FIRST is providing several different trainings with the goal to educate new CSIRTs and enhance the capabilities of current teams. All material is available under the Creative Commons BY-NC-SA 4.0 license.

If you are interesting in hosting a training please contact us through

Available Trainings

FIRST CSIRT Basic Course

The goal of the basic course is to give an introduction into the operation of a CSIRT. It consists of the following six modules:

  1. CSIRT Fundamentals
  2. Starting with a CSIRT
  3. CSIRT Operation
  4. Working with Information Sources
  5. Incident Coordination
  6. CSIRT Performance Measurement

FIRST Threat intel Pipelines Course

FIRST Fusion Training

Services that conduct analysis and inclusion of multiple data sources. Take feeds of information, regardless of the source, and integrate it into an overall view of the situation (Situational Awareness).

The need for this training is identified by existing and upcoming CSIRTs. In both instances they are looking how to serve their constituency by providing appropriate information.

The training will cover the following topics:

It consist of seven modules:

  1. Actionable Information
  2. Collection
  3. Preparation
  4. Storage
  5. Analysis
  6. Distribution
  7. Lab: Extracting Indicators
  8. Lab: Handout

Mastering CVSSv3

The Common Vulnerability Scoring System (CVSS) is an open framework for communicating the characteristics and severity of software vulnerabilities. This self-paced e-learning course will specifically help you master CVSS version 3.0.

In this course, you will learn how to:

The course is available on our Learning Platform

There is also a shorter, slides based, version of the training available: Introduction to CVSS v3

PSIRT Training

This video-based course introduces practitioners to the core Service Areas of the PSIRT Services Framework.

The course covers the key concepts of developing and maintaining a mature PSIRT. Topics include:

The course is available on our Learning Platform

Incident Handling for Policy makers

This course is aimed at policymakers and decision makers. Participants will learn how incident response on a global scale functions and what the preconditions for establishing a successful CSIRT community are. Rather than presenting simple recipes the training focuses on concepts which are worked out by analysing real world incidents.

Incident Response for Policy makers

Conducting Exercises to improve Incident Response

Conducting exercices is extremely valuable to practice and improve your incident handling skills. This training course will teach students how to create and conduct an exercise, from a table top exercise to a full-fledged event with multiple participants.

Conducting Exercises to Improve Incident Response

Third party training material

A number of other organisations make training materials available under an open source license, which may be of interest to the FIRST community. Below some resources are listed in the hope that they may be useful. Being listed does not imply an endorsement of the material by FIRST.

ENISA CSIRT training material

The European Network and Information Security Agency has developed a full curriculum of courses for CSIRTs. This material is typically a bit more advanced than the FIRST basic training. It is useful for teams that want to acuire more specific skills.

All material is available from ENISA's training website


The RIPE Network Coordination Centre offers a number of training course mostly focusing around networking issues. Many of these trainings have strong security aspects and may be of interest to teams dealing with such issues. Some of the material is available under 2-Clause BSD License from RIPE's Training website


The ISC-CERT operates a virtual leraning portal. These online trainings target ICS operation and security. They are available, free of charge, from the ICS-CERT VLP portal.

OASIS STIX/TAXII Version 2 Training

OASIS Cyber Threat Intelligence (CTI) developed a full day of training that covers STIX/TAXII Version 2 Concepts & Overview; STIX Data Model Foundations; TAXII Foundations; STIXPreferred Interoperability Certification and STIX/TAXII In Practice.

All material is available here.