals_supported":["build_foundations","improve_technical_breadth","improve_incident_handling"],"group":"industrial","id":"gicsp","label":"Global Industrial Cyber Security Professional","level":"foundational","link_label":"Official course page","notes":"This is the OT branch for people who need to stop treating industrial environments like ordinary IT estates.","official_url":"https://www.sans.org/cyber-security-courses/ics-scada-cyber-security-essentials/","order":13,"prerequisite_ids":[],"recommended_next_ids":["grid"],"recommended_prerequisite_ids":["gsec"],"related_links":{"career":[{"label":"Career Coaching","url":"/career-coaching/"}],"organisation":[{"label":"Incident Response Capability Validation","url":"https://lykosdefence.com/validation/"},{"label":"Incident Response Plans and Playbooks","url":"https://lykosdefence.com/playbooks/"},{"label":"Tabletop Exercises","url":"https://lykosdefence.com/tabletop-exercises/"}],"reading":[{"label":"A Roadmap to Earning Your First or Next SANS Certification","url":"/a-roadmap-to-earning-your-first-or-next-sans-certification/"}]},"row":"readiness_a","short_label":"ICS410","signals_you_are_ready":["Your work touches ICS or OT environments and you need industrial context, not just enterprise security knowledge.","You understand basic security concepts and now need to adapt them to operational constraints.","You're prepared to think about reliability, safety, and engineering realities alongside cyber risk."],"signals_you_should_wait":["OT or ICS work is still theoretical for you.","You're treating industrial security as a simple extension of enterprise IT.","You still need broad security fundamentals before branching into a specialised 
domain."],"suitable_experience_levels":["early_career","mid_career","advanced"],"suitable_roles":["incident_responder","security_engineer","team_lead_manager"],"time_commitment":"high","tracks":["foundations","readiness"],"type":"certification","what_it_wont_solve":"It won't give you plant context, engineering authority, or an incident process that has been validated against real operational constraints.","x":380,"y":1340},{"best_for":"Practitioners whose findings need to be read, challenged, or acted on by leaders, clients, or the wider response team.","cert_code":"Practice","column":"c4","common_misconception":"Strong technical work automatically turns into a strong report once the case is over.","cost_tier":"low","description":"Report writing is where technical work becomes useful to someone else. Clear scope, bounded findings, evidence-backed claims, and honest uncertainty matter more than sounding impressive. Strong reporting usually becomes the bottleneck before technical depth does.","difficulty":"medium","focus_areas":["report structure","findings language","bounded conclusions","stakeholder communication"],"goals_supported":["improve_incident_handling","deepen_forensic_capability","move_toward_leadership"],"group":"forensics","id":"report_writing","label":"Investigation report writing","level":"intermediate","notes":"This is the communication discipline node that makes later advanced investigations and leadership tracks more useful in practice.","order":13,"prerequisite_ids":["case_note_writing"],"provider":"Self-guided practice","recommended_next_ids":["gcfa","geir"],"recommended_prerequisite_ids":[],"related_links":{"career":[{"label":"Career coaching","url":"/career-coaching/"}],"reading":[{"label":"ShellBags and User Navigation","url":"/shellbags-and-user-navigation-what-windows-remembers-about-exploration/"},{"label":"A Roadmap to Earning Your First or Next SANS 
Certification","url":"/a-roadmap-to-earning-your-first-or-next-sans-certification/"}]},"row":"foundations_a","short_label":"Report writing","signals_you_are_ready":["You already produce findings or summaries and know the communication quality needs to improve.","Other people need to understand, review, or act on your investigative output.","You're ready to spend time improving clarity, scope control, and evidence-backed language."],"signals_you_should_wait":["You still need to build basic investigative discipline and case notes first.","You're looking for report polish to hide uncertainty you haven't actually resolved.","Your work rarely gets written up in a way that someone else must rely on."],"suitable_experience_levels":["mid_career","advanced"],"suitable_roles":["incident_responder","dfir_practitioner","threat_hunter","security_engineer"],"time_commitment":"medium","tracks":["dfir","leadership"],"type":"practice","what_it_wont_solve":"Better writing won't fix weak evidence, unclear ownership, or decisions that were never documented in the first place.","x":1090,"y":80},{"best_for":"OT defenders, engineers, and responders who need deeper industrial visibility, detection, and response skill.","cert_code":"GRID","column":"c4","common_misconception":"OT response can follow enterprise response playbooks unchanged.","cost_tier":"high","course_name":"ICS Visibility, Detection, and Response","description":"ICS515 deepens the OT branch into visibility, detection, and response work inside industrial environments. 
It's valuable once the ICS/OT context is already familiar and you need stronger industrial detection and response capability rather than generic enterprise guidance.","difficulty":"high","focus_areas":["ics visibility","industrial detection","ot incident response","active defence"],"goals_supported":["improve_incident_handling","improve_technical_breadth"],"group":"industrial","id":"grid","label":"GIAC Response and Industrial Defense","level":"advanced","link_label":"Official course page","notes":"Use this when industrial detection and response is part of the real job, not just an adjacent curiosity.","official_url":"https://www.sans.org/cyber-security-courses/ics-visibility-detection-response/","order":14,"prerequisite_ids":["gicsp"],"recommended_next_ids":[],"recommended_prerequisite_ids":[],"related_links":{"career":[{"label":"Career Coaching","url":"/career-coaching/"}],"organisation":[{"label":"Incident Response Capability Validation","url":"https://lykosdefence.com/validation/"}],"reading":[{"label":"A Roadmap to Earning Your First or Next SANS Certification","url":"/a-roadmap-to-earning-your-first-or-next-sans-certification/"}]},"row":"readiness_a","short_label":"ICS515","signals_you_are_ready":["You already understand the OT or ICS context and now need stronger industrial detection and response depth.","Visibility, monitoring, and response in industrial environments are part of the real job.","You can already distinguish operational constraints from ordinary enterprise assumptions."],"signals_you_should_wait":["You're still building your first OT or ICS baseline.","You want an industrial specialist course without regular exposure to industrial systems.","The environment around you isn't ready to support OT detection and response 
practice."],"suitable_experience_levels":["mid_career","advanced"],"suitable_roles":["incident_responder","security_engineer","team_lead_manager"],"time_commitment":"high","tracks":["readiness"],"type":"certification","what_it_wont_solve":"It will not remove the need to align cyber actions with engineering, safety, and operational decision-making.","x":1090,"y":1340},{"best_for":"SOC leads, managers, and senior practitioners responsible for building or improving a security operations function.","cert_code":"GSOM","column":"c7","common_misconception":"GSOM is just GCIL with more management language.","cost_tier":"high","course_name":"Building and Leading Security Operations Centers","description":"LDR551 is a useful branch when your responsibility is shifting from doing the work to structuring the work. It focuses on running a SOC and building an operations function that can support real incident response instead of just accumulating analysts and tooling.","difficulty":"medium","focus_areas":["soc leadership","operating model","workflow design","team management"],"goals_supported":["improve_incident_handling","move_toward_leadership"],"group":"readiness","id":"gsom","label":"GIAC Security Operations Manager","level":"intermediate","link_label":"Official course page","notes":"Useful when the challenge is operating the function well, not just strengthening one analyst's technique.","official_url":"https://www.sans.org/cyber-security-courses/building-leading-security-operations-centers/","order":15,"prerequisite_ids":[],"recommended_next_ids":["incident_response_plan_review","playbooks_quality_check","gcil","validation"],"recommended_prerequisite_ids":["gmon","gcih"],"related_links":{"organisation":[{"label":"Incident Response Playbooks","url":"https://lykosdefence.com/playbooks/"},{"label":"Incident Response Capability Validation","url":"https://lykosdefence.com/validation/"}]},"row":"leadership_a","short_label":"LDR551","signals_you_are_ready":["You're responsible 
for how a SOC operates, not just for your own analyst output.","Staffing, workflow, handoff quality, and operating model questions are becoming your problem.","You want to improve how the function runs rather than only deepen one technical niche."],"signals_you_should_wait":["You're still earlier in the journey and need stronger analyst or handler fundamentals.","You expect a management course to fix unclear authority, bad process ownership, or missing validation by itself.","You don't yet influence the operating model of a SOC or response team."],"suitable_experience_levels":["mid_career","advanced"],"suitable_roles":["soc_analyst","incident_responder","security_engineer","team_lead_manager"],"time_commitment":"medium","tracks":["leadership","readiness"],"type":"certification","what_it_wont_solve":"It won't prove the SOC is staffed correctly, the workflows are executable, or the surrounding response organisation can function under pressure.","x":1880,"y":1050},{"best_for":"Leads and senior responders who need better incident coordination and leadership framing rather than another purely technical badge.","cert_code":"GCIL","column":"c8","common_misconception":"A leadership cert closes readiness gaps by itself.","cost_tier":"high","course_name":"Cyber Incident Management","description":"LDR553 is the most relevant node here when your responsibility includes coordination, decision-making, and incident leadership across people, process, and time pressure. 
It is not a substitute for exercising the function you lead.","difficulty":"medium","focus_areas":["incident command","decision making","coordination","leadership"],"goals_supported":["move_toward_leadership","improve_incident_handling"],"group":"readiness","id":"gcil","label":"GIAC Cyber Incident Leader","level":"advanced","link_label":"Official course page","notes":"This is where the roadmap becomes explicitly organisational, not just individual.","official_url":"https://www.sans.org/cyber-security-courses/cyber-incident-management-training/","order":16,"prerequisite_ids":[],"recommended_next_ids":["incident_command_structure","tabletop_exercise","validation"],"recommended_prerequisite_ids":["gcih","gstrt"],"related_links":{"career":[{"label":"Career Coaching","url":"/career-coaching/"}],"organisation":[{"label":"Incident Response Capability Validation","url":"https://lykosdefence.com/validation/"},{"label":"Tabletop exercises","url":"https://lykosdefence.com/tabletop-exercises/"},{"label":"Incident response playbooks","url":"https://lykosdefence.com/playbooks/"}],"reading":[{"label":"A Roadmap to Earning Your First or Next SANS Certification","url":"/a-roadmap-to-earning-your-first-or-next-sans-certification/"}]},"row":"leadership_b","short_label":"LDR553","signals_you_are_ready":["You already influence or lead incidents and need a better coordination framework under pressure.","Decision-making, communication, and command clarity are active responsibilities in your work.","The gap you feel is leadership and coordination, not another purely technical branch."],"signals_you_should_wait":["You still need stronger incident-handling fundamentals more than leadership framing.","You're using leadership content to avoid building technical credibility first.","You don't yet have opportunities to exercise coordination and decision-making in 
incidents."],"suitable_experience_levels":["mid_career","advanced"],"suitable_roles":["incident_responder","team_lead_manager","security_engineer"],"time_commitment":"medium","tracks":["leadership","readiness"],"type":"certification","what_it_wont_solve":"It won't prove your team can execute under stress. Plans, playbooks, exercises, and validation still matter.","x":2140,"y":1160},{"best_for":"Early-career analysts and defenders moving from general security knowledge into hands-on operational roles within a SOC or detection-focused team.","cert_code":"GSOC","column":"c2","common_misconception":"Blue team fundamentals are optional once you have a baseline certification like GSEC.","cost_tier":"high","course_name":"SOC Analyst Training – Applied Skills for Cyber Defense Operations","description":"SEC450 focuses on the practical workflow of security operations, turning foundational knowledge into repeatable triage, investigation, and escalation habits within a SOC environment.","difficulty":"medium","focus_areas":["soc operations","triage workflow","alert analysis","investigation fundamentals","escalation discipline"],"goals_supported":["improve_incident_handling","improve_technical_breadth"],"group":"detection","id":"gsoc","label":"GIAC Security Operations Certified","level":"foundational","link_label":"Official course page","notes":"This is where theory becomes workflow. 
It builds the habits that later certifications assume you already have.","official_url":"https://www.sans.org/cyber-security-courses/soc-analyst-training-applied-skills-cyber-defense-operations","order":17,"prerequisite_ids":["gsec"],"recommended_next_ids":["gnfa"],"recommended_prerequisite_ids":[],"related_links":{"career":[{"label":"Career Coaching","url":"/career-coaching/"}],"organisation":[{"label":"Incident Response Capability Validation","url":"https://lykosdefence.com/validation/"}],"reading":[{"label":"Windows Artefacts as Evidence","url":"/windows-artefacts/"},{"label":"Windows Recycle Bin Forensics on Windows 10 and 11","url":"/windows-recycle-bin-forensics-on-windows-10-and-11/"},{"label":"ShellBags and User Navigation","url":"/shellbags-and-user-navigation-what-windows-remembers-about-exploration/"},{"label":"Alternate Data Streams","url":"/alternate-data-streams/"},{"label":"A Roadmap to Earning Your First or Next SANS Certification","url":"/a-roadmap-to-earning-your-first-or-next-sans-certification/"}]},"row":"soc_a","short_label":"SEC450","signals_you_are_ready":["You're moving into a SOC or detection-focused role and need structured triage and investigation habits.","You understand basic security concepts but need to apply them consistently to alerts and events.","You want to move from “understanding tools” to “working cases.”"],"signals_you_should_wait":["You still need core security foundations (e.g. 
networking, operating systems, basic security concepts).","You're not yet working with alerts, logs, or detection workflows in any meaningful way.","You're looking for advanced detection or forensics depth before building operational fundamentals."],"suitable_experience_levels":["beginner","early_career","mid_career"],"suitable_roles":["soc_analyst","incident_responder","security_engineer"],"time_commitment":"high","tracks":["foundations","soc"],"type":"certification","what_it_wont_solve":"It won't create strong analysts without repeated exposure to real alerts, structured case review, and feedback loops on decision quality.","x":380,"y":285},{"best_for":"SOC analysts, detection engineers, and security engineers responsible for creating, tuning, and scaling detection across SIEM or telemetry platforms.","cert_code":"GCDA","column":"c7","common_misconception":"Improving SIEM content alone will fix SOC maturity or detection quality.","cost_tier":"high","course_name":"Detection Engineering and SIEM Analytics","description":"SEC555 focuses on building and improving detection capability through structured analytics, SIEM engineering, and detection content design. 
It shifts practitioners from consuming alerts to designing how detection works across an environment.","difficulty":"high","focus_areas":["detection engineering","siem analytics","detection content design","telemetry correlation","alert quality improvement"],"goals_supported":["improve_incident_handling","improve_technical_breadth"],"group":"detection","id":"gcda","label":"GIAC Certified Detection Analyst","level":"advanced","link_label":"Official course page","notes":"This is the pivot from “working alerts” to “building detection capability.” It's most valuable once you understand how investigations actually use the alerts you create.","official_url":"https://www.sans.org/cyber-security-courses/detection-engineering-siem-analytics","order":18,"prerequisite_ids":["gmon"],"recommended_next_ids":["gdsa","gpyc"],"recommended_prerequisite_ids":["gcih","gcia"],"row":"soc_a","short_label":"SEC555","signals_you_are_ready":["You're already working with alerts, logs, or SIEM platforms and need to improve how detection actually works.","You're tuning rules, writing queries, or trying to reduce noise and improve signal quality.","You want to move from reacting to alerts to shaping what gets detected in the first place."],"signals_you_should_wait":["You don't yet have baseline monitoring or triage discipline.","You're still learning how to investigate alerts rather than how to design them.","You have limited exposure to how detection quality affects investigations and response outcomes."],"suitable_experience_levels":["mid_career","advanced"],"suitable_roles":["soc_analyst","security_engineer","threat_hunter"],"time_commitment":"high","tracks":["soc"],"type":"certification","what_it_wont_solve":"It won't fix weak incident ownership, poor escalation discipline, or a lack of structured investigation workflows around the alerts it produces.","x":1880,"y":285},{"best_for":"Security engineers, senior defenders, and technical leads who are moving from day-to-day operations into 
architecture, control design, and security decision-making at a system level.","cert_code":"GDSA","column":"c8","common_misconception":"Architecture maturity comes from diagrams, frameworks, or zero trust language alone rather than proving that controls, trust boundaries, and operating assumptions work in practice.","cost_tier":"high","course_name":"Defensible Security Architecture and Engineering: Implementing Zero Trust for the Hybrid Enterprise","description":"SEC530 focuses on designing defensible enterprise security architectures, especially in hybrid environments where identity, segmentation, cloud, and control placement need to work together under real operational constraints. It's a move from operating controls to designing how those controls should fit together.","difficulty":"high","focus_areas":["architecture","engineering","defensible design","zero trust","hybrid enterprise security"],"goals_supported":["improve_technical_breadth","move_toward_leadership"],"group":"detection","id":"gdsa","label":"GDSA","level":"advanced","link_label":"Official course page","notes":"This is an engineering and architecture depth branch. 
It's most valuable once you already understand how detection, response, and control failures play out in the real world.","official_url":"https://www.sans.org/cyber-security-courses/defensible-security-architecture-and-engineering","order":19,"prerequisite_ids":["gcda"],"recommended_next_ids":[],"recommended_prerequisite_ids":["gmon","gcih"],"row":"soc_a","short_label":"SEC530","signals_you_are_ready":["You already influence design and control decisions, not just day-to-day operational work.","You need to make security architecture choices that balance usability, resilience, and detection value.","Your role increasingly involves asking where controls should live, how systems should trust each other, and what assumptions will still hold during incidents."],"signals_you_should_wait":["You still need stronger operational detection grounding.","You have limited experience seeing how architecture decisions affect investigations, alert quality, or response friction.","You're looking for architecture as a substitute for hands-on operational depth rather than as a layer built on top of it."],"suitable_experience_levels":["mid_career","advanced"],"suitable_roles":["security_engineer","team_lead_manager","incident_responder"],"time_commitment":"high","tracks":["soc","leadership"],"type":"certification","what_it_wont_solve":"It won't replace operational testing, incident-informed design review, or the need to validate whether architecture assumptions hold up during real investigations and response activity.","x":2140,"y":285},{"best_for":"Analysts and engineers responsible for improving efficiency, consistency, and scale in detection, investigation, and response workflows.","cert_code":"GPYC","column":"c9","common_misconception":"Automation removes the need for analyst judgement rather than amplifying it.","cost_tier":"high","course_name":"AI-Powered Security Automation: Building Tools with Python, LLMs, and MCP","description":"SEC573 focuses on building automation that 
improves and scales security workflows. It moves practitioners from manually executing tasks to designing systems that perform triage, enrichment, and response actions consistently and at scale.","difficulty":"high","focus_areas":["automation","python","workflow engineering","orchestration","scaling defensive operations"],"goals_supported":["improve_technical_breadth"],"group":"detection","id":"gpyc","label":"GIAC Python Coder","level":"advanced","link_label":"Official course page","notes":"This is a force multiplier. It's most valuable once you understand the workflow you are trying to scale and can distinguish between what should be automated and what requires human judgement.","official_url":"https://www.sans.org/cyber-security-courses/ai-powered-security-automation","order":20,"prerequisite_ids":["gcda"],"recommended_next_ids":[],"recommended_prerequisite_ids":["gmon","gcih"],"row":"soc_b","short_label":"SEC573","signals_you_are_ready":["You're repeatedly performing the same enrichment, triage, or response steps.","You're bottlenecked by manual processes rather than lack of knowledge.","You want to improve consistency and reduce variability in how work is performed.","You understand the workflow well enough to define what “good” looks like before automating it."],"signals_you_should_wait":["You need stable operational workflows first.","You're still learning how to triage and investigate alerts manually.","You're trying to use automation to compensate for unclear processes or weak detection quality."],"suitable_experience_levels":["mid_career","advanced"],"suitable_roles":["soc_analyst","security_engineer","threat_hunter"],"time_commitment":"high","tracks":["soc"],"type":"certification","what_it_wont_solve":"It won't fix poor process design, unclear ownership, or inconsistent decision-making. 
