Course Complete — Phishing Forensics

🔍

You Are a Phishing Forensics Analyst!

You've completed the TRACE course and earned the skills to investigate phishing evidence, read what every email really carries, and report in a way that actually stops campaigns.

Your Certificate

Certified Phishing Forensics Analyst

This certifies that

Your Name

is now a Certified Phishing Forensics Analyst, having successfully completed

Phishing Forensics: Investigate and Report Like a Pro

Mastering the TRACE Framework — Take a Snapshot, Reveal the Real, Authenticate the Sender, Check the Landing, Escalate

Completion Date: April 18, 2026
Course Duration: 4 Hours
Blue Security Ops

Skills Mastered

📸

Take a Snapshot

Preserve phishing evidence safely without destroying headers — before forwarding, deleting, or clicking anything

🔎

Reveal the Real

Read what every email carries beyond the surface layer — the "View Original" path and the three lines that matter

Authenticate the Sender

Interpret SPF, DKIM, and DMARC results in plain English — pass, fail, or missing — and what each means

🔗

Check the Landing

Safely investigate link destinations — including homograph attacks and redirect chains — without ever clicking

📋

Escalate

Write reports that actually help SOCs, brand teams, and law enforcement identify and stop the campaign

The TRACE Framework

Investigate Every Suspicious Message

  • T: TAKE A SNAPSHOT — Screenshot the email with full headers visible. Forward as attachment if your client supports it.
  • R: REVEAL THE REAL — Open "View Original" / "Show Headers." Find From, Reply-To, and Return-Path.
  • A: AUTHENTICATE THE SENDER — Look for SPF/DKIM/DMARC results. Fail or missing = red flag.
  • C: CHECK THE LANDING — Hover over links, copy the URL, run it through a sandbox. Never click directly.

Then always → ESCALATE
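
The R and A steps above can be rehearsed on raw headers with a short script. This is an added example, not part of the course or its header decoder tool; the sample headers are constructed, the `triage` and `domain` names are hypothetical, and treating any non-"pass" result as a flag is an assumption that is stricter than "fail or missing".

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample headers (not a real message); example.* domains are placeholders.
SAMPLE = """\
Return-Path: <bounce@mailer.example.net>
Authentication-Results: mx.example.org;
 spf=pass smtp.mailfrom=mailer.example.net;
 dkim=none;
 dmarc=fail header.from=example.com
From: "Example Bank" <support@example.com>
Reply-To: helpdesk@example.net
Subject: Action required

body
"""

def domain(value):
    """Return the lowercased domain of an address header, or None if absent."""
    addr = parseaddr(value or "")[1]
    return addr.rpartition("@")[2].lower() or None

def triage(raw):
    """Step R: pull the three sender lines. Step A: read SPF/DKIM/DMARC verdicts."""
    msg = message_from_string(raw)
    doms = {h: domain(msg.get(h)) for h in ("From", "Reply-To", "Return-Path")}
    # Only the top-most Authentication-Results header is read; confirm it was
    # stamped by your own receiving server before trusting its verdicts.
    ar = " ".join((msg.get("Authentication-Results") or "").split())
    auth = {}
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", ar, re.I)
        auth[mech] = m.group(1).lower() if m else "missing"
    flags = []
    # A domain mismatch is a prompt to look closer, not proof: legitimate bulk
    # senders often use a different Return-Path domain.
    for h in ("Reply-To", "Return-Path"):
        if doms[h] and doms[h] != doms["From"]:
            flags.append(f"{h} domain {doms[h]} differs from From domain {doms['From']}")
    for mech, result in auth.items():
        if result != "pass":  # assumption: anything other than pass is flagged
            flags.append(f"{mech.upper()} result: {result}")
    return doms, auth, flags

if __name__ == "__main__":
    for line in triage(SAMPLE)[2]:
        print("FLAG:", line)
```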

Escalation Decision Tree

  • 1. Report to IT/SOC first — Use your organization's phishing report button or abuse email. Include your screenshots.
  • 2. Report externally if needed — APWG ([email protected]), brand abuse team, or IC3 for financial fraud.
  • 3. Your report protects others — Campaign reports lead to takedowns. One report can protect thousands of other targets.

Course Modules Completed

Module | Topic | Status
Module 1 | The Forensic Mindset |
Module 2 | Take a Snapshot (T) |
Module 3 | Reveal the Real Sender (R + A) |
Module 4 | Check the Landing (C) |
Module 5 | Escalate (E) |
Final | Final Assessment |

Practice the framework on a simulated shift

The TRACE Sandbox puts you in a SOC analyst's seat for a simulated workday. Six messages, full TRACE workflow on each, per-letter scorecard at the end. Rehearse until it's muscle memory.

What's Next, Forensics Analyst?

You've built the investigator's toolkit. Here's where to take those skills further:

Practice with Real Phishing Scenarios

Apply your TRACE skills against realistic phishing simulations. Recognition and investigation work together — sharpen both.

Move Toward SOC Analyst Skills

The MITRE ATT&CK quizzes take you from phishing investigation into the full threat detection and response workflow used by security operations centers.

Use the TRACE Toolkit on Real Messages

The header decoder tool lets you paste raw email headers and get a plain-English breakdown — everything you learned in this course, automated.