Blue Teaming

4 min read

Enhance digital forensics and incident response (DFIR) skills with Sherlocks

Our new set of defensive labs is now available for all users. Find them on HTB Labs and start the investigation!

b3rt0ll0 sebh24, Nov 13,

In our latest report on the critical skills for modern SOC analysts, over half (58.4%) of participants ranked practical Machines (instances of vulnerable virtual machines) as the resources they’re most interested in to improve their DFIR skills. This is one of the main reasons why it is so exciting to add our new investigation-based defensive security scenarios to HTB Labs: Sherlocks.

15 Sherlocks will be initially available entirely for free to all users: this will give the opportunity to all platform members to experience a simulated incident investigation and familiarize themselves with a new type of practical labs. 

After the first release period, we will gradually start to divide Sherlocks into free and premium labs, but always keeping 8 (eight) of them accessible with a free plan. Premium Sherlocks will be included in VIP and VIP+ subscriptions. A new, free Sherlock will be regularly released every two weeks.

“Having worked in a variety of roles, from System Administrator to SOC Analyst, and even as a DFIR professional, relevant and fun learning experiences can be hard to find. A huge challenge was ensuring my technical skills were relevant, and that I had the motivation to continue learning. Sherlocks provides the community and industry the opportunity to do this. With a heavy focus on realism, I am confident any individual can utilize the skills learned within Sherlocks almost immediately.”


Sabastian Hague (sebh24), Defensive Security Content Lead @ Hack The Box

More about our latest report

We interviewed 400 cybersecurity professionals to discover what skills are required to be a modern SOC analyst and the future trends in the industry.


What is a Sherlock?

Let’s start from the basics. Sherlocks are defensive security practical labs simulating real-world incidents. You’ll be asked to conduct an investigation based on a provided cyber attack scenario and clues, with the goal of unraveling the dynamics behind them. By practicing with Sherlocks, individuals and organizations can grow their skills and knowledge on:

  • Digital Forensics and Incident Response (DFIR)

  • Security Operations Center (SOC)

  • Threat Hunting and Threat Intelligence

  • Malware Analysis

Sherlocks follow a semi-guided learning approach: a set of questions will appear to lead the investigator in the correct direction, with a very similar interface as the newly introduced Guided Mode feature on Machines. While in Guided Mode questions are meant to lead you through the scenario and get the flags, in Sherlocks questions are the actual flags!

Sherlocks Guided Mode

In any incident, we always say “context is king”. Reading the scenario, understanding what has occurred, and what you are investigating before starting any analysis is the correct practice to follow. This is also a great opportunity to deeply engage with the situation you are in. We have built Sherlocks to be as realistic as possible and therefore the scenario is extremely important!

What follows is the right phase to start analyzing the provided artifacts! Download the zip file, unzip it using the provided password, and get an understanding of the clues you have been provided with. At this stage, it's worth taking notes of what tools you might need. A simple CLI would suffice for some Sherlocks, whereas for others you may need to call on the help of Zimmerman’s Tools or install a local SIEM instance such as Splunk or ELK. 

You understand the scenario, and you have analyzed the data. Next, we need to answer the key questions within the Sherlock! As you answer the relevant questions the mystery of how the compromise, breach, or attack has happened will be gradually clear. 


Recommended read: A step-by-step guide to writing incident response reports (free template inside)

Comprehensive blue team upskilling

Hack The Box is now an all-in-one solution for defensive learning and upskilling. With the release of Sherlocks on HTB Labs, all our community and business clients have access to enhanced threat-connected content, from guided fundamental courses to fully practical scenarios.

All HTB defensive security content is mapped against the NIST/NICE framework, making it easier than ever to build a skills development path following the main industry threats and how to detect techniques, tactics, and procedures used by real adversaries.

As an example, every course featured on the SOC Analyst job-role path—and leading to the recently launched HTB Certified Defensive Security Analyst exam—can be further enhanced by practicing on Sherlocks, improving the capability to prioritize and identify logs.

Ultimate Blue Teaming - SOC

Defensive security for enterprises

The average cost of an attack is about $2.5M. At the same time, companies find it challenging to source and retain talented security professionals. This shortage leads to increased workloads and burnout among existing team members.

HTB’s defensive security-focused labs and courses provide professionals with the tools and skills to deliver the required day-to-day tasks to keep an organization secure and avoid risks. Sherlocks are already available as part of our Dedicated Labs business plans—get in touch with our team to know more.

Hack The Blog

The latest news and updates, direct from Hack The Box