Automating a weak process typically makes the outcome worse, faster.","x":2400,"y":360},{"best_for":"DFIR practitioners, responders, and hunters working in environments where Linux systems, cloud workloads, or containerised infrastructure form a meaningful part of incident scope.","cert_code":"GLIR","column":"c9","common_misconception":"Linux incident response is just a variation of Windows DFIR with different commands and tooling.","cost_tier":"high","course_name":"LINUX Incident Response and Threat Hunting","description":"FOR577 builds Linux-focused incident response and hunting capability for environments where Linux systems aren't peripheral but central to investigations. It emphasises host-based analysis, attacker behaviour on Linux systems, and the practical realities of investigating across mixed or cloud-heavy estates.","difficulty":"high","focus_areas":["linux ir","host-based analysis","threat hunting","cloud and container context","attacker tradecraft on linux"],"goals_supported":["deepen_forensic_capability","improve_technical_breadth"],"group":null,"id":"glir","label":"GIAC Linux Incident Responder","level":"advanced","link_label":"Official course page","notes":"Best treated as a depth branch once Linux systems materially affect your investigative scope. 
Particularly relevant for cloud-heavy or hybrid estates.","official_url":"https://www.sans.org/cyber-security-courses/linux-threat-hunting-incident-response/","order":21,"prerequisite_ids":["gcfa"],"recommended_next_ids":[],"recommended_prerequisite_ids":["gcih"],"row":"dfir_c","short_label":"FOR577","signals_you_are_ready":["Linux systems are central to your incidents.","You're already handling enterprise incidents and need deeper visibility into Linux hosts, cloud workloads, or hybrid environments.","You're comfortable investigating Windows or mixed environments and want equivalent depth on Linux systems."],"signals_you_should_wait":["You still need baseline enterprise IR depth first.","You rarely investigate Linux systems in real incidents.","You're still building core endpoint or enterprise investigation skills and would benefit more from broader DFIR experience first."],"suitable_experience_levels":["mid_career","advanced"],"suitable_roles":["incident_responder","dfir_practitioner","threat_hunter"],"time_commitment":"high","tracks":["dfir","threat_hunting"],"type":"certification","what_it_wont_solve":"It won't compensate for weak investigative fundamentals, poor collection practices, or limited experience correlating activity across systems. 
Linux depth adds value only when core incident handling and forensic reasoning are already strong.","x":2400,"y":732},{"best_for":"Senior malware-focused practitioners and advanced threat hunting teams.","cert_code":"N/A","column":"c12","common_misconception":"Advanced malware depth is a default next step for all DFIR paths.","cost_tier":"high","course_name":"Reverse-Engineering Malware: Advanced Code Analysis","description":"Deep malware analysis specialisation after strong incident and reverse-engineering foundations.","difficulty":"high","focus_areas":["malware analysis","reverse engineering","advanced ir"],"goals_supported":["deepen_forensic_capability"],"group":"advanced_response","id":"for710","label":"FOR710 Advanced Malware Analysis","level":"advanced","link_label":"Official course page","notes":"Advanced malware specialisation.","official_url":"https://www.sans.org/cyber-security-courses/reverse-engineering-malware-advanced-code-analysis","order":22,"prerequisite_ids":["grem"],"recommended_next_ids":[],"recommended_prerequisite_ids":["geir"],"row":"threat_hunting_b","short_label":"FOR710","signals_you_are_ready":["You already perform sustained malware analysis.","You are comfortable reversing moderately complex binaries without step-by-step guidance.","You can explain attacker behaviour from artefacts, not just identify indicators."],"signals_you_should_wait":["You still need broader incident and forensic fundamentals.","You struggle to interpret endpoint or memory artefacts without tooling doing the heavy lifting.","You have limited experience scoping incidents beyond single hosts or isolated samples."],"suitable_experience_levels":["advanced"],"suitable_roles":["dfir_practitioner","threat_hunter","incident_responder"],"time_commitment":"high","tracks":["dfir","threat_hunting"],"type":"certification","what_it_wont_solve":"It won't help without clear operational use-cases and consistent RE requirements.","x":3180,"y":870},{"best_for":"Mid-career and 
advanced responders, threat hunters, and DFIR practitioners who already investigate incidents and want to integrate CTI into scoping, hypothesis development, and investigative decision-making.","cert_code":"GCTI","column":"c9","common_misconception":"CTI maturity comes from buying more feeds or collecting more reporting, rather than improving how intelligence is evaluated, contextualised, and turned into decisions.","cost_tier":"high","course_name":"Cyber Threat Intelligence","description":"FOR578 is a strong branch for practitioners who want to turn adversary reporting, intrusion patterns, and external intelligence into something operationally useful during investigations, hunting, and detection improvement.","difficulty":"high","focus_areas":["cti","adversary mapping","investigative context","threat-informed analysis","collection planning"],"goals_supported":["improve_technical_breadth","deepen_forensic_capability"],"group":"threat_hunting","id":"gcti","label":"GIAC Cyber Threat Intelligence","level":"advanced","link_label":"Official course page","notes":"Stronger as a branch after core handling and investigative depth are already in place. 
Best treated as an operational enrichment path, not a substitute for DFIR or response fundamentals.","official_url":"https://www.sans.org/cyber-security-courses/cyber-threat-intelligence","order":23,"prerequisite_ids":["gcfa"],"recommended_next_ids":[],"recommended_prerequisite_ids":["gcih"],"row":"threat_hunting_b","short_label":"FOR578","signals_you_are_ready":["You can already turn intel into investigative pivots.","You regularly map observed activity to adversary behaviour, hypotheses, or likely follow-on actions.","You want to improve how threat context informs scoping, hunting, and detection decisions rather than just consume intel passively."],"signals_you_should_wait":["You still need baseline incident handling maturity.","You're still learning how to scope incidents, interpret artefacts, or build defensible findings from evidence.","You mostly want better feeds, better dashboards, or more reporting rather than better analytical judgement."],"suitable_experience_levels":["mid_career","advanced"],"suitable_roles":["threat_hunter","incident_responder","dfir_practitioner"],"time_commitment":"high","tracks":["dfir","threat_hunting"],"type":"certification","what_it_wont_solve":"It won't fix weak incident handling, poor collection discipline, or shallow investigative reasoning. Intelligence only helps when your team can already scope incidents, interpret evidence, and act on what they learn.","x":2400,"y":870},{"best_for":"Security engineers, OT defenders, and technical leads responsible for designing, improving, or validating security across industrial or critical infrastructure environments.","cert_code":"N/A","column":"c7","common_misconception":"OT/ICS security maturity is primarily a tooling or monitoring problem.","cost_tier":"high","course_name":"ICS Cybersecurity In-Depth","description":"ICS612 focuses on building and defending real-world OT/ICS environments, emphasising system architecture, defensive engineering, and operational resilience. 
It moves beyond awareness into how industrial systems actually function, fail, and are secured under real constraints.","difficulty":"high","focus_areas":["ics defence","ot architecture","industrial protocols","operational resilience","safety and availability constraints"],"goals_supported":["improve_technical_breadth","improve_incident_handling"],"group":"industrial","id":"ics612","label":"ICS612 ICS Cybersecurity In-Depth","level":"advanced","link_label":"Official course page","notes":"This is a depth move into industrial environments. Treat it as a separate domain with different constraints, not just an extension of IT security.","official_url":"https://www.sans.org/cyber-security-courses/ics-cyber-security-in-depth","order":25,"prerequisite_ids":["grid"],"recommended_next_ids":[],"recommended_prerequisite_ids":["gicsp"],"row":"readiness_a","short_label":"ICS612","signals_you_are_ready":["You're responsible for sustained OT/ICS security capability, not just exposure to it.","You need to understand how industrial systems actually operate to design or defend them effectively.","You're working in, or moving into, environments where safety, uptime, and physical process integrity are critical constraints."],"signals_you_should_wait":["You still need foundational ICS visibility, terminology, and response patterns.","Your current role has limited interaction with OT/ICS environments.","You're still building core incident response or security engineering fundamentals outside of OT."],"suitable_experience_levels":["mid_career","advanced"],"suitable_roles":["security_engineer","team_lead_manager","incident_responder"],"time_commitment":"medium","tracks":["readiness","industrial"],"type":"certification","what_it_wont_solve":"It won't replace the need for strong cross-functional coordination between engineering, operations, and security teams, nor will it compensate for a lack of real operational ownership of OT environments.","x":1880,"y":1340},{"best_for":"Practitioners 
moving from purely technical roles into positions that require risk framing, stakeholder communication, and broader security program awareness.","cert_code":"CISSP","column":"c2","common_misconception":"CISSP is a technical leadership certification that proves hands-on capability.","cost_tier":"high","course_name":"SANS Training Program for CISSP® Certification","description":"CISSP represents a broad security management and governance baseline. It's less about hands-on capability and more about understanding how security programs are structured, measured, and communicated across an organisation.","difficulty":"medium","focus_areas":["security governance","risk management","security domains breadth","stakeholder communication"],"goals_supported":["move_toward_leadership"],"group":"readiness","id":"cissp","label":"CISSP","level":"foundational","link_label":"Official course page","notes":"This is a breadth and language certification. It helps you operate across domains, but it doesn't replace depth in any of them.","official_url":"https://www.sans.org/cyber-security-courses/sans-training-cissp-certification","order":26,"prerequisite_ids":["gsec"],"recommended_next_ids":["ldr419"],"recommended_prerequisite_ids":["gcih"],"row":"leadership_a","short_label":"LDR414","signals_you_are_ready":["You're already translating technical issues into risk or business impact for stakeholders.","You need broader coverage of security domains to support management or architectural decisions.","Your role increasingly involves communication, prioritisation, and trade-off decisions rather than purely technical execution."],"signals_you_should_wait":["You're still building core technical or incident response capability.","You're pursuing CISSP primarily as a signalling credential without applying the material in practice.","You have limited exposure to how security decisions affect the wider 
organisation."],"suitable_experience_levels":["mid_career","advanced"],"suitable_roles":["team_lead_manager","security_engineer","incident_responder"],"time_commitment":"medium","tracks":["foundations","leadership"],"type":"certification","what_it_wont_solve":"It won't make you an effective incident leader, improve technical depth, or replace real-world ownership of systems, teams, or decisions under pressure.","x":380,"y":1050},{"best_for":"Security leads and engineers who need to move from identifying technical issues to framing them as business risk and driving prioritised action.","cert_code":"N/A","column":"c3","common_misconception":"Risk assessment is a compliance exercise rather than a decision-making tool.","cost_tier":"high","course_name":"Performing A Cybersecurity Risk Assessment","description":"LDR419 focuses on translating technical realities into defensible risk decisions. It teaches how to assess, prioritise, and communicate risk in a way that informs funding, control selection, and organisational priorities.","difficulty":"medium","focus_areas":["risk assessment","prioritisation","decision support","stakeholder communication"],"goals_supported":["move_toward_leadership"],"group":"readiness","id":"ldr419","label":"LDR419 Performing A Cybersecurity Risk Assessment","level":"foundational","link_label":"Official course page","notes":"This is where leadership starts to become accountable for trade-offs. 
It shifts you from “finding problems” to “deciding what matters most.”","official_url":"https://www.sans.org/cyber-security-courses/performing-cybersecurity-risk-assessment-training","order":27,"prerequisite_ids":["cissp"],"recommended_next_ids":["gslc"],"recommended_prerequisite_ids":["gcih"],"row":"leadership_a","short_label":"LDR419","signals_you_are_ready":["You're expected to prioritise security work across competing risks and constraints.","You need to justify security decisions in terms of business impact, not just technical severity.","Your role involves influencing funding, control selection, or program direction."],"signals_you_should_wait":["You're still focused primarily on executing technical tasks rather than prioritising them.","You have limited exposure to how risk decisions are made or challenged within your organisation.","You're treating risk as a scoring exercise rather than a basis for action."],"suitable_experience_levels":["mid_career","advanced"],"suitable_roles":["team_lead_manager","security_engineer"],"time_commitment":"medium","tracks":["leadership"],"type":"certification","what_it_wont_solve":"It won't fix weak technical execution, poor visibility, or a lack of ownership over remediation and control implementation.","x":620,"y":1050},{"best_for":"Security managers and emerging leaders responsible for coordinating people, priorities, and outcomes across more than one stream of security work.","cert_code":"GSLC","column":"c4","common_misconception":"Program leadership is mostly reporting upward and providing stakeholder updates rather than improving how work is prioritised, coordinated, and delivered.","cost_tier":"high","course_name":"Security Leadership Essentials for Managers","description":"LDR512 is a management-focused step for practitioners moving from individual or team-level execution into running security programs, aligning resources, and improving delivery across multiple workstreams. 
Its value is less in technical depth and more in helping leaders make security work scalable, accountable, and sustainable.","difficulty":"medium","focus_areas":["programme leadership","execution management","governance","prioritisation","team effectiveness"],"goals_supported":["move_toward_leadership"],"group":"readiness","id":"gslc","label":"GSLC","level":"advanced","link_label":"Official course page","notes":"This is a management maturity step, not a substitute for operational leadership. It helps once the challenge has shifted from doing the work well to making the function run well.","official_url":"https://www.sans.org/cyber-security-courses/security-leadership-essentials-for-managers","order":28,"prerequisite_ids":["ldr419"],"recommended_next_ids":["gstrt"],"recommended_prerequisite_ids":["gcih"],"row":"leadership_a","short_label":"LDR512","signals_you_are_ready":["You're accountable for program outcomes, not only tasks.","You're balancing competing priorities across teams, projects, or stakeholders.","Your role now depends more on improving delivery, coordination, and execution quality than on being the deepest technical person in the room."],"signals_you_should_wait":["You still need frontline leadership experience first.","You're still primarily an individual contributor with limited responsibility for prioritisation, staffing, or delivery outcomes.","You're looking for a management credential before you have had to own trade-offs, timelines, or team execution problems directly."],"suitable_experience_levels":["mid_career","advanced"],"suitable_roles":["team_lead_manager"],"time_commitment":"medium","tracks":["leadership"],"type":"certification","what_it_wont_solve":"It won't replace operational credibility, incident leadership under pressure, or the need to exercise and validate critical response processes in practice.","x":1090,"y":1050},{"best_for":"Senior leaders responsible for defining security strategy, operating models, and aligning the security 
program with organisational objectives.","cert_code":"GSTRT","column":"c5","common_misconception":"Strategy and policy are separate from day-to-day execution.","cost_tier":"high","course_name":"Security Strategic Planning, Policy, and Leadership","description":"LDR514 focuses on shaping how a security function operates at a strategic level, including policy, structure, and long-term planning. It helps leaders move from managing execution to defining how the organisation approaches security as a system.","difficulty":"medium","focus_areas":["strategic planning","policy development","operating model design","organisational alignment"],"goals_supported":["move_toward_leadership","improve_incident_handling"],"group":"readiness","id":"gstrt","label":"GSTRT","level":"advanced","link_label":"Official course page","notes":"This is a shift from “running the program” to “defining how the program operates.” It sits above execution, but must stay grounded in it to be effective.","official_url":"https://www.sans.org/cyber-security-courses/strategic-security-planning-policy-leadership","order":29,"prerequisite_ids":["gslc"],"recommended_next_ids":["ldr519","gsom","gcil"],"recommended_prerequisite_ids":["gcih"],"related_links":{"career":[{"label":"Career Coaching","url":"/career-coaching/"}],"organisation":[{"label":"Incident Response Capability Validation","url":"https://lykosdefence.com/validation/"},{"label":"Incident Response Playbooks","url":"https://lykosdefence.com/playbooks/"}],"reading":[{"label":"A Roadmap to Earning Your First or Next SANS Certification","url":"/a-roadmap-to-earning-your-first-or-next-sans-certification/"}]},"row":"leadership_a","short_label":"LDR514","signals_you_are_ready":["You're responsible for shaping how security operates across teams, not just managing delivery.","You're defining policies, standards, or long-term direction rather than only executing against them.","Your decisions affect multiple teams, functions, or business 
units."],"signals_you_should_wait":["You're still focused on team-level execution and delivery rather than organisational design.","You have limited responsibility for policy, governance, or long-term planning.","You're looking for strategy before having owned execution outcomes."],"suitable_experience_levels":["advanced"],"suitable_roles":["team_lead_manager","incident_responder"],"time_commitment":"medium","tracks":["leadership","readiness"],"type":"certification","what_it_wont_solve":"It won't ensure teams can execute under pressure, close operational gaps, or replace the need for exercises, playbooks, and validated response capability.","x":1360,"y":1050},{"best_for":"Senior security leaders responsible for governance, risk accountability, and aligning security outcomes with executive and board expectations.","cert_code":"N/A","column":"c6","common_misconception":"Executive security leadership is primarily about communication and reporting rather than ownership of risk decisions and their consequences.","cost_tier":"high","course_name":"Cybersecurity Risk Management and Compliance","description":"LDR519 focuses on enterprise-level security governance, risk ownership, and compliance alignment. It's about how senior leaders make, justify, and defend security decisions across an organisation under regulatory, financial, and operational constraints.","difficulty":"medium","focus_areas":["governance","enterprise risk management","compliance alignment","decision accountability","executive communication"],"goals_supported":["move_toward_leadership"],"group":"readiness","id":"ldr519","label":"Cybersecurity Risk Management and Compliance","level":"advanced","link_label":"Official course page","notes":"This is the governance layer of the roadmap. 
