Huntress foundations
Settle into the self-paced cadence, name the escalation ceiling, then build the mental model of Huntress as a managed security platform with a 24/7 SOC. Read an Incident Report the right way round, recognise the four product surfaces, navigate the portal without acting on the wrong customer.
Lessons
- 01 ~8 minHow this course works
Self-paced training works once you can see its shape. Ten short lessons, a checkpoint between sittings, a single final scenario assessment at the end, and the difference between an LMS recommendation and your MSP's sign-off.
- 02 ~7 minCapturing questions for your senior
Self-paced training mostly happens when seniors are unavailable. A running questions list with three fields (where, what, what you tried) unblocks you in the moment and stockpiles questions for a scheduled check-in.
- 03 ~10 minWhat "ready for live tickets" looks like
The 95% of daily Huntress ticket volume that stays inside the helpdesk, the 5% that always escalates, and why finishing this course is a recommendation of readiness rather than a sign-off.
- 04 ~8 minWhat Huntress is, and where it sits in the MSP stack
Huntress is a managed security platform with a 24/7 SOC. It collects telemetry, the SOC analyses and recommends, the tech actions — a different model from AV's autonomous block. Get the mental model right before lesson 05's keystone.
- 05 ~10 minThe managed-SOC model — the analyst has already done the analysis
The keystone lesson. By the time an Incident Report reaches you the SOC analyst has triaged, classified, and recommended. Your default disposition is execute, not investigate. Second-guessing without new signal is the cardinal mistake.
- 06 ~9 minThe product surfaces — EDR, ITDR, SIEM (with canaries inside EDR)
Managed EDR for endpoints (with ransomware canaries as a tripwire feature inside it), Managed ITDR for identities on Microsoft 365 and Google Workspace, and Managed SIEM for ingested logs. Identifying the surface from the header tells you which playbook applies before you read the body.
- 07 ~7 minPortal walkthrough — the global view (Command Center)
The Command Center is the dashboard you land on. Active issues for at-a-glance severity, Open Escalations for things needing your eyes, Triage Feed for chronology, and the top nav for drilling into Incidents, Organizations, and the rest.
- 08 ~8 minPortal walkthrough — inside an organisation
The most expensive mistake on this platform is the right action on the wrong customer. The organisation selector at the top of the page is the single source of truth for which tenant you're acting on, and a five-step pre-isolation sequence keeps the wrong-tenant error out.
- 09 ~8 minSeverity bands and SLAs
Low, High, Critical — the SOC grades, the tech doesn't re-grade. Each band drives a different response shape, and the SLA clock that wraps around it is your MSP's call rather than Huntress's.
- 10 ~10 minReading an Incident Report
The header chips name severity and the affected entity; the body lives in tabs (Report, Remaining Footholds, Remediations, AV Detections, Process Detections). Recommendation lives on the Report tab and is what you act on; Remediations is where you approve individual SOC-prescribed actions.
- 11 ~7 minRecommendation vs. context — what the SOC is asking you to do
Every Incident Report has a context zone (Summary, Evidence, Timeline) and an action zone (Recommendation). One test before any action — did the analyst say to do this, in the Recommendation? If no, stop.
- Final quiz
Test what you learned. Wrong answers are explained on the spot.