Train the way you fight.
Most cybersecurity training teaches tools. Very little prepares teams to investigate real incidents under real conditions. CSG training is built for the second category.
- Incident responders
- Cloud security engineers
- Digital forensics analysts
- Security operations teams
- Government and defense cyber units
The Principle
Modern incidents do not occur in clean lab environments.
They unfold across cloud infrastructure, identity systems, SaaS platforms, and network layers simultaneously. Traditional training that isolates a single platform produces investigators who struggle at the seams — where attacks actually live.
CSG training reflects the reality of modern enterprise environments. Participants work through realistic, artifact-driven scenarios that mirror how incidents actually behave — not how they are simplified for a lab.
What Participants Do
Active investigation — not passive instruction.
- Identify and interpret evidence across multiple systems
- Reconstruct attacker activity step by step
- Build defensible timelines under operational pressure
- Correlate logs across cloud, identity, and SaaS
- Validate findings against raw artifacts — not dashboards
- Establish attribution — who, how, and why
- Collaborate and make decisions under time constraints
Multi-cloud, multi-domain, and connected to operational technology.
CSG training environments are designed to reflect how modern enterprise systems actually operate — where investigations span multiple platforms and operational domains simultaneously. Participants are not isolated in a single-cloud sandbox.
AWS
- EC2 & IAM
- S3 & VPC
- CloudTrail
- GuardDuty
Microsoft
- Entra ID
- Azure Activity Logs
- Unified Audit Logs
- Defender Telemetry
Google
- Cloud Logging
- Admin Activity
- Drive & Account Telemetry
Identity
- Identity Platform
- IdP Integrations
- Cross-platform SSO
SaaS
- API & OAuth Telemetry
- Third-party Access Logs
Network & Host
- PCAP & Flow Data
- Memory Captures
- EC2 Disk Images
- Container Environments
OT & IIoT
- Cloud-connected Devices
- Historian & SCADA Telemetry
- IT/OT Boundary Evidence
- Remote Access Logs
OT and IIoT systems are no longer isolated.
They report telemetry to cloud platforms, rely on identity systems for access, and integrate with SaaS applications. When incidents involve OT and IIoT, evidence often exists outside the device itself — in cloud logs, identity systems, and supporting infrastructure.
CSG training prepares investigators to follow that evidence across the boundaries where traditional IT/OT separation no longer applies.
- Trace how devices connect to cloud and identity systems
- Identify where evidence is generated across those connections
- Investigate incidents spanning IT, cloud, and OT environments
- Understand how attacker activity propagates through integrated systems
Artifact-driven. Cross-platform. Reconstruction-focused.
Unlike training that focuses on alerts and dashboards, CSG emphasizes direct interaction with evidence. Participants locate where evidence actually resides, correlate logs across systems, validate findings against raw artifacts, and distinguish signal from noise. This builds investigative intuition — not just tool proficiency.
Real-world incidents do not stay within a single platform. CSG training emphasizes correlating evidence across cloud providers, SaaS applications, and identity systems — understanding how attacker movement crosses domain boundaries and validating findings using both logs and underlying artifacts.
Training scenarios mirror the full lifecycle of an incident. Participants reconstruct the complete timeline — from initial access to final impact — with the evidentiary rigor required to produce findings defensible to regulators, legal counsel, and leadership.
Investigation does not occur in isolation. Participants practice making decisions under pressure — prioritizing evidence, managing incomplete information, and communicating findings clearly to stakeholders who need to act. Operational readiness, not just analytical skill.
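As an added illustration of the cross-platform correlation described above (this is not CSG's material or code from the page), the following Python script normalizes three kinds of records into one UTC-ordered timeline: an Entra ID sign-in in the Microsoft Graph schema, a Microsoft 365 Unified Audit Log record, and an AWS CloudTrail record. Each timeline entry keeps the platform's native record ID so a finding can be traced back to the raw artifact, and a pivot on a shared source IP shows the same actor's activity crossing identity, SaaS, and cloud. All users, IPs, and IDs are invented; the field names are the platforms' documented ones.

```python
"""Cross-platform timeline builder (constructed example, not CSG code).

Normalizes records from three evidence sources into one UTC-ordered timeline,
keeping each record's native ID so every line traces back to the raw artifact,
then pivots on a shared indicator (a source IP)."""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Iterable


@dataclass(frozen=True)
class Event:
    ts: datetime      # always tz-aware UTC
    source: str       # which platform/log produced it
    actor: str        # UPN, ARN, or user id as the platform reports it
    action: str       # normalized "what happened"
    ip: str           # client/source IP for pivoting
    ref: str          # native record ID: the pointer back to the raw artifact


def to_utc(stamp: str) -> datetime:
    """Parse platform timestamps into tz-aware UTC.

    Two seams handled here: Microsoft Graph emits 7 fractional digits, which
    datetime.fromisoformat rejects before Python 3.11, and Unified Audit Log
    CreationTime is UTC but carries no offset, so a naive parse must be pinned
    to UTC rather than left ambiguous (or worse, treated as local time)."""
    stamp = re.sub(r"(\.\d{6})\d+", r"\1", stamp.replace("Z", "+00:00"))
    dt = datetime.fromisoformat(stamp)
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc)


def from_cloudtrail(rec: dict) -> Event:
    ident = rec.get("userIdentity", {})
    return Event(to_utc(rec["eventTime"]), "aws:cloudtrail",
                 ident.get("arn") or ident.get("type", "unknown"),
                 f"{rec['eventSource']}:{rec['eventName']}",
                 rec.get("sourceIPAddress", ""), rec["eventID"])


def from_entra_signin(rec: dict) -> Event:
    code = rec.get("status", {}).get("errorCode", 0)   # 0 = successful sign-in
    outcome = "success" if code == 0 else f"failure({code})"
    return Event(to_utc(rec["createdDateTime"]), "entra:signin",
                 rec["userPrincipalName"],
                 f"signin:{rec.get('appDisplayName', '?')}:{outcome}",
                 rec.get("ipAddress", ""), rec["id"])


def from_m365_ual(rec: dict) -> Event:
    return Event(to_utc(rec["CreationTime"]), "m365:ual", rec["UserId"],
                 f"{rec['Workload']}:{rec['Operation']}",
                 rec.get("ClientIP", ""), rec["Id"])


PARSERS: dict[str, Callable[[dict], Event]] = {
    "cloudtrail": from_cloudtrail,
    "entra": from_entra_signin,
    "m365": from_m365_ual,
}


def build_timeline(records: Iterable[tuple[str, dict]]) -> list[Event]:
    """Tag each raw record with its source kind, normalize, and order by UTC time."""
    events = [PARSERS[kind](rec) for kind, rec in records]
    return sorted(events, key=lambda e: (e.ts, e.source, e.ref))


def pivot(timeline: Iterable[Event], ip: str) -> list[Event]:
    """Every event, from any platform, that shares the given source IP."""
    return [e for e in timeline if e.ip == ip]


def render(timeline: Iterable[Event]) -> list[str]:
    return [f"{e.ts.isoformat()}  {e.source:<14} {e.actor:<52} {e.action}  ip={e.ip}  ref={e.ref}"
            for e in timeline]


# Constructed records: invented users, IPs (RFC 5737 ranges) and IDs; field
# names follow the platforms' own schemas. Deliberately out of order.
SAMPLE_RECORDS = [
    ("cloudtrail", {"eventID": "0f1c-ct-0001", "eventTime": "2024-05-02T09:12:40Z",
                    "eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
                    "userIdentity": {"type": "AssumedRole",
                                     "arn": "arn:aws:sts::123456789012:assumed-role/SSO-Admin/j.doe@example.com"},
                    "sourceIPAddress": "203.0.113.7", "awsRegion": "us-east-1"}),
    ("m365", {"Id": "ual-0001", "CreationTime": "2024-05-02T09:04:11",
              "Operation": "New-InboxRule", "Workload": "Exchange",
              "UserId": "j.doe@example.com", "ClientIP": "203.0.113.7"}),
    ("entra", {"id": "sg-0002", "createdDateTime": "2024-05-02T09:01:15.1234567Z",
               "userPrincipalName": "j.doe@example.com",
               "appDisplayName": "Office 365 Exchange Online",
               "ipAddress": "203.0.113.7", "status": {"errorCode": 0}}),
    ("entra", {"id": "sg-0001", "createdDateTime": "2024-05-02T08:58:02Z",
               "userPrincipalName": "j.doe@example.com",
               "appDisplayName": "Office 365 Exchange Online",
               "ipAddress": "203.0.113.7", "status": {"errorCode": 50126}}),
    ("cloudtrail", {"eventID": "0f1c-ct-0000", "eventTime": "2024-05-02T08:30:00Z",
                    "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
                    "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/ops-bot"},
                    "sourceIPAddress": "198.51.100.20", "awsRegion": "us-east-1"}),
]


if __name__ == "__main__":
    timeline = build_timeline(SAMPLE_RECORDS)
    print("\n".join(render(timeline)))
    print("\n-- pivot on 203.0.113.7 --")
    print("\n".join(render(pivot(timeline, "203.0.113.7"))))
```

The pivot on the constructed data surfaces a failed Entra sign-in, a successful one, an Exchange inbox rule, and an IAM CreateAccessKey from the same IP, in that order; the point is that none of the three platforms shows the whole chain on its own. The timestamp handling is where real timelines go wrong: the Unified Audit Log's CreationTime is UTC with no offset, and Graph's seven fractional digits trip older parsers, so each parser is tied to its record ID so the normalized line can be checked against the raw export.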
Who, how, and why — the questions most training programs never reach.
Attribution is rarely taught in modern cybersecurity training. Most programs focus on identifying what happened and stop there. CSG introduces attribution as a standard component of the investigative workflow — moving beyond indicators of compromise into behavior, intent, and methodology.
This approach aligns with foundational work in the digital forensics community, including contributions from practitioners such as Brett Shavers, and extends attribution methodology into operational training across cloud, SaaS, and converged environments.
- What happened — and in what sequence?
- How did the attacker operate across systems?
- What was their objective?
- Who is responsible?
CTF & Reconstruction
Training culminates in structured exercises built on real-world scenarios.
Capture the Flag exercises at CSG are not abstract puzzle-solving. They are staged incident investigations in live environments — where participants must apply every investigative workflow they’ve developed under time and operational pressure.
These exercises reinforce both technical skill and the decision-making that separates investigators who perform under pressure from those who don’t.
- Investigate staged incidents in live environments
- Submit findings based on evidence and analysis
- Work individually or as teams under time constraints
- Produce defensible timelines and attribution assessments
The Reconstruction Standard
Every scenario requires participants to answer the full set of questions.
- What happened — and what evidence supports it?
- When did it occur — and in what sequence?
- How did the attacker operate across systems?
- What systems and data were affected?
- Who is responsible — and what was their objective?
What organizations gain when teams complete CSG training.
Teams capable of conducting complete incident investigations — from initial evidence collection to defensible timeline reconstruction — without external dependency.
Faster, more accurate incident reconstruction across cloud, identity, and SaaS environments — with investigators who know where to look before the pressure begins.
Improved team performance under real incident conditions — investigators who communicate clearly, prioritize effectively, and maintain discipline when information is incomplete.
Less reliance on outside responders during incidents. Teams operate independently because the capability was built through practice — not acquired through a vendor contract.
Findings that hold under legal, regulatory, and leadership scrutiny — produced with documented methodology, chain of custody, and evidentiary confidence.
Stronger alignment between how teams train and how real incidents unfold — closing the gap between certification knowledge and operational readiness.
Training alone is not readiness. It is one phase of a larger system.
CSG training is not a standalone offering. It is Phase 3 of the Cyber Readiness Program — designed to follow the environment mapping and architecture work of Phases 1 and 2, and feed directly into the incident validation of Phase 4. Training aligned with architecture produces teams that can actually perform, not just teams that have attended a course.
View the full Cyber Readiness Program
If your teams need to operate under real conditions — not just pass a certification.
We can help you build the capability to investigate, reconstruct, and produce defensible findings across converged environments. No theory. No isolated lab environments. Operational preparation.