It's about owning and defending decisions, not just shaping or executing them.","official_url":"https://www.sans.org/cyber-security-courses/cybersecurity-risk-management-compliance","order":30,"prerequisite_ids":["gstrt"],"recommended_next_ids":[],"recommended_prerequisite_ids":["ldr419"],"related_links":{"career":[{"label":"Career Coaching","url":"/career-coaching/"}],"organisation":[{"label":"Incident Response Capability Validation","url":"https://lykosdefence.com/validation/"}],"reading":[{"label":"A Roadmap to Earning Your First or Next SANS Certification","url":"/a-roadmap-to-earning-your-first-or-next-sans-certification/"}]},"row":"leadership_b","short_label":"LDR519","signals_you_are_ready":["You're accountable for security outcomes at an organisational or business-unit level.","You're making or influencing decisions that balance risk, cost, and operational impact.","You need to justify security posture and investment to executives, boards, or regulators."],"signals_you_should_wait":["You're still primarily focused on team or programme execution rather than enterprise-level accountability.","You have limited exposure to governance, compliance, or regulatory expectations.","You haven't yet owned decisions where trade-offs have real business consequences."],"suitable_experience_levels":["advanced"],"suitable_roles":["team_lead_manager"],"time_commitment":"medium","tracks":["leadership","readiness"],"type":"certification","what_it_wont_solve":"It won't ensure operational effectiveness, incident execution capability, or fix gaps in detection, response, or engineering depth.","x":1620,"y":1160},{"best_for":"Senior responders, security managers, and leaders who already have an IR plan but aren't confident it would hold up during a serious incident.","cert_code":"Plan review","column":"c8","common_misconception":"Having an incident response plan means the organisation is prepared.","cost_tier":"low","description":"Review the incident response plan as if you expect 
to use it next month, not as a policy artefact that only needs to exist. Check scope, escalation criteria, ownership, decision authority, external dependencies, and whether the plan actually tells people what to do when ambiguity shows up.","difficulty":"medium","focus_areas":["incident response plan","escalation criteria","ownership","governance"],"goals_supported":["improve_incident_handling","move_toward_leadership"],"group":"readiness","id":"incident_response_plan_review","label":"Incident response plan review","level":"intermediate","notes":"This is often the first useful organisation-side step once leadership responsibility becomes real.","order":31,"prerequisite_ids":[],"provider":"Organisation practice","recommended_next_ids":["collection_management_framework","playbooks_quality_check"],"recommended_prerequisite_ids":["gsom","gcil"],"related_links":{"organisation":[{"label":"Incident response playbooks","url":"https://lykosdefence.com/playbooks/"},{"label":"Incident capability validation","url":"https://lykosdefence.com/validation/"}]},"row":"leadership_c","short_label":"IR Plan Review","signals_you_are_ready":["Your organisation already has an IR plan and you suspect parts of it would be vague under pressure.","You're responsible for whether escalation, ownership, and decision paths make sense in practice.","The question has shifted from individual skill to whether the response function is actually organised."],"signals_you_should_wait":["You're still building basic incident-handling skill and don't yet influence the plan.","No meaningful plan exists yet and the organisation still needs first-pass incident structure.","You want document polish rather than hard questions about scope, ownership, and actionability."],"suitable_experience_levels":["mid_career","advanced"],"suitable_roles":["incident_responder","security_engineer"],"time_commitment":"medium","tracks":["leadership","readiness"],"type":"capability","what_it_wont_solve":"A plan review exposes gaps 
in clarity and ownership, but it doesn't create rehearsal, muscle memory, or leadership judgement by itself.","x":2140,"y":1020},{"best_for":"Incident leads and senior practitioners who need a clearer command model than “everyone joins the bridge and we work it out”.","cert_code":"Command structure","column":"c10.1","common_misconception":"A strong technical lead automatically creates a usable command model.","cost_tier":"low","description":"Define how command, control, and coordination actually work during a serious incident. Who leads, who decides, who communicates externally, who keeps situational awareness, and how those roles scale when the incident grows should be explicit before you need them.","difficulty":"medium","focus_areas":["incident command","decision authority","coordination","communications"],"goals_supported":["improve_incident_handling","move_toward_leadership"],"group":"readiness","id":"incident_command_structure","label":"Incident command structure","level":"advanced","notes":"This is where individual incident leadership becomes a repeatable operating model.","order":32,"prerequisite_ids":[],"provider":"Organisation practice","recommended_next_ids":["tabletop_exercise","validation"],"recommended_prerequisite_ids":["gcil"],"related_links":{"organisation":[{"label":"Tabletop exercises","url":"https://lykosdefence.com/tabletop-exercises/"},{"label":"Incident capability validation","url":"https://lykosdefence.com/validation/"}]},"row":"readiness_a","short_label":"Incident Command","signals_you_are_ready":["Major incidents already involve multiple teams, legal, communications, or executive stakeholders.","You can feel that unclear authority causes more drag than purely technical uncertainty.","Someone needs to define who decides, who briefs, and who owns coordination before the next serious event."],"signals_you_should_wait":["You still need basic incident-handling fundamentals more than command-and-control structure.","Your organisation is looking 
for org charts without committing to real roles and decision authority.","You have no intention of rehearsing the structure after defining it."],"suitable_experience_levels":["mid_career","advanced"],"suitable_roles":["incident_responder","team_lead_manager","security_engineer"],"time_commitment":"medium","tracks":["leadership","readiness"],"type":"capability","what_it_wont_solve":"Clear command structure helps decisions move, but it doesn't replace good plans, good evidence, or repeated rehearsal.","x":2650,"y":1340},{"best_for":"Senior responders and leaders who need more confidence that evidence sources will support a real investigation.","cert_code":"Evidence governance","column":"c9","common_misconception":"Good tooling coverage automatically means the evidence you need will be there.","cost_tier":"low","description":"Decide in advance what evidence the organisation needs to answer core investigative questions, where that evidence comes from, how long it's retained, and who owns it. 
A Collection Management Framework turns logging and telemetry into deliberate investigative support instead of hopeful accumulation.","difficulty":"medium","focus_areas":["evidence requirements","log retention","collection priorities","investigative confidence"],"goals_supported":["improve_incident_handling","deepen_forensic_capability","move_toward_leadership"],"group":"readiness","id":"collection_management_framework","label":"Collection management framework","level":"advanced","notes":"This is the evidence-governance node for leaders who want investigative confidence instead of optimistic assumptions.","order":33,"prerequisite_ids":[],"provider":"Organisation practice","recommended_next_ids":["playbooks_quality_check","validation"],"recommended_prerequisite_ids":["incident_response_plan_review"],"related_links":{"organisation":[{"label":"Incident capability validation","url":"https://lykosdefence.com/validation/"}]},"row":"leadership_c","short_label":"Collection framework","signals_you_are_ready":["The hard questions in incidents are increasingly about what evidence exists and whether it can support your conclusions.","You already have tooling and logging, but not enough confidence in what those sources can actually prove.","You're ready to make evidence decisions deliberately instead of discovering the gaps mid-incident."],"signals_you_should_wait":["The organisation still lacks even a baseline response plan or ownership model.","You're hoping a CMF will hide weak collection execution or low telemetry quality.","No one is prepared to make governance decisions about retention, ownership, or evidence priorities."],"suitable_experience_levels":["mid_career","advanced"],"suitable_roles":["incident_responder","dfir_practitioner","security_engineer"],"time_commitment":"medium","tracks":["dfir","readiness"],"type":"capability","what_it_wont_solve":"A CMF improves evidence readiness, but it doesn't substitute for collection execution, analysis skill, or leadership 
during the incident itself.","x":2400,"y":1020},{"best_for":"Leaders and senior practitioners who already have playbooks but are not convinced those playbooks would survive first contact with a real incident.","cert_code":"Playbooks","column":"c10.1","common_misconception":"If a playbook exists in the document library, the operational problem is solved.","cost_tier":"low","description":"Review whether the organisation's response playbooks are specific enough to be usable, scoped enough to be realistic, and aligned with actual evidence sources and decision points. Good playbooks reduce ambiguity; weak ones create false confidence.","difficulty":"medium","focus_areas":["playbooks","decision support","response workflow","scenario coverage"],"goals_supported":["improve_incident_handling","move_toward_leadership"],"group":"readiness","id":"playbooks_quality_check","label":"Playbooks quality check","level":"intermediate","link_label":"Review playbook quality","notes":"This is the point where IR documentation becomes operational rather than aspirational.","official_url":"https://lykosdefence.com/playbooks/","order":34,"prerequisite_ids":[],"provider":"Organisation practice","recommended_next_ids":["tabletop_exercise","validation"],"recommended_prerequisite_ids":["incident_response_plan_review","collection_management_framework"],"related_links":{"organisation":[{"label":"Incident response playbooks","url":"https://lykosdefence.com/playbooks/"},{"label":"Tabletop exercises","url":"https://lykosdefence.com/tabletop-exercises/"}]},"row":"leadership_c","short_label":"Playbook Review","signals_you_are_ready":["The organisation already has playbooks, but you aren't sure they're actionable or evidence-aware.","Teams need clearer step-by-step support for common incidents and escalation decisions.","You want to identify where playbooks are vague, optimistic, or detached from real evidence and ownership."],"signals_you_should_wait":["No baseline response plan exists yet.","The real 
problem is still command ambiguity or missing evidence, not playbook wording.","You're treating playbooks as a substitute for exercising the function."],"suitable_experience_levels":["mid_career","advanced"],"suitable_roles":["incident_responder","security_engineer"],"time_commitment":"medium","tracks":["leadership","readiness"],"type":"capability","what_it_wont_solve":"Better playbooks help teams move faster, but they still need a sound command model, evidence assumptions, and rehearsal.","x":2650,"y":1020},{"best_for":"Leaders and senior practitioners who need to move from document confidence to observed decision-making under pressure.","cert_code":"Exercise","column":"c11","common_misconception":"A tabletop is just awareness training for executives.","cost_tier":"medium","description":"Put the command model, playbooks, reporting lines, and decision paths under pressure without waiting for a real incident to do it for you. A good tabletop tests whether the organisation can coordinate, escalate, communicate, and make decisions with incomplete information.","difficulty":"medium","focus_areas":["exercising","escalation","communications","decision rehearsal"],"goals_supported":["improve_incident_handling","move_toward_leadership"],"group":"readiness","id":"tabletop_exercise","label":"Tabletop exercise","level":"intermediate","link_label":"Explore tabletop exercises","notes":"This is often the fastest way to surface the gap between documentation and execution.","official_url":"https://lykosdefence.com/tabletop-exercises/","order":35,"prerequisite_ids":[],"provider":"Organisation practice","recommended_next_ids":["validation"],"recommended_prerequisite_ids":["incident_command_structure","playbooks_quality_check"],"related_links":{"organisation":[{"label":"Tabletop exercises","url":"https://lykosdefence.com/tabletop-exercises/"},{"label":"Incident capability 
validation","url":"https://lykosdefence.com/validation/"}]},"row":"readiness_a","short_label":"Tabletop","signals_you_are_ready":["The organisation already has enough structure that an exercise will reveal something useful.","Decision-making, escalation, and communications are active concerns in your role.","You want to see how the system behaves under pressure instead of only reviewing documents."],"signals_you_should_wait":["No one has defined even a baseline plan, ownership model, or playbook structure yet.","The organisation wants the appearance of testing without acting on the findings.","You're expecting the exercise itself to fix structural problems you already know about."],"suitable_experience_levels":["mid_career","advanced"],"suitable_roles":["incident_responder","security_engineer"],"time_commitment":"medium","tracks":["leadership","readiness"],"type":"capability","what_it_wont_solve":"Exercises expose gaps, but they don't close them unless the organisation updates plans, playbooks, ownership, and evidence assumptions afterwards.","x":2920,"y":1340},{"best_for":"Security leaders and senior practitioners responsible for whether incident response works beyond the individual level.","cert_code":"Validation","column":"c12","common_misconception":"If enough people are trained, the incident capability is mature.","cost_tier":"high","description":"Training improves individual judgement. Capability validation tests whether your organisation can actually execute: clear command, workable playbooks, realistic collection, defensible evidence handling, and decisions that stand up under pressure.","difficulty":"high","focus_areas":["playbooks","tabletop exercises","readiness","capability validation"],"goals_supported":["move_toward_leadership","improve_incident_handling"],"group":"readiness","id":"validation","label":"Incident capability validation","level":"advanced","link_label":"Capability validation options","notes":"Keep this bridge subtle. 
It exists to distinguish personal learning from organisational readiness.","official_url":"https://lykosdefence.com/validation/","order":37,"prerequisite_ids":[],"provider":"Lykos Defence / internal programs","recommended_next_ids":[],"recommended_prerequisite_ids":["playbooks_quality_check","tabletop_exercise"],"related_links":{"organisation":[{"label":"Incident response playbooks","url":"https://lykosdefence.com/playbooks/"},{"label":"Tabletop exercises","url":"https://lykosdefence.com/tabletop-exercises/"},{"label":"Incident capability validation","url":"https://lykosdefence.com/validation/"}]},"row":"readiness_a","short_label":"IR Validation","signals_you_are_ready":["You're accountable for whether the response capability actually works across teams, not just whether people are trained.","Plans and playbooks exist and now need realistic pressure-testing.","You need evidence about capability gaps before the next serious incident."],"signals_you_should_wait":["Foundational incident handling and ownership aren't in place yet.","The organisation isn't willing to act on validation findings.","You're treating validation as a badge rather than an improvement mechanism."],"suitable_experience_levels":["mid_career","advanced"],"suitable_roles":["incident_responder","security_engineer"],"time_commitment":"high","tracks":["leadership","readiness"],"type":"capability","what_it_wont_solve":"Validation exposes gaps. 
It still needs ownership, process improvement, and repetition to change outcomes.","x":3180,"y":1340}],"positions":{"columns":[{"id":"c1","label":"SEC401","x":20},{"id":"c1.1","label":"Labs \u0026 Systems","x":260},{"id":"c1.2","label":"Windows Internals","x":500},{"id":"c2","label":"SEC450 / LDR414 / ICS410","x":380},{"id":"c2.1","label":"Case Notes","x":860},{"id":"c3","label":"SEC504 / LDR419","x":620},{"id":"c3.1","label":"FOR500","x":970},{"id":"c4","label":"LDR512 / ICS515","x":1090},{"id":"c5","label":"FOR508 / FOR572 / LDR514","x":1360},{"id":"c6","label":"SEC511 / SEC503","x":1620},{"id":"c7","x":1880},{"id":"c8","x":2140},{"id":"c9","x":2400},{"id":"c10","label":"GLIR","x":2750},{"id":"c10.1","label":null,"x":2650},{"id":"c11","x":2920},{"id":"c12","x":3180}],"rows":[{"id":"foundations_a","y":80},{"id":"foundations_b","y":150},{"id":"soc_a","label":"GSOC / GCDA / GDSA","y":285},{"id":"soc_b","y":360},{"id":"soc_c","label":"GCIH / GCIA","y":430},{"id":"dfir_a","label":"GCFE / GCFR / GIME","y":570},{"id":"dfir_b","label":"GASF /","y":640},{"id":"dfir_c","label":"GCFA","y":732},{"id":"threat_hunting_a","y":840},{"id":"threat_hunting_b","label":"GNFA / GEIR","y":870},{"id":"leadership_a","label":"CISSP","y":1050},{"id":"leadership_b","y":1160},{"id":"leadership_c","y":1020},{"id":"readiness_a","label":"GICSP","y":1340},{"id":"readiness_b","y":1400}]},"recommendation_profiles":[{"bridge_text":"Organisations also need foundational work before specialist maturity.","common_misconception":"Foundations are optional once you know some tooling.","experience":"any","goal":"build_foundations","highlight_edge_ids":["edge_gsec_gcih","edge_gcih_gcfe"],"highlight_node_ids":["gsec","gcih","gcfe"],"id":"goal-foundations","label":"Foundations goal","primary_node_id":"gsec","recommended_first_id":"gsec","recommended_next_id":"gcih","related_links":[{"label":"Read the full SANS roadmap 
article","url":"/a-roadmap-to-earning-your-first-or-next-sans-certification/"}],"role":"any","what_certs_wont_solve":"They do not create durable fundamentals without repeated practice.","why_this_fits":"Foundations work best when they stay broad long enough to support later specialisation."},{"bridge_text":"Forensic maturity still depends on collection quality and process discipline.","common_misconception":"Advanced forensics should come before core evidence interpretation.","experience":"any","goal":"deepen_forensic_capability","highlight_edge_ids":["edge_gcih_gcfe","edge_gcfe_gcfa"],"highlight_node_ids":["gcih","gcfe","gcfa"],"id":"goal-forensics","label":"Forensics depth goal","primary_node_id":"gcfe","recommended_first_id":"gcfe","recommended_next_id":"gcfa","related_links":[{"label":"Windows Artefacts as Evidence","url":"/windows-artefacts/"},{"label":"Understanding Windows Artefacts as Evidence","url":"/understanding-windows-artefacts-as-evidence-not-indicators/"}],"role":"any","what_certs_wont_solve":"They do not remove ambiguity or make weak evidence strong.","why_this_fits":"Endpoint evidence first, then deeper enterprise-scale investigative depth."},{"bridge_text":"Handling maturity depends on whether the function can execute, not just describe what it would do.","common_misconception":"Process documents alone create strong incident handling.","experience":"any","goal":"improve_incident_handling","highlight_edge_ids":["edge_gcih_gcia","edge_gcih_gcfa_direct"],"highlight_node_ids":["gcih","gcia","gcfa"],"id":"goal-incident-handling","label":"Incident handling goal","primary_node_id":"gcih","recommended_first_id":"gcih","recommended_next_id":"gcia","related_links":[{"label":"Incident response playbooks","url":"https://lykosdefence.com/playbooks/"},{"label":"Tabletop exercises","url":"https://lykosdefence.com/tabletop-exercises/"}],"role":"any","what_certs_wont_solve":"They do not replace escalation discipline, communication, or 
rehearsal.","why_this_fits":"Incident handling improves fastest when you combine handler judgement with deeper detection and investigative capability."},{"bridge_text":"Depth, not breadth, usually breaks the plateau.","common_misconception":"Another broad certification will unlock progression.","experience":"mid_career","goal":"improve_technical_breadth","highlight_edge_ids":["edge_gcih_gcfe","edge_gcfe_gcfa"],"highlight_node_ids":["gcih","gcfe","gcfa"],"id":"mid-career-stuck","label":"Mid-career generalist trying to specialise","primary_node_id":"gcih","recommended_first_id":"gcih","recommended_next_id":"gcfe","related_links":[{"label":"Windows Artefacts as Evidence","url":"/windows-artefacts/"},{"label":"Read the full SANS roadmap article","url":"/a-roadmap-to-earning-your-first-or-next-sans-certification/"}],"role":"any","what_certs_wont_solve":"They do not replace focused depth or repetition.","why_this_fits":"Re-centres on incident handling and builds real investigative depth."},{"bridge_text":"Capability maturity depends on how well those pieces work together.","common_misconception":"Breadth equals collecting certifications.","experience":"any","goal":"improve_technical_breadth","highlight_edge_ids":["edge_gcih_gcia","edge_gcih_gcfa_direct"],"highlight_node_ids":["gcih","gcia","gcfa"],"id":"goal-breadth","label":"Technical breadth goal","primary_node_id":"gcia","recommended_first_id":"gcih","recommended_next_id":"gcia","related_links":[{"label":"Read the full SANS roadmap article","url":"/a-roadmap-to-earning-your-first-or-next-sans-certification/"}],"role":"any","what_certs_wont_solve":"They do not integrate disciplines automatically.","why_this_fits":"Breadth comes from linking handling, detection, and investigation."},{"bridge_text":"Strong DFIR depends on process and validation.","common_misconception":"DFIR is primarily a tooling 
discipline.","experience":"any","goal":"move_into_dfir","highlight_edge_ids":["edge_gcih_gcfe","edge_gcfe_gcfa"],"highlight_node_ids":["gcih","gcfe","gcfa"],"id":"goal-dfir","label":"DFIR goal","primary_node_id":"gcfe","recommended_first_id":"gcih","recommended_next_id":"gcfe","related_links":[{"label":"Windows Artefacts as Evidence","url":"/windows-artefacts/"}],"role":"any","what_certs_wont_solve":"They do not build evidentiary reasoning alone.","why_this_fits":"DFIR grows from handling into evidence and then enterprise investigation."},{"bridge_text":"Leadership maturity is measured by whether the function works under pressure.","common_misconception":"Leadership is just senior technical depth.","experience":"any","goal":"move_toward_leadership","highlight_edge_ids":["edge_ldr414_ldr419","edge_ldr419_ldr512"],"highlight_node_ids":["cissp","ldr419","gslc"],"id":"goal-leadership","label":"Leadership goal","primary_node_id":"ldr419","recommended_first_id":"cissp","recommended_next_id":"ldr419","related_links":[{"label":"Incident capability validation","url":"https://lykosdefence.com/validation/"},{"label":"Incident response playbooks","url":"https://lykosdefence.com/playbooks/"}],"role":"any","what_certs_wont_solve":"They do not create accountability, ownership, or operational credibility by themselves.","why_this_fits":"Leadership progression starts with breadth and risk language before moving into programme execution."},{"bridge_text":"The same principle applies to teams: foundational readiness matters before advanced capability.","common_misconception":"You need a niche DFIR or threat hunting cert immediately to look serious.","experience":"beginner","goal":"build_foundations","highlight_edge_ids":["edge_gsec_gcih","edge_gcih_gcfe"],"highlight_node_ids":["gsec","gcih","gcfe"],"id":"aspiring-foundations","label":"Aspiring practitioner starting from 
foundations","primary_node_id":"gsec","recommended_first_id":"gsec","recommended_next_id":"gcih","related_links":[{"label":"Read the full SANS roadmap article","url":"/a-roadmap-to-earning-your-first-or-next-sans-certification/"},{"label":"Windows Artefacts as Evidence","url":"windows-artefacts/"},{"label":"Create a Personal Forensics Lab","url":"/create-a-personal-forensics-lab-part-1-the-primary-domain-controller/"}],"role":"aspiring_professional","what_certs_wont_solve":"They don't replace systems understanding, lab time, or repeated practice.","why_this_fits":"If you're still building core security fluency, start broad before specialising. Foundations first gives later incident and forensic work something to attach to."},{"bridge_text":"Good SOC capability depends on process quality, not just alert volume.","common_misconception":"SOC work is mostly tool familiarity and alert clicking.","experience":"beginner","goal":"improve_incident_handling","highlight_edge_ids":["edge_gsec_gsoc","edge_gsec_gcih","edge_gcih_gmon"],"highlight_node_ids":["gsec","gsoc","gcih","gmon"],"id":"aspiring-soc","label":"Aspiring analyst into SOC work","primary_node_id":"gsoc","recommended_first_id":"gsec","recommended_next_id":"gsoc","related_links":[{"label":"Read the full SANS roadmap article","url":"/a-roadmap-to-earning-your-first-or-next-sans-certification/"},{"label":"Incident response playbooks","url":"https://lykosdefence.com/playbooks/"}],"role":"aspiring_professional","what_certs_wont_solve":"They don't build judgement without triage repetition and good review loops.","why_this_fits":"This path moves from broad security grounding into operational analyst workflow and then toward SIEM-driven detection capability."},{"bridge_text":"The organisational version of technical breadth isn't owning more tools; it's making plans, evidence, and decision paths work together under pressure.","common_misconception":"Technical breadth means collecting unrelated certifications as early as 
possible.","experience":"beginner","goal":"improve_technical_breadth","highlight_edge_ids":["edge_lab_gsec","edge_gsec_gcih","edge_gcih_gcia"],"highlight_node_ids":["gsec","gcih","gcia"],"id":"aspiring-breadth","label":"Early technical breadth before specialising","primary_node_id":"gcih","recommended_first_id":"gsec","recommended_next_id":"gcih","related_links":[{"label":"Read the full SANS roadmap article","url":"/a-roadmap-to-earning-your-first-or-next-sans-certification/"},{"label":"Windows Artefacts as Evidence","url":"/windows-artefacts/"}],"role":"aspiring_professional","what_certs_wont_solve":"They don't create real breadth on their own. You still need labs, systems understanding, note taking, and repeated exposure to how incidents unfold in practice.","why_this_fits":"If your goal is breadth, the best early move is usually to build broad security fundamentals first, then incident handling, then branch into deeper detection, DFIR, or leadership paths once you have more context."},{"bridge_text":"DFIR capability depends on evidence handling and process discipline, not just training.","common_misconception":"Starting with GCFA accelerates DFIR progression.","experience":"beginner","goal":"move_into_dfir","highlight_edge_ids":["edge_gsec_gcih","edge_gcih_gcfe","edge_gcfe_gcfa"],"highlight_node_ids":["gsec","gcih","gcfe","gcfa"],"id":"aspiring-dfir","label":"Early move into DFIR","primary_node_id":"gcih","recommended_first_id":"gsec","recommended_next_id":"gcih","related_links":[{"label":"Windows Artefacts as Evidence","url":"/windows-artefacts/"},{"label":"Read the full SANS roadmap article","url":"/a-roadmap-to-earning-your-first-or-next-sans-certification/"}],"role":"aspiring_professional","what_certs_wont_solve":"They don't build investigative judgement without repeated practice.","why_this_fits":"Build foundations first, then incident handling, then forensics. 
