2023 Training Catalogue Q2 Single v7 2023
hands-on courses
150+ extraordinary, SANS-certified instructors
40+ certifications

“The real value of this training lies at the intersection of quality content and delivery by a subject-matter expert actively working in the field, making it incredibly relevant and immediately applicable to my job.”
—P. Watson

The SANS Promise: You will be able to use the skills you’ve learned in our training and programs immediately in your work.
About SANS
SANS is the world’s largest and most trusted provider of cyber security training. Founded in 1989, SANS operates globally and has over 200,000 alumni.
For over thirty years, we have worked with many of the world’s more prominent companies, military organisations, and governments.
Our training is designed to be practical; students are immersed in hands-on lab exercises built to let them rehearse, hone and perfect what they’ve learned.
SANS training strengthens a student’s ability to achieve a GIAC certification, with both SANS and GIAC placing an emphasis on learning practical skills.
63% of organizations were breached in the past year.*
* Forrester, The 2021 State of Enterprise Breaches

Cybersecurity skills continue to be in high demand as organizations are challenged to get past the skills gap in their search for infosec talent. As cyber threats and attacks increase in number and sophistication, there’s a growing global incentive to focus on educating, empowering, and evolving the workforce to reduce cyber risk. People are truly the most critical line of defense against threats, and it’s essential to provide them with the practical skills required to best defend your organization. From improving security awareness across enterprises to building high-performing cybersecurity teams, SANS has training, certifications, and resources to help reduce risk to your organization.

Enhance awareness culture and cybersecurity readiness
Reduce the time to detect an intrusion, respond to it, and restore operations
Fortify your organization’s security posture
GIAC
The Highest Standard in
Cybersecurity Certification
DFIR & Threat Hunting

FOR528: Ransomware for Incident Responders
This course uses deftly devised, real-world attacks and their subsequent forensic artifacts to provide the analyst with everything needed to respond to ransomware incidents.

FOR532: Enterprise Memory Forensics In-Depth
This course focuses on memory forensics from acquisition to detailed analysis, from analyzing one machine to many machines all at once. It covers Windows, Mac, and Linux memory forensics as well as cloud memory acquisition.

FOR589: Cybercrime Intelligence
Learn to hunt for Criminal Intelligence (CRIMINT) on the Dark Web and analyze criminal “on-chain” financial transactions using Blockchain Intelligence (BLOCKINT) tools, as well as how to identify, analyze, and extract cryptocurrency artifacts from criminal devices in computer and mobile forensics investigations.

FOR577: LINUX Incident Response & Analysis
Linux powers a vast range of business-critical systems across the globe. From webservers to database platforms, to network hardware to security appliances, Linux can often be found “under the hood” making sure the system just keeps working. This course gives incident responders and forensic investigators the knowledge they need to understand how the systems work, how attackers compromise environments and how to respond and investigate in an effective manner.

GIAC Certifications

GIAC iOS and MacOS Examiner (GIME)
The GIME certification validates a practitioner’s knowledge of Mac and iOS computer forensic analysis and incident response skills. GIME-certified professionals are well-versed in traditional investigations as well as intrusion analysis scenarios for compromised Apple devices.

GIAC Cloud Forensics Responder (GCFR)
The GCFR certification validates a practitioner’s ability to track and respond to incidents across the three major cloud providers. GCFR-certified professionals are well-versed in the log collection and interpretation skills needed to manage rapidly changing enterprise cloud environments.

GIAC Cloud Threat Detection (GCTD)
The GCTD certification validates a practitioner's ability to detect and investigate suspicious activity in cloud infrastructure. GCTD-certified professionals are experienced in cyber threat intelligence, secure cloud configuration, and other practices needed to defend cloud solutions and services.

Cyber Live
The New Mark of Hands-On Cybersecurity Skills
Cybersecurity professionals need discipline-specific certifications and practical testing that validate their knowledge and hands-on skills. GIAC recognized this industry-wide need and developed CyberLive—hands-on, real-world practical testing—to fill the gaps in the market.

SANS OnDemand
OnDemand 2.0
The new SANS OnDemand experience offers ultimate flexibility and is packed with enhanced features to build your cybersecurity skills at your own pace. Take it for a test drive with one of our free course demos.
www.sans.org/course-preview
sans.org/mlp/new-sans-courses
SANS INSTITUTE
The most trusted resource for information security training, cybersecurity certifications, and research.

150+ extraordinary SANS-certified instructors

“I have taken numerous courses over my career and many were online. Nothing, including expensive college-level courses, was on the same level as SANS training. It's dense, rich, and immediately applicable. If the student takes what they have learned into their workplace, they will immediately be able to distinguish themselves. I’m already looking forward to my next SANS training opportunity, and I highly recommend it to others.”
—Dave Brock, Lytx Inc.

If you’re new to SANS or unsure of the subject area or skill level to select for your next training course, SANS offers free one-hour course previews via our OnDemand platform.
Preview our courses at sans.org/demo
Technology, Attackers, and Cyber Defense Techniques Change Rapidly – Sometimes in Days
Our courses, labs, content, and certifications deliver on the most advanced teaching techniques, labs, content, and certifications that are TRUSTED by organizations worldwide.
• EXPERTS: Trained by experts who undergo years of training and teaching mastery. Only the best of the best are invited to teach.
• CONTENT: Technology, attacker techniques, and defensive capabilities are changing rapidly. SANS course content is continually updated.
• SKILLS: Real-world labs are architected, engineered, written, and tested – continuously.
• TRAINING VALIDATION: GIAC certifications keep pace with continually emerging content and skills, ensuring for employers that their people can perform in the latest threat environment.

“SANS is trusted. SANS delivers. SANS never accepts anything less than the best techniques, capabilities, and instructors worldwide. It takes a lot for SANS to maintain the ‘Most Trusted Source of Cyber Security Training, Certification, and Research’ worldwide. We won’t lie. It is hard. We deliver that promise. We know your organization depends on it and we take our jobs seriously. And we love knowing what we do matters.”
—Rob Lee, Chief Curriculum Director at SANS

137,000+ GIAC Certifications Issued
30+ Countries Featuring SANS Training Events
NICE Framework
The NICE framework provides a common language to speak about cyber roles, jobs and tasks/skills/knowledge (TSKs) in cybersecurity. The U.S. Department of Commerce created this framework to enable workforce continuity.
Use this as a blueprint to organize cybersecurity work into Categories, Specialty Areas, Work Roles, Tasks, and Knowledge, Skills and Abilities (KSAs).
www.nist.gov/itl/applied-cybersecurity/nice
Securely Provision (SP) Protect and Defend (PR)
NICE Specialty Recommended Course NICE Specialty Recommended Course
Work Role Work Role
Area (GIAC Certification) Area (GIAC Certification)
Authorizing SEC301 (GISF) SEC402 SEC401 (GSEC) SEC586
Official/ LDR512 (GSLC) SEC403 SEC450 (GSOC) FOR532
Designating LDR415 SEC504 (GCIH) FOR578 (GCTI)
Risk Representative Cybersecurity
Cyber Defense SEC501 (GCED) FOR589
Management SEC460 (GEVA) SEC401 (GSEC) Defense
Analyst SEC503 (GCIA) FOR610 (GREM)
(RSK) AUD507 (GSNA) SEC510 (GCPS) Analysis (CDA) SEC511 (GMON) FOR710
Security Control
SEC560 (GPEN) SEC566 (GCCC) SEC573 (GPYC)
Assessor
SEC542 (GWAPT) MGT516 SEC541 (GCTD)
SEC588 (GCPN)
Cybersecurity SEC568 SEC511 (GMON)
Software SEC522 (GWEB) SEC542 (GWAPT) Cyber Defense SEC401 (GSEC) SEC586
Defense
Software Developer SEC540 (GCSA) SEC549 Infrastructure SEC450 (GSOC) SEC460 (GEVA)
Infrastructure Support Specialist
Development SEC542 (GWAPT) SEC540 (GCSA) Support (INF) SEC501 (GCED)
(DEV) Secure Software
SEC510 (GCPS) SEC573 (GPYC) SEC504 (GCIH) FOR532
Assessor
SEC522 (GWEB) SEC549 FOR508 (GCFA) FOR589
Enterprise SEC530 (GDSA) SEC540 (GCSA) FOR572 (GNFA) FOR710
Systems Architect SEC510 (GPCS) Incident FOR509 (GCFR) ICS515 (GRID)
Cyber Defense
Architecture Response Incident FOR608 SEC541 (GCTD)
(ARC) SEC488 (GCLD) SEC530 (GDSA)
Security Architect (CIR) Responder FOR610 (GREM) SEC586
SEC511 (GMON) SEC510 (GPCS)
FOR518 (GIME) FOR532
Research & SEC568 SEC522 (GWEB) FOR528 FOR577
Technology
Development SEC573 (GPYC) SEC510 (GPCS) FOR578 (GCTI)
R&D (TRD) Specialist SEC540 (GCSA)
SEC460 (GEVA) SEC556
Systems Systems MGT525 (GCPM) Vulnerability
SEC542 (GWAPT) SEC660 (GXPN)
Requirements Requirements SEC402 Assessment
SEC588 (GCPN) LDR516
Planning (SRP) Planner SEC403 Analyst
SEC560 (GPEN)
Vulnerability
SEC460 (GEVA) SEC556 SEC560 (GPEN) SEC588 (GCPN)
Test and System Testing SEC568 AUD507 (GSNA), Assessment and
Pen Tester SEC542 (GWAPT) SEC660 (GXPN)
Evaluation & Evaluation SEC560 (GPEN) SEC402 Management SEC556 SEC467
(TST) Specialist SEC588 (GCPN) SEC403 (VAM)
Adversary SEC565 SEC504 (GCIH)
SEC542 (GWAPT) SEC599 (GDAT) SEC556
Emulation
Information SEC540 (GCSA) SEC510 (GPCS) Specialist/Red SEC699 SEC660 (GXPN)
Systems Systems Security SEC522 (GWEB) Teamer SEC670 SEC760
Development Developer SEC542 (GWAPT)
(SYS) SEC540 (GCSA) SEC542 (GWAPT)
Systems Developer
SEC522 (GWEB) Operate and Maintain (OM)
NICE Specialty Recommended Course
Work Role
Investigate (IN) Area (GIAC Certification)
NICE Specialty Recommended Course Database SEC401 (GSEC) FOR498 (GBFA)
Work Role Administrator FOR308
Area (GIAC Certification)
Data SEC401 (GSEC) FOR498 (GBFA)
FOR498 (GBFA) FOR608
FOR308 FOR585 (GASF) Administration SEC573 (GPYC) FOR585 (GASF)
FOR500 (GCFE) FOR518 (GIME), (DTA) Data Analyst FOR578 (GCTI) FOR518 GIME)
Cyber SEC595
Cyber Crime FOR508 (GCFA) FOR578 (GCTI)
Investigation FOR308
Investigator FOR528 FOR589
(INV) FOR532 FOR610 (GREM)
Knowledge SEC301 (GISF) FOR498 (GBFA)
FOR572 (GNFA) FOR710 Knowledge SEC402 FOR585 (GASF)
FOR509 (GCFR) Management
Manager SEC403 FOR518 GIME)
FOR308 FOR509 (GCFR) (KMG) FOR308
FOR508 (GCFA) FOR518 (GIME) SEC401 (GSEC)
FOR528 FOR589 Customer Service
Law Enforcement/ Technical Support SEC505 (GCWN)
FOR532 FOR608 and Technical SEC504 (GCIH)
CounterIntelligence Specialist
FOR498 (GBFA) FOR710 Support (STS)
Forensics Analyst
FOR572 (GNFA) FOR308
FOR610 (GREM) SEC573 (GPYC) Network SEC401 (GSEC)
Digital Network
FOR578 (GCTI) Operations SEC501 (GCED)
Forensics Services (NET) Specialist SEC555 (GCDA)
FOR500 (GCFE) FOR608
(FOR) Systems SEC401 (GSEC) FOR308
FOR308 FOR518 (GIME) System
FOR498 (GBFA) FOR572 (GNFA) Administration SEC505 (GCWN) FOR498 (GBFA)
Administrator
Cyber Defense FOR508 (GCFA), FOR585 (GASF) (ADM) SEC586
Forensics Analyst FOR509 (GCFR) FOR610 (GREM) SEC401 (GSEC) SEC586
FOR528 FOR710 SEC488 (GCLD) FOR308
FOR532 SEC573 (GPYC)
Systems Systems Security
SEC504 (GCIH) FOR585 (GASF)
FOR589 Analysis (ANA) Analyst
AUD507 (GSNA) FOR518 GIME)
SEC505 (GCWN)
SANS Training Roadmap

NEW TO CYBERSECURITY | COMPUTERS, TECHNOLOGY, AND SECURITY
COMPUTER & IT FUNDAMENTALS: SEC275 Foundations: Computers, Technology & Security | GFACT
CYBERSECURITY FUNDAMENTALS: SEC301 Introduction to Cyber Security | GISF
These entry-level courses cover a wide spectrum of security topics and are liberally sprinkled with real-life examples. A balanced mix of technical and managerial issues makes these courses appealing to attendees who need to understand the salient facets of information security basics and the basics of risk management.

CORE TECHNIQUES | PREVENT, DEFEND, MAINTAIN
Every Security Professional Should Know
SECURITY ESSENTIALS: SEC401 Security Essentials: Network, Endpoint, and Cloud | GSEC
BLUE TEAM: SEC450 Blue Team Fundamentals: Security Operations and Analysis | GSOC
ATTACKER TECHNIQUES: SEC504 Hacker Tools, Techniques, and Incident Handling | GCIH
Whether you are new to information security or a seasoned practitioner with a specialized focus, SEC401 will provide the essential information security skills and techniques you need to protect and secure your critical information and technology assets, whether on-premise or in the cloud.
All professionals entrusted with hands-on cybersecurity work should be trained to possess a common set of capabilities enabling them to secure systems, practice defense in depth, understand how attacks work, and manage incidents when they occur. To be secure, you should set a high bar for the baseline set of skills in your security organization.

DESIGN, DETECTION, AND DEFENSIVE CONTROLS
Focused Cyber Defense Skills
ADVANCED CYBERSECURITY GENERALIST: SEC501 Advanced Security Essentials – Enterprise Defender | GCED
MONITORING & OPERATIONS: SEC511 Continuous Monitoring and Security Operations | GMON
TRAFFIC ANALYSIS: SEC503 Network Monitoring and Threat Detection In-Depth | GCIA
SECURITY ARCHITECTURE: SEC530 Defensible Security Architecture and Engineering: Implementing Zero Trust for the Hybrid Enterprise | GDSA
The detection of what is happening in your environment requires an increasingly sophisticated set of skills and capabilities. Identifying security anomalies requires increased depth of understanding to deploy detection and monitoring tools and to interpret their output.

ADVANCED CYBER DEFENSE | HARDEN SPECIFIC DEFENSES
Platform-Focused
WINDOWS/POWERSHELL: SEC505 Securing Windows and PowerShell Automation | GCWN
Topic-Focused
SIEM: SEC555 SIEM with Tactical Analytics | GCDA
POWERSHELL: SEC586 Security Automation with PowerShell
PYTHON CODING: SEC573 Automating Information Security with Python | GPYC
PYTHON CODING: SEC673 Advanced Information Security Automation with Python
DATA SCIENCE: SEC595 Applied Data Science and Machine Learning for Cybersecurity Professionals
Open-Source Intelligence
OSINT: SEC497 Practical Open-Source Intelligence (OSINT) | GOSI
OSINT: SEC587 Advanced Open-Source Intelligence (OSINT) Gathering & Analysis

OFFENSIVE OPERATIONS | VULNERABILITY ANALYSIS, PENETRATION TESTING
Every Offensive Professional Should Know
NETWORK PEN TESTING: SEC560 Enterprise Penetration Testing | GPEN
WEB APPS: SEC542 Web App Penetration Testing and Ethical Hacking | GWAPT
VULNERABILITY ASSESSMENT: SEC460 Enterprise and Cloud | Threat and Vulnerability Assessment | GEVA
The professional who can find weakness is often a different breed than one focused exclusively on building defenses. A basic tenet of Red Team/Blue Team deployments is that finding vulnerabilities requires different ways of thinking and different tools. Offensive skills are essential for cybersecurity professionals to improve their defenses.

SPECIALIZED OFFENSIVE OPERATIONS | FOCUSED TECHNIQUES & AREAS
Network, Web, and Cloud
EXPLOIT DEVELOPMENT: SEC660 Advanced Penetration Testing, Exploit Writing, and Ethical Hacking | GXPN
EXPLOIT DEVELOPMENT: SEC661 ARM Exploit Development
EXPLOIT DEVELOPMENT: SEC760 Advanced Exploit Development for Penetration Testers
CLOUD PEN TEST: SEC588 Cloud Penetration Testing | GCPN
Specialized Penetration Testing
SOCIAL ENGINEERING: SEC467 Social Engineering for Security Professionals
BLOCKCHAIN: SEC554 Blockchain and Smart Contract Security
RED TEAM: SEC565 Red Team Operations and Adversary Emulation
RED TEAM: SEC670 Red Teaming Tools - Developing Windows Implants, Shellcode, Command and Control
MOBILE: SEC575 iOS and Android Application Security Analysis and Penetration Testing | GMOB
PRODUCT SECURITY: SEC568 Combating Supply Chain Attacks with Product Security Testing
PEN TEST: SEC580 Metasploit for Enterprise Penetration Testing
SEC556 IoT Penetration Testing
WIRELESS: SEC617 Wireless Penetration Testing and Ethical Hacking | GAWN
Purple Team
SEC598 Security Automation for Offense, Defense, and Cloud
ADVERSARY EMULATION: SEC599 Defeating Advanced Adversaries – Purple Team Tactics and Kill Chain Defenses | GDAT
ADVERSARY EMULATION: SEC699 Purple Team Tactics – Adversary Emulation for Breach Prevention & Detection

INCIDENT RESPONSE & THREAT HUNTING | HOST & NETWORK FORENSICS
Every Forensics and Incident Response Professional Should Know
FORENSICS ESSENTIALS: FOR308 Digital Forensics Essentials
ENDPOINT FORENSICS: FOR500 Windows Forensic Analysis | GCFE
ENDPOINT FORENSICS: FOR508 Advanced Incident Response, Threat Hunting, and Digital Forensics | GCFA
ENDPOINT FORENSICS: FOR532 Enterprise Memory Forensics In-Depth
ENDPOINT FORENSICS: FOR577: LINUX Incident Response & Analysis
ENDPOINT FORENSICS: FOR608 Enterprise-Class Incident Response & Threat Hunting
NETWORK FORENSICS: FOR572 Advanced Network Forensics: Threat Hunting, Analysis, and Incident Response | GNFA
BATTLEFIELD FORENSICS & DATA ACQUISITION: FOR498 Battlefield Forensics & Data Acquisition | GBFA
LINUX FORENSICS: FOR577 Linux Incident Response & Analysis
Whether you’re seeking to maintain a trail of evidence on host or network systems, or hunting for threats using similar techniques, larger organizations need specialized professionals who can move beyond first-response incident handling in order to analyze an attack and develop an appropriate remediation and recovery plan.

SPECIALIZATION IN CLOUD SECURITY
Specialization for Advanced Skills & Roles
APPLICATION SECURITY: SEC522 Application Security: Securing Web Apps, APIs, and Microservices | GWEB
CLOUD PEN TEST: SEC588 Cloud Penetration Testing | GCPN
CLOUD FORENSICS: FOR509 Enterprise Cloud Forensics and Incident Response | GCFR
DESIGN & IMPLEMENTATION: MGT520 Leading Cloud Security Design and Implementation
Learning how to convert traditional cybersecurity skills into the nuances of cloud security is a necessity for proper monitoring, detection, testing, and defense.

INDUSTRIAL CONTROL SYSTEMS SECURITY
Every ICS Security Professional Should Know
ESSENTIALS: ICS410 ICS/SCADA Security Essentials | GICSP
ICS DEFENSE & RESPONSE: ICS515 ICS Visibility, Detection, and Response | GRID
ICS ADVANCED SECURITY: ICS612 ICS Cybersecurity In-Depth
NERC Protection
NERC SECURITY ESSENTIALS: ICS456 Essentials for NERC Critical Infrastructure Protection | GCIP
Every ICS Security Manager Should Know
ESSENTIALS: ICS418 ICS Security Essentials for Managers
Help protect critical systems by reinforcing the behavior your engineers, system operators and others who interact with ICS environments require to prevent, identify and respond to cyber incidents.

TECHNICAL TRAINING FROM SANS SECURITY AWARENESS
Security Essentials for IT Administrators
Protecting your organization from cyber threats requires continuous investment in skills development to stay ahead of any emerging threats. This short-form computer-based training provides technical teams with a deep understanding of evolving security concepts with a learning progression suited to their skillset.
Educate everyone involved in the software development process including developers, architects, managers, testers, business owners, and partners with role-focused training that ensures your team can properly build defensible applications from the start.

Every Cybersecurity Manager Should Know
Transformational Cybersecurity Leader
CISSP® TRAINING: LDR414 SANS Training Program for CISSP® Certification | GISP
SECURITY LEADERSHIP: LDR512 Security Leadership Essentials for Managers | GSLC
SECURITY AWARENESS: LDR433 Managing Human Risk | SSAP
SECURITY STRATEGY: LDR514 Security Strategic Planning, Policy, and Leadership | GSTRT
With an increasing number of talented technologists, organizations require effective leaders to manage their teams and processes. Those leaders will not necessarily perform hands-on work, but they must know enough about the underlying technologies and frameworks to help set strategy, develop appropriate policies, interact with skilled practitioners, and measure outcomes.

LEADERSHIP SPECIALIZATIONS
Management Specialization
SECURITY CULTURE: LDR521 Leading Cybersecurity Change: Building a Security-Based Culture
Operational Cybersecurity Executive
AUDIT & MONITOR: AUD507 Auditing Systems, Applications, and the Cloud | GSNA
VULNERABILITY MANAGEMENT: LDR516 Building and Leading Vulnerability Management Programs
DESIGN & IMPLEMENTATION: LDR520 Leading Cloud Security Design and Implementation
SOC: LDR551 Building and Leading Security Operations Centers | GSOM
LAW & INVESTIGATIONS: LEG523 Law of Data Security and Investigations | GLEG
FRAMEWORKS & CONTROLS: SEC566 Implementing and Auditing Security Frameworks & Controls | GCCC
PROJECT MANAGEMENT: MGT525 Managing Cybersecurity Initiatives & Effective Communication | GCPM
INCIDENT RESPONSE: LDR553 Cyber Incident Management

CYBER RANGES
CTF & TRIVIA: Bootup CTF
SKILLS ASSESSMENT & PRACTICAL APPLICATION: NetWars Core
CYBER DEFENSE: NetWars Cyber Defense
DIGITAL FORENSICS & INCIDENT RESPONSE: NetWars DFIR
INDUSTRIAL CONTROL SYSTEMS: NetWars ICS
POWER GENERATION AND DISTRIBUTION: NetWars GRID
These cyber range offerings cover the broadest range of topics and are meant for all InfoSec professionals at all levels. SANS offers specialized versions of NetWars for more specific job roles. These cyber ranges dive deeper into the respective topics and help advance your career with situation-based challenges and scenarios rooted in real-life events.

MANAGE HUMAN RISK WITH TRAINING FROM SANS SECURITY AWARENESS
EndUser Awareness Training
Computer-based end-user training is built from a curated selection of the most pressing risk and compliance topics to address employee security behaviors. This engaging, modular, and multilingual suite of content reduces training fatigue and increases comprehension by tailoring your security awareness training program to the role- and industry-based issues relevant to your organization.

SANS CURRICULUM FOCUS AREA
NEW2CYBER
Cybersecurity and IT Essentials
• Adopt techniques that focus on high-priority security problems within your organization
• Build a solid foundation of core policies and practices to enable you and your security teams to practice proper incident response
• Use strategies and tools to detect attacks
• Develop effective security metrics that provide a focused playbook that IT can implement, auditors can validate, and executives can understand
• Implement a comprehensive
Enhance your training with:
• Cyber Defense Netwars (sans.org/netwars)
• The SANS Technology Institute’s undergraduate and graduate cybersecurity programs (sans.edu)
• Free Resources (sans.org/free)
SEC275: Foundations: Computers, Technology, & Security
GFACT Foundational Cybersecurity
6 Day Program | 38 CPEs | Laptop Required

What You Will Learn
The course provides exactly what you need to go from zero technical and security knowledge to a level of sufficient theoretical understanding and applied practical skills that will enable you to speak the same language as industry professionals. Students will develop fundamental skills and knowledge in key IT subject areas such as:
• Computer Components & Concepts
• Operating Systems & Virtualization
• Linux
• The Web
• Networking Fundamentals
• Servers and Services
• Practical Programming Concepts
• Structured Query Language – SQL
  - Basic statements
  - MySQL Joins
  - Operators
  - Database Administration
• Windows Foundations
• Advanced Computer Hardware
• Security Concepts
• Offensive Security Concepts
• Network and Computer Infiltration

What is included with SANS Foundations?
• Over 120 hours of curated content
• Hands-on labs experience
• Quizzes to consolidate learning outcomes
• Training by world-renowned experts
• Engaging 4K video content
• Proctored final exam delivered by GIAC

SANS Foundations is the best course available to learn the core knowledge and develop practical skills in computers, technology, and security foundations that are needed to kickstart a career in cybersecurity. The course features a comprehensive variety of innovative, hands-on labs, and practical exercises that go far beyond what is offered in any other foundational course in cybersecurity. These labs are developed by leading subject-matter experts, drawing on the latest technology, techniques, and concepts in cybersecurity.
The course provides students with the practical learning and key skills to empower future cybersecurity learning and professional development.

Author Statement
“Cybersecurity is an exciting and fast-growing field, and it must be at a time when the global talent shortage continues to grow, and both the number of threats and malicious actors continues to rise. While job roles in application security, reverse malware engineering, and threat hunting may sound enticing, practitioners in these roles all had to start by learning the basics. There are essential computing and technology skills that all successful cybersecurity professionals first learn that serve as the baseline for careers and future education in the field. SANS Foundations serves as the launch of an IT education and career or can fill in the gaps by introducing students to these fundamentals.
“By providing students with minimal technology proficiency and the ability to recognize key terms and develop competencies with tools and systems in a comfortable atmosphere, they are prepared for future skills development. Whether you are a career seeker, self-driven learner, or in an immersive training program, SANS Foundations will provide you with the core IT and computer knowledge and abilities integral to a future career in cybersecurity.
“SANS Foundations teaches students a broad array of fundamental knowledge in areas such as computer hardware, networking, Linux, operating systems, data storage, and much more. The skills gained are applicable to everyone in an IT, computing, or security role. Practical skills are key to success in cybersecurity, and thus there are over 100 labs and hands-on exercises in the course to kickstart your cybersecurity journey. The course will set you up for entering the workforce and be ready to continue learning in more advanced, technical areas across cybersecurity.”
—James Lyne, SANS Chief Technology Officer

“Great content and learning, very positive. Really a great way to step into cybersecurity and build skills day to day.”
“The labs were a great way to practice and learn the new commands, I loved them. Another great tool were the videos with execution examples.”
sans.org/SEC275
FOR308: Digital Forensics Essentials
6 Day Program | 36 CPEs | Laptop Required

You Will Be Able To
• Effectively use digital forensics methodologies
• Ask the right questions in relation to digital evidence
• Understand how to conduct digital forensics engagements compliant with acceptable practice standards
• Develop and maintain a digital forensics capacity
• Understand incident response processes and procedures and when to call on the team
• Describe potential data recovery options in relation to deleted data
• Identify when digital forensics may be useful and understand how to escalate to an investigator
• If required, use the results of your digital forensics in court

Course Topics
• Introduction to digital investigation and evidence
• Where to find digital evidence
• Digital forensics principles
• Digital forensics and incident response processes
• Digital forensics acquisition
• Digital forensics examination and analysis
• Presenting your findings
• Understanding digital forensic reports
• Challenges in digital forensics
• Building and developing digital forensics capacity
• Legality of digital evidence
• How to testify in court

More than half of jobs in the modern world use a computer. The vast majority of people aged 18-30 are ‘digitally fluent’; accustomed to using smartphones, smart TVs, tablets and home assistants, in addition to laptops and computers, simply as part of everyday life. Yet, how many of these users actually understand what’s going on under the hood? Do you know what your computer or smartphone can tell someone about you? Do you know how easy it might be for someone to access and exploit that data? Are you fed up with not understanding what technical people are talking about when it comes to computers and files, data and metadata? Do you know what actually happens when a file is deleted? Do you want to know more about Digital Forensics and Incident Response? If you answered ‘yes’ to any of the above, this course is for you. This is an introductory course aimed at people from non-technical backgrounds, to give an understanding, in layman’s terms, of how files are stored on a computer or smartphone. It explains what Digital Forensics and Incident Response are and the art of the possible when professionals in these fields are given possession of a device.

This course is intended to be a starting point in the SANS catalogue and provide a grounding in knowledge, from which other, more in-depth, courses will expand.

IT’S NOT JUST ABOUT USING TOOLS AND PUSHING BUTTONS
Digital forensics has evolved from methods and techniques that were used by detectives in the 1990s to get digital evidence from computers, into a complex and comprehensive discipline. The sheer volume of digital devices and data that we could use in investigative ways meant that digital forensics was no longer just being used by police detectives. It was now being used as a full forensic science. It was being used in civil legal processes. It was being used in the military and intelligence services to gather intelligence and actionable data. It was being used to identify how people use and misuse devices. It was being used to identify how information systems and networks were being compromised and how to better protect them. And that is just some of the current uses of digital forensics.

However, digital forensics and incident response are still largely misunderstood outside of a very small and niche community, despite their uses in the much broader commercial, information security, legal, military, intelligence and law enforcement communities.

Many digital forensics and incident response courses focus on the techniques and methods used in these fields, which often do not address the core principles: what digital forensics and incident response are and how to actually make use of digital investigations and digital evidence. This course provides that. It serves to educate the users and potential users of digital forensics and incident response teams, so that they better understand what these teams do and how their services can be better leveraged. Such users include executives, managers, regulators, legal practitioners, military and intelligence operators and investigators. In addition, not only does this course serve as a foundation for prospective digital forensics practitioners and incident responders, but it also fills in the gaps in fundamental understanding for existing digital forensics practitioners who are looking to take their capabilities to a whole new level.
sans.org/FOR308
SEC301: Introduction to Cyber Security
GIAC Certification: GISF Information Security Fundamentals (giac.org/gisf)
5 Day Program | 30 CPEs | Laptop Required

To determine if SANS SEC301: Introduction to Cyber Security is right for you, ask yourself five simple questions:
• Do you have basic computer knowledge, but are new to cybersecurity and in need of an introduction to the fundamentals?
• Are you bombarded with complex technical security terms that you don’t understand?
• Are you a non-IT security manager who lies awake at night worrying that your company will be the next mega-breach headline story on the 6 o’clock news?
• Do you need to be conversant in basic security concepts, principles, and terms, even if you don’t need “deep in the weeds” detail?
• Have you decided to make a career change to take advantage of the job opportunities in cybersecurity and need formal training and certification?

If you answer yes to any of these questions, then the SEC301: Introduction to Cyber Security training course is for you. Students with a basic knowledge of computers and technology but no prior cybersecurity experience can jump-start their security education with insight and instruction from real-world security experts in SEC301.

This completely revised and comprehensive five-day course covers a wide range of baseline topics, including terminology, the basics of computer networks, security policies, incident response, passwords, and even an introduction to cryptographic principles. The hands-on, step-by-step learning format will enable you to grasp all the information presented even if some of the topics are new to you. You’ll learn fundamentals of cybersecurity that will serve as the foundation of your security skills and knowledge for years to come.

Written by a security professional with over 30 years of experience in both the public and private sectors, SEC301 provides uncompromising real-world insight from start to finish. The course prepares you for the GIAC Information Security Fundamentals (GISF) certification test, as well as for the next SANS course in this progression, SEC401: Security Essentials: Network, Endpoint, and Cloud. It also delivers on the SANS promise: You will be able to use the knowledge and skills you learn in SEC301 as soon as you return to work.

You Will Be Able To
• Communicate with confidence regarding information security topics, terms, and concepts
• Understand and apply the Principle of Least Privilege
• Understand and apply the Confidentiality, Integrity, and Availability (CIA) triad to prioritize critical security resources
• Build better passwords that are more secure while also being easier to remember and type
• Grasp basic cryptographic principles, processes, procedures, and applications
• Understand how a computer works
• Understand computer network basics
• Have a fundamental grasp of any number of technical acronyms: TCP/IP, IP, TCP, UDP, MAC, ARP, NAT, ICMP, and DNS, and the list goes on
• Utilize built-in Windows tools to see your network settings
• Recognize and be able to discuss various security technologies, including anti-malware, firewalls, intrusion detection systems, sniffers, ethical hacking, active defense, and threat hunting
• Understand wireless technologies including WiFi, Bluetooth, mobile phones and the Internet of Things (IoT)
• Explain a variety of frequent attacks such as social engineering, drive-by downloads, watering hole attacks, lateral movement, and other attacks
• Understand different types of malware
• Understand browser security and the privacy issues associated with web browsing
• Explain system hardening
• Discuss system patching
• Understand virtual machines and cloud computing
• Understand backups and create a backup plan for your personal life that virtually guarantees you never have to pay ransom to access your data

“SEC301 is an extremely valuable course, even for someone with 12 years of IT experience!”
— Brian Pfau, Banfield Pet Hospital

“SEC301 is a great class for the individual who wants to learn an extensive amount of material in one week.”
— Steven Chovanec, Discover Financial Services

sans.org/SEC301
SEC388: Introduction to Cloud Computing and Security

Author Statement
“Cloud computing is not new and the adoption of the cloud by organizations continues to grow at an astounding rate. Due to this, many people are finding themselves in the position where it clearly makes sense to learn more about cloud computing. Interestingly, this rise in cloud computing has brought forth a rise in cloud-related breaches – and it makes perfect sense why. As we see with any new frontier in computer science, what’s old is new again, and many of the mistakes of the past are being revived in today’s modern world of cloud computing. It is critically important to develop the skills and knowledge needed to positively influence cloud security in every capacity we can influence. Regardless of your background, SEC388’s entry-level approach and focus on cloud computing and security will help you prepare for a rewarding career, just as it will help level-up your skills as an accomplished professional, ultimately preparing you for success in a world of cloud computing.”
—Serge Borso

“Serge is the best instructor I’ve ever had! He’s so knowledgeable and has a great teaching style. Very relatable and helps when people have questions.”
—Seth J., SEC542 student

sans.org/SEC388
SEC401: Security Essentials: Network, Endpoint, and Cloud
GIAC Certification: GSEC Security Essentials (giac.org/gsec)
6 Day Program | 46 CPEs | Laptop Required

This course will show you the most effective steps to prevent attacks and detect adversaries with actionable techniques that can be used as soon as you get back to work. You’ll learn tips and tricks designed to help you win the battle against the wide range of cyber adversaries that want to harm your environment.

Organizations are going to be targeted, so they must be prepared for eventual compromise. Today more than ever before, TIMELY detection and response is critical. The longer an adversary is present in your environment, the more devastating and damaging the impact becomes. The most important question in information security may well be, “How quickly can we detect, respond, and REMEDIATE an adversary?”

Information security is all about making sure you focus on the right areas of defense, especially as applied to the uniqueness of YOUR organization. In SEC401 you will learn the language and underlying workings of computer and information security, and how best to apply them to your unique needs. You will gain the essential and effective security knowledge you will need if you are given the responsibility to secure systems and/or organizations.

Whether you are new to information security or a seasoned practitioner with a specialized focus, SEC401 will provide the essential information security skills and techniques you need to protect and secure your organization’s critical information and technology assets, whether on-premises or in the cloud. SEC401 will also show you how to directly apply the concepts learned into a winning defensive strategy, all in the terms of the modern adversary. This is how we fight; this is how we win!

Is SEC401: Security Essentials: Network, Endpoint, and Cloud the right course for you?
Ask yourself the following questions:
• Do you fully understand why some organizations become compromised and others do not?
• If there were compromised systems on your network, are you confident that you would be able to find them?
• Do you understand the effectiveness of each security control and are you certain that they are all configured correctly?
• Are the proper security metrics set up and communicated to your executives to help drive the best security decisions?

SEC401 provides the information security knowledge necessary to help you answer these questions, delivered in a bootcamp-style format and reinforced with hands-on labs.
SEC401 can be taken in Japanese language with Japanese textbooks.

You Will Be Able To
• Understand the core areas of cybersecurity and how to create a security program that is built on a foundation of Detection, Response, and Prevention
• Apply practical tips and tricks that focus on addressing high-priority security problems within your organization and doing the right things that lead to security solutions that work
• Understand how adversaries adapt tactics and techniques, and importantly how to adapt your defense accordingly
• Know what ransomware is and how to better defend against it
• Leverage a defensible network architecture (VLANs, NAC, and 802.1x) based on advanced persistent threat indicators of compromise
• Understand the Identity and Access Management (IAM) methodology, including aspects of strong authentication (Multi-Factor Authentication)
• Leverage the strengths and differences among the top three cloud providers (Amazon, Microsoft, and Google), including the concepts of multi-cloud
• Identify visible weaknesses of a system using various tools and, once vulnerabilities are discovered, configure the system to be more secure (realistic and practical application of a capable vulnerability management program)
• Sniff network communication protocols to determine the content of network communication (including access credentials) using tools such as tcpdump and Wireshark
• Use Windows, Linux, and macOS command line tools to analyze a system looking for high-risk indicators of compromise, as well as the concepts of basic scripting for the automation of continuous monitoring
• Build a network visibility map that can be used to validate the attack surface and determine the best methodology to reduce the attack surface through hardening and configuration management
• Know why some organizations win and some lose when it comes to security, and most importantly, how to be on the winning side

sans.org/SEC401
SEC402: Cybersecurity Writing: Hack the Reader
2 Day Course | 12 CPEs | Laptop Not Needed

Want to write better? Learn to hack the reader! Discover how to find an opening, break down your readers’ defenses, and capture their attention to deliver your message, even if they’re too busy or indifferent to others’ writing. This unique course, built exclusively for cybersecurity professionals, will strengthen your writing skills and boost your security career.

You will:
• Uncover the five “golden elements” of effective reports, briefings, emails, and other cybersecurity writing.
• Make these elements part of your arsenal through hands-on exercises that draw upon common security scenarios.
• Learn the key topics you need to address in security reports and other written communications.
• Understand how to pick the best words, structure, look, and tone.
• Begin improving your skills at once by spotting and fixing weaknesses in security samples.
• Receive practical checklists to ensure you’ll write clearly and effectively right away.

This isn’t your normal writing course:
• The course builds upon the author’s two decades of cybersecurity experience. You’ll learn from examples relevant to security professionals, whether they’re experts or beginners, managers or individual team members.
• The course focuses on common writing problems you’ll learn to avoid, instead of presenting tedious grammar rules or theoretical explanations. You’ll advance your writing by reviewing and improving real-world cybersecurity samples.

Master the writing secrets that’ll make you stand out in the eyes of your peers, colleagues, managers, and clients. Learn to communicate your insights, requests, and recommendations persuasively and professionally. Make your cybersecurity writing remarkable.

Who Should Attend
If your cybersecurity job involves writing emails, reports, proposals, or other content, you’ll find this course indispensable, whether you are:
• A manager or an individual team member
• A consultant or an internally-focused employee
• An expert or a beginner
• A defender or an attacker
• An earthling or an alien
You get the idea: the course is for all cybersecurity professionals who want to improve their written communications and boost their careers.

NICE Framework Work Roles
• Authorizing Official/Designating Representative (OPM 611)
• Systems Requirements Planner (OPM 641)
• System Testing and Evaluation Specialist (OPM 671)
• Knowledge Manager (OPM 431)
• Cyber Legal Advisor (OPM 731)
• Cyber Instructor (OPM 712)
• Security Awareness & Communications Manager (OPM 712)
• IT Program Auditor (OPM 805)

Author Statement
How can you stand out from other cybersecurity professionals with similar technical skills? How can you get your managers, clients, and colleagues to notice your contribution, accept your advice, and appreciate your input? Write better!

Here’s an uncommon opportunity to improve your writing skills without sitting through tedious lectures or writing irrelevant essays. You’ll make your writing remarkable by learning how to avoid common mistakes, working on real-world exercises to spot and correct cybersecurity writing problems. You’ll write clearly and effectively right away with the help of practical checklists.

This course captures my experience of writing in cybersecurity for over two decades and incorporates insights from other members of the community. It’s a course I wish I could have attended when I needed to improve my own writing skills. It’s a course I know will help you propel your own cybersecurity career.
—Lenny Zeltser

sans.org/SEC402
SANS Foundations: Computers, Technology and Security

SANS Foundations is the best single course available to learn core knowledge and develop practical skills in computers, technology, and security fundamentals that are needed to kickstart a career in cybersecurity.
• Deploy tools and techniques
• Apply a proactive approach
Enhance your training with:
SEC450: Blue Team Fundamentals: Security Operations and Analysis
6 Day Program | 36 CPEs | Laptop Required

If you’re looking for the gold standard in cyber security analyst training, you’ve found it! SANS SEC450 and the accompanying GIAC GSOC certification are the premier pair for anyone looking for a comprehensive security operations training course and certification. Check out the extensive syllabus and description below for a detailed run down of course content and don’t miss the free demo available by clicking the “Course Demo” button!

Designed for teams of all types, SEC450 will get you hands-on with the tools and techniques required to stop advanced cyberattacks! Whether you are a part of a full SOC in a large organization, a small security ops group, or an MSSP responsible for protecting customers, SEC450 will teach you and your team the critical skills for understanding how to defend a modern organization.

Designed By Security Analysts, For Security Analysts
SEC450 is authored, designed, and advised by a group of veteran SOC analysts and managers to be a one-stop shop for all the essential techniques, tools, and data your team will need to be effective, including:
• Security Data Collection – How to make the most of security telemetry including endpoint, network, and cloud-based sensors
• Automation – How to identify the best opportunities for SOAR platform and other script-based automation
• Efficient Security Process – How to keep your security operations tempo on track with in-depth discussions on what a SOC or security operations team should be doing at every step from data generation to detection, triage, analysis, and incident response
• Quality Triage and Analysis – How to quickly identify and separate typical commodity attack alerts from high-risk, high-impact advanced attacks, and how to do careful, thorough, and cognitive-bias free security incident analysis
• False Positive Reduction – Detailed explanations, processes, and techniques to reduce false positives to a minimum
• SOC Tools – Includes hands-on exercises
• Burnout and Turnover Reduction – Informed with both scientific research and years of personal experience, this class teaches what causes cyber security analyst burnout and how you and your team can avoid it by understanding the causes and factors that lead to burnout. This class will help you build a long-term sustainable cyber defense career so you and your team can deliver the best every day!
• Certification – The ability to add on the GIAC GSOC certification that encourages students to retain the material over the long term, and helps you objectively demonstrate you and your team’s level of skill

SEC450 takes the approach of not just teaching what to do, but also why these techniques work and encourages students to ask the critical question “How can we objectively measure that security is improving?” And unlike shorter security analyst training courses, SEC450 has the time to cover the deeper reasoning and principles behind successful cyber defense strategies, ensuring students can apply the concepts even beyond the class material to take their defensive skills and thinking to the next level. Don’t just take our word for it, ask any of the course alumni! SEC450 instructors repeatedly see the long lists of improvement ideas students finish the class with, eager to bring them back to their organizations.

Business Takeaways
This course will help your organization:
• Make the most of security telemetry including endpoint, network, and cloud-based sensors
• Reduce false positives to a minimum
• Quickly and accurately triage security incidents
• Improve the effectiveness, efficiency, and success of your SOC

Why Choose SANS SEC450 Over the Competition?
Unmatched in the industry with its volume and depth, SEC450 includes:
• Nearly 1000 pages of instructional content with extensive notes and documentation
• 15 hands-on exercises putting real SOC tools and situations in front of students to emphasize lessons and a 400+ page in-depth instructional exercise workbook to go with them
• Full lab walkthrough videos, recorded and explained step by step by the course author
• A custom course Linux virtual machine filled with SOC tools
• A full day capture-the-flag contest experience with 75 challenges where students will apply their learning and put their skills to the test!
• Continuously updated material to cover the newest attackers and techniques
This depth of material makes SEC450 and the GSOC certification a cyber security analyst training class like no other, covering techniques, mindset, and tools at a level unmatched by other offerings. Whether you’re taking SEC450 yourself or including it in your analyst training plan, we’d love to have you and your org join the growing list of alumni and GSOC certified security analysts helping to halt the flow of disruptive cyberattacks!

sans.org/SEC450
SEC497: Practical Open-Source Intelligence (OSINT)
GIAC Certification: GOSI Open Source Intelligence (giac.org/gosi)

sans.org/SEC497
SEC501: Advanced Security Essentials – Enterprise Defender
GIAC Certification: GCED Enterprise Defender (giac.org/gced)
6 Day Program | 38 CPEs | Laptop Required

Effective cybersecurity is more important than ever as attacks become stealthier, have a greater financial impact, and cause broad reputational damage. SEC501: Advanced Security Essentials – Enterprise Defender builds on a solid foundation of core policies and practices to enable security teams to defend their enterprise.

It has been said of security that “prevention is ideal, but detection is a must.” However, detection without response has little value. Network security needs to be constantly improved to prevent as many attacks as possible and to swiftly detect and appropriately respond to any breach that does occur. This PREVENT - DETECT - RESPOND strategy must be in place both externally and internally. As data become more portable and networks continue to be porous, there needs to be an increased focus on data protection. Critical information must be secured regardless of where it resides or what paths it travels.

The primary way to PREVENT attacks begins with assuring that your network devices are optimally configured to thwart your adversary. This is done by auditing against established security benchmarks, hardening devices to reduce their attack surface, and validating their increased resilience against attack. Prevention continues with securing hostname resolution (an obvious adversary target for establishing a Machine-in-the-Middle position) and goes even further with securing and defending cloud infrastructure (both public and private) against compromise.

Enterprises need to be able to DETECT attacks in a timely fashion. This is accomplished by understanding the traffic that is flowing on your networks, monitoring for indications of compromise, and employing active defense techniques to provide early warning of an attack.

Of course, despite an enterprise’s best efforts to prevent network attacks and protect its critical data, some attacks will still be successful. Performing penetration testing and vulnerability analysis against your enterprise to identify problems and issues before a compromise occurs is an excellent way to reduce overall organizational risk.

Once an attack is identified, you must quickly and effectively RESPOND, activating your incident response team to collect the forensic artifacts needed to identify the tactics, techniques, and procedures being used by your adversaries. With this information you can contain their activities, ensure that you have scoped out all systems where they have had an impact, and eventually eradicate them from the network. This can be followed by recovery and remediation to PREVENT their return. Lessons learned through understanding how the network was compromised can then be fed back into more preventive and detective measures, completing the security lifecycle.

It costs enterprises worldwide billions of dollars annually to respond to malware, and particularly Ransomware, attacks. So it is increasingly necessary to understand how such software behaves. Ransomware spreads very quickly and is not stealthy; as soon as your data become inaccessible and your systems unstable, it is clear something is amiss. Beyond detection and response, when prevention has failed, understanding the nature of malware, its functional requirements, and how it achieves its goals is critical to being able to rapidly reduce the damage it can cause and the costs of eradicating it.

Business Takeaways
• Improve the effectiveness, efficiency, and success of cybersecurity initiatives
• Build defensible networks that minimize the impact of attacks
• Identify your organization’s exposure points to ultimately prioritize and fix the vulnerabilities, increasing the organization’s overall security

You Will Be Able To
• Build a defensible network architecture by auditing router configurations, launching successful attacks against them, hardening devices to withstand those same attacks, and using active defense tools to detect an attack and generate an alert
• Perform detailed analysis of traffic using various sniffers and protocol analyzers, and automate attack detection by creating and testing new rules for detection systems
• Identify and track attacks and anomalies in network packets
• Use various tools to assess systems and web applications for known vulnerabilities, and exploit those vulnerabilities using penetration testing frameworks and toolsets
• Analyze Windows systems during an incident to identify signs of a compromise
• Find, identify, analyze, and clean up malware such as Ransomware using a variety of techniques, including monitoring the malware as it executes and manually reversing its code to discover its secrets

GIAC Certified Enterprise Defender
The GIAC Certified Enterprise Defender (GCED) certification builds on the security skills measured by the GIAC Security Essentials certification. It assesses more advanced, technical skills that are needed to defend the enterprise environment and protect an organization as a whole. GCED certification holders have validated knowledge and abilities in the areas of defensive network infrastructure, packet analysis, penetration testing, incident handling and malware removal.
• Incident handling and computer crime investigation
• Computer and network hacker exploits
• Hacker tools (Nmap, Nessus, Metasploit and Netcat)

sans.org/SEC501
SEC503: Network Monitoring and Threat Detection In-Depth
GIAC Certification: GCIA Intrusion Analyst (giac.org/gcia)
6 Day Program | 46 CPEs | Laptop Required

SEC503 is the most important course that you will take in your information security career – past students describe it as the most difficult but most rewarding course they’ve ever taken. If you want to be able to perform effective threat hunting to find zero-day activities on your network before public disclosure, this is definitely the course for you. SEC503 is not for people looking to understand alerts generated by an out-of-the-box network monitoring tool; rather, it is for those who want to deeply understand what is happening on their network today, and who suspect that there are very serious things happening right now that none of their tools are telling them about.

What sets SEC503 apart from any other course in this space is that we take a bottom-up approach to teaching network monitoring and network forensics, which leads naturally to effective threat hunting. Rather than starting with a tool and teaching you how to use it in different situations, this course teaches you how and why TCP/IP protocols work the way they do. The first two sections present what we call “Packets as a Second Language,” then we move to presenting common application protocols and a general approach to researching and understanding new protocols. Throughout the discussion, direct application of this knowledge is made to identify both zero-day and known threats.

With this deep understanding of how network protocols work, we turn our attention to the most important and widely used automated threat detection and mitigation tools in the industry. You will learn how to develop efficient detection capabilities with these tools, and you’ll come to understand what existing rules are doing and identify whether they are useful. The result is that you will leave this course with a clear understanding of how to instrument your network and perform detailed threat hunting, incident analysis, network forensics, and reconstruction.

What makes SEC503 as important as we believe it is (and students tell us it is) is that we force you to develop your critical thinking skills and apply them to these deep fundamentals. This results in a much deeper understanding of practically every security technology used today. Preserving the security of your network in today’s threat environment is more challenging than ever, especially as you migrate more and more services into the cloud. The security landscape is continually changing from what was once only perimeter protection to protecting exposed and mobile systems that are almost always connected and sometimes vulnerable.

Some of the specific technical knowledge and hands-on training in SEC503 covers the underlying theory of TCP/IP and the most used application protocols, such as DNS and HTTP, enabling you to intelligently examine network traffic for signs of compromise or zero-day threat. You will get plenty of practice learning to master a variety of tools, including tcpdump, Wireshark, Snort, Suricata, Zeek, tshark, SiLK, and NetFlow/IPFIX. Daily hands-on exercises suitable for all experience levels reinforce the course book material so that you can transfer knowledge to execution, and evening Bootcamp sessions force you to apply the theory learned during the day to real-world problems immediately. Basic exercises include assistive hints while advanced options provide a more challenging experience for students who may already know the material or who have quickly mastered new material.

SEC503 is most appropriate for students who monitor, defend, and conduct threat hunting on their network, including security analysts and those who work in Security Operations Centers, although red team members often tell us that the course also ups their game, especially when it comes to avoiding detection.

You Will Be Able To
• Configure and run Snort and Suricata
• Create and write effective and efficient Snort, Suricata and FirePOWER rules
• Configure and run open-source Zeek to provide a hybrid traffic analysis framework
• Create automated threat hunting correlation scripts in Zeek
• Understand TCP/IP component layers to identify normal and abnormal traffic for threat identification
• Use traffic analysis tools to identify signs of a compromise or active threat
• Perform network forensics to investigate traffic to identify TTPs and find active threats
• Carve out files and other types of content from network traffic to reconstruct events
• Create BPF filters to selectively examine a particular traffic trait at scale
• Craft packets with Scapy
• Use NetFlow/IPFIX tools to find network behavior anomalies and potential threats
• Use your knowledge of network architecture and hardware to customize placement of network monitoring sensors and sniff traffic off the wire

GIAC Certified Intrusion Analyst
The GIAC Intrusion Analyst certification validates a practitioner’s knowledge of network and host monitoring, traffic analysis, and intrusion detection. GCIA certification holders have the skills needed to configure and monitor intrusion detection systems, and to read, interpret, and analyze network traffic and related log files.
• Fundamentals of Traffic Analysis and Application Protocols
• Open-Source IDS: Snort and Zeek (formerly Bro)
• Network Traffic Forensics and Monitoring

sans.org/SEC503
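The SEC503 objectives above talk about reading TCP/IP layer by layer, telling normal traffic from abnormal traffic, and writing BPF filters. The Python below is an illustration added to this page and is not SANS course material: with the standard library only it decodes a constructed Ethernet/IPv4/TCP frame field by field, recomputes the IPv4 header checksum instead of trusting it, applies a few header sanity checks an analyst would make before believing a packet (SYN and FIN together, NULL and Xmas flag patterns, port 0, data on a bare SYN, a stale checksum), and evaluates a small BPF-style predicate over the decoded fields. The three sample frames, the MAC and IP addresses in them, and all function names are assumptions made for the example.

```python
"""Hand-decode an Ethernet/IPv4/TCP frame and flag header anomalies.
Added illustration for the SEC503 objectives, not SANS course material.
Standard library only; the sample frames below are constructed, not captured."""
import struct

ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6
TCP_FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR", "NS"]


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum over 16-bit words; a valid IPv4 header yields 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def decode_frame(frame: bytes) -> dict:
    """Parse Ethernet II, IPv4 and TCP headers; ValueError if the frame is
    not IPv4/TCP or is shorter than the lengths its own header fields claim."""
    if len(frame) < 34:
        raise ValueError("frame too short for Ethernet + IPv4 headers")
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("not IPv4: ethertype 0x%04x" % ethertype)
    ip = frame[14:]
    (ver_ihl, _tos, total_len, _id, flags_frag, ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(ip) < total_len or total_len < ihl + 20:
        raise ValueError("bad IPv4 version or length fields")
    if proto != PROTO_TCP:
        raise ValueError("not TCP: protocol %d" % proto)
    tcp = ip[ihl:total_len]
    sport, dport, seq, ack, off_flags, window, _tcsum, _urg = \
        struct.unpack("!HHIIHHHH", tcp[:20])
    data_off = (off_flags >> 12) * 4
    return {
        "src_mac": src_mac.hex(":"), "dst_mac": dst_mac.hex(":"),
        "src_ip": ".".join(map(str, src)), "dst_ip": ".".join(map(str, dst)),
        "ttl": ttl, "df": bool(flags_frag & 0x4000),
        "ip_csum_ok": ones_complement_sum(ip[:ihl]) == 0,  # recomputed, not trusted
        "sport": sport, "dport": dport, "seq": seq, "ack": ack, "window": window,
        "flags": [n for i, n in enumerate(TCP_FLAG_NAMES) if off_flags & (1 << i)],
        "data_off": data_off, "payload": tcp[data_off:],
    }


def find_anomalies(pkt: dict) -> list:
    """Header sanity checks an analyst makes before trusting a packet."""
    f, issues = set(pkt["flags"]), []
    if not pkt["ip_csum_ok"]:
        issues.append("IPv4 header checksum mismatch")
    if pkt["data_off"] < 20:
        issues.append("TCP data offset below the 20-byte minimum")
    if {"SYN", "FIN"} <= f:
        issues.append("SYN and FIN set together (never legitimate)")
    if not f:
        issues.append("no TCP flags set (NULL scan)")
    if {"FIN", "PSH", "URG"} <= f and "ACK" not in f:
        issues.append("FIN/PSH/URG without ACK (Xmas scan)")
    if "SYN" in f and "ACK" not in f and pkt["payload"]:
        issues.append("payload carried on an initial SYN")
    if 0 in (pkt["sport"], pkt["dport"]):
        issues.append("TCP port 0")
    return issues


def bpf_like(pkt: dict, **want) -> bool:
    """Minimal BPF-style predicate, e.g. bpf_like(p, dport=80, flags=["SYN"])."""
    return all(set(v) <= set(pkt["flags"]) if k == "flags" else pkt.get(k) == v
               for k, v in want.items())


def build_frame(src_ip, dst_ip, sport, dport, tcp_flags, payload=b"", ttl=64):
    """Assemble a well-formed frame (constructed test data). The IPv4 checksum
    is filled in; the TCP checksum stays zero since only the IP header is checked."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, 1000, 0, (5 << 12) | tcp_flags,
                      1024, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, ttl,
                     PROTO_TCP, 0, bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    ip = ip[:10] + struct.pack("!H", ones_complement_sum(ip)) + ip[12:]
    return bytes.fromhex("001122334455" "66778899aabb") + \
        struct.pack("!H", ETHERTYPE_IPV4) + ip + tcp


# Constructed sample frames with assumed addresses, not captured traffic.
NORMAL_SYN = build_frame("10.0.0.1", "10.0.0.2", 40000, 80, 0x02)  # SYN only
SYN_FIN = build_frame("10.0.0.1", "10.0.0.2", 40001, 22, 0x03)     # SYN|FIN
CORRUPTED = bytearray(NORMAL_SYN)
CORRUPTED[14 + 8] ^= 0xFF  # flip the IPv4 TTL byte; the checksum is now stale
CORRUPTED = bytes(CORRUPTED)

if __name__ == "__main__":
    for p in map(decode_frame, (NORMAL_SYN, SYN_FIN, CORRUPTED)):
        print("%s:%d -> %s:%d [%s]" % (p["src_ip"], p["sport"], p["dst_ip"],
              p["dport"], "+".join(p["flags"]) or "none"),
              "; ".join(find_anomalies(p)) or "OK")
```

Run it and the SYN-only frame comes back clean, the SYN|FIN frame is flagged as a combination no real stack emits, and the frame with the altered TTL is caught by the recomputed checksum rather than by anything in the TCP layer. The point of recomputing rather than reading the checksum field is the same one the course makes about tools: a field in a packet is a claim the sender makes, and the analyst's job is to verify it against the bytes.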
SEC505: Securing Windows and PowerShell Automation
GIAC Certification: GCWN Windows Security

sans.org/SEC505
SEC511: Continuous Monitoring and Security Operations
GIAC Certification: GMON Continuous Monitoring (giac.org/gmon)

sans.org/SEC511
SEC530: Defensible Security Architecture and Engineering: Implementing Zero Trust for the Hybrid Enterprise
GIAC Certification: GDSA Defensible Security Architecture

Multiple hands-on labs conducted daily will reinforce key points in the course and provide actionable skills that students will be able to leverage as soon as they return to work.

Business Takeaways
• Identify and comprehend deficiencies in security solutions
• Design and implement Zero Trust strategies leveraging current technologies and investment
• Maximize existing investment in security architecture by reconfiguring existing technologies
• Layer defenses to increase protection time while increasing the likelihood of detection
• Improved prevention, detection, and response capabilities
• Reduced attack surface

• Defensible Security Architecture: network-centric and data-centric approaches
• Network Security Architecture: hardening applications across the TCP/IP stack
• Zero Trust Architecture: secure environment creation with private, hybrid or public clouds

GIAC Defensible Security Architecture
“The GIAC Defensible Security Architecture (GDSA) certificate is an industry certification that proves an individual is capable of looking at an enterprise defense holistically. A GDSA no longer emphasizes security through a single control but instead applies multiple controls ranging from network security, cloud security, and data-centric security approaches to properly prevent, detect, and respond. The end result is defense-in-depth that is maintainable and works.”
— Justin Henderson, SEC530 Course Author

“SEC530 provided an excellent understanding of application attacks and how to protect against them.”
— Shayne Douglass, AMEWAS Inc.

sans.org/SEC530
SEC555: SIEM with Tactical Analytics
GCDA: Detection Analyst
giac.org/gcda
6 Day Program | 46 CPEs | Laptop Required
Many organizations have logging capabilities but lack the people and processes to analyze them. In addition, logging systems collect vast amounts of data from a variety of data sources that require an understanding of those sources for proper analysis. This class is designed to provide students with the training, methods, and processes to enhance existing logging solutions. The class will also help you understand the when, what, and why behind the logs. This is a lab-heavy course that utilizes SOF-ELK, a SANS-sponsored free Security Information and Event Management (SIEM) solution, to provide hands-on experience and the mindset for large-scale data analysis.
Today, security operations do not suffer from a “Big Data” problem but rather a “Data Analysis” problem. Let’s face it, there are multiple ways to store and process large amounts of data without any real emphasis on gaining insight into the information collected. Added to that is the daunting idea of an infinite list of systems from which one could collect logs. It is easy to get lost in the perils of data saturation. This class moves away from the typical churn-and-burn log systems and moves instead towards achieving actionable intelligence and developing a tactical Security Operations Center (SOC).
This course is designed to demystify the SIEM architecture and process by navigating the student through the steps of tailoring and deploying a SIEM to full SOC integration. The material will cover many bases in the “appropriate” use of a SIEM platform to enrich readily available log data in enterprise environments and extract actionable intelligence. Once the information is collected, the student will be shown how to present the gathered input into usable formats to aid in eventual correlation. Students will then iterate through events to analyze key components that will allow them to learn how rich this information is, how to correlate the data, how to start investigating based on the aggregate data, and finally, how to go hunting with this newly gained knowledge. They will also learn how to deploy internal post-exploitation tripwires and breach canaries to nimbly detect sophisticated intrusions. Throughout the course, the text and labs will not only show how to manually perform these actions, but also how to automate many of the processes mentioned so students can employ these tasks the day they return to the office.
The underlying theme is to actively apply Continuous Monitoring and analysis techniques by utilizing modern cyber threat attacks. Labs will involve replaying captured attack data to provide real-world results and visualizations.
You Will Be Able To
• Deploy the SANS SOF-ELK VM in production environments
• Demonstrate ways most SIEMs commonly lag current open source solutions (e.g. SOF-ELK)
• Bring students up to speed on SIEM use, architecture, and best practices
• Know what type of data sources to collect logs from
• Deploy a scalable logs solution with multiple ways to retrieve logs
• Operationalize ordinary logs into tactical data
• Develop methods to handle billions of logs from many disparate data sources
• Understand best practice methods for collecting logs
• Dig into log manipulation techniques challenging many SIEM solutions
• Build out graphs and tables that can be used to detect adversary activities and abnormalities
• Combine data into active dashboards that make analyst review more tactical
• Utilize adversary techniques against them by using frequency analysis in large data sets
• Develop baselines of network activity based on the log data and users and devices
• Develop baselines of Windows systems with the ability to detect changes from the baseline
• Apply multiple forms of analysis such as long tail analysis to find abnormalities
• Correlate and combine multiple data sources to achieve more complete understanding
• Provide context to standard alerts to help understand and prioritize them
• Use log data to establish security control effectiveness
• Implement log alerts that create virtual tripwires for early breach detection
• Understand how to handle container monitoring and log collection
• Baseline and find unauthorized changes in cloud environments
• Integrate and write custom scripts against a SIEM
Business Takeaways
• Use log data to establish security control effectiveness
• Combine data into active dashboards that make analyst review more tactical
• Simplify the handling and filtering of the large amount of data generated by both servers and workstations
• Apply large data analysis techniques to sift through massive amounts of endpoint data
• Quickly detect and respond to the adversary
• SIEM Architecture and SOF-ELK
• Service Profiling, Advanced Endpoint Analytics, Baselining and User Behavior Monitoring
• Tactical SIEM Detection and Post-Mortem Analysis
GIAC Certified Detection Analyst
“The GIAC Certified Detection Analyst (GCDA) is an industry certification that proves an individual knows how to collect, analyze, and tactically use modern network and endpoint data sources to detect malicious or unauthorized activity. This certification shows individuals not only know how to wield tools such as Security Information and Event Management (SIEM) but that they know how to use tools to turn attacker strengths into attacker weaknesses.”
— Justin Henderson, SEC555 Course Author
“This course uses real-world events and hands-on training to allow me to immediately improve my organization’s security stance. Day one back in the office I was implementing what I learned.”
— Frank Giachino, Bechtel
Certification: GIAC Certified Detection Analyst (GCDA)
• Watch a preview of this course
• Discover how to take this course: Online, In-Person
sans.org/SEC555
giac.org/gcda
SEC573: Automating Information Security with Python
GPYC: Python Coder
giac.org/gpyc
6 Day Program | 36 CPEs | Laptop Required
Python is a simple, user-friendly language that is designed to make it quick and easy to automate the tasks performed by security professionals. Whether you are new to coding or have been coding for years, SANS SEC573: Automating Information Security with Python will have you creating programs that make your job easier and your work more efficient. This self-paced course starts from the very beginning, assuming you have no prior experience or knowledge of programming. We cover all of the essentials of the language up front. If you already know the essentials, you will find that the pyWars lab environment allows advanced developers to quickly accelerate to more advanced course material.
All security professionals, including penetration testers, forensics analysts, network defenders, security administrators, and incident responders, have one thing in common: CHANGE. Change is constant. Technology, threats, and tools are constantly evolving. If we don’t evolve with them, we’ll become ineffective and irrelevant, unable to provide the vital defenses our organizations increasingly require.
Maybe your chosen Operating System has a new feature that creates interesting forensics artifacts that would be invaluable for your investigation, if only you had a tool to access it. Often for new features and forensics artifacts, no such tool has yet been released. You could try moving your case forward without that evidence or hope that someone creates a tool before the case goes cold...or you can write a tool yourself.
Or perhaps an attacker bypassed your defenses and owned your network months ago. If existing tools were able to find the attack, you wouldn’t be in this situation. You are bleeding sensitive data and the time-consuming manual process of finding and eradicating the attacker is costing you money and hurting your organization big time. The answer is simple if you have the skills: Write a tool to automate your defenses.
If you are a penetration tester, you need to evolve as quickly as the threats you are paid to emulate. What do you do when “off-the-shelf” tools and exploits fall short? If you’re good, you write your own tool.
SEC573 is designed to give you the skills you need to tweak, customize, or outright develop your own tools. We put you on the path to create your own tools, empowering you to better automate the daily routine of today’s information security professional and achieve more value in less time. Again and again, organizations serious about security emphasize their need for skilled tool builders. There is a huge demand for people who can understand a problem and then rapidly develop prototype code to attack or defend against it. Join us and learn Python in-depth and fully weaponized.
You Will Be Able To
• Leverage Python to perform routine tasks quickly and efficiently
• Automate log analysis and packet analysis with file operations, regular expressions, and analysis modules to find evil
• Develop forensics tools to carve binary data and extract new artifacts
• Read data from databases and the Windows Registry
• Interact with websites to collect intelligence
• Develop UDP and TCP client and server applications
• Automate system processes and process their output
GIAC Python Coder
The GIAC Python Coder (GPYC) certification validates a practitioner’s understanding of core programming concepts, and the ability to write and analyze working code using the Python programming language. GPYC certification holders have demonstrated knowledge of common Python libraries, creating custom tools, collecting information about a system or network, interacting with websites and databases, and automating testing.
• Python essentials: variable and math operations, strings and functions, and compound statements
• Data structures and programming concepts, debugging, system arguments, and argparser
• Python application development for pen testing: backdoors and SQL injection
Business Takeaways
This course will help your organization:
• Automate system processes and process their input quickly and efficiently
• Create programs that increase efficiency and productivity
• Develop tools to provide the vital defenses our organizations need
sans.org/SEC573
SEC586: Blue Team Operations: Defensive PowerShell
SEC586: Security Automation with PowerShell
6 Day Program | 36 CPEs | Laptop Required
Effective Blue Teams work to harden infrastructure, minimize time to detection, and enable real-time response to keep pace with modern adversaries. Automation is a key component to facilitate these capabilities, and PowerShell can be the glue that holds together and enables the orchestration of this process across disparate systems and platforms to effectively act as a force multiplier for Blue Teams. This course will enable Information Security professionals to leverage PowerShell to build tooling that hardens systems, hunts for threats, and responds to attacks immediately upon discovery.
PowerShell is uniquely positioned for this task of enabling Blue Teams. It acts as an automation toolset that functions across platforms and it is built on top of the .NET framework for nearly limitless extensibility. SEC586 maximizes the use of PowerShell in an approach based specifically on Blue Team use cases.
Students will learn:
• PowerShell scripting fundamentals from the ground up in terms of PowerShell’s capabilities as a defensive toolset
• Ways to maximize performance of code across dozens, hundreds, or thousands of systems
• Modern hardening techniques using Infrastructure-as-Code principles
• How to integrate disparate systems for multi-platform orchestration
• PowerShell-based detection techniques ranging from Event Tracing for Windows to baseline deviation and deception
• Response techniques leveraging PowerShell-based automation
This course is meant to be accessible to beginners who are new to the PowerShell scripting language as well as to seasoned veterans looking to round out their skillset. Language fundamentals are covered in-depth, with hands-on labs to enable beginning students to become comfortable with the platform. For skilled PowerShell users who already know the basics, the material is meant to solidify knowledge of the underlying mechanics while providing additional challenges to further this understanding.
The PowerPlay platform built into the lab environment enables practical, hands-on drilling of concepts to ensure understanding, promote creativity, and provide a challenging environment for anyone to build on their existing skillset. PowerPlay consists of challenges and questions mapping back to and extending the course material.
Between the course material and the PowerPlay bonus environment, SEC586 students will leave the course well equipped with the skills to automate everyday cyber defense tasks. You will return to work ready to implement a new set of skills to harden your systems and accelerate your capabilities to more immediately detect and respond to threats.
Author Statement
“My Information Security experience has taught me that human analysis is a critical attribute of effective cyber defense. Yet, the very people who are critical to preventing, discovering, and responding to threats are often bogged down with manual work that, while it needs to be done, is done at the expense of more advanced efforts. At the same time, we’re facing a critical personnel and skills shortage in Information Security, and many organizations are struggling to fill open positions.
The immediate answer to these problems is automation. PowerShell is a cross-platform automation engine that is uniquely positioned for this task. Blue Teams can transform their everyday operations by automating wherever possible. System auditing and hardening tasks can be streamlined via configuration as code and substantial automation, leaving room for professionals to interpret reporting and work on higher-level tasks. Detection and response tasks can also be significantly improved. Data aggregation and analysis can be performed automatically, leaving analysts with pre-filtered data of interest to aid in detection. For response, a pre-built toolkit can enable near real-time response actions such as quarantining systems on the network, interrogating suspicious hosts for more information, capturing artifacts for forensic analysis, or even automatically remediating common issues.
SEC586 is designed to help teams raise the bar and spend time on what will provide the most value to their organizations. Deep automation alongside capable professionals flips the script and makes organizations a dangerous target for their adversaries.”
—Josh Johnson
Prerequisites
• Basic understanding of programming concepts
• Basic understanding of information security principles
sans.org/SEC586
SEC587: Advanced Open-Source Intelligence (OSINT) Gathering and Analysis
6 Day Program | 36 CPEs | Laptop Required
SANS SEC587 is an advanced Open-Source Intelligence (OSINT) course for those who already know the foundations of OSINT. The goal is to provide students with more in-depth and technical OSINT knowledge. Students will learn OSINT skills and techniques that law enforcement, intelligence analysts, private investigators, journalists, penetration testers and network defenders use in their investigations.
Open-source intelligence collection and analysis techniques are increasingly useful in a world where more and more information is added to the internet every day. With billions of internet users sharing information on themselves, their organizations, and people and events they have knowledge of, the internet is a resource-rich environment for intelligence collection. SEC587 is designed to teach you how to efficiently utilize this wealth of information for your own investigations.
SEC587 will take your OSINT collection and analysis abilities to the next level, whether you are involved in intelligence analysis, criminal and fraud investigations, or just curious about how to find out more about anything! SEC587 is replete with hands-on exercises, real-world scenarios, and interaction with live internet and dark web data sources.
This course is also blended with all the fundamentals an OSINT analyst will need to learn, understand and apply basic coding in languages such as Python, JSON, and shell utilities, as well as interacting with APIs for automating your OSINT processes.
You Will Be Able To
• Take a deeper dive into finding, collecting, and analyzing information found on the internet
• Debug, understand, alter, and create your own OSINT-focused Python scripts
• Move and pivot around safely on the Dark Web
• Perform financial OSINT investigations
SEC587 students will learn effective OSINT methods and techniques including:
• Structured intelligence analysis
• Rating the reliability of information and its sources
• Researching sensitive and secretive groups
• Practical and advanced image and video analysis and verification
• Dark web and criminal underground investigations
• Operational Security (OPSEC) for OSINT
• Fact-checking and analysis of disinformation and misinformation
• Knowing cryptocurrency fundamentals and tracking
• Using basic coding to facilitate information collection and analysis
• Interacting with APIs for data collection and filtering
• Conducting internet monitoring
• Automation techniques to support OSINT processes
“This would be a valuable course for any cybersecurity professional. The subjects and tools in this class are invaluable. I have not seen navigating the Dark Web being taught anywhere else.”
—Mark Styron
sans.org/SEC587
SEC595: Applied Data Science and Machine Learning for Cybersecurity Professionals
SEC595: AI, Applied Data Science, and Machine Learning for Cybersecurity Professionals
6 Day Program | 36 CPEs | Laptop Required
Data Science, Artificial Intelligence, and Machine Learning aren’t just the current buzzwords, they are fast becoming one of the primary tools in our information security arsenal. The problem is that, unless you have a degree in mathematics or data science, you’re likely at the mercy of the vendors. This course completely demystifies machine learning and data science. More than 70% of the time in class is spent solving machine learning and data science problems hands-on rather than just talking about them.
Unlike other courses in this space, this course is squarely centered on solving information security problems. Where other courses tend to be at the extremes, teaching almost all theory or solving trivial problems that don’t translate into the real world, this course strikes a balance. We cover only the theory and math fundamentals that you absolutely must know, and only in so far as they apply to the techniques that we then put into practice. The course progressively introduces and applies various statistical, probabilistic, or mathematical tools (in their applied form), allowing you to leave with the ability to use those tools. The hands-on projects covered were selected to provide you a broad base from which to build your own machine learning solutions.
You Will Be Able To
• Apply statistical models to real world problems in meaningful ways
• Generate visualizations of your data
• Perform mathematics-based threat hunting on your network
• Understand and apply unsupervised learning/clustering methods
• Build deep learning Neural Networks
• Build and understand convolutional Neural Networks
• Understand and build genetic search algorithms
• Build AI anomaly detection tools
• Model information security problems in useful ways
• Build useful visualization dashboards
• Solve problems with Neural Networks
Business Takeaways
• Generate useful visualization dashboards
• Solve problems with Neural Networks
• Improve the effectiveness, efficiency, and success of cybersecurity initiatives
• Build custom machine learning solutions for your organization’s specific needs
Major topics covered include:
• Data acquisition from SQL, NoSQL document stores, web scraping, and other common sources
• Data exploration and visualization
• Descriptive statistics
• Inferential statistics and probability
• Bayesian inference
• Unsupervised learning and clustering
• Deep learning neural networks
• Autoencoders
• Loss functions
• Convolutional networks
• Embedding layers
Author Statement
“AI and machine learning are everywhere. How do the vendor solutions work? Is this really black magic? I wrote this course to fill an enormous knowledge gap in our field. I believe that if you are going to use a tool, you should understand how that tool works. If you don’t, you don’t really know what the results mean or why you are getting them. This course provides you a crash-course in statistics, mathematics, Python, and machine learning, taking you from zero to...I’m reluctant to promise ‘Hero...’ Let’s say competent who-can-solve-real-problems-today person!”
—David Hoelzer
sans.org/SEC595
Trust SANS to Bring Security Awareness to Your Workforce
SANS is the most trusted and largest source for information security training and security certification in the world—leverage our best-in-class Security Awareness solutions to transform your organization’s ability to measure and manage human risk.
Expertly-created comprehensive training builds a powerful program that embodies organizational needs and learning levels.
Cyber Risk Insight Suite™
- Culture Assessment
- Knowledge Assessment
- Behavioral Assessment
EndUser Training
Phishing Platform
Specialized Training
- Developer Training
- ICS Engineering Training
- NERC CIP Training
- Healthcare Training
“In one week, my instructor built a bridge from typical vulnerability scanning to the true art of penetration testing. Thank you SANS for making myself and my company much more capable in information security.”
—Mike Dozier, Savannah River Nuclear Solutions
Offensive Operations Job Roles:
• System/Network Penetration Tester
• Application Penetration Tester
• Incident Handler
• Vulnerability Researcher
• Exploit Developer
• Red Teamer
• Mobile Security Manager
SEC460: Enterprise and Cloud Vulnerability Assessment
GEVA: Enterprise
sans.org/SEC460
SEC467: Social Engineering for Security Professionals
2 Day Course | 12 CPEs | Laptop Required
Social engineering is an amazingly effective technique that has one important advantage over many other attacks: it allows adversaries or testers to bypass many of the technological controls in an environment by enabling them to act as, or with the assistance of, a trusted insider.
Any organization that employs humans is subject to risk. Social engineering allows the adversary to achieve a foothold in environments where technical controls may have made gaining such a foothold very difficult. Successful social engineering utilizes psychological principles and technical techniques to measure your success, manage the associated risk, and prepare an organization for social engineering attacks.
SEC467: Social Engineering for Security Professionals provides the blend of knowledge required to add social engineering skills to your penetration testing portfolio. The course provides tools and techniques for testers to identify flaws in their environments that are vulnerable to social engineering attacks. Defenders taking this course will note common tools and techniques that will enable them to prepare responses and countermeasures within their organizations. SEC467 covers the principles of persuasion and the psychological foundations required to craft effective attacks. It then bolsters that information with numerous examples of what works, drawing on the experiences of both cyber criminals as well as the course authors. You will learn how to perform recon on targets using a wide variety of sites and tools, create and track phishing campaigns, and develop media payloads that effectively demonstrate compromise scenarios. You will also learn how to conduct pretexting exercises. We’ll wrap up the course with a fun Capture-the-Human exercise to put what you have learned into practice. This is the perfect course to open up new attack possibilities, better understand the human vulnerability in attacks, and practice snares that have proven themselves in tests time and time again.
You Will Learn
• The psychological underpinnings of social engineering
• How to successfully execute your first social engineering test in your company or as a consultant
• Social engineering knowledge to develop new variations of attacks or increase your snare rate
• How to manage some of the ethical and risk challenges associated with social engineering engagements
• How to enhance other penetration testing disciplines by understanding human behavior and how to exploit it
Who Should Attend
• Penetration testers looking to increase their testing breadth and effectiveness
• Security defenders looking to enhance their understanding of attack techniques to improve their defenses
• Staff responsible for security awareness and education campaigns who want to understand how cyber criminals persuade their way through their defenses
Section Descriptions
SECTION 1: Social Engineering Fundamentals, Recon, and Phishing
Section one of the course introduces you to key social engineering concepts, the goals of social engineering, and a myriad of reconnaissance tools to help prepare you for successful campaigns. We complete the section with exercises centered around the most popular and scalable form of social engineering: phishing. Each exercise includes how to execute the attack, what works and what doesn’t, and how to report on the attack to help the organization improve its defenses.
TOPICS: Psychology of Social Engineering; Targeting and Recon; Secure and Convincing Phishing; Tracking Clicks; Secure Phishing Forms
SECTION 2: Media Drops and Payloads, Pretexting, Physical Testing, and Reporting
Section 2 builds on the principles covered in the previous section to focus heavily on payloads for your social engineering engagements. We will cover how to avoid detection, limit the risk of your payloads causing issues, and build a bespoke payload that works and looks the part of your selected snare. We will then introduce another powerful skill with pretexting and cover how it can be combined to get payloads running. We end the section with a Capture-the-Human exercise in which students can apply their newly found skills and with a look at the top do’s and don’ts in an engagement.
TOPICS: USB and Media Drops; Building a Payload; Clicks That Work; Successful Pretexting; Tailgating and Physical Access; Social Engineering Reports; Social Engineering: Where It All Fits; Risky Business
Author Statement
“Social engineering has always been a critical part of the cyber criminals’ toolkit and has been at the core of innumerable attacks over the years. Organizations are taking significant interest in social engineering as a part of penetration testing, yet many penetration testers do not have social engineering skills in their attack toolkit. We are passionate about changing that and opening up a new set of attack possibilities. That being said, this is an area filled with ethical challenges, risks, and even legal landmines. So we’ve done our best to share our experiences in the course in a way that enables people to reap the benefits of our experiences without enduring the pitfalls we have dealt with over the years.”
—Dave Shackleford and James Leyte-Vidal
sans.org/SEC467
SEC504: Hacker Tools, Techniques, and Incident Handling
GCIH Incident Handler
giac.org/gcih
6 Day Program | 38 CPEs | Laptop Required

The goal of modern cloud and on-premises systems is to prevent compromise, but the reality is that detection and response are critical. Keeping your organization out of the breach headlines depends on how well incidents are handled to minimize loss to the company.

In SEC504, you will learn how to apply a dynamic approach to incident response. Using indicators of compromise, you will practice the steps to effectively respond to breaches affecting Windows, Linux, and cloud platforms. You will be able to take the skills and hands-on experience gained in the course back to the office and apply them immediately.

A big focus in SEC504 is applying what you learn with hands-on exercises: 50% of the course is hands-on where you will attack, defend, and assess the damage done by threat actors. You will work with complex network environments, real-world host platforms and applications, and complex data sets that mirror the kind of work you may be asked to do. You never lose access to the lab exercises, and they can be repeated as often as you like. All lab exercises come with detailed walkthrough video content to help reinforce the learning concepts in the course.

Understanding the steps to effectively conduct incident response is only one part of the equation. To fully grasp the actions attackers take against an organization, from initial compromise to internal network pivoting, you also need to understand their tools and techniques. In the hands-on environment provided by SEC504, you’ll use the tools of the attackers themselves in order to understand how they are applied and the artifacts the attackers leave behind. By getting into the mindset of attackers, you will learn how they apply their trade against your organization, and you’ll be able to use that insight to anticipate their moves and build better defenses.

SEC504 can be taken in Japanese language with Japanese textbooks.

You Will Learn
• How to apply a dynamic approach to incident response
• How to identify threats using host, network, and log analysis
• Best practices for effective cloud incident response
• Cyber investigation processes using live analysis, network insight, and memory forensics
• Defense spotlight strategies to protect critical assets
• Attacker techniques to evade endpoint detection tools
• How attackers exploit complex cloud vulnerabilities
• Attacker steps for internal discovery and lateral movement after an initial compromise
• The most effective attacks to bypass system access controls
• The crafty techniques attackers use, and how to stop them

Author Statement
“Attacker tools and techniques have changed, and we need to change our incident response techniques to match. Since I took over as author of SEC504 in 2019, I have rewritten the entire course to give you the skills you need to succeed at incident response. Whether the attacks are Windows-focused or involve attacking critical database platforms or exploiting cloud vulnerabilities, you’ll be prepared to effectively identify the attack, minimize the impact, and respond efficiently. With your knowledge of hacker tools and techniques, and by using defense skills that dramatically improve security, you will be ready to become the subject-matter expert your organization needs to meet today’s cyber threats.”
—Joshua Wright

GIAC Certified Incident Handler
The GIAC Incident Handler certification validates a practitioner’s ability to detect, respond, and resolve computer security incidents using a wide range of essential security skills. GCIH certification holders have the knowledge needed to manage security incidents by understanding common attack techniques, vectors and tools, as well as defend against and respond to such attacks when they occur.
• Incident Handling and Computer Crime Investigation
• Computer and Network Hacker Exploits
• Hacker Tools (Nmap, Nessus, Metasploit and Netcat)

“SEC504 is a great class overall that is perfect for pen testers and defenders alike. It has greatly helped me understand how attackers think, how they gather information, and how they maintain and gain control of systems.”
—Evan Brunk, Acuity Insurance

“Great content! As a developer it is extremely useful to understand exploits and how better coding practices help your security position.”
—Alex Colclough, Clayton Homes
sans.org/SEC504 39
SEC542: Web App Penetration Testing and Ethical Hacking
GWAPT
Web Application
6 Day Program | 36 CPEs | Laptop Required

Web applications play a vital role in every modern organization. But, if your organization does not properly test and secure its web apps, adversaries can compromise these applications, damage business functionality, and steal data. Unfortunately, many organizations operate under the mistaken impression that a web application security scanner will reliably discover flaws in their systems. SEC542 helps students move beyond push-button scanning to professional, thorough, high-value web application penetration testing.

Customers expect web applications to provide significant functionality and data access. Even beyond the importance of customer-facing web applications, internal web applications increasingly represent the most commonly used business tools within any organization. Unfortunately, there is no “patch Tuesday” for custom web applications, so major industry studies find that web application flaws play a major role in significant breaches and intrusions. Adversaries increasingly focus on these high-value targets either by directly abusing public-facing applications or by focusing on web apps as targets after an initial break-in.

SEC542 enables students to assess a web application’s security posture and convincingly demonstrate the business impact should attackers exploit discovered vulnerabilities.

Modern cyber defense requires a realistic and thorough understanding of web application security issues. Anyone can learn to sling a few web hacks, but effective web application penetration testing requires something deeper.

SEC542 gives novice students the information and skills to become expert penetration testers with practice, and fills in all the foundational gaps for individuals with some penetration testing background.

Students will come to understand common web application flaws, as well as how to identify and exploit them with the intent of demonstrating the potential business impact. Along the way, students follow a field-tested and repeatable process to consistently find flaws. Information security professionals often struggle with helping their organizations understand risk in terms relatable to business. The goal of SEC542 is to better secure organizations through penetration testing, and not just show off hacking skills. The course will help students demonstrate the true impact of web application flaws not only through exploitation but also through proper documenting and reporting.

SEC542 focuses heavily on in-depth, hands-on labs to ensure that students can immediately apply all they learn.

In addition to walking students through a web app penetration using more than 30 formal hands-on labs, the course culminates in a web application pen test tournament, powered by the SANS Netwars cyber range. This Capture-the-Flag event groups students into teams to apply their newly acquired command of web application penetration testing techniques in a fun way that hammers home lessons learned throughout the course.

You Will Be Able To
• Apply OWASP’s methodology to your web application penetration tests to ensure they are consistent, reproducible, rigorous, and under quality control
• Analyze the results from automated web testing tools to validate findings, determine their business impact, and eliminate false positives
• Manually discover key web application flaws
• Use Python to create testing and exploitation scripts during a penetration test
• Discover and exploit SQL Injection flaws to determine true risk to the victim organization
• Understand and exploit insecure deserialization vulnerabilities with ysoserial and similar tools
• Create configurations and test payloads within other web attacks
• Fuzz potential inputs for injection attacks with ZAP, Burp’s Intruder and ffuf
• Explain the impact of exploitation of web application flaws
• Analyze traffic between the client and the server application using tools such as the Zed Attack Proxy and BurpSuite Pro to find security issues within the client-side application code
• Manually discover and exploit Cross-Site Request Forgery (CSRF) attacks
• Manually discover and exploit Server-Side Request Forgery (SSRF) attacks
• Use the Browser Exploitation Framework (BeEF) to hook victim browsers, attack client software and the network, and evaluate the potential impact that XSS flaws have within an application
• Use the Nuclei tool to perform scans of target web sites/servers
• Perform two complete web penetration tests, one during the five sections of course instruction, and the other during the Capture-the-Flag exercise

Business Takeaways:
• Apply a repeatable methodology to deliver high-value penetration tests
• Discover and exploit key web application flaws
• Explain the potential impact of web application vulnerabilities
• Convey the importance of web application security to an overall security posture
• Wield key web application attack tools more efficiently
• Write web application penetration test reports

“Every day of SEC542 gives you invaluable information from real-world testing you cannot find in a book.”
—David Fava, The Boeing Company
40 sans.org/SEC542
SEC554: Blockchain and Smart Contract Security
5 Day Program | 30 CPEs | Laptop Required

In 2008, an anonymous author, under the pseudonym Satoshi Nakamoto, published a white paper outlining a public transaction ledger for a decentralized peer-to-peer payment system entitled Bitcoin: A Peer-to-Peer Electronic Cash System, which is regarded as the “birth” of blockchain. Since then, the use of blockchain has evolved beyond its original implementation as a cryptocurrency. It has gained momentum in recent years, being adopted by some of the largest organizations in the world, including IBM, Amazon, PayPal, Mastercard, and Walmart. However, due to the relative newness of blockchain compared to more understood and traditional technologies, its use is still hindered by speculation, confusion, uncertainty, and risk.

In SEC554: Blockchain and Smart Contract Security, you will become familiar with essential topics of blockchain and smart contract technology, including its history, design principles, architecture, business use cases, regulatory environment, and technical specifications. The course takes a detailed look at the mechanics behind the cryptography and the transactions that make blockchain work. It provides exercises that will teach you how to use tools to deploy, audit, scan, and exploit blockchain and smart contract assets. Hands-on labs and exercises will enable you to interact with various blockchain implementations, such as ethereum and bitcoin, and you’ll be provided with resources to take with you to further explore.

There have already been widespread security breaches, fraud, and hacks on blockchain platforms, resulting in billions of dollars in losses. These issues, along with growing scrutiny by government agencies to find malicious users abusing the technology, is tarnishing blockchain’s reputation.

SEC554 approaches blockchain and smart contracts from an offensive perspective to inform students what vulnerabilities exist, how they are exploited, and how to defend against attacks that are currently leveraged today. Some of the skills and techniques you will learn are:
• How to interact with and get data from public blockchains
• How to exploit several types of smart contract vulnerabilities
• How to test and exploit weak cryptography/entropy
• How to discover and re-create private keys
• What cryptojackers do and how to trace and track movements on blockchain
• How to combat non-technical or social engineering types of attacks that adversaries use to access and steal from victims

We can see the many solutions blockchain technology can provide as a payment system, but as the technology is increasingly adopted, its attack surface will continue to grow. While there are some educational resources available for blockchain, there is relatively little educational content around blockchain security. No other training provides the comprehensive level of blockchain testing, exercises and knowledge that is delivered in SEC554.

You Will Be Able To
• Compile and deploy smart contracts
• Exploit vulnerable smart contracts, nodes, and private keys
• Run automated security scans on smart contracts
• Use the latest blockchain tools for development, security, auditing, and exploiting
• Trace and discover blockchain transaction information
• Set up and protect a cryptocurrency wallet
• Crack partially exposed mnemonics keys
• Send transactions to blockchain
• Set up a local ethereum blockchain for testing
• Join a cryptocurrency mining pool, or create your own mining node
• Run static analysis on EVM bytecode
• Interact with cryptocurrency on main and test networks
• Investigate, install, and prevent cryptojacking malware
• Protect and defend against privacy attacks on blockchain

“SEC554 gives an excellent education on the next big technological revolution, taught by the folks on the front lines.”
—Ravi Danesh, BMO Financial Group

Author Statement
“Blockchain is a revolutionary solution that solves multiple issues inherent in the social, economic, and technological challenges we face today. Decentralization and self-sovereignty are not just concepts, but fundamental ideals that should be made available and accessible for all to benefit from. But those processes need to be carried out responsibly and securely. In order to drive adoption, security must be a priority for all developers, users, or speculators interacting with blockchains or smart contracts. I’ve always thought the best way to protect something is to learn how to break it.”
—Steven Walbroehl

sans.org/sec554
• Watch a preview of this course
• Discover how to take this course: Online, In-Person
sans.org/SEC554 41

FOR710: Reverse-Engineering Malware: Advanced Code Analysis
5 Day Program | 36 CPEs | Laptop Required

As defenders hone their analysis skills and automated malware detection capabilities improve, malware authors have worked harder to achieve execution within the enterprise. The result is modular malware with multiple layers of obfuscation that executes in-memory to hinder detection and analysis. Malware analysts must be prepared to tackle these advanced capabilities and use automation whenever possible to handle the volume, variety and complexity of the steady stream of malware targeting the enterprise.

FOR710: Advanced Code Analysis continues where the FOR610: Reverse-Engineering Malware: Malware Analysis Tools and Techniques course leaves off, helping students who have already attained intermediate-level malware analysis capabilities take their reversing skills to the next level.

Authored by SANS Certified Instructor Anuj Soni, this course prepares malware specialists to dissect sophisticated Windows executables, such as those that dominate the headlines and preoccupy incident response teams across the globe. Developing deep reverse-engineering skills requires consistent practice. This course not only includes the necessary background and instructor-led walkthroughs, but also provides students with numerous opportunities to tackle real-world reverse engineering scenarios during class.

FOR710 Advanced Code Analysis will prepare you to:
• Tackle code obfuscation techniques that hinder static code analysis, including the use of steganography
• Identify the key components of program execution to analyze multi-stage malware in memory
• Locate and extract deobfuscated shellcode during program execution
• Develop comfort with non-executable file formats during malware analysis
• Probe the structures and fields associated with a PE header
• Use WinDBG Preview for debugging and assessing key process data structures in memory
• Identify encryption algorithms in ransomware used for file encryption and key protection
• Recognize Windows APIs that facilitate encryption and articulate their purpose
• Investigate data obfuscation in malware, pinpoint algorithm implementations, and decode underlying content
• Create Python scripts to automate data extraction and decryption
• Build rules to identify functionality in malware
• Use Dynamic Binary Instrumentation (DBI) frameworks to automate common reverse engineering workflows
• Write Python scripts within Ghidra to expedite code analysis
• Use Binary Emulation frameworks to simulate code execution

Course Topics
• Code deobfuscation
• Program execution analysis
• Shellcode
• Steganography
• Multi-stage malware
• WinDbg Preview
• Encryption algorithms
• Data obfuscation
• Python scripting for malware analysis
• Dynamic Binary Instrumentation (DBI) Frameworks
• Binary emulation frameworks
• Payload and config extraction
• Scripting with Ghidra
• YARA rules
• Yara-python
• SMDA disassembler

What You Will Receive
• Windows 10 VM with pre-installed analysis and reversing tools
• Real-world malware samples to examine during and after class
• Coursebooks and workbook with detailed step-by-step exercise instruction

“As malware gets more complicated, malware analysis has as well. In recent years, malware authors have accelerated their production of dangerous, undetected code using creative evasion techniques, robust algorithms, and iterative development to improve upon weaknesses. Proficient reverse engineers must perform in-depth code analysis and employ automation to peel back the layers of code, characterize high-risk functionality and extract obfuscated indicators.”
—Anuj Soni, Course Author

sans.org/for710
• Discover how to take this course: Online, In-Person
SEC556: IoT Penetration Testing
3 Day Course | 18 CPEs | Laptop Required

A growing trend in recent years has seen small-form factor computing devices increasingly accessing networks to provide connectivity to what typically used to be disconnected devices. While we can debate if your home appliances truly need Internet access, there is no debate that the Internet of Things (IoT) is here to stay. It allows for deeper connectivity of many devices that are indeed useful, with great benefits to homes and enterprises alike.

Unfortunately, with this proliferation of connected technology, many of these devices do not consider or only minimally consider security in the design process. While we have seen this behavior in other types of testing as well, IoT is different because it utilizes and mixes together many different technology stacks such as custom Operating System builds, web and API interfaces, various networking protocols (e.g., Zigbee, LoRA, Bluetooth/BLE, WiFi), and proprietary wireless. This wide range of diverse, poorly secured technology makes for a desirable pivot point into networks, opportunities for modification of user data, network traffic manipulation, and more.

SEC556 will familiarize you with common interfaces in IoT devices and recommend a process along with the Internet of Things Attack (IoTA) testing framework to evaluate these devices within many layers of the Open Systems Interconnection (OSI) model. From firmware and network protocol analysis to hardware implementation issues and all the way to application flaws, we will give you the tools and hands-on techniques to evaluate the ever-expanding range of IoT devices. The course approach facilitates examining the IoT ecosystem across many different verticals, from automotive technology to healthcare, manufacturing, and industrial control systems. In all cases, the methodology is the same but the risk model is different.

Once we have been empowered to understand each individual challenge, we can understand the need for more secure development and implementation practices with IoT devices.

You Will Be Able To
• Assess IoT network-facing controls, web applications, and API endpoints with an IoT focus
• Examine hardware to discover functionality and find interaction points and use them to obtain data from the hardware
• Uncover firmware from hardware and other means, and explore it for secrets and implementation failures
• Sniff, interact with, and manipulate WiFi, LoRA, and Zigbee wireless technologies and understand security failures in implementation
• Interact with Bluetooth Low Energy (BLE) for device manipulation
• Automate recovery of unknown radio protocols to perform replay attacks and additional analysis

You Will Receive With This Course
• BusPirate 3.6a and cable
• SPI Flash integrated circuit
• Solderless breadboard
• HackRF One with antenna
• HackRF ANT500 antenna
• USB Logic analyzer
• Dupont wires
• RaspberryPi 4 8G Vilros Kit (32 Gig SD card) (Note: this comes with a U.S. plug, so international students will need to bring an adapter)
• USB wireless adapter
• TP-Link Bluetooth Low Energy USB adapter
• 433Mhz IoT remote-controlled outlet (110/120V only, EU and APAC students will need to bring a voltage converter)
• A pair of CC2531 custom-flashed USB Zigbee adapters
• USB 3.0 4-port hub
• Ethernet cable
• Custom Slingshot Linux Virtual Machine
• Custom Raspberry Pi image (PIoT.01)

Authors Statement
“It has been amazing to watch the progression and widespread adoption of what we now know as the Internet of Things in both our homes and enterprises whether you realize it or not! However, while IoT-enabled technologies have arguably made our lives better by improving conveniences and our ability to obtain more accurate data about our environment, we unknowingly increase our attack surface through their use.”

“In other words, the benefits often come at a cost, in many cases because of lackluster development practices by many IoT manufacturers that fail to consider the entirety of the attack surface of their device ecosystem. This failure is largely seen as financial; baking security in from the start is an expense that reduces the already low profit margins on IoT devices. Delays from adopting enhanced security measures can prevent a timely push to market, further compounding profit-per-device issues.

“With the increased adoption of IoT, attackers have also focused their efforts on IoT platforms. Techniques and tool capabilities have become exponentially more sophisticated, and they are often used for “good” to unlock additional features and capabilities. However, less-ethical attackers have gained the same sophistication with their toolsets, giving them the upper hand in exploiting the technology we rely on for critical tasks. The IoT adoption rate, in combination with the sophistication of attackers, paints a grave picture for the future of IoT and the networks IoT devices are connected to unless we begin now to improve the security of all facets of the IoT ecosystem.

“We are very excited to deliver interactive, hands-on labs and a suite of hardware and software tools to equip IoT analysts and developers with practical skills, methodologies, and thought processes that they can bring back to their organizations and apply on day one. The skills you will build in this class will be valuable for today’s IoT technology and serve as a foundation for tomorrow’s advancements, regardless of your vertical, application, or data.”
–Larry Pesce, James Leyte-Vidal, and Steven Walbroehl
42 sans.org/SEC556
SEC560: Enterprise Penetration Testing
GPEN Penetration Tester
giac.org/gpen
sans.org/SEC560 43

SEC565: Red Team Operations and Adversary Emulation
44 sans.org/SEC565

SEC575: Mobile Device Security and Ethical Hacking
GMOB Mobile Device Security Analyst
giac.org/gmob
6 Day Program | 36 CPEs | Laptop Required

Imagine an attack surface that is spread across your organization and in the hands of every user. It moves regularly from place to place, stores highly sensitive and critical data, and sports numerous, different wireless technologies all ripe for attack. Unfortunately, such a surface already exists today: mobile devices. These devices constitute the biggest attack surface in most organizations, yet these same organizations often don’t have the skills needed to assess them.

SEC575: Mobile Device Security and Ethical Hacking is designed to give you the skills to understand the security strengths and weaknesses of Apple iOS and Android devices, including Android 12 and iOS 15. Mobile devices are no longer a convenience technology. They are an essential tool carried or worn by users worldwide, often displacing conventional computers for everyday enterprise data needs. You can see this trend in corporations, hospitals, banks, schools, and retail stores across the world. Users rely on mobile devices today more than ever before and the bad guys do too. SEC575 examines the full gamut of these devices.

Learn How to Pen Test the Biggest Attack Surface in Your Entire Organization
With the skills you acquire in SEC575, you will be able to evaluate the security weaknesses of built-in and third-party applications. You’ll learn how to bypass platform encryption and manipulate apps to circumvent client-side security techniques. You’ll leverage automated and manual mobile application analysis tools to identify deficiencies in mobile app network traffic, file system storage, and inter-app communication channels. You’ll safely work with mobile malware samples to understand the data exposure and access threats affecting Android and iOS devices, and you’ll learn how to bypass locked screens to exploit lost or stolen devices.

Corellium for Android and iOS Emulation
Throughout the course, students will use the innovative Corellium platform to experience iOS and Android penetration testing in a realistic environment. Corellium allows users to create virtualized iOS and Android devices with full root access even on the latest versions. By using this platform, SEC575 students can immediately test their skills right in their own browser, while still having full SSH/ADB capabilities and access to a range of powerful tools.

Take a Deep Dive into Evaluating Mobile Apps and Operating Systems and Their Associated Infrastructure
Understanding and identifying vulnerabilities and threats to mobile devices is a valuable skill, but it must be paired with the ability to communicate the associated risks. Throughout the course, you’ll review ways to effectively communicate threats to key stakeholders. You’ll learn how to use industry standards such as the OWASP Mobile Application Security Verification Standard (MASVS) to assess an application and understand all the risks so that you can characterize threats for managers and decision-makers.

Your Mobile Devices Are Going to Come Under Attack: Help Your Organization Prepare for the Onslaught
Mobile device deployments introduce new threats to organizations, including advanced malware, data leakage, and the disclosure to attackers of enterprise secrets, intellectual property, and personally identifiable information assets. Further complicating matters, there simply are not enough professionals with the security skills needed to identify and manage secure mobile phone and tablet deployments. By completing this course, you’ll be able to differentiate yourself as someone prepared to evaluate the security of mobile devices, effectively assess and identify flaws in mobile applications, and conduct a mobile device penetration test. These are all critical skills to protect and defend mobile device deployments.

Who Should Attend
• Penetration testers
• Ethical hackers
• Auditors who need to build deeper technical skills
• Security personnel whose job involves assessing, deploying or securing mobile phones and tablets
• Network and system administrators supporting mobile phones and tablets

Author Statement
The first iPhone was released in 2007, and it is considered by many to be the starting point of the smartphone era. Over the past decade, we have seen smartphones grow from rather simplistic into incredibly powerful devices with advanced features such as biometrics, facial recognition, GPS, hardware-backed encryption, and beautiful high-definition screens. While many different smartphone platforms have been developed over the years, it is quite obvious that Android and iOS have come out victorious.

While smartphones provide a solid experience right out of the box, the app ecosystem is probably the most powerful aspect of any mobile operating system. Both the Google Play and Apple App stores have countless applications that increase the usefulness of their platforms and include everything from games to financial apps, navigation, movies, music, and other offerings.

However, many smartphones also contain an incredible amount of data about both the personal and professional lives of people. Keeping those data secure should be a primary concern for both the operating system and the mobile application developer. Yet, many companies today have implemented a bring-your-own-device policy that allows smartphones onto their network. These devices are often not managed and thus bring a new set of security threats to the company.

This course will teach you about all the different aspects of mobile security, both at a high level and down into the nitty-gritty details. You will learn how to analyze mobile applications, attack smartphone devices on the network, man-in-the-middle either yourself or others, and root/jailbreak your device. You will also learn what kind of malware may pose a threat to your company and your employees.

Mobile security is a lot of fun, and I hope you will join us for this course so that we can share our enthusiasm with you!
sans.org/SEC575 45
SEC580: Metasploit for Enterprise Penetration Testing
SEC580: Metasploit Kung Fu for Enterprise Pen Testing
2 Day Course | 12 CPEs | Laptop Required

Many enterprises today face regulatory or compliance requirements that mandate regular penetration testing and vulnerability assessments. Commercial tools and services for performing such tests can be expensive. While really solid free tools such as Metasploit are available, many testers do not understand the comprehensive feature sets of these tools and how to apply them in a professional-grade testing methodology. Metasploit was designed to help testers confirm vulnerabilities using an open-source and easy-to-use framework. This course will help students get the most out of this free tool.

SEC580 will show students how to apply the incredible capabilities of the Metasploit Framework in a comprehensive penetration testing and vulnerability assessment regimen, and according to a thorough methodology for performing effective tests. Students who complete the course will have a firm understanding of how Metasploit can fit into their penetration testing and day-to-day assessment activities. The course will provide an in-depth understanding of the Metasploit Framework far beyond simply showing attendees how to exploit a remote system. The class will cover exploitation, post-exploitation reconnaissance, anti-virus evasion, spear-phishing attacks, and the rich feature set of the Meterpreter, a customized shell environment specially created to exploit and analyze security flaws.

The course will also cover many of the pitfalls that a tester may encounter when using the Metasploit Framework and how to avoid or work around them, making tests more efficient and safe.

Who Should Attend
• IT security engineers
• Penetration testers
• Security consultants
• Vulnerability assessment personnel
• Vulnerability management personnel
• Network security analysts
• Auditors
• General security engineers
• Security researchers

Author Statement
“Metasploit is the most popular free exploitation tool available today. It is in widespread use by penetration testers, vulnerability assessment personnel, auditors, and real-world threat actors. However, most of its users rely on and understand only about 10 percent of its functionality, not realizing the immensely useful other features that Metasploit offers. This course will enable students to master the 10 percent they currently rely on (applying it in a more comprehensive and safe manner), while unlocking the other 90 percent of features they can then apply to make their tests more effective. By attending this course, students will learn how to make a free tool achieve the power of many much more costly commercial tools.”
— Jeff McJunkin

“SEC580 is the best course available on the planet for in-depth knowledge of Metasploit.”
— Tom Reeves, Northrup Grumman

sans.org/sec580
• Watch a preview of this course
• Discover how to take this course: Online, In-Person
46 sans.org/SEC580
SEC588: Cloud Penetration Testing

GIAC Certification: GCPN – Cloud Penetration Tester (giac.org/gcpn)
6 Day Program | 36 CPEs | Laptop Required

Aim Your Arrows To The Sky And Penetrate The Cloud

You have been asked to perform a penetration test, security assessment, maybe an Attacker Simulation or a red team exercise. The environment in question is mainly cloud-focused. It could be entirely cloud-native for the service provider or Kubernetes-based. Perhaps the environment in question is even multi-cloud, having assets in both Amazon and Azure. What if you have to assess Azure Active Directory, Amazon Web Services (AWS) workloads, serverless functions, or Kubernetes? SEC588: Cloud Penetration Testing will teach you the latest penetration testing techniques focused on the cloud and how to assess cloud environments.

Computing workloads have been moving to the cloud for years. Analysts predict that most, if not all, companies will soon have workloads in public and other cloud environments. While organizations that start in a cloud-first environment may eventually move to a hybrid cloud and local data center solution, cloud usage will not decrease significantly. So when assessing risks to an organization going forward, we need to be prepared to evaluate the security of cloud-delivered services.

The most commonly asked questions regarding cloud security when it comes to penetration testing are: Do I need to train specifically for engagements that are cloud-specific? and Can I accomplish my objectives with other pen test training and apply it to the cloud? In cloud-service-provