Deterministic and probabilistic analysis

When an event occurs, the cybersecurity operator only ever sees the symptoms or consequences of the event, rather than the actions themselves. Like a medic, the cybersecurity operator has two tasks: mending the symptoms and treating the cause. Unlike a medic, operators cannot ask the patient questions about the events leading up to the symptoms starting; the data has either already been collected or it is gone. 

To figure out what has happened – in order to establish, and hence to find treatments for, the cause – the operator can choose from two paths, or a combination of both. These two approaches to analysis are called deterministic and probabilistic. The ability to compare and contrast these approaches is topic 4.10 in the 210-255 specification:

Implementing Cisco Cybersecurity Operations (210-255) topic list:

4.10 Compare and contrast deterministic and probabilistic analysis

In this section, we will outline the similarities and differences between the two techniques in key areas, before looking at examples of each technique.