This avoids jumping into DFIR without context."},{"bridge_text":"Leadership begins when you start thinking beyond your own tasks and pay attention to how the investigation is coordinated, communicated, and driven forward.","common_misconception":"Leadership begins once you're senior or have completed advanced certifications.","experience":"beginner","goal":"move_toward_leadership","highlight_edge_ids":["edge_lab_gsec","edge_gsec_gcih","edge_gcih_gcfe","edge_gcih_gslc"],"highlight_node_ids":["gsec","gcih","gcfe","gslc"],"id":"aspiring-analyst-leadership","label":"Aspiring analyst building early incident leadership habits","primary_node_id":"gcih","recommended_first_id":"gsec","recommended_next_id":"gcih","related_links":[{"label":"Read the full SANS roadmap article","url":"/a-roadmap-to-earning-your-first-or-next-sans-certification/"},{"label":"Incident response playbooks","url":"https://lykosdefence.com/playbooks/"}],"role":"aspiring_professional","what_certs_wont_solve":"Certifications won't give you ownership, decision-making experience, or the ability to manage incident flow under pressure.","why_this_fits":"Early leadership in incident response doesn't start with a title. It starts with understanding how investigations flow, how decisions are made, and how to support coordination during incidents. 
Building handling capability first creates the foundation for later leadership."},{"bridge_text":"Foundations are what make later forensic and incident work meaningful.","common_misconception":"You can skip foundational practice and go straight into incident response or forensics.","experience":"beginner","goal":"build_foundations","highlight_edge_ids":["edge_gsec_gcih"],"highlight_node_ids":["gsec","gcih"],"id":"dfir-beginner-foundations-goal","label":"DFIR beginner (foundations focus)","primary_node_id":"gsec","recommended_first_id":"gsec","recommended_next_id":"gcih","role":"dfir_practitioner","what_certs_wont_solve":"They don't create intuition about systems or evidence without hands-on repetition.","why_this_fits":"Early DFIR progression depends heavily on building practical systems understanding before specialising."},{"bridge_text":"This is where DFIR shifts from reacting to alerts to reconstructing activity from evidence.","common_misconception":"Forensics is mainly about learning tools and artefact locations.","experience":"beginner","goal":"deepen_forensic_capability","highlight_edge_ids":["edge_gcih_gcfe","edge_gcfe_gcfa"],"highlight_node_ids":["gcih","gcfe","gcfa"],"id":"dfir-forensics-early","label":"DFIR practitioner building forensic foundations","primary_node_id":"gcfe","recommended_first_id":"gcfe","recommended_next_id":"gcfa","role":"dfir_practitioner","what_certs_wont_solve":"They don't create investigative discipline or evidentiary restraint without repetition.","why_this_fits":"This stage builds the ability to interpret endpoint artefacts and move beyond alert-driven response into evidence-based reasoning."},{"bridge_text":"Investigation quality comes from connecting evidence across systems, not just analysing one host well.","common_misconception":"Better tooling or deeper artefact knowledge automatically produces better 
investigations.","experience":"early_career","goal":"deepen_forensic_capability","highlight_edge_ids":["edge_gcfe_gcfa","edge_gcfa_gcia","edge_gcfa_gcfr"],"highlight_node_ids":["gcfe","gcfa","gcia","gcfr"],"id":"dfir-forensics-mid","label":"DFIR practitioner building enterprise investigation depth","primary_node_id":"gcfa","recommended_first_id":"gcfe","recommended_next_id":"gcfa","role":"dfir_practitioner","what_certs_wont_solve":"They don't ensure your findings are complete, defensible, or correctly scoped.","why_this_fits":"At this stage, the focus shifts to multi-system investigations, correlation across data sources, and stronger hypothesis-driven analysis."},{"bridge_text":"Forensic maturity now depends on adapting methods to the environment, not applying the same approach everywhere.","common_misconception":"Advanced DFIR is just deeper Windows expertise.","experience":"mid_career","goal":"deepen_forensic_capability","highlight_edge_ids":["edge_gcfa_gcfr","edge_gcfa_gime","edge_gcfa_glir"],"highlight_node_ids":["gcfa","gcfr","gime","glir"],"id":"dfir-forensics-advanced","label":"DFIR practitioner expanding into multi-domain forensics","primary_node_id":"gcfr","recommended_first_id":"gcfa","recommended_next_id":"gcfr","role":"dfir_practitioner","what_certs_wont_solve":"They don't solve data access, logging gaps, or collection limitations in modern environments.","why_this_fits":"Advanced DFIR work requires adapting investigative techniques across cloud, platform-specific, and non-Windows environments."},{"bridge_text":"Specialist depth only matters when it improves real investigative outcomes, not just technical understanding.","common_misconception":"Specialist tracks should be pursued as early as possible.","experience":"advanced","goal":"deepen_forensic_capability","highlight_edge_ids":["edge_gcfa_gcfr","edge_gcfr_geir","edge_gcfa_grem"],"highlight_node_ids":["gcfa","gcfr","geir","grem"],"id":"dfir-forensics-advanced","label":"DFIR practitioner 
specialising in advanced analysis","primary_node_id":"gcfr","recommended_first_id":"gcfa","recommended_next_id":"gcfr","role":"dfir_practitioner","what_certs_wont_solve":"They don't make specialist knowledge useful unless it feeds back into real investigations and decisions.","why_this_fits":"Specialist depth becomes valuable when investigations require understanding malware behaviour, adversary tooling, or intelligence context."},{"bridge_text":"Strong DFIR starts with understanding how incidents are recognised, escalated, and managed, not just how artefacts are collected.","common_misconception":"You need advanced forensic depth before you can improve incident handling.","experience":"beginner","goal":"improve_incident_handling","highlight_edge_ids":["edge_lab_gsec","edge_gsec_gcih"],"highlight_node_ids":["gsec","gcih"],"id":"dfir-practitioner-handling-beginner","label":"DFIR practitioner building incident handling foundations","primary_node_id":"gcih","recommended_first_id":"gsec","recommended_next_id":"gcih","related_links":[{"label":"Read the full SANS roadmap article","url":"/a-roadmap-to-earning-your-first-or-next-sans-certification/"},{"label":"Windows Artefacts as Evidence","url":"/windows-artefacts/"}],"role":"dfir_practitioner","what_certs_wont_solve":"They won't create calm triage, good escalation habits, or disciplined note taking unless you practise those behaviours repeatedly.","why_this_fits":"At this stage, the biggest gain usually comes from learning how incidents are handled before trying to deepen forensic technique. 
Better handling discipline gives later DFIR work context, pace, and structure."},{"bridge_text":"DFIR sits at the intersection of handling, evidence, and investigation—not as a separate track.","common_misconception":"Incident handling and forensics are separate disciplines.","experience":"early_career","goal":"improve_incident_handling","highlight_edge_ids":["edge_gcih_gcfe","edge_gcfe_gcfa"],"highlight_node_ids":["gcih","gcfe","gcfa"],"id":"dfir-practitioner-handling-early","label":"DFIR practitioner strengthening investigation workflow","primary_node_id":"gcih","recommended_first_id":"gcih","recommended_next_id":"gcfe","related_links":[{"label":"Windows Artefacts as Evidence","url":"/windows-artefacts/"},{"label":"Understanding Windows Artefacts as Evidence","url":"/understanding-windows-artefacts-as-evidence-not-indicators/"}],"role":"dfir_practitioner","what_certs_wont_solve":"They don't integrate handling and investigation into a coherent workflow on their own.","why_this_fits":"Strong DFIR work depends on solid incident handling first, then moving into structured evidence analysis and investigation. 
This path helps connect handling decisions to endpoint evidence and more disciplined investigative flow."},{"bridge_text":"At this level, handling quality depends on how well you connect evidence, scope, communication, and investigative priorities under pressure.","common_misconception":"Better incident handling at this stage is mostly about using more tools.","experience":"mid_career","goal":"improve_incident_handling","highlight_edge_ids":["edge_gcih_gcfe","edge_gcfe_gcfa","edge_gcfe_gnfa","edge_gcfa_gcia"],"highlight_node_ids":["gcfe","gcfa","gnfa","gcia"],"id":"dfir-practitioner-handling-mid","label":"DFIR practitioner improving handling across larger investigations","primary_node_id":"gcfa","recommended_first_id":"gcfe","recommended_next_id":"gcfa","related_links":[{"label":"Windows Artefacts as Evidence","url":"/windows-artefacts/"},{"label":"ShellBags and User Navigation","url":"/shellbags-and-user-navigation-what-windows-remembers-about-exploration/"}],"role":"dfir_practitioner","what_certs_wont_solve":"They don't automatically improve scoping, writing, or decision quality across complex investigations unless those skills are practised deliberately.","why_this_fits":"Once you already handle endpoint evidence reasonably well, the next handling improvement usually comes from learning how to manage larger, noisier, multi-host investigations with better structure, prioritisation, and investigative judgement."},{"bridge_text":"Advanced DFIR handling eventually becomes an organisational problem as much as an individual one: better decisions, better context, and a response model that can actually use the work.","common_misconception":"Advanced handling maturity comes mostly from more forensic depth.","experience":"advanced","goal":"improve_incident_handling","highlight_edge_ids":["edge_gcfa_gcfr","edge_gcfa_geir"],"highlight_node_ids":["gcfa","gcfr","geir"],"id":"dfir-practitioner-handling-advanced","label":"DFIR practitioner improving response handling at 
enterprise scale","primary_node_id":"gcfa","recommended_first_id":"gcfa","recommended_next_id":"gcfr","related_links":[{"label":"Incident response playbooks","url":"https://lykosdefence.com/playbooks/"},{"label":"Incident capability validation","url":"https://lykosdefence.com/validation/"}],"role":"dfir_practitioner","what_certs_wont_solve":"They don't ensure the wider response function can absorb, coordinate, and act on investigative findings without stronger playbooks, command structure, and validation.","why_this_fits":"At advanced level, incident handling improvement is less about learning the mechanics of response and more about improving judgement, context, and consistency across larger cases, broader telemetry, and more consequential decisions."},{"bridge_text":"Breadth starts by understanding how incidents unfold across systems, not by collecting specialist topics too early.","common_misconception":"Technical breadth starts by jumping straight into niche forensic specialisations.","experience":"beginner","goal":"improve_technical_breadth","highlight_edge_ids":["edge_gsec_gcih"],"highlight_node_ids":["gsec","gcih"],"id":"dfir-breadth-beginner","label":"DFIR practitioner building broad technical foundations","primary_node_id":"gcih","recommended_first_id":"gsec","recommended_next_id":"gcih","related_links":[{"label":"Create a Personal Forensics Lab","url":"/create-a-personal-forensics-lab-part-1-the-primary-domain-controller/"},{"label":"A Roadmap to Earning Your First or Next SANS Certification","url":"/a-roadmap-to-earning-your-first-or-next-sans-certification/"}],"role":"dfir_practitioner","what_certs_wont_solve":"They don't replace operating system familiarity, lab work, or the repeated comparison of normal versus abnormal system behaviour.","why_this_fits":"Early breadth comes from building broad systems and incident-handling context before specialising by platform or artefact family. 
This gives later forensic work a stronger base."},{"bridge_text":"Broader DFIR capability starts by becoming stronger at connecting incidents to evidence, not by branching too widely too early.","common_misconception":"Breadth means moving horizontally across many topics before you have solid endpoint depth.","experience":"early_career","goal":"improve_technical_breadth","highlight_edge_ids":["edge_gcih_gcfe","edge_gcfe_gcfa"],"highlight_node_ids":["gcih","gcfe","gcfa"],"id":"dfir-breadth-early","label":"DFIR practitioner broadening from handling into endpoint forensics","primary_node_id":"gcfe","recommended_first_id":"gcih","recommended_next_id":"gcfe","related_links":[{"label":"Windows Artefacts as Evidence","url":"/windows-artefacts/"},{"label":"Understanding Windows Artefacts as Evidence","url":"/understanding-windows-artefacts-as-evidence-not-indicators/"}],"role":"dfir_practitioner","what_certs_wont_solve":"They don't make evidence interpretation reliable without disciplined note taking, corroboration, and hands-on case exposure.","why_this_fits":"At this stage, breadth usually means strengthening endpoint evidence interpretation and linking incident handling decisions to what the host can actually prove."},{"bridge_text":"Real breadth shows up when you can carry investigative reasoning across different systems and evidence sources without losing discipline.","common_misconception":"Breadth at this stage means taking unrelated advanced certifications rather than extending the kinds of evidence and environments you can reason about.","experience":"mid_career","goal":"improve_technical_breadth","highlight_edge_ids":["edge_gcfe_gcfa","edge_gcfa_glir","edge_gcfa_gcti"],"highlight_node_ids":["gcfe","gcfa","glir","gcti"],"id":"dfir-breadth-mid","label":"DFIR practitioner expanding beyond core Windows investigations","primary_node_id":"gcfa","recommended_first_id":"gcfa","recommended_next_id":"glir","related_links":[{"label":"Windows Artefacts as 
Evidence","url":"/windows-artefacts/"},{"label":"Incident response playbooks","url":"https://lykosdefence.com/playbooks/"}],"role":"dfir_practitioner","what_certs_wont_solve":"They don't automatically integrate cloud, Linux, intel, and endpoint findings into one coherent investigation unless you deliberately practise cross-platform scoping and analysis.","why_this_fits":"Once core Windows and enterprise investigation depth are stable, the best breadth move is often to expand into adjacent evidence domains such as Linux, CTI-informed investigations, or other environments your cases increasingly touch."},{"bridge_text":"Breadth only matters if evidence can be collected, preserved, and interpreted effectively across the platforms your cases actually involve.","common_misconception":"Platform breadth is optional in modern investigations.","experience":"advanced","goal":"improve_technical_breadth","highlight_edge_ids":["edge_gime_gasf"],"highlight_node_ids":["gcfe","gime","gasf"],"id":"dfir-platform-breadth","label":"DFIR platform specialisation (Apple \u0026 mobile)","primary_node_id":"gime","recommended_first_id":"gime","recommended_next_id":"gasf","related_links":[{"label":"Understanding Windows Artefacts as Evidence","url":"/understanding-windows-artefacts-as-evidence-not-indicators/"},{"label":"A Roadmap to Earning Your First or Next SANS Certification","url":"/a-roadmap-to-earning-your-first-or-next-sans-certification/"}],"role":"dfir_practitioner","what_certs_wont_solve":"They don't solve acquisition, access, preservation, or legal constraints around non-Windows evidence sources.","why_this_fits":"Once core DFIR capability is stable, platform breadth becomes a meaningful differentiator. 
Expanding into Apple and mobile evidence sources helps when investigations no longer fit neatly inside Windows-centric assumptions."},{"bridge_text":"Leadership begins when you start paying attention to how the investigation runs, not just the part you are personally executing.","common_misconception":"Leadership starts once you're senior enough or technically complete.","experience":"beginner","goal":"move_toward_leadership","highlight_edge_ids":["edge_gsec_gcih","edge_gcih_gcfe"],"highlight_node_ids":["gsec","gcih","gcfe"],"id":"dfir-leadership-beginner","label":"DFIR practitioner building early leadership habits","primary_node_id":"gcih","recommended_first_id":"gsec","recommended_next_id":"gcih","related_links":[{"label":"Read the full SANS roadmap article","url":"/a-roadmap-to-earning-your-first-or-next-sans-certification/"},{"label":"Windows Artefacts as Evidence","url":"/windows-artefacts/"}],"role":"dfir_practitioner","what_certs_wont_solve":"They don't create ownership, judgement, or calm decision-making under pressure unless you repeatedly practise those behaviours in real work.","why_this_fits":"Early leadership in DFIR starts with understanding how incidents are handled, escalated, and coordinated before you try to lead them. 
