5-Day Instructor-Led Programme
The XNFA Certification Programme is the practitioner standard for network forensics analysts who investigate cyber incidents through network traffic analysis, protocol dissection, and adversary communication reconstruction. Assessment takes place on Day 5 through a supervised network forensics investigation producing a professional findings report — no multiple choice, no exam.
Duration: 5 Days
Price: $4,495
Network traffic is the most honest witness in a cyber investigation. Attackers can clear logs, delete files, and wipe systems — but network flows, PCAP captures, and DNS queries often remain as evidence of what occurred, when, and through which systems. The analyst who can read this evidence fluently has a significant investigative advantage. XNFA is built for DFIR professionals, SOC analysts, and threat hunters who want to develop network forensics as a core skill.
Across five instructor-led days, participants build capability from network protocol fundamentals through advanced traffic analysis with Wireshark, Zeek, and NetworkMiner, encrypted traffic analysis, DNS forensics, web proxy log analysis, and network evidence reconstruction to support incident timelines. Every session uses real PCAP files from real incidents, processed in a structured forensics workflow that produces legally defensible findings.
On Day 5, participants investigate a simulated breach through network evidence only — PCAPs, DNS logs, proxy logs, and NetFlow records. They reconstruct the attack, identify attacker infrastructure, and produce a professional network forensics report. A senior practitioner assesses methodology and report quality. An XNFA certificate and a Practitioner Assessment Report are issued. The programme is aligned with NIST SP 800-61, ISO 27035, ACPO digital evidence guidelines, and MITRE ATT&CK v14 network-layer techniques.
Hands-on Wireshark filter construction, Zeek log analysis, NetworkMiner session reconstruction, DNS forensics, encrypted traffic analysis, NetFlow analysis, and a supervised network investigation exercise on Day 5.
Mentor-led sessions reconstructing real adversary campaigns from network evidence, examining C2 traffic patterns, lateral movement in network captures, and data exfiltration through encrypted channels.
Investigate cyber incidents through structured network traffic analysis, reconstruct adversary campaigns from network evidence, and produce professional network forensics reports that satisfy incident investigation and regulatory requirements.
Conduct structured network traffic analysis using Wireshark, Zeek, and NetworkMiner to identify adversary activity in enterprise PCAP captures
Analyse DNS, web proxy, and NetFlow data to reconstruct adversary campaigns and identify attacker infrastructure from network evidence
Detect and analyse C2 communication patterns including beaconing, DNS tunnelling, and TLS-obscured traffic using fingerprinting techniques
Reconstruct multi-stage attack timelines from network evidence across PCAP, Zeek logs, NetFlow, and proxy log sources
Map network-layer adversary techniques to MITRE ATT&CK v14 for attribution and detection engineering purposes
Produce professional network forensics investigation reports that support incident response, regulatory notification, and legal proceedings
Minimum 12 months in a SOC, DFIR, network security, or IT infrastructure role
Working knowledge of TCP/IP networking and basic familiarity with Wireshark or equivalent packet analysis tool
Basic understanding of common network protocols: HTTP, DNS, SMTP, SMB
Choose the learning format that works best for you and your team
Instructor-Led Training
Join live instructor-led sessions from anywhere. Interactive, engaging, and flexible.
Group enrolments and early planning options available.
All prices are exclusive of VAT where applicable. Group enrolments and custom packages available on request.
Not everyone learns best in a group. If you want focused guidance, faster clarity, and confidence you can use on the job, our 1-to-1 Fast-Track Training gives you private, mentor-led support tailored to your experience and goals.
"Many learners choose 1-to-1 when they want understanding, not memorisation."
Credential
On successful completion of Xcademia Network Forensics Analyst, learners receive an Xcademia Certificate of Completion. This standalone certificate is issued directly by Xcademia and recognised by employers across the UK defence and security sector.
Everything you need to know about the certification exams
You will receive an Xcademia certificate of completion based on participation and successful completion of labs and scenario simulations.
Everything you need to know about this course
SANS FOR572 is a 6-day course costing approximately $8,780 plus $999 for the GNFA exam. XNFA is 5 instructor-led days ending in a supervised network forensics investigation on Day 5. Participants analyse real PCAP captures and log sources to reconstruct a simulated breach, producing a professional findings report. Less than a third of the total GNFA cost. The Practitioner Assessment Report documents what was found and how.