How does XNFA compare to SANS FOR572 (GNFA)?

SANS FOR572 costs approximately $9,779 total. XNFA is 5 instructor-led days ending in a supervised network forensics investigation on Day 5. Participants analyse real PCAP captures and multi-source log data to reconstruct a simulated breach, producing a professional findings report. Less than a third of the GNFA total cost. The Practitioner Assessment Report documents investigation methodology and report quality.

What PCAP sizes will participants work with?

PCAPs range from a few MB for targeted incident captures to multi-GB captures representing enterprise-scale traffic from multi-day incidents. Large PCAP processing methodology using tshark and argus is covered alongside Wireshark for targeted analysis. Day 5 investigation uses realistic multi-source evidence including PCAP, Zeek logs, NetFlow, and proxy logs.

Does XNFA cover cloud traffic analysis?

Yes. Day 4 covers cloud storage exfiltration detection in proxy logs for OneDrive, Dropbox, Google Drive, and Box traffic patterns. QUIC protocol forensics for modern HTTPS traffic is covered in Day 4. Microsoft 365 traffic identification in proxy logs is covered in the lateral movement module.

How does XNFA complement XSOC and XDFI?

XNFA is the specialist network forensics capability that sits between XSOC (detection and alert triage) and XDFI (full DFIR). XSOC analysts benefit from XNFA skills when investigating complex alerts from network detection tools. DFIR practitioners benefit from XNFA when disk forensics cannot reconstruct what happened. XNFA can be taken before or after either programme.

What career paths does XNFA support?

Network Forensics Analyst: £55,000 to £90,000 UK. DFIR Specialist with network specialism: £65,000 to £100,000. SOC L3 Analyst: £50,000 to £85,000. Network forensics consultants earn £750 to £1,200 per day.

Xcademia Network Forensics Analyst

Name: Xcademia Network Forensics Analyst
Price: 3595 GBP
Availability: InStock

5-Day Instructor-Led Programme

The XNFA Certification Programme is the practitioner standard for network forensics analysts who investigate cyber incidents through network traffic analysis, protocol dissection, C2 communication identification, and adversary campaign reconstruction from PCAP, Zeek logs, NetFlow, and proxy data. Assessed on Day 5 through a supervised network forensic investigation producing a professional findings report. No MCQs. No exam.

Duration

5 Days

Price

$4,495

Course Overview

Network traffic is the most honest witness in a cyber investigation. Attackers can clear logs, delete files, and wipe systems, but network flows, PCAP captures, and DNS queries often remain as evidence of what occurred, when, and through which systems. The analyst who can read this evidence fluently has a significant investigative advantage. XNFA is built for DFIR professionals, SOC analysts, and threat hunters who want to develop network forensics as a core specialism.

Across five instructor-led days, participants build capability from network protocol fundamentals through advanced traffic analysis with Wireshark, Zeek, and NetworkMiner, encrypted traffic analysis using JA3 and JA3S fingerprinting, DNS forensics, web proxy log analysis, NetFlow analysis, lateral movement and data exfiltration detection in network evidence, and network evidence timeline reconstruction for investigation. Every session uses real PCAP files from real incidents in a structured forensics workflow.

On Day 5, participants investigate a simulated breach through network evidence only: PCAPs, DNS logs, proxy logs, and NetFlow records. They reconstruct the attack, identify attacker infrastructure, map to MITRE ATT&CK, and produce a professional network forensics report. A senior practitioner assesses methodology and report quality. XNFA certificate and Practitioner Assessment Report issued together.

Hands-On Learning

Hands-on Wireshark display filter construction, Zeek log analysis and scripting, NetworkMiner session reconstruction, DNS forensics, JA3/JA3S fingerprinting, NetFlow analysis with SiLK, and a supervised network investigation exercise on Day 5.

Xcademia Network Forensics Analyst

Course Overview

Hands-On Learning

Mentor-Led Sessions

Career-Ready Skills

Learning Outcomes

Prerequisites

Detailed Syllabus

Domain 1: Network Protocol Analysis and Traffic Investigation Foundations

Module 1 : TCP/IP and Protocol Analysis for Network Forensics

Topics Covered:

Module 2 : Wireshark Advanced Analysis for Forensic Investigations

Module 3 : Zeek Network Security Monitoring and Log Analysis

Module 4 : NetworkMiner and Session Reconstruction

Domain 2: C2 Detection, Encrypted Traffic Analysis and Lateral Movement

Domain 3: NetFlow Analysis, Timeline Reconstruction and Investigation Report

Xcademia Network Forensics Analyst — Capstone Project

Framework Alignment

MITRE ATT&CK v14

NIST SP 800-61

ISO 27035

ACPO Digital Evidence Guidelines

Zeek Project

JA3/JA3S Project

SiLK (System for Internet-Level Knowledge)

RFC Standards

Skills You'll Gain

Career Progression

Ways to Learn

Live Online

Prefer a Faster, Personalised Route into IT?

Exam & Certification Information

Xcademia Certification Programme

Frequently Asked Questions

Ready to Start Your Learning Journey?