Building strong handling judgement first gives later leadership responsibility something real to stand on."},{"bridge_text":"Leadership begins when you stop just solving problems and start owning how the investigation runs.","common_misconception":"Leadership starts after you're fully technically complete.","experience":"early_career","goal":"move_toward_leadership","highlight_edge_ids":["edge_gcih_gcfe","edge_gcih_gslc"],"highlight_node_ids":["gcih","gcfe","gslc"],"id":"dfir-leadership-early","label":"DFIR practitioner stepping into incident leadership","primary_node_id":"gslc","recommended_first_id":"gcih","recommended_next_id":"gslc","related_links":[{"label":"Incident response playbooks","url":"https://lykosdefence.com/playbooks/"},{"label":"Windows Artefacts as Evidence","url":"/windows-artefacts/"}],"role":"dfir_practitioner","what_certs_wont_solve":"They don't replace real responsibility for decisions, prioritisation, or the ability to keep an investigation moving in real time.","why_this_fits":"This stage introduces leadership at a broad level: coordinating teams, making bounded decisions, and managing flow rather than only performing analysis."},{"bridge_text":"The job now becomes ensuring the team works as a system, not just performing parts of it well.","common_misconception":"Leading incidents is just doing the same technical work at a higher level.","experience":"mid_career","goal":"move_toward_leadership","highlight_edge_ids":["edge_gcfa_gslc","edge_gcfa_gstrt"],"highlight_node_ids":["gslc","gcfa","gstrt"],"id":"dfir-leadership-mid","label":"DFIR practitioner leading investigations and teams","primary_node_id":"gcfa","recommended_first_id":"gslc","recommended_next_id":"gcfa","related_links":[{"label":"How to Test and Exercise Your Incident Response Capability","url":"https://blog.lykosdefence.com/posts/how-to-test-and-exercise-your-incident-response-capability/"},{"label":"Incident capability 
validation","url":"https://lykosdefence.com/validation/"}],"role":"dfir_practitioner","what_certs_wont_solve":"They don't build delegation, coaching, prioritisation, or the discipline to drive consistent execution across a team on their own.","why_this_fits":"At this stage, leadership shifts from coordinating individuals to owning outcomes, people, and escalation paths. The challenge is no longer only leading, but improving how the team executes across cases."},{"bridge_text":"At this stage, success is measured by whether the whole response function can execute, not just whether individual leaders are strong.","common_misconception":"Executive or programme-level leadership is mostly communication and reporting.","experience":"advanced","goal":"move_toward_leadership","highlight_edge_ids":["edge_ldr514_gcil","edge_ldr514_ldr519"],"highlight_node_ids":["gstrt","gcil","ldr519"],"id":"dfir-leadership-advanced","label":"DFIR leader shaping response programmes and readiness","primary_node_id":"gcil","recommended_first_id":"gstrt","recommended_next_id":"gcil","related_links":[{"label":"Tabletop exercises","url":"https://lykosdefence.com/tabletop-exercises/"},{"label":"Incident capability validation","url":"https://lykosdefence.com/validation/"}],"role":"dfir_practitioner","what_certs_wont_solve":"They do not ensure the programme actually works, the plans are usable, or the organisation can coordinate effectively without rehearsal, validation, and ownership.","why_this_fits":"At the advanced level, leadership expands into programme ownership and organisational readiness: shaping the operating model, aligning response with business risk, and ensuring the function can execute consistently under pressure."},{"bridge_text":"Early incident response maturity comes from pairing technical growth with clear playbooks, realistic exercises, and disciplined review.","common_misconception":"Incident response starts with advanced forensics or niche 
tooling.","experience":"beginner","goal":"build_foundations","highlight_edge_ids":["edge_gsec_gcih"],"highlight_node_ids":["gsec","gcih"],"id":"incident-responder-foundations-beginner","label":"Incident responder building foundations","primary_node_id":"gcih","recommended_first_id":"gsec","recommended_next_id":"gcih","related_links":[{"label":"A Roadmap to Earning Your First or Next SANS Certification","url":"/a-roadmap-to-earning-your-first-or-next-sans-certification/"},{"label":"Incident response playbooks","url":"https://lykosdefence.com/playbooks/"}],"role":"incident_responder","what_certs_wont_solve":"They don't replace repeated case exposure, escalation judgement, or the ability to communicate clearly under pressure.","why_this_fits":"If you want to grow into incident response, the right first move is broad security grounding followed by practical incident handling. That gives you the baseline needed before deeper DFIR, cloud, or leadership branches make sense."},{"bridge_text":"Strong response foundations are built by connecting handling, evidence, and coordination early rather than treating them as separate problems.","common_misconception":"Foundations are finished once you understand alerts and containment basics.","experience":"early_career","goal":"build_foundations","highlight_edge_ids":["edge_gcih_gcfe","edge_gcfe_gcfa"],"highlight_node_ids":["gcih","gcfe","gcfa"],"id":"incident-responder-foundations-early","label":"Incident responder strengthening the response baseline","primary_node_id":"gcih","recommended_first_id":"gcih","recommended_next_id":"gcfe","related_links":[{"label":"How to Test and Exercise Your Incident Response Capability","url":"https://blog.lykosdefence.com/posts/how-to-test-and-exercise-your-incident-response-capability/"},{"label":"Windows Artefacts as Evidence","url":"/windows-artefacts/"}],"role":"incident_responder","what_certs_wont_solve":"They don't automatically create clean handoffs, good note taking, or reliable escalation 
habits unless those are practised deliberately.","why_this_fits":"Once the broad base is there, the next foundation step is learning how incident handling decisions connect to evidence, scoping, and response flow. This is where response work becomes more disciplined and less reactive."},{"bridge_text":"Forensic depth starts with understanding how incidents unfold, not just learning lists of artefacts or tools.","common_misconception":"Forensics is the right entry point into incident response because it feels more specialised.","experience":"beginner","goal":"deepen_forensic_capability","highlight_edge_ids":["edge_gsec_gcih","edge_gcih_gcfe"],"highlight_node_ids":["gsec","gcih","gcfe"],"id":"incident-forensics-beginner","label":"Incident responder building the forensic baseline","primary_node_id":"gcih","recommended_first_id":"gsec","recommended_next_id":"gcih","related_links":[{"label":"Windows Artefacts as Evidence","url":"/windows-artefacts/"},{"label":"A Roadmap to Earning Your First or Next SANS Certification","url":"/a-roadmap-to-earning-your-first-or-next-sans-certification/"}],"role":"incident_responder","what_certs_wont_solve":"They don't replace systems familiarity, evidence discipline, or the repeated practice required to tell meaningful artefacts from noise.","why_this_fits":"At beginner stage, deeper forensic capability starts with broad technical grounding and incident handling. 
That gives you enough context to understand why endpoint evidence matters before trying to specialise in it."},{"bridge_text":"Forensics starts when you stop asking “what alert fired” and start asking “what actually happened on the system?”","common_misconception":"Forensics is mainly about tools and artefact lists.","experience":"early_career","goal":"deepen_forensic_capability","highlight_edge_ids":["edge_gcih_gcfe","edge_gcfe_gcfa"],"highlight_node_ids":["gcih","gcfe","gcfa"],"id":"incident-forensics-early","label":"Incident responder moving into endpoint forensics","primary_node_id":"gcfe","recommended_first_id":"gcih","recommended_next_id":"gcfe","related_links":[{"label":"Windows Artefacts as Evidence","url":"/windows-artefacts/"},{"label":"Understanding Windows Artefacts as Evidence","url":"/understanding-windows-artefacts-as-evidence-not-indicators/"}],"role":"incident_responder","what_certs_wont_solve":"They don't teach evidentiary reasoning, restraint, or corroboration on their own. Those come from repeated casework and careful interpretation.","why_this_fits":"The transition from handling to forensics usually starts with endpoint evidence. 
FOR500 helps you move from reacting to alerts toward interpreting artefacts, building timelines, and understanding what actually happened on the host."},{"bridge_text":"Investigation quality is defined by how well you connect evidence across systems and explain your confidence in the findings.","common_misconception":"Better tooling or faster timelines automatically produce better investigations.","experience":"mid_career","goal":"deepen_forensic_capability","highlight_edge_ids":["edge_gcfe_gcfa","edge_gcfa_gcfr"],"highlight_node_ids":["gcfe","gcfa","gcfr","gcia"],"id":"incident-forensics-mid","label":"Incident responder building enterprise investigation depth","primary_node_id":"gcfa","recommended_first_id":"gcfe","recommended_next_id":"gcfa","related_links":[{"label":"Windows Artefacts as Evidence","url":"/windows-artefacts/"},{"label":"Incident response playbooks","url":"https://lykosdefence.com/playbooks/"}],"role":"incident_responder","what_certs_wont_solve":"They don't remove ambiguity, improve writing, or guarantee that your conclusions will hold up under scrutiny.","why_this_fits":"This stage moves from host-focused evidence into larger investigations involving correlation across systems, stronger scoping decisions, and more defensible enterprise-level reasoning."},{"bridge_text":"Specialisation only pays off when it improves real investigative outcomes, not just technical depth in isolation.","common_misconception":"Specialisation should come early because it makes you more advanced faster.","experience":"advanced","goal":"deepen_forensic_capability","highlight_edge_ids":["edge_gcfa_glir","edge_gcfa_geir"],"highlight_node_ids":["gcfa","gcfr","glir","geir"],"id":"incident-forensics-advanced","label":"Incident responder branching into forensic specialisation","primary_node_id":"glir","recommended_first_id":"gcfr","recommended_next_id":"glir","related_links":[{"label":"How to Test and Exercise Your Incident Response 
Capability","url":"https://blog.lykosdefence.com/posts/how-to-test-and-exercise-your-incident-response-capability/"},{"label":"Incident capability validation","url":"https://lykosdefence.com/validation/"}],"role":"incident_responder","what_certs_wont_solve":"They don't make specialist knowledge useful unless it feeds back into real investigations, clearer findings, and better investigative decisions.","why_this_fits":"Specialist depth becomes more valuable once your core investigation capability is already strong. At this point, branching into Linux, cloud, or enterprise investigation can meaningfully improve how you handle more complex or unusual cases."},{"bridge_text":"Early breadth in incident response comes from understanding how different systems contribute to the same incident, not just from collecting more topics.","common_misconception":"Technical breadth means taking advanced niche courses as early as possible.","experience":"beginner","goal":"improve_technical_breadth","highlight_edge_ids":["edge_gsec_gcih","edge_gcih_gcia"],"highlight_node_ids":["gsec","gcih","gcia"],"id":"incident-breadth-beginner","label":"Incident responder building broad technical range","primary_node_id":"gcih","recommended_first_id":"gsec","recommended_next_id":"gcih","related_links":[{"label":"A Roadmap to Earning Your First or Next SANS Certification","url":"/a-roadmap-to-earning-your-first-or-next-sans-certification/"},{"label":"Incident response playbooks","url":"https://lykosdefence.com/playbooks/"}],"role":"incident_responder","what_certs_wont_solve":"They don't replace systems familiarity, repeated case exposure, or the habit of connecting what you see on one system to what may be happening elsewhere.","why_this_fits":"Early technical breadth comes from learning how systems, networks, and incidents fit together before specialising. 
Broad foundations plus incident handling give you enough context to make later forensic, detection, or cloud branches meaningful."},{"bridge_text":"Strong responders get broader by learning how alerts, evidence, and investigative decisions interact across the same case.","common_misconception":"Breadth means staying general instead of getting stronger anywhere in particular.","experience":"early_career","goal":"improve_technical_breadth","highlight_edge_ids":["edge_gcih_gcfe","edge_gcih_gcia"],"highlight_node_ids":["gcih","gcfe","gcia"],"id":"incident-breadth-early","label":"Incident responder broadening into evidence and detection depth","primary_node_id":"gcfe","recommended_first_id":"gcih","recommended_next_id":"gcfe","related_links":[{"label":"Windows Artefacts as Evidence","url":"/windows-artefacts/"},{"label":"How to Test and Exercise Your Incident Response Capability","url":"https://blog.lykosdefence.com/posts/how-to-test-and-exercise-your-incident-response-capability/"}],"role":"incident_responder","what_certs_wont_solve":"They don't integrate endpoint, network, and response thinking automatically unless you deliberately connect them in your day-to-day work.","why_this_fits":"At this stage, breadth usually means learning how handling, endpoint evidence, and detection reasoning reinforce each other. 
This makes you more adaptable across real incidents instead of anchoring too early to one narrow perspective."},{"bridge_text":"Mid-career breadth shows up when you can move between environments and evidence types without losing investigative quality.","common_misconception":"Breadth at this stage means collecting unrelated advanced skills rather than extending your investigative range in a coherent way.","experience":"mid_career","goal":"improve_technical_breadth","highlight_edge_ids":["edge_gcfe_gcfa","edge_gcfa_gcfr","edge_gcfa_glir"],"highlight_node_ids":["gcfe","gcfa","gcfr","glir"],"id":"incident-breadth-mid","label":"Incident responder expanding across environments and evidence types","primary_node_id":"gcfr","recommended_first_id":"gcfa","recommended_next_id":"gcfr","related_links":[{"label":"Incident response playbooks","url":"https://lykosdefence.com/playbooks/"},{"label":"Tabletop exercises","url":"https://lykosdefence.com/tabletop-exercises/"}],"role":"incident_responder","what_certs_wont_solve":"They don't make cross-platform investigations easier unless your collection, scoping, and writing discipline are already strong.","why_this_fits":"Once enterprise investigation depth is in place, the next breadth gain often comes from handling different evidence models and environments more confidently, such as memory, Linux, or more complex multi-system incidents."},{"bridge_text":"Cloud response maturity depends on evidence design, ownership, and process discipline, not just better tooling.","common_misconception":"Cloud incident response is mainly a logging problem.","experience":"advanced","goal":"improve_technical_breadth","highlight_edge_ids":["edge_gcfa_grem","edge_gcfa_gcti"],"highlight_node_ids":["gcfa","grem","gcti"],"id":"incident-response-cloud","label":"Cloud response branch","primary_node_id":"gcti","recommended_first_id":"gcfa","recommended_next_id":"geir","related_links":[{"label":"Incident response 
playbooks","url":"https://lykosdefence.com/playbooks/"},{"label":"A Roadmap to Earning Your First or Next SANS Certification","url":"/a-roadmap-to-earning-your-first-or-next-sans-certification/"}],"role":"incident_responder","what_certs_wont_solve":"They do not fix unclear ownership, weak retention, poor access to audit data, or immature cloud operating models.","why_this_fits":"At advanced level, technical breadth often means learning how to investigate in environments where endpoint-centric assumptions break down. This branch shifts attention toward cloud-native evidence, identity, control-plane activity, and the operational realities of distributed systems."},{"bridge_text":"Leadership begins when you pay attention to how the response runs, not just the technical task in front of you.","common_misconception":"Leadership starts once you're senior enough or have completed a leadership course.","experience":"beginner","goal":"move_toward_leadership","highlight_edge_ids":["edge_gsec_gcih","edge_gcih_gcfe"],"highlight_node_ids":["gsec","gcih","gcfe"],"id":"incident-responder-leadership-beginner","label":"Incident responder building early leadership habits","primary_node_id":"gcih","recommended_first_id":"gsec","recommended_next_id":"gcih","related_links":[{"label":"A Roadmap to Earning Your First or Next SANS Certification","url":"/a-roadmap-to-earning-your-first-or-next-sans-certification/"},{"label":"Incident response playbooks","url":"https://lykosdefence.com/playbooks/"}],"role":"incident_responder","what_certs_wont_solve":"They don't create ownership, calm judgement, or the ability to communicate clearly under pressure unless those behaviours are practised in real work.","why_this_fits":"Early leadership in incident response starts with understanding how incidents are recognised, escalated, and managed before trying to lead them. 
Broad foundations plus handling discipline give later leadership responsibility something real to stand on."},{"bridge_text":"Incident leadership begins when the job shifts from solving the problem yourself to helping the organisation solve it under pressure.","common_misconception":"Strong technical responders naturally become strong incident leaders.","experience":"early_career","goal":"move_toward_leadership","highlight_edge_ids":["edge_gcih_gslc","edge_ldr512_ldr514"],"highlight_node_ids":["gcih","gslc","gstrt"],"id":"incident-responder-leadership-early","label":"Incident responder stepping into coordination leadership","primary_node_id":"gslc","recommended_first_id":"gcih","recommended_next_id":"gslc","related_links":[{"label":"Tabletop exercises","url":"https://lykosdefence.com/tabletop-exercises/"},{"label":"Incident response playbooks","url":"https://lykosdefence.com/playbooks/"}],"role":"incident_responder","what_certs_wont_solve":"They don't create leadership judgement, ownership, or tested readiness on their own.","why_this_fits":"This stage suits responders who are moving from handling incidents themselves to helping lead how incidents are coordinated, escalated, and managed across a team or function. 
The goal is to broaden from technical execution into delivery, prioritisation, and management discipline."},{"bridge_text":"This is the point where individual response skill has to become team-level execution and management capability.","common_misconception":"Leadership is just senior technical depth plus stakeholder communication.","experience":"mid_career","goal":"move_toward_leadership","highlight_edge_ids":["edge_gcfe_gslc","edge_ldr512_ldr514"],"highlight_node_ids":["gcfe","gslc","gstrt","gcil"],"id":"incident-responder-leadership-mid","label":"Incident responder moving into management and program leadership","primary_node_id":"gslc","recommended_first_id":"gslc","recommended_next_id":"gstrt","related_links":[{"label":"Tabletop exercises","url":"https://lykosdefence.com/tabletop-exercises/"},{"label":"Incident capability validation","url":"https://lykosdefence.com/validation/"}],"role":"incident_responder","what_certs_wont_solve":"They don't replace real incident ownership, delegation, or the ability to make trade-offs across people, priorities, and time pressure.","why_this_fits":"At this stage, leadership shifts from coordinating incidents to owning execution quality across teams, workstreams, and escalation paths. 
LDR512 helps responders move from being strong operators to managing programs, priorities, and outcomes more deliberately."},{"bridge_text":"This is where leadership becomes less about running incidents and more about ensuring the organisation is structured to handle them well.","common_misconception":"Seniority in incident response automatically translates into strategic leadership.","experience":"advanced","goal":"move_toward_leadership","highlight_edge_ids":["edge_ldr512_ldr514","edge_ldr514_ldr519"],"highlight_node_ids":["gslc","gstrt","ldr519","gcil"],"id":"incident-responder-leadership-advanced","label":"Senior incident responder moving into strategic response leadership","primary_node_id":"gstrt","recommended_first_id":"gstrt","recommended_next_id":"ldr519","related_links":[{"label":"Incident capability validation","url":"https://lykosdefence.com/validation/"},{"label":"Incident response playbooks","url":"https://lykosdefence.com/playbooks/"}],"role":"incident_responder","what_certs_wont_solve":"They don't replace organisational influence, accountability for outcomes, or the need to validate team capability through exercises and real incidents.","why_this_fits":"At this stage, leadership means moving beyond incident command into shaping policy, operating models, risk alignment, and readiness across the wider function. 
The challenge is no longer just running incidents well, but ensuring the organisation is designed to handle them consistently."},{"bridge_text":"Strong OT foundations start with understanding how security and incident response work in general before adapting those ideas to industrial constraints.","common_misconception":"OT security should be the first specialisation because it's more niche and therefore more valuable.","experience":"beginner","goal":"build_foundations","highlight_edge_ids":["edge_gsec_gcih","edge_gsec_gicsp"],"highlight_node_ids":["gsec","gcih","gicsp"],"id":"industrial-foundations-beginner","label":"Security engineer building IT-to-OT foundations","primary_node_id":"gcih","recommended_first_id":"gsec","recommended_next_id":"gcih","related_links":[{"label":"A Roadmap to Earning Your First or Next SANS Certification","url":"/a-roadmap-to-earning-your-first-or-next-sans-certification/"},{"label":"Incident response playbooks","url":"https://lykosdefence.com/playbooks/"}],"role":"security_engineer","what_certs_wont_solve":"They don't replace core systems understanding, response discipline, or the practical habits needed to reason clearly during incidents.","why_this_fits":"Early foundations for ICS and OT work still start with broad security grounding and incident handling. 
Before specialising in industrial environments, you need a solid base in how systems, networks, and incidents behave under normal enterprise conditions."},{"bridge_text":"OT foundations mature when security engineers understand that response in industrial environments must support safety, uptime, and operational reality, not just security control objectives.","common_misconception":"ICS and OT security are just enterprise security with different tooling and network diagrams.","experience":"early_career","goal":"build_foundations","highlight_edge_ids":["edge_gsec_gcih","edge_gsec_gicsp","edge_gicsp_grid"],"highlight_node_ids":["gcih","gicsp","grid","ics612"],"id":"industrial-foundations-early","label":"Security engineer grounding in ICS and OT response fundamentals","primary_node_id":"gicsp","recommended_first_id":"gicsp","recommended_next_id":"grid","related_links":[{"label":"Tabletop exercises","url":"https://lykosdefence.com/tabletop-exercises/"},{"label":"Incident capability validation","url":"https://lykosdefence.com/validation/"}],"role":"security_engineer","what_certs_wont_solve":"They do not replace operational context, plant knowledge, or the coordination required between engineering, operations, and security teams.","why_this_fits":"Once the general base is in place, the next foundation step is learning how industrial environments differ from IT: safety constraints, operational ownership, protocol realities, and the limits of standard response assumptions. 
This stage gives engineers the context needed before moving into deeper OT security or engineering work."},{"bridge_text":"OT forensic depth starts with understanding incident response and evidence handling generally before adapting those ideas to industrial constraints.","common_misconception":"OT forensics should be the first specialisation because it's more niche and therefore more valuable.","experience":"beginner","goal":"deepen_forensic_capability","highlight_edge_ids":["edge_gsec_gcih","edge_gsec_gicsp"],"highlight_node_ids":["gsec","gcih","gicsp"],"id":"industrial-forensics-beginner","label":"Security engineer building the OT/ICS forensic baseline","primary_node_id":"gcih","recommended_first_id":"gsec","recommended_next_id":"gcih","related_links":[{"label":"A Roadmap to Earning Your First or Next SANS Certification","url":"/a-roadmap-to-earning-your-first-or-next-sans-certification/"},{"label":"Incident response playbooks","url":"https://lykosdefence.com/playbooks/"}],"role":"security_engineer","what_certs_wont_solve":"They don't replace systems familiarity, evidence discipline, or the repeated practice required to reason clearly from limited data under pressure.","why_this_fits":"At beginner stage, forensic capability for OT and ICS still starts with broad technical grounding and incident handling. 
Before specialising in industrial environments, you need a reliable understanding of how incidents are triaged, scoped, and investigated in general."},{"bridge_text":"OT forensics begins when you stop assuming you can collect everything you want and start working within real operational constraints.","common_misconception":"OT evidence collection is just enterprise forensics with different logs and protocols.","experience":"early_career","goal":"deepen_forensic_capability","highlight_edge_ids":["edge_gsec_gcih","edge_gsec_gicsp","edge_gicsp_grid"],"highlight_node_ids":["gcih","gicsp","grid"],"id":"industrial-forensics-early","label":"Security engineer moving into ICS and OT evidence","primary_node_id":"gicsp","recommended_first_id":"gicsp","recommended_next_id":"grid","related_links":[{"label":"Tabletop exercises","url":"https://lykosdefence.com/tabletop-exercises/"},{"label":"Incident capability validation","url":"https://lykosdefence.com/validation/"}],"role":"security_engineer","what_certs_wont_solve":"They don't replace operational context, plant knowledge, or the coordination required between engineering, operations, and security teams during an incident.","why_this_fits":"This stage introduces the reality that OT and ICS investigations are constrained by safety, uptime, vendor limitations, and operational ownership. 
It helps engineers move from general incident thinking into evidence collection and investigative reasoning that fit industrial environments."},{"bridge_text":"Industrial investigation quality depends on how well you align evidence, safety, and operational reality rather than how much data you can collect.","common_misconception":"Better tooling or more monitoring automatically produces better OT investigations.","experience":"mid_career","goal":"deepen_forensic_capability","highlight_edge_ids":["edge_gicsp_grid","edge_grid_ics612"],"highlight_node_ids":["gicsp","grid","ics612"],"id":"industrial-forensics-mid","label":"Security engineer building industrial investigation depth","primary_node_id":"grid","recommended_first_id":"grid","recommended_next_id":"ics612","related_links":[{"label":"Incident response playbooks","url":"https://lykosdefence.com/playbooks/"},{"label":"Tabletop exercises","url":"https://lykosdefence.com/tabletop-exercises/"}],"role":"security_engineer","what_certs_wont_solve":"They don't remove ambiguity, fix weak retention, or guarantee that investigative findings will be meaningful without strong operational context.","why_this_fits":"At this stage, forensic depth means becoming stronger at investigating across industrial systems, protocols, and operational boundaries rather than relying on IT-centric assumptions. 
The focus shifts toward understanding what evidence exists, what can be collected safely, and how to interpret it credibly."},{"bridge_text":"Advanced OT forensic maturity is measured by whether the organisation can investigate safely and credibly in the real environment, not just by whether an engineer knows the theory.","common_misconception":"Specialist OT/ICS forensic knowledge automatically makes the organisation investigation-ready.","experience":"advanced","goal":"deepen_forensic_capability","highlight_edge_ids":["edge_grid_ics612"],"highlight_node_ids":["grid","ics612","validation"],"id":"industrial-forensics-advanced","label":"Security engineer specialising in OT and ICS investigative depth","primary_node_id":"ics612","recommended_first_id":"ics612","recommended_next_id":"validation","related_links":[{"label":"Incident capability validation","url":"https://lykosdefence.com/validation/"},{"label":"Tabletop exercises","url":"https://lykosdefence.com/tabletop-exercises/"}],"role":"security_engineer","what_certs_wont_solve":"They don't prove that collection assumptions are realistic, that engineering teams can support incident work, or that the wider response model will hold up under pressure.","why_this_fits":"At advanced level, forensic capability becomes an organisational and operational problem as much as a technical one. 
The challenge is not only understanding industrial evidence, but ensuring the environment, people, and processes can support credible investigation without compromising safety or operations."},{"bridge_text":"Strong OT incident handling starts with general response judgement before adapting that judgement to industrial constraints.","common_misconception":"OT incident handling should be learned first because it's more specialised and therefore more valuable.","experience":"beginner","goal":"improve_incident_handling","highlight_edge_ids":["edge_gsec_gcih","edge_gsec_gicsp"],"highlight_node_ids":["gsec","gcih","gicsp"],"id":"industrial-handling-beginner","label":"Security engineer building incident handling foundations for OT/ICS","primary_node_id":"gcih","recommended_first_id":"gsec","recommended_next_id":"gcih","related_links":[{"label":"A Roadmap to Earning Your First or Next SANS Certification","url":"/a-roadmap-to-earning-your-first-or-next-sans-certification/"},{"label":"Incident response playbooks","url":"https://lykosdefence.com/playbooks/"}],"role":"security_engineer","what_certs_wont_solve":"They don't replace core systems understanding, decision-making under pressure, or the discipline required to manage incidents without causing additional harm.","why_this_fits":"Early incident handling capability in OT and ICS still starts with broad technical grounding and practical incident handling. 
Before specialising in industrial environments, you need a reliable understanding of triage, escalation, containment trade-offs, and response flow."},{"bridge_text":"OT handling matures when response decisions are grounded in operational reality rather than imported directly from enterprise IT.","common_misconception":"OT incident handling is just enterprise response with different protocols and asset names.","experience":"early_career","goal":"improve_incident_handling","highlight_edge_ids":["edge_gsec_gcih","edge_gsec_gicsp","edge_gicsp_grid"],"highlight_node_ids":["gcih","gicsp","grid"],"id":"industrial-handling-early","label":"Security engineer grounding incident handling in OT/ICS reality","primary_node_id":"gicsp","recommended_first_id":"gicsp","recommended_next_id":"grid","related_links":[{"label":"Tabletop exercises","url":"https://lykosdefence.com/tabletop-exercises/"},{"label":"Incident capability validation","url":"https://lykosdefence.com/validation/"}],"role":"security_engineer","what_certs_wont_solve":"They don't replace plant context, knowledge of operational priorities, or the coordination required between engineering, operations, and security teams.","why_this_fits":"This stage helps engineers understand how incident handling changes in industrial environments, where safety, uptime, vendor constraints, and operational ownership all affect what “good response” looks like."},{"bridge_text":"Industrial incident handling gets stronger when technical insight is matched by clear roles, communication paths, and workable response decisions.","common_misconception":"Better OT tooling or deeper protocol knowledge automatically leads to better incident handling.","experience":"mid_career","goal":"improve_incident_handling","highlight_edge_ids":["edge_gicsp_grid","edge_grid_ics612"],"highlight_node_ids":["gicsp","grid","ics612","gcil"],"id":"industrial-handling-mid","label":"Security engineer improving coordinated OT/ICS 
response","primary_node_id":"grid","recommended_first_id":"grid","recommended_next_id":"ics612","related_links":[{"label":"Incident response playbooks","url":"https://lykosdefence.com/playbooks/"},{"label":"Tabletop exercises","url":"https://lykosdefence.com/tabletop-exercises/"}],"role":"security_engineer","what_certs_wont_solve":"They don't fix unclear decision authority, weak communications, or poor coordination between teams during real incidents.","why_this_fits":"At this stage, incident handling improvement comes from coordinating response across industrial systems, engineering teams, and operational stakeholders rather than only understanding the environment technically. The challenge is keeping investigations and containment aligned with safety and availability constraints."},{"bridge_text":"Mature OT incident handling is measured by whether the organisation can respond safely and coherently in the real environment, not just whether the technical team is capable in theory.","common_misconception":"Strong architecture or specialist OT security knowledge automatically produces strong incident response outcomes.","experience":"advanced","goal":"improve_incident_handling","highlight_edge_ids":["edge_grid_ics612"],"highlight_node_ids":["grid","ics612","gcil"],"id":"industrial-handling-advanced","label":"Security engineer shaping response-capable OT/ICS operations","primary_node_id":"validation","recommended_first_id":"ics612","recommended_next_id":"validation","related_links":[{"label":"Incident capability validation","url":"https://lykosdefence.com/validation/"},{"label":"Tabletop exercises","url":"https://lykosdefence.com/tabletop-exercises/"}],"role":"security_engineer","what_certs_wont_solve":"They don't prove the operating model works under pressure, that engineering teams can support response safely, or that the organisation can make good trade-offs during a real incident.","why_this_fits":"At the advanced level, improving incident handling becomes an 
organisational design problem. The goal is to ensure systems, teams, evidence assumptions, and escalation paths all support safe, credible, and repeatable response in higher-consequence environments."},{"bridge_text":"Breadth starts by understanding how IT systems work, then learning where those assumptions break in OT.","common_misconception":"Breadth means starting in OT immediately because it is more specialised.","experience":"beginner","goal":"improve_technical_breadth","highlight_edge_ids":["edge_gsec_gcih","edge_gsec_gicsp"],"highlight_node_ids":["gsec","gcih","gicsp"],"id":"industrial-breadth-beginner","label":"Security engineer building cross-domain foundations (IT to OT)","primary_node_id":"gsec","recommended_first_id":"gsec","recommended_next_id":"gcih","related_links":[{"label":"A Roadmap to Earning Your First or Next SANS Certification","url":"/a-roadmap-to-earning-your-first-or-next-sans-certification/"},{"label":"Career coaching","url":"/career-coaching/"}],"role":"security_engineer","what_certs_wont_solve":"They do not replace systems fluency, hands-on practice, or the ability to reason across environments.","why_this_fits":"Breadth in OT starts with strong general security and systems understanding. 
Before expanding into industrial environments, you need a clear model of how enterprise systems, networks, and incidents behave."},{"bridge_text":"Breadth grows when you understand not just how OT works, but how it changes your assumptions about security and response.","common_misconception":"OT is just another environment to plug existing security controls into.","experience":"early_career","goal":"improve_technical_breadth","highlight_edge_ids":["edge_gsec_gcih","edge_gcih_gcfe","edge_gsec_gicsp","edge_gicsp_grid"],"highlight_node_ids":["gcih","gicsp","grid","gcfe"],"id":"industrial-breadth-early","label":"Security engineer expanding into ICS and OT environments","primary_node_id":"gicsp","recommended_first_id":"gicsp","recommended_next_id":"grid","related_links":[{"label":"Tabletop exercises","url":"https://lykosdefence.com/tabletop-exercises/"},{"label":"Incident response playbooks","url":"https://lykosdefence.com/playbooks/"}],"role":"security_engineer","what_certs_wont_solve":"They do not give you operational context, vendor-specific knowledge, or the ability to safely interact with live systems.","why_this_fits":"This stage introduces the differences between IT and OT environments: protocols, architectures, safety constraints, and operational ownership. 
Breadth here means understanding how security, detection, and response must adapt to those differences."},{"bridge_text":"Real breadth appears when you can move between IT, OT, detection, and response without breaking the investigation or the environment.","common_misconception":"Breadth means knowing more technologies rather than integrating them.","experience":"mid_career","goal":"improve_technical_breadth","highlight_edge_ids":["edge_gicsp_grid","edge_grid_ics612"],"highlight_node_ids":["gicsp","grid","ics612","gcda","gcia"],"id":"industrial-breadth-mid","label":"Security engineer integrating IT, OT, and response disciplines","primary_node_id":"grid","recommended_first_id":"grid","recommended_next_id":"ics612","related_links":[{"label":"Windows Artefacts as Evidence","url":"/windows-artefacts/"},{"label":"Incident capability validation","url":"https://lykosdefence.com/validation/"}],"role":"security_engineer","what_certs_wont_solve":"They do not ensure that systems, detections, and response processes actually work together in practice.","why_this_fits":"At this stage, breadth means connecting industrial systems, detection, investigation, and response into a coherent model. 
The focus shifts from understanding domains separately to working across them effectively."},{"bridge_text":"Expert breadth is about making systems, teams, and processes work together reliably, not just understanding each part in isolation.","common_misconception":"Broad expertise means knowing every system equally well.","experience":"advanced","goal":"improve_technical_breadth","highlight_edge_ids":["edge_grid_ics612","edge_sec555_sec530"],"highlight_node_ids":["grid","ics612","gdsa","gcil","validation"],"id":"industrial-breadth-advanced","label":"Security engineer shaping cross-domain OT/ICS security architecture","primary_node_id":"ics612","recommended_first_id":"ics612","recommended_next_id":"gdsa","related_links":[{"label":"Incident capability validation","url":"https://lykosdefence.com/validation/"},{"label":"Tabletop exercises","url":"https://lykosdefence.com/tabletop-exercises/"}],"role":"security_engineer","what_certs_wont_solve":"They do not create alignment between engineering, operations, and security teams or ensure the system works under pressure.","why_this_fits":"At advanced level, breadth becomes architectural and systemic. 
The goal is to design environments where IT, OT, detection, and response capabilities work together under real constraints, including safety, uptime, and risk."},{"bridge_text":"Leadership begins when you start paying attention to how decisions are made across security, engineering, and operations—not just the technical work itself.","common_misconception":"Leadership begins once you have enough seniority or technical depth.","experience":"beginner","goal":"move_toward_leadership","highlight_edge_ids":["edge_gsec_gicsp","edge_gsec_gcih"],"highlight_node_ids":["gsec","gcih","gicsp"],"id":"industrial-leadership-beginner","label":"Security engineer building early OT/ICS leadership awareness","primary_node_id":"gcih","recommended_first_id":"gsec","recommended_next_id":"gcih","related_links":[{"label":"A Roadmap to Earning Your First or Next SANS Certification","url":"/a-roadmap-to-earning-your-first-or-next-sans-certification/"},{"label":"Incident response playbooks","url":"https://lykosdefence.com/playbooks/"}],"role":"security_engineer","what_certs_wont_solve":"They don't create ownership, influence, or the ability to navigate operational trade-offs in real environments.","why_this_fits":"Early leadership in OT/ICS starts with understanding how incidents are handled, how decisions are made, and how operational constraints affect response. 
Before leading others, you need to see how security interacts with engineering and operations in practice."},{"bridge_text":"OT leadership begins when you can align security goals with operational realities rather than treating them as separate concerns.","common_misconception":"Strong technical engineers naturally become effective cross-functional leaders.","experience":"early_career","goal":"move_toward_leadership","highlight_edge_ids":["edge_gsec_gcih","edge_gsec_gicsp","edge_gcih_gslc"],"highlight_node_ids":["gcih","gicsp","gslc","grid"],"id":"industrial-leadership-early","label":"Security engineer stepping into OT/ICS coordination leadership","primary_node_id":"gicsp","recommended_first_id":"gicsp","recommended_next_id":"gslc","related_links":[{"label":"Tabletop exercises","url":"https://lykosdefence.com/tabletop-exercises/"},{"label":"Incident response playbooks","url":"https://lykosdefence.com/playbooks/"}],"role":"security_engineer","what_certs_wont_solve":"They don't create influence, alignment, or the ability to drive decisions across teams with competing priorities.","why_this_fits":"This stage suits engineers who are beginning to coordinate work across teams—security, operations, and engineering—rather than only contributing technically. 
The focus is on understanding priorities, constraints, and communication across disciplines."},{"bridge_text":"Leadership at this level is about making the system work—people, processes, and technology—not just managing individual efforts.","common_misconception":"Program leadership is mostly reporting, governance, and stakeholder updates.","experience":"mid_career","goal":"move_toward_leadership","highlight_edge_ids":["edge_gsec_gicsp","edge_gcih_gslc","edge_ldr512_ldr514"],"highlight_node_ids":["gicsp","gslc","gstrt","gcil","ics612"],"id":"industrial-leadership-mid","label":"Security engineer leading OT/ICS programmes and response","primary_node_id":"gslc","recommended_first_id":"gslc","recommended_next_id":"gstrt","related_links":[{"label":"Incident capability validation","url":"https://lykosdefence.com/validation/"},{"label":"Tabletop exercises","url":"https://lykosdefence.com/tabletop-exercises/"}],"role":"security_engineer","what_certs_wont_solve":"They don't ensure that teams can execute under pressure or that response processes work in real operational environments.","why_this_fits":"At this stage, leadership shifts from coordination into ownership of outcomes—program delivery, incident response capability, and alignment between security and operational teams. 
The goal is to ensure work is executed consistently and effectively across environments."},{"bridge_text":"Mature OT leadership is measured by whether the organisation can operate safely and respond effectively under real conditions, not just by strategy or planning.","common_misconception":"Executive-level leadership is primarily about communication and high-level oversight.","experience":"advanced","goal":"move_toward_leadership","highlight_edge_ids":["edge_ldr512_ldr514","edge_ldr514_ldr519"],"highlight_node_ids":["gslc","gstrt","ldr519","gcil","ics612"],"id":"industrial-leadership-advanced","label":"Security engineer shaping organisational OT/ICS security and readiness","primary_node_id":"gstrt","recommended_first_id":"gstrt","recommended_next_id":"ldr519","related_links":[{"label":"Incident capability validation","url":"https://lykosdefence.com/validation/"},{"label":"Incident response playbooks","url":"https://lykosdefence.com/playbooks/"}],"role":"security_engineer","what_certs_wont_solve":"They don't replace accountability for outcomes, the need for operational credibility, or validation that the organisation can actually respond effectively.","why_this_fits":"At the highest level, leadership becomes an organisational design problem. 
The focus is on governance, operating models, and ensuring that OT/ICS security and response capabilities align with business risk, safety requirements, and operational priorities."},{"bridge_text":"Strong SOC foundations start with understanding how systems behave, how incidents unfold, and how alerts relate to real response work.","common_misconception":"SOC work starts with SIEM queries and alert triage tools rather than broad systems and security fundamentals.","experience":"beginner","goal":"build_foundations","highlight_edge_ids":["edge_lab_gsec","edge_gsec_gcih"],"highlight_node_ids":["lab_foundations","gsec","gcih"],"id":"soc-foundations-beginner","label":"SOC analyst building core foundations","primary_node_id":"gsec","recommended_first_id":"gsec","recommended_next_id":"gcih","related_links":[{"label":"A Roadmap to Earning Your First or Next SANS Certification","url":"/a-roadmap-to-earning-your-first-or-next-sans-certification/"},{"label":"Build a personal forensics lab","url":"/create-a-personal-forensics-lab-part-1-the-primary-domain-controller/"}],"role":"soc_analyst","what_certs_wont_solve":"They don't replace operating system familiarity, network understanding, or the repeated exposure needed to tell normal behaviour from suspicious activity.","why_this_fits":"Early SOC foundations come from broad security grounding first, then incident handling. 
This helps analysts understand what they're seeing across systems, networks, and alerts before specialising into detection, forensics, or hunting."},{"bridge_text":"SOC foundations mature when analysts can connect alerts to incident flow, investigative context, and better detection decisions.","common_misconception":"Foundations are complete once you know how to close alerts and follow playbooks.","experience":"early_career","goal":"build_foundations","highlight_edge_ids":["edge_gsec_gcih","edge_gcih_gcia"],"highlight_node_ids":["gsec","gcih","gcia"],"id":"soc-foundations-early","label":"SOC analyst strengthening the operational baseline","primary_node_id":"gcih","recommended_first_id":"gcih","recommended_next_id":"gcia","related_links":[{"label":"Incident response playbooks","url":"https://lykosdefence.com/playbooks/"},{"label":"How to Test and Exercise Your Incident Response Capability","url":"https://blog.lykosdefence.com/posts/how-to-test-and-exercise-your-incident-response-capability/"}],"role":"soc_analyst","what_certs_wont_solve":"They don't create good escalation judgement, disciplined case handling, or reliable handovers unless those habits are practised deliberately.","why_this_fits":"Once the broad base is in place, the next foundation step is learning how to handle incidents more systematically and then improving detection depth. 
This helps analysts move from reacting to alerts toward understanding escalation quality, investigative context, and network-level reasoning."},{"bridge_text":"Forensic depth starts with understanding how alerts relate to real incidents, not just learning lists of artefacts or tools.","common_misconception":"Forensics is the right entry point into SOC work because it feels more specialised than detection.","experience":"beginner","goal":"deepen_forensic_capability","highlight_edge_ids":["edge_gsec_gcih","edge_gcih_gcfe"],"highlight_node_ids":["gsec","gcih","gcfe"],"id":"soc-forensics-beginner","label":"SOC analyst building the forensic baseline","primary_node_id":"gcih","recommended_first_id":"gsec","recommended_next_id":"gcih","related_links":[{"label":"Windows Artefacts as Evidence","url":"/windows-artefacts/"},{"label":"A Roadmap to Earning Your First or Next SANS Certification","url":"/a-roadmap-to-earning-your-first-or-next-sans-certification/"}],"role":"soc_analyst","what_certs_wont_solve":"They don't replace systems familiarity, alert triage discipline, or the repeated practice required to separate meaningful artefacts from noise.","why_this_fits":"At beginner stage, forensic capability starts with broad technical grounding and incident handling. 
That gives SOC analysts enough context to understand why host evidence matters before trying to specialise in it."},{"bridge_text":"Forensics starts when you stop asking “why did this detection fire?” and start asking “what actually happened on the endpoint?”","common_misconception":"Alert context and detection content are enough to explain what happened on a system.","experience":"early_career","goal":"deepen_forensic_capability","highlight_edge_ids":["edge_gcih_gcfe","edge_gcfe_gcfa"],"highlight_node_ids":["gcih","gcfe","gcfa","gcia"],"id":"soc-forensics-early","label":"SOC analyst moving into endpoint forensics","primary_node_id":"gcfe","recommended_first_id":"gcih","recommended_next_id":"gcfe","related_links":[{"label":"Windows Artefacts as Evidence","url":"/windows-artefacts/"},{"label":"Understanding Windows Artefacts as Evidence","url":"/understanding-windows-artefacts-as-evidence-not-indicators/"}],"role":"soc_analyst","what_certs_wont_solve":"They don't teach evidentiary reasoning, corroboration, or disciplined timeline reconstruction on their own.","why_this_fits":"The transition from SOC analysis into forensics usually starts with endpoint evidence. 
GCFE helps analysts move from reacting to alerts toward interpreting artefacts, building timelines, and understanding what actually happened on the host."},{"bridge_text":"Investigation quality is defined by how well you connect detections to evidence and explain confidence in the findings.","common_misconception":"Better tooling or more telemetry automatically produces better investigations.","experience":"mid_career","goal":"deepen_forensic_capability","highlight_edge_ids":["edge_gcfe_gcfa","edge_gcfa_gcfr"],"highlight_node_ids":["gcia","gcfe","gcfa","gcfr"],"id":"soc-forensics-mid","label":"SOC analyst building enterprise investigation depth","primary_node_id":"gcfa","recommended_first_id":"gcfe","recommended_next_id":"gcfa","related_links":[{"label":"Windows Artefacts as Evidence","url":"/windows-artefacts/"},{"label":"Incident response playbooks","url":"https://lykosdefence.com/playbooks/"}],"role":"soc_analyst","what_certs_wont_solve":"They don't remove ambiguity, improve case writing, or guarantee that conclusions will hold up under scrutiny.","why_this_fits":"This stage moves from host-focused evidence into larger investigations involving correlation across alerts, endpoints, memory, and other enterprise data sources. 
It helps SOC analysts become stronger at scoping incidents instead of only escalating them."},{"bridge_text":"Specialisation only pays off when it improves real investigative outcomes, not just technical depth in isolation.","common_misconception":"Specialisation should come early because it makes a SOC analyst more advanced faster.","experience":"advanced","goal":"deepen_forensic_capability","highlight_edge_ids":["edge_gcfa_glir","edge_gcfa_geir"],"highlight_node_ids":["gcfa","gcfr","glir","geir"],"id":"soc-forensics-advanced","label":"SOC analyst branching into forensic specialisation","primary_node_id":"glir","recommended_first_id":"gcfr","recommended_next_id":"glir","related_links":[{"label":"How to Test and Exercise Your Incident Response Capability","url":"https://blog.lykosdefence.com/posts/how-to-test-and-exercise-your-incident-response-capability/"},{"label":"Incident capability validation","url":"https://lykosdefence.com/validation/"}],"role":"soc_analyst","what_certs_wont_solve":"They don't make specialist knowledge useful unless it feeds back into better investigations, clearer escalation, and stronger defensive decisions.","why_this_fits":"Specialist depth becomes more valuable once core investigative capability is already strong. 
At this point, branching into memory, Linux, or cloud investigation can meaningfully improve how you handle more complex cases and support incident response more effectively."},{"bridge_text":"Handling is where alert familiarity turns into operational judgement.","common_misconception":"Working in a SOC automatically builds incident handling capability.","experience":"beginner","goal":"improve_incident_handling","highlight_edge_ids":["edge_gsec_gcih","edge_gcih_gcia"],"highlight_node_ids":["gsec","gcih","gcia"],"id":"soc-handling-beginner","label":"SOC analyst building incident handling foundations","primary_node_id":"gcih","recommended_first_id":"gsec","recommended_next_id":"gcih","related_links":[{"label":"Read the full SANS roadmap article","url":"/a-roadmap-to-earning-your-first-or-next-sans-certification/"},{"label":"Incident response playbooks","url":"https://lykosdefence.com/playbooks/"}],"role":"soc_analyst","what_certs_wont_solve":"They don't teach prioritisation, escalation judgement, or calm decision-making under pressure unless those habits are practised deliberately.","why_this_fits":"Early SOC handling maturity comes from broad security grounding followed by incident handling. 
This helps analysts move from reacting to alerts toward understanding triage, escalation, and what good response decisions look like."},{"bridge_text":"Handling improves when analysts can connect detections to response flow, evidence needs, and decision quality.","common_misconception":"Closing alerts efficiently means incident handling is already strong.","experience":"early_career","goal":"improve_incident_handling","highlight_edge_ids":["edge_gcih_gcia","edge_gcih_gcfe"],"highlight_node_ids":["gcih","gcia","gcfe"],"id":"soc-handling-early","label":"SOC analyst improving escalation and investigative flow","primary_node_id":"gcih","recommended_first_id":"gcih","recommended_next_id":"gcia","related_links":[{"label":"How to Test and Exercise Your Incident Response Capability","url":"https://blog.lykosdefence.com/posts/how-to-test-and-exercise-your-incident-response-capability/"},{"label":"Windows Artefacts as Evidence","url":"/windows-artefacts/"}],"role":"soc_analyst","what_certs_wont_solve":"They don't fix weak handovers, poor case notes, or inconsistent escalation criteria on their own.","why_this_fits":"At this stage, the goal is to improve how alerts become investigations. 
Better incident handling here means stronger escalation quality, better triage decisions, and more confidence in when to pivot from detection into evidence collection or deeper investigation."},{"bridge_text":"Handling gets stronger when telemetry, triage, detection, and escalation work as one system rather than separate activities.","common_misconception":"Improving detection quality alone improves incident handling.","experience":"mid_career","goal":"improve_incident_handling","highlight_edge_ids":["edge_gcih_gcia","edge_gmon_gcia","edge_gmon_sec555"],"highlight_node_ids":["gcih","gcia","gmon","gcda"],"id":"soc-handling-mid","label":"SOC analyst integrating detection and response","primary_node_id":"gmon","recommended_first_id":"gcia","recommended_next_id":"gmon","related_links":[{"label":"Incident response playbooks","url":"https://lykosdefence.com/playbooks/"},{"label":"Tabletop exercises","url":"https://lykosdefence.com/tabletop-exercises/"}],"role":"soc_analyst","what_certs_wont_solve":"They don't fix weak workflows, unclear ownership, or poor follow-through unless the operating model around them improves too.","why_this_fits":"Mid-career handling improvement comes from connecting triage, detection, and response into one tighter operating loop. 
At this point, the challenge is no longer just identifying suspicious activity, but ensuring the SOC can investigate, escalate, and hand off consistently."},{"bridge_text":"Good detection design supports response, but mature handling still depends on role clarity, operational context, and tested coordination.","common_misconception":"Better architecture or better detections automatically lead to better response outcomes.","experience":"advanced","goal":"improve_incident_handling","highlight_edge_ids":["edge_sec555_sec530","edge_gcil_validation"],"highlight_node_ids":["gcda","gdsa","gcil","validation"],"id":"soc-handling-advanced","label":"SOC analyst shaping response-capable detection systems","primary_node_id":"gdsa","recommended_first_id":"gcda","recommended_next_id":"gdsa","related_links":[{"label":"Tabletop exercises","url":"https://lykosdefence.com/tabletop-exercises/"},{"label":"Incident capability validation","url":"https://lykosdefence.com/validation/"}],"role":"soc_analyst","what_certs_wont_solve":"They don't validate whether systems, teams, and escalation paths actually work during incidents.","why_this_fits":"At the advanced level, incident handling improves when the surrounding systems, detections, and escalation paths are designed to support real investigations. 
The focus shifts from individual analyst skill toward building a SOC that can hand off, coordinate, and respond reliably under pressure."},{"bridge_text":"Breadth starts when alert handling is grounded in system behaviour, incident flow, and escalation quality.","common_misconception":"Technical breadth means learning lots of tools before understanding how incidents actually unfold.","experience":"beginner","goal":"improve_technical_breadth","highlight_edge_ids":["edge_lab_gsec","edge_gsec_gcih","edge_gcih_gcia"],"highlight_node_ids":["lab_foundations","gsec","gcih","gcia"],"id":"soc-breadth-beginner","label":"SOC analyst building broader technical context","primary_node_id":"gcih","recommended_first_id":"gsec","recommended_next_id":"gcih","related_links":[{"label":"A Roadmap to Earning Your First or Next SANS Certification","url":"/a-roadmap-to-earning-your-first-or-next-sans-certification/"},{"label":"Build a personal forensics lab","url":"/create-a-personal-forensics-lab-part-1-the-primary-domain-controller/"}],"role":"soc_analyst","what_certs_wont_solve":"They don't replace systems familiarity, good triage habits, or the repeated practice needed to connect alerts to real investigative context.","why_this_fits":"Early breadth for SOC analysts comes from broad technical grounding first, then incident handling. 
This helps you understand how systems, alerts, and response decisions connect before you branch into deeper detection, forensics, or specialist environments."},{"bridge_text":"Real breadth begins when you can connect detections to endpoint evidence and make better decisions about what matters.","common_misconception":"Breadth means staying general instead of getting stronger anywhere in particular.","experience":"early_career","goal":"improve_technical_breadth","highlight_edge_ids":["edge_gcih_gcia","edge_gcih_gcfe"],"highlight_node_ids":["gcih","gcia","gcfe"],"id":"soc-breadth-early","label":"SOC analyst broadening across detection and evidence","primary_node_id":"gcia","recommended_first_id":"gcih","recommended_next_id":"gcia","related_links":[{"label":"Windows Artefacts as Evidence","url":"/windows-artefacts/"},{"label":"Incident response playbooks","url":"https://lykosdefence.com/playbooks/"}],"role":"soc_analyst","what_certs_wont_solve":"They don't automatically connect detections to investigative reasoning unless you deliberately work across alerts, artefacts, and case notes in real incidents.","why_this_fits":"At this stage, breadth means becoming stronger at both detection and evidence. 
SOC analysts get broader by learning how network signals, endpoint artefacts, and incident handling reinforce each other rather than treating them as separate disciplines."},{"bridge_text":"Breadth becomes more valuable when your investigative lessons can be turned into better detections, cleaner workflows, and more repeatable outcomes.","common_misconception":"Breadth at this stage is just adding more data sources or dashboards.","experience":"mid_career","goal":"improve_technical_breadth","highlight_edge_ids":["edge_gmon_gcia","edge_gmon_sec555","edge_sec555_sec573"],"highlight_node_ids":["gcia","gmon","gcda","gpyc"],"id":"soc-breadth-mid","label":"SOC analyst expanding into monitoring, automation, and detection engineering","primary_node_id":"gcda","recommended_first_id":"gmon","recommended_next_id":"gcda","related_links":[{"label":"Incident response playbooks","url":"https://lykosdefence.com/playbooks/"},{"label":"Tabletop exercises","url":"https://lykosdefence.com/tabletop-exercises/"}],"role":"soc_analyst","what_certs_wont_solve":"They don't ensure detections are useful, repeatable, or well integrated into analyst workflow without deliberate engineering and feedback loops.","why_this_fits":"Mid-career breadth comes from moving beyond investigation alone and improving the systems that support detection and response. 
This is where monitoring quality, analytics, and automation start to matter as much as individual triage skill."},{"bridge_text":"OT capability only becomes meaningful when defensive knowledge can operate inside real-world industrial constraints rather than abstract security models.","common_misconception":"OT security and monitoring are just another variation of enterprise IT security.","experience":"advanced","goal":"improve_technical_breadth","highlight_edge_ids":["edge_gicsp_grid","edge_grid_ics612"],"highlight_node_ids":["gicsp","grid","ics612"],"id":"soc-breadth-advanced","label":"SOC analyst branching into specialist environments (ICS / OT)","primary_node_id":"gicsp","recommended_first_id":"gicsp","recommended_next_id":"ics612","related_links":[{"label":"A Roadmap to Earning Your First or Next SANS Certification","url":"/a-roadmap-to-earning-your-first-or-next-sans-certification/"},{"label":"Incident capability validation","url":"https://lykosdefence.com/validation/"}],"role":"soc_analyst","what_certs_wont_solve":"They don't replace operational context, plant knowledge, safety constraints, or the coordination required between engineering, operations, and security teams.","why_this_fits":"Once the general blue-team and detection base is strong, technical breadth can expand into specialist environments such as ICS and OT. 
This branch is useful when your work increasingly touches industrial systems, safety-sensitive operations, or higher-consequence environments where IT assumptions no longer hold."},{"bridge_text":"Leadership begins when you stop focusing only on your own queue and start paying attention to how the wider response process runs.","common_misconception":"Leadership starts once you're senior enough or have completed a leadership course.","experience":"beginner","goal":"move_toward_leadership","highlight_edge_ids":["edge_gsec_gcih","edge_gcih_gcia"],"highlight_node_ids":["gsec","gcih","gcia"],"id":"soc-leadership-beginner","label":"SOC analyst building early leadership habits","primary_node_id":"gcih","recommended_first_id":"gsec","recommended_next_id":"gcih","related_links":[{"label":"A Roadmap to Earning Your First or Next SANS Certification","url":"/a-roadmap-to-earning-your-first-or-next-sans-certification/"},{"label":"Incident response playbooks","url":"https://lykosdefence.com/playbooks/"}],"role":"soc_analyst","what_certs_wont_solve":"They don't create ownership, calm judgement, or the ability to communicate clearly under pressure unless those behaviours are practised in real operational work.","why_this_fits":"Early leadership in a SOC starts with understanding how alerts are triaged, escalated, and handed off before trying to lead others. 
Broad foundations plus handling discipline give later leadership responsibility something real to stand on."},{"bridge_text":"SOC leadership begins when the job shifts from handling the work yourself to helping the team handle it consistently under pressure.","common_misconception":"Strong analysts naturally become strong SOC leaders.","experience":"early_career","goal":"move_toward_leadership","highlight_edge_ids":["edge_gcih_gslc","edge_ldr512_ldr514"],"highlight_node_ids":["gcih","gcia","gslc","gstrt"],"id":"soc-leadership-early","label":"SOC analyst stepping into coordination leadership","primary_node_id":"gslc","recommended_first_id":"gcih","recommended_next_id":"gslc","related_links":[{"label":"Tabletop exercises","url":"https://lykosdefence.com/tabletop-exercises/"},{"label":"Incident response playbooks","url":"https://lykosdefence.com/playbooks/"}],"role":"soc_analyst","what_certs_wont_solve":"They don't create leadership judgement, ownership, or tested readiness on their own.","why_this_fits":"This stage suits analysts who are moving from closing alerts themselves to helping shape how the SOC triages, escalates, and manages response flow across a team or shift. 
The goal is to broaden from technical execution into coordination, prioritisation, and management discipline."},{"bridge_text":"This is the point where individual analyst skill has to become team-level execution and management capability.","common_misconception":"Leadership is just senior technical depth plus stakeholder communication.","experience":"mid_career","goal":"move_toward_leadership","highlight_edge_ids":["edge_ldr512_ldr514"],"highlight_node_ids":["gcia","gslc","gstrt","gcil"],"id":"soc-leadership-mid","label":"SOC analyst moving into management and program leadership","primary_node_id":"gslc","recommended_first_id":"gslc","recommended_next_id":"gstrt","related_links":[{"label":"Tabletop exercises","url":"https://lykosdefence.com/tabletop-exercises/"},{"label":"Incident capability validation","url":"https://lykosdefence.com/validation/"}],"role":"soc_analyst","what_certs_wont_solve":"They don't replace real ownership, delegation, or the ability to make trade-offs across people, priorities, and time pressure.","why_this_fits":"At this stage, leadership shifts from coordinating alerts and escalations to owning execution quality across teams, workflows, detections, and response paths. 
LDR512 helps analysts move from being strong operators to managing programs, priorities, and outcomes more deliberately."},{"bridge_text":"This is where leadership becomes less about running the queue and more about ensuring the organisation is structured to respond well when it matters.","common_misconception":"Seniority in a SOC automatically translates into strategic leadership.","experience":"advanced","goal":"move_toward_leadership","highlight_edge_ids":["edge_ldr512_ldr514","edge_ldr514_ldr519"],"highlight_node_ids":["gslc","gstrt","ldr519","gcil"],"id":"soc-leadership-advanced","label":"Senior SOC analyst moving into strategic response leadership","primary_node_id":"gstrt","recommended_first_id":"gstrt","recommended_next_id":"ldr519","related_links":[{"label":"Incident capability validation","url":"https://lykosdefence.com/validation/"},{"label":"Incident response playbooks","url":"https://lykosdefence.com/playbooks/"}],"role":"soc_analyst","what_certs_wont_solve":"They don't replace organisational influence, accountability for outcomes, or the need to validate team capability through exercises and real incidents.","why_this_fits":"At this stage, leadership means moving beyond shift or function management into shaping policy, operating models, risk alignment, and readiness across the wider detection and response capability. 
The challenge is no longer just running the SOC well, but ensuring the organisation is designed to detect, investigate, and respond consistently."},{"bridge_text":"Hunting starts with understanding what “normal” looks like before trying to find what isn’t.","common_misconception":"Threat hunting is a separate skill you can learn without deep system or detection knowledge.","experience":"beginner","goal":"build_foundations","highlight_edge_ids":["edge_gsec_gcih","edge_gsec_gsoc"],"highlight_node_ids":["gsec","gsoc","gcih"],"id":"threat-hunter-foundations-early","label":"Aspiring threat hunter building technical foundations","primary_node_id":"gsec","recommended_first_id":"gsec","recommended_next_id":"gsoc","role":"threat_hunter","what_certs_wont_solve":"They don't create intuition about systems or telemetry without hands-on exposure and repetition.","why_this_fits":"Threat hunting depends on strong systems understanding and exposure to real detection workflows. This stage builds the baseline needed to recognise normal vs abnormal behaviour."},{"bridge_text":"You can't hunt what you can't see. Visibility comes before hypothesis.","common_misconception":"You can start hunting effectively without understanding how data is collected and structured.","experience":"early_career","goal":"build_foundations","highlight_edge_ids":["edge_gsoc_gmon","edge_gsoc_gnfa","edge_gmon_gcia"],"highlight_node_ids":["gsoc","gmon","gnfa","gcih"],"id":"threat-hunter-foundations-detection","label":"Threat hunter building detection and telemetry foundations","primary_node_id":"gmon","recommended_first_id":"gsoc","recommended_next_id":"gmon","role":"threat_hunter","what_certs_wont_solve":"They don't fix weak telemetry pipelines or poor data quality.","why_this_fits":"Hunting depends heavily on telemetry. 
