About

Hi, I'm Andrew Prince. I work in digital forensics, incident response, and threat hunting. Day to day, I handle IR investigations, SIEM and log analysis, and writing automation to scale detection and response.

Outside of that, I enjoy spending time researching Windows forensic artifacts, malware samples, and defensive tradecraft that holds up against how adversaries actually behave.

My career spans over a decade, starting in software development and moving through systems administration before settling into DFIR. Alongside the practitioner work, I build forensic tools, usually to scratch my own investigation itches. Some of it ends up on this site.

I also build cyber ranges and teach. Over the years I've trained thousands of analysts worldwide and supported major MDR teams preparing their responders for real adversary operations.

I stood up this blog to share research, investigation notes, lessons learned, and the occasional half-baked idea with the community.

Teaching schedule

Course author and instructor at TCM Security:

• SOC 101: Security Operations Fundamentals

  An intensive entry-level course preparing new analysts for T1/T2 SOC roles through hands-on labs in phishing triage, SIEM and log analysis, endpoint and network monitoring, threat intelligence, and incident response fundamentals.

• SOC 201: IR, Threat Hunting, and Forensics

  An intermediate course teaching incident responders, threat hunters, and forensic examiners the skills needed to detect, investigate, and contain intrusions across enterprise environments.

• Windows Forensic Analysis

  A course that builds deep practical knowledge of Microsoft Windows forensic artifacts through evidence acquisition, artifact interpretation, user activity reconstruction, and organization of findings.

One of the best hands-on courses I have seen. It is now the standard for me to recommend to anyone looking to break into T1/T2. I've even put in a training request for some of my employees.

Manager, Cybersecurity Operations, Arctic Wolf

It's not often that a course leaves me this impressed. Security Operations (SOC) 101 by Andrew Prince is one of the most comprehensive courses I've taken in a long time, and that's saying a lot. It's hard to put into words just how complete this course is.

Roger Bergling, INVID Gruppen

Credentials

Education

• SANS Technology Institute, Graduate Certificate in Incident Response
• Western University, BA
• Fanshawe College, Diploma

Certifications

• GIAC GCFE (Certified Forensic Examiner), GCFA (Certified Forensic Analyst)
• OffSec OSCP
• CompTIA CySA+, Security+, A+
• Microsoft AZ-500 (Azure Security Engineer Associate), AZ-900 (Azure Fundamentals)
• CyberDefenders CCD, Security Blue BTL1
• Probably a few others that I'm forgetting...

Right now

See my /now page for a running snapshot of what I'm working on, reading, and thinking about.

Connect with me

Find me at any of these links, or drop a line by email.

• LinkedIn
• GitHub
• YouTube

Anything you read here reflects my personal views, not those of any employer or client.