Hack The Box: Cybersecurity Training

Blue Teaming

4 min read

Enhance digital forensics and incident response (DFIR) skills with Sherlocks

Our new set of defensive labs is now available for all users. Find them on HTB Labs and start the investigation!

b3rt0ll0 & sebh24, Nov 13, 2023

In our latest report on the critical skills for modern SOC analysts, over half (58.4%) of participants ranked practical Machines (instances of vulnerable virtual machines) as the resources they’re most interested in to improve their DFIR skills. This is one of the main reasons why it is so exciting to add our new investigation-based defensive security scenarios to HTB Labs: Sherlocks.

15 Sherlocks will initially be available entirely for free to all users, giving all platform members the opportunity to experience a simulated incident investigation and familiarize themselves with a new type of practical lab.

After the first release period, we will gradually start to divide Sherlocks into free and premium labs, but always keeping 8 (eight) of them accessible with a free plan. Premium Sherlocks will be included in VIP and VIP+ subscriptions. A new, free Sherlock will be regularly released every two weeks.

“Having worked in a variety of roles, from System Administrator to SOC Analyst, and even as a DFIR professional, relevant and fun learning experiences can be hard to find. A huge challenge was ensuring my technical skills were relevant, and that I had the motivation to continue learning. Sherlocks provides the community and industry the opportunity to do this. With a heavy focus on realism, I am confident any individual can utilize the skills learned within Sherlocks almost immediately.”

 

Sabastian Hague (sebh24), Defensive Security Content Lead @ Hack The Box

More about our latest report

We interviewed 400 cybersecurity professionals to discover what skills are required to be a modern SOC analyst and the future trends in the industry.


 

What is a Sherlock?

Let’s start from the basics. Sherlocks are defensive security practical labs simulating real-world incidents. You’ll be asked to conduct an investigation based on a provided cyber attack scenario and clues, with the goal of unraveling the dynamics behind them. By practicing with Sherlocks, individuals and organizations can grow their skills and knowledge on:

  • Digital Forensics and Incident Response (DFIR)

  • Security Operations Center (SOC)

  • Threat Hunting and Threat Intelligence

  • Malware Analysis

Sherlocks follow a semi-guided learning approach: a set of questions appears to lead the investigator in the correct direction, with an interface very similar to the newly introduced Guided Mode feature on Machines. While in Guided Mode the questions are meant to lead you through the scenario and get the flags, in Sherlocks the questions are the actual flags!

Sherlocks Guided Mode

1. Understand the scenario

In any incident, we always say “context is king”. Reading the scenario, understanding what has occurred, and what you are investigating before starting any analysis is the correct practice to follow. This is also a great opportunity to deeply engage with the situation you are in. We have built Sherlocks to be as realistic as possible and therefore the scenario is extremely important!

2. Work your way through the data

This is the phase in which to start analyzing the provided artifacts! Download the zip file, unzip it using the provided password, and get an understanding of the clues you have been provided with. At this stage, it's worth taking note of which tools you might need. A simple CLI would suffice for some Sherlocks, whereas for others you may need to call on the help of Zimmerman’s Tools or install a local SIEM instance such as Splunk or ELK.

3. Unravel the mystery

You understand the scenario, and you have analyzed the data. Next, we need to answer the key questions within the Sherlock! As you answer the relevant questions, the mystery of how the compromise, breach, or attack happened will gradually become clear.


Recommended read: A step-by-step guide to writing incident response reports (free template inside)

Comprehensive blue team upskilling

Hack The Box is now an all-in-one solution for defensive learning and upskilling. With the release of Sherlocks on HTB Labs, all our community and business clients have access to enhanced threat-connected content, from guided fundamental courses to fully practical scenarios.

All HTB defensive security content is mapped against the NIST/NICE framework, making it easier than ever to build a skills development path or incident response plan that follows the main industry threats and covers how to detect the techniques, tactics, and procedures used by real adversaries.

As an example, every course featured on the SOC Analyst job-role path—and leading to the recently launched HTB Certified Defensive Security Analyst exam—can be further enhanced by practicing on Sherlocks, improving the capability to prioritize and identify logs.



Defensive security for enterprises

The average cost of an attack is about $2.5M. At the same time, companies find it challenging to source and retain talented security professionals. This shortage leads to increased workloads and burnout among existing team members.

HTB’s defensive security-focused labs and courses provide professionals with the tools and skills to deliver the day-to-day tasks required to keep an organization secure and avoid risks. Sherlocks are already available as part of our Dedicated Labs business plans—get in touch with our team to learn more.
