DFIR Labs – Frequently Asked Questions (FAQ)

About DFIR Labs

What are DFIR Labs?

DFIR Labs provide hands-on experience investigating real-world intrusion cases. Each lab includes telemetry data, detection alerts, and dashboards (such as Elasticsearch and Kibana) to simulate real-world investigation scenarios.

Lab Access and Activation

How long are the labs available after purchase?

Labs are available to activate at any time within 3 months of purchase. Once a lab is activated, you can access it for the duration you selected at purchase—2, 7, or 14 days.

What happens if I don’t activate my lab right away?

You have up to 3 months from the purchase date to activate any lab. There is no requirement to start immediately.

Can I revisit a lab after my access period ends?

Yes, but revisiting the same lab requires using another activation. Each activation grants access for the chosen duration (2, 7, or 14 days). After the access period ends, the lab environment is removed.

New Portal Access

How do I access and manage my labs?

We’ve launched a new DFIR Labs portal that allows you to manage your labs directly—no more relying on emails for access. Through the portal, you can view your purchased labs, activate them when ready, and track your remaining activations.

Access the portal here:
DFIR Labs Portal

What are the benefits of the new portal?

Manage and activate labs on your own schedule.
See available activations and lab status at a glance.
Enjoy a smoother, more reliable user experience without the need to wait for email-based activation links.

If you’d like a quick walkthrough of the portal features, feel free to reach out—we’re happy to help!

DFIR Labs Case Packs for Businesses and Education

Are there DFIR Labs case packs available for businesses?

Yes. We offer DFIR Labs Case Packs for Businesses, designed to support organizations that want to provide hands-on intrusion investigation training for their teams. These packs allow businesses to purchase labs in bulk at discounted rates, with flexible options depending on the number of activations required.

Bulk purchasing is ideal for:

Training multiple analysts across your organization.
Running internal workshops or tabletop exercises.
Offering structured, self-paced training without the need to manage infrastructure.

For more details on business options and pricing, visit:
DFIR Labs Business Options

Are there discounted DFIR Labs case packs for academic institutions?

Yes. We offer DFIR Labs Case Packs for Education (EDU) at already discounted rates to support academic programs, universities, and training institutions. These packs are designed to give students real-world, hands-on experience investigating intrusion scenarios while keeping costs accessible for educational programs.

The EDU case packs are perfect for:

Cybersecurity courses and digital forensics training.
Practical exercises in academic settings.
Adding real-world investigation scenarios to classroom curricula.

For details on EDU case packs and available options, visit:
DFIR Labs Case Packs for EDU

Can business or EDU case packs be used to manage multiple users?

Yes. Case packs for both businesses and educational institutions are designed with multi-user use in mind. Each lab remains isolated per user, and activations can be distributed across team members or students as needed. Each activation still follows the standard DFIR Labs access terms (2, 7, or 14 days per activation).

If you need help selecting the right pack for your team or program, feel free to contact us for recommendations.

Coupon and Activation Terms

Coupons are valid for 1 year from the date they are issued.
Each coupon provides XX activations total depending on the case pack purchased.
You may use these activations on any case in the DFIR Labs catalog—you choose which cases to spend your activations on.
Once you apply a coupon (100% off) to a specific case, you have 3 months to activate that particular case.

What does "no time restrictions" mean for coupons?

It means you are free to apply your activations on any case at any time within the coupon’s validity period (1 year). However, the standard access durations (2, 7, or 14 days) still apply after activation.

Lab Environment and User Policy

Can I share my lab access with a colleague?

No, each DFIR Lab license is for one individual user only. Lab environments are isolated, and sharing a session between multiple users is not allowed.

Is there a way to track my progress across labs?

Currently, there is no centralized manager dashboard for progress tracking. However, many labs include hints, instructional content, and links to public reports to support your investigation process. A progress-tracking feature is in development.

Learning Support and Resources

Do the labs include hints or guidance?

Yes. Especially for easier cases, hints and feedback are available throughout the lab to help guide your investigation and learning.

Are there any video walkthroughs available?

Not yet. We are looking to collaborate with educators to bring video walkthroughs to life. This is an area we're actively developing to enhance the learning experience.

Capture the Flag (CTF) Events

What can I expect from a DFIR Labs CTF Day event?

CTF Day events feature multiple DFIR Labs cases that you can solve within a set timeframe. You will investigate real-world inspired intrusions using provided telemetry data and detection tools. These events are designed to be educational and competitive, offering both beginners and experienced analysts a chance to sharpen their skills.

Do I need to be an expert to participate in CTF Day?

No, DFIR Labs CTF events are open to a range of skill levels. While some familiarity with intrusion analysis and security tools is helpful, many of the cases include hints and guidance to support learning along the way.

Are there prizes for the winners of the CTF?

Yes, DFIR Labs CTF events often include prizes for the top performers. The exact prize details may vary by event, so be sure to check the specific event page for up-to-date information.

Where can I see the past winners of DFIR Labs CTF events?

You can view a list of previous CTF winners on the DFIR Labs CTF Winners page. This page celebrates top performers and highlights their achievements in past competitions.

DFIR Labs Leaderboard and Scoring

How does the DFIR Labs leaderboard work?

The leaderboard tracks participant scores across DFIR Labs cases and events. Points are typically awarded based on the difficulty of the case, completion time, and accuracy of the investigation.

Do I need to join a CTF to appear on the leaderboard?

No, you can gain points and appear on the leaderboard by participating in individual DFIR Labs cases, not just during CTF events.

Testimonials and User Feedback

What do participants say about DFIR Labs?

Participants often highlight the real intrusion scenarios, the quality of the telemetry and data, and the hands-on learning approach as key benefits of DFIR Labs. Many users appreciate how the labs help them build or reinforce practical investigation skills. You can read testimonials here

Are DFIR Labs useful for both beginners and experienced analysts?

Yes. DFIR Labs cases range from beginner-friendly investigations with hints and instructional content to advanced scenarios that challenge even seasoned analysts. This makes the labs a great fit for continuous learning, no matter your experience level.

Bulk Purchase and Business Options

Are there discounts for bulk purchases?

Yes. Bulk discounts are available for purchases of five or more labs. For details, visit the business options page:
DFIR Labs Business Options

Need More Help?

If you have other questions or need assistance, feel free to reach out to us via our Contact Page.

Frequently Asked Questions