This stage builds understanding of logs, SIEM workflows, and network visibility before attempting hypothesis-driven hunting."},{"bridge_text":"Forensic depth begins when you stop asking what looks suspicious and start proving what actually happened.","common_misconception":"Hunting experience automatically translates into forensic capability.","experience":"beginner","goal":"deepen_forensic_capability","highlight_edge_ids":["edge_gcih_gcfe","edge_gcfe_gcfa"],"highlight_node_ids":["gcih","gcfe","gcfa"],"id":"threat-hunter-forensics-beginner","label":"Threat hunter building forensic foundations","primary_node_id":"gcfe","recommended_first_id":"gcih","recommended_next_id":"gcfe","related_links":[{"label":"Windows Artefacts as Evidence","url":"/windows-artefacts/"},{"label":"Incident response playbooks","url":"https://lykosdefence.com/playbooks/"}],"role":"threat_hunter","what_certs_wont_solve":"They don't create evidentiary discipline, careful interpretation, or restrained conclusions without repeated investigative practice.","why_this_fits":"This stage helps hunters move from behavioural suspicion into endpoint evidence and artefact interpretation. 
It builds the foundation needed to support hypotheses with defensible evidence rather than intuition alone."},{"bridge_text":"Strong forensic work connects artefacts, timelines, and environments rather than relying on one data source.","common_misconception":"Better hunting and better forensics are the same thing.","experience":"early_career","goal":"deepen_forensic_capability","highlight_edge_ids":["edge_gcfe_gcfa","edge_gcfa_gcfr"],"highlight_node_ids":["gcia","gcfe","gcfa","gcfr"],"id":"threat-hunter-forensics-early","label":"Threat hunter building investigative DFIR depth","primary_node_id":"gcfa","recommended_first_id":"gcfe","recommended_next_id":"gcfa","related_links":[{"label":"Windows Artefacts as Evidence","url":"/windows-artefacts/"},{"label":"Build Your Own Forensics Go-Bag","url":"/build-your-own-forensics-go-bag/"}],"role":"threat_hunter","what_certs_wont_solve":"They don't ensure your investigations are well-scoped, complete, or defensible unless you deliberately improve scoping, corroboration, and writing.","why_this_fits":"At this stage, the goal is to combine detection-led reasoning with stronger endpoint and enterprise investigation skills across multiple systems and data sources. 
This is where hunting starts to become more evidentiary and less purely behavioural."},{"bridge_text":"At this level, forensic maturity comes from adapting your methods to the environment and integrating multiple evidence sources.","common_misconception":"Advanced forensics just means more Windows depth or bigger timelines.","experience":"mid_career","goal":"deepen_forensic_capability","highlight_edge_ids":["edge_gcfa_gcfr","edge_gcfa_glir","edge_gcfa_gcti"],"highlight_node_ids":["gcfa","gcfr","glir","gcti"],"id":"threat-hunter-forensics-mid","label":"Threat hunter expanding into multi-domain forensics","primary_node_id":"gcfr","recommended_first_id":"gcfa","recommended_next_id":"gcfr","related_links":[{"label":"Incident response playbooks","url":"https://lykosdefence.com/playbooks/"},{"label":"Tabletop exercises","url":"https://lykosdefence.com/tabletop-exercises/"}],"role":"threat_hunter","what_certs_wont_solve":"They don't fix access limitations, poor retention, or weak collection assumptions in modern environments.","why_this_fits":"Once core forensic investigation is stable, the next depth gain often comes from expanding across environments and evidence models such as cloud, Linux, and intelligence-supported investigation. 
This helps hunters carry their reasoning into more complex and less familiar terrain."},{"bridge_text":"Specialisation only pays off when it strengthens investigative outcomes rather than becoming a separate technical hobby.","common_misconception":"Specialist forensic tracks should come early because they look more advanced.","experience":"advanced","goal":"deepen_forensic_capability","highlight_edge_ids":["edge_gcfa_grem","edge_grem_for710","edge_gcfa_gcti"],"highlight_node_ids":["gcfa","grem","for710","gcti"],"id":"threat-hunter-forensics-advanced","label":"Threat hunter specialising in advanced forensic analysis","primary_node_id":"grem","recommended_first_id":"gcfa","recommended_next_id":"grem","related_links":[{"label":"Build Your Own Forensics Go-Bag","url":"/build-your-own-forensics-go-bag/"},{"label":"Incident response playbooks","url":"https://lykosdefence.com/playbooks/"}],"role":"threat_hunter","what_certs_wont_solve":"They don't make specialist depth valuable unless it improves real investigations, detections, and defensive decisions.","why_this_fits":"Specialist depth becomes useful when hunt-led investigations require understanding malware behaviour, adversary tooling, or intelligence context at a much deeper level. 
At this stage, specialisation can meaningfully improve how you investigate, explain, and defend complex findings."},{"bridge_text":"Breadth starts by linking detection signals to investigative context, not by branching too early into disconnected specialties.","common_misconception":"Breadth means learning many tools across unrelated domains.","experience":"beginner","goal":"improve_technical_breadth","highlight_edge_ids":["edge_gcih_gcia","edge_gcih_gcfe"],"highlight_node_ids":["gcih","gcia","gcfe"],"id":"threat-hunter-breadth-beginner","label":"Threat hunter building broader detection context","primary_node_id":"gcia","recommended_first_id":"gcih","recommended_next_id":"gcia","related_links":[{"label":"Windows Artefacts as Evidence","url":"/windows-artefacts/"},{"label":"Incident response playbooks","url":"https://lykosdefence.com/playbooks/"}],"role":"threat_hunter","what_certs_wont_solve":"They don't connect detection and investigation unless you deliberately apply both in real cases and compare signals against evidence.","why_this_fits":"Early breadth for hunters usually comes from strengthening incident handling and detection depth while beginning to understand endpoint evidence alongside network signals. 
This gives you more than one way to reason about suspicious activity."},{"bridge_text":"Real breadth shows up when you can pivot across environments and still maintain a coherent investigation.","common_misconception":"Network, endpoint, cloud, and intelligence work are independent tracks that can be developed in isolation.","experience":"early_career","goal":"improve_technical_breadth","highlight_edge_ids":["edge_gcfa_gcfr","edge_gcfa_gcti"],"highlight_node_ids":["gcia","gcfa","gcfr","gcti"],"id":"threat-hunter-breadth-early","label":"Threat hunter expanding across detection and investigation","primary_node_id":"gcfa","recommended_first_id":"gcia","recommended_next_id":"gcfa","related_links":[{"label":"Windows Artefacts as Evidence","url":"/windows-artefacts/"},{"label":"Build Your Own Forensics Go-Bag","url":"/build-your-own-forensics-go-bag/"}],"role":"threat_hunter","what_certs_wont_solve":"They don't automatically create better correlation, prioritisation, or investigative reasoning across data sources.","why_this_fits":"At this stage, breadth means combining detection-led reasoning with stronger endpoint and enterprise investigation depth. 
The goal is to move beyond isolated detections and build fuller investigations across multiple systems and data sources."},{"bridge_text":"Breadth becomes more valuable when investigative insight can be turned into repeatable detection and response improvements.","common_misconception":"Breadth at this level is mostly about adding more data sources or one more specialised discipline.","experience":"mid_career","goal":"improve_technical_breadth","highlight_edge_ids":["edge_gcfa_gcti","edge_gcfa_gcda","edge_sec555_sec573"],"highlight_node_ids":["gcfa","gcda","gpyc","gcti"],"id":"threat-hunter-breadth-mid","label":"Threat hunter integrating multi-domain depth","primary_node_id":"gcda","recommended_first_id":"gcfa","recommended_next_id":"gcda","related_links":[{"label":"Windows Artefacts as Evidence","url":"/windows-artefacts/"},{"label":"Incident response playbooks","url":"https://lykosdefence.com/playbooks/"}],"role":"threat_hunter","what_certs_wont_solve":"They don't ensure your findings become durable detections, better automation, or more repeatable workflows without deliberate engineering and feedback loops.","why_this_fits":"Mid-career breadth starts to include the ability to turn investigations into scalable detection, automation, and intelligence-informed workflows. 
At this point, the question isn't only what you can investigate yourself, but how your insights improve the wider hunt and detection function."},{"bridge_text":"Advanced breadth is about making systems work together reliably, not just understanding each piece in isolation.","common_misconception":"Broad expertise means knowing every domain equally well.","experience":"advanced","goal":"improve_technical_breadth","highlight_edge_ids":["edge_sec555_sec530","edge_sec555_sec573","edge_gcfa_gcti"],"highlight_node_ids":["gcda","gdsa","gpyc","gcti"],"id":"threat-hunter-breadth-advanced","label":"Threat hunter shaping cross-domain detection and investigation","primary_node_id":"gdsa","recommended_first_id":"gcda","recommended_next_id":"gdsa","related_links":[{"label":"Incident response playbooks","url":"https://lykosdefence.com/playbooks/"},{"label":"Tabletop exercises","url":"https://lykosdefence.com/tabletop-exercises/"}],"role":"threat_hunter","what_certs_wont_solve":"They don't create alignment between systems, teams, detections, and workflows without deliberate design, ownership, and reinforcement.","why_this_fits":"At the advanced level, breadth becomes architectural and systemic. 
The challenge is no longer just understanding multiple domains, but shaping how detection, investigation, automation, and intelligence work together across the organisation."},{"bridge_text":"DFIR starts when hunting hypotheses must be validated under incident pressure rather than simply surfaced.","common_misconception":"Threat hunting naturally translates into DFIR capability.","experience":"beginner","goal":"move_into_dfir","highlight_edge_ids":["edge_gcih_gcfe","edge_gcih_gcia"],"highlight_node_ids":["gcih","gcia","gcfe"],"id":"threat-hunter-dfir-beginner","label":"Threat hunter grounding in incident handling","primary_node_id":"gcih","recommended_first_id":"gcih","recommended_next_id":"gcfe","related_links":[{"label":"Incident response playbooks","url":"https://lykosdefence.com/playbooks/"},{"label":"Windows Artefacts as Evidence","url":"/windows-artefacts/"}],"role":"threat_hunter","what_certs_wont_solve":"They don't teach incident ownership, triage discipline, or structured escalation on their own.","why_this_fits":"Hunters moving into DFIR usually need stronger incident handling structure before focusing on evidence. 
This stage grounds hunting activity in real response workflows and helps turn behavioural suspicion into something more disciplined."},{"bridge_text":"The shift here is from “this looks suspicious” to “this is what actually happened on the host.”","common_misconception":"Detection and hunting provide enough context to understand what happened.","experience":"early_career","goal":"move_into_dfir","highlight_edge_ids":["edge_gcih_gcfe","edge_gcfe_gcfa"],"highlight_node_ids":["gcia","gcfe","gcfa","gcih"],"id":"threat-hunter-dfir-early","label":"Threat hunter moving into endpoint forensics","primary_node_id":"gcfe","recommended_first_id":"gcfe","recommended_next_id":"gcfa","related_links":[{"label":"Understanding Windows Artefacts as Evidence","url":"/understanding-windows-artefacts-as-evidence-not-indicators/"},{"label":"Windows Artefacts as Evidence","url":"/windows-artefacts/"}],"role":"threat_hunter","what_certs_wont_solve":"They don't replace disciplined evidence interpretation, corroboration, or careful timeline reconstruction.","why_this_fits":"This stage introduces endpoint evidence and timeline building, allowing hunters to validate hypotheses with defensible artefacts rather than behavioural indicators alone."},{"bridge_text":"Investigation depth requires connecting multiple evidence sources and explaining confidence clearly, not just identifying patterns faster.","common_misconception":"Strong hunting automatically produces strong investigations.","experience":"mid_career","goal":"move_into_dfir","highlight_edge_ids":["edge_gcfa_gcfr","edge_gcfa_geir"],"highlight_node_ids":["gcfa","gcia","gcfr","geir"],"id":"threat-hunter-dfir-mid","label":"Threat hunter building enterprise DFIR capability","primary_node_id":"gcfa","recommended_first_id":"gcfa","recommended_next_id":"gcfr","related_links":[{"label":"Incident response playbooks","url":"https://lykosdefence.com/playbooks/"},{"label":"Tabletop 
exercises","url":"https://lykosdefence.com/tabletop-exercises/"}],"role":"threat_hunter","what_certs_wont_solve":"They don't create defensible conclusions, disciplined scoping, or consistent investigative methodology by themselves.","why_this_fits":"At this stage, hunters expand into enterprise-scale investigations, correlating network, endpoint, memory, and cloud evidence across more complex incidents. The work becomes less about identifying patterns and more about building defensible investigative narratives across systems."},{"bridge_text":"The goal isn't deeper hunting or deeper DFIR in isolation, but combining both into stronger investigative outcomes.","common_misconception":"Specialisation replaces the need for strong investigative fundamentals.","experience":"advanced","goal":"move_into_dfir","highlight_edge_ids":["edge_gcfa_gcti","edge_gcfa_grem","edge_grem_for710"],"highlight_node_ids":["gcfa","gcti","grem","for710"],"id":"threat-hunter-dfir-advanced","label":"Threat hunter specialising within DFIR","primary_node_id":"gcti","recommended_first_id":"gcfa","recommended_next_id":"gcti","related_links":[{"label":"Build Your Own Forensics Go-Bag","url":"/build-your-own-forensics-go-bag/"},{"label":"Incident response playbooks","url":"https://lykosdefence.com/playbooks/"}],"role":"threat_hunter","what_certs_wont_solve":"They don't make intelligence or malware analysis useful unless those skills feed back into real investigations, detections, and defensive decisions.","why_this_fits":"At the advanced level, hunters can integrate intelligence, malware analysis, and deeper specialist investigation into complex or long-running cases. 
Specialisation becomes valuable once strong investigative fundamentals are already stable."},{"bridge_text":"Leadership begins when the job shifts from finding problems to helping the organisation decide what to do about them.","common_misconception":"Strong hunting naturally translates into strong leadership.","experience":"beginner","goal":"move_toward_leadership","highlight_edge_ids":["edge_gcih_gcia","edge_gcih_gcfe"],"highlight_node_ids":["gcih","gcia","gcfe"],"id":"threat-hunter-leadership-beginner","label":"Threat hunter building early leadership habits","primary_node_id":"gcih","recommended_first_id":"gcih","recommended_next_id":"gcia","related_links":[{"label":"Incident response playbooks","url":"https://lykosdefence.com/playbooks/"},{"label":"Tabletop exercises","url":"https://lykosdefence.com/tabletop-exercises/"}],"role":"threat_hunter","what_certs_wont_solve":"They don't replace ownership, judgement under pressure, or the ability to help coordinate people and decisions in real time.","why_this_fits":"Early leadership for hunters starts with understanding how findings affect real incidents, escalation, and investigative direction. 
This stage helps move from producing observations to understanding how those observations should change response."},{"bridge_text":"Hunt leadership starts to matter when the question becomes whether the team can repeatedly produce useful outcomes, not just whether one hunter is strong.","common_misconception":"Leading a hunt function is mostly about assigning work and reporting status.","experience":"early_career","goal":"move_toward_leadership","highlight_edge_ids":["edge_gmon_gcia","edge_gmon_gsom"],"highlight_node_ids":["gcia","gcil","gmon","gsom"],"id":"threat-hunter-leadership-early","label":"Threat hunter leading investigations and hunt outcomes","primary_node_id":"gsom","recommended_first_id":"gcia","recommended_next_id":"gsom","related_links":[{"label":"Incident response playbooks","url":"https://lykosdefence.com/playbooks/"},{"label":"Incident capability validation","url":"https://lykosdefence.com/validation/"}],"role":"threat_hunter","what_certs_wont_solve":"They don't create good operating rhythms, quality review loops, or a mature escalation model by themselves.","why_this_fits":"At this stage, leadership means moving beyond individual investigations and helping shape how hunt findings are prioritised, reviewed, and translated into action across a team or function."},{"bridge_text":"At this level, the challenge shifts from producing findings to building a function that can turn those findings into dependable outcomes.","common_misconception":"Advanced leadership is mostly stakeholder communication and executive reporting.","experience":"mid_career","goal":"move_toward_leadership","highlight_edge_ids":["edge_gsom_gcil","edge_ldr514_ldr519"],"highlight_node_ids":["gsom","gcil","gstrt","ldr519"],"id":"threat-hunter-leadership-mid","label":"Threat hunter leading response-capable programs","primary_node_id":"gstrt","recommended_first_id":"gsom","recommended_next_id":"gstrt","related_links":[{"label":"Tabletop 
exercises","url":"https://lykosdefence.com/tabletop-exercises/"},{"label":"Incident capability validation","url":"https://lykosdefence.com/validation/"}],"role":"threat_hunter","what_certs_wont_solve":"They don't prove the team can execute under pressure or that the operating model actually works during incidents.","why_this_fits":"Mid-career leadership means moving beyond hunt execution into program design, response coordination, and ensuring the wider function can detect, investigate, and act coherently when findings matter most."},{"bridge_text":"Mature leadership is measured by whether the organisation can respond effectively, not just whether the hunt team is technically strong.","common_misconception":"Executive-level leadership is mainly about communication and visibility.","experience":"advanced","goal":"move_toward_leadership","highlight_edge_ids":["edge_ldr514_ldr519","edge_ldr519_validation"],"highlight_node_ids":["gstrt","ldr519","gsom","gcil"],"id":"threat-hunter-leadership-advanced","label":"Threat hunter shaping organisational readiness","primary_node_id":"ldr519","recommended_first_id":"gstrt","recommended_next_id":"ldr519","related_links":[{"label":"Incident capability validation","url":"https://lykosdefence.com/validation/"},{"label":"Tabletop exercises","url":"https://lykosdefence.com/tabletop-exercises/"}],"role":"threat_hunter","what_certs_wont_solve":"They don't replace accountability for outcomes, operational credibility, or the need to validate capability through exercises and real incidents.","why_this_fits":"At the advanced level, leadership becomes an organisational problem: governance, capability design, and making sure detection and hunt work align with business risk, response readiness, and the wider operating model."}],"stages":[{"description":"Baseline coverage and first-principles depth.","id":"stage_foundational","label":"1. Foundational"},{"description":"Core analyst and handler capability.","id":"stage_core","label":"2. 
Core operations"},{"description":"Role-aligned specialisation and branch points.","id":"stage_applied","label":"3. Applied practice"},{"description":"Deeper investigative and leadership depth.","id":"stage_advanced","label":"4. Advanced"},{"description":"Specialist tracks and senior capability.","id":"stage_specialist","label":"5. Specialist"},{"description":"Highest-depth or function-wide outcomes.","id":"stage_expert","label":"6. Expert"}],"track_rows":[{"height":190,"id":"foundations","label":"Foundations","y":30},{"height":190,"id":"soc","label":"SOC","y":270},{"height":280,"id":"dfir","label":"DFIR","y":500},{"height":190,"id":"threat_hunting","label":"Threat hunting","y":800},{"height":260,"id":"leadership","label":"Leadership","y":1020},{"height":190,"id":"readiness","label":"ICS/OT","y":1310}],"tracks":[{"description":"Baseline technical and security foundations.","id":"foundations","label":"Foundations"},{"description":"Security operations, detection, and monitoring paths.","id":"soc","label":"SOC"},{"description":"Digital forensics and incident response specialisation.","id":"dfir","label":"DFIR"},{"description":"Proactive investigation and adversary-focused analysis.","id":"threat_hunting","label":"Threat Hunting"},{"description":"People, programme, and strategic security leadership.","id":"leadership","label":"Leadership"},{"description":"Operational readiness and incident execution maturity.","id":"readiness","label":"Readiness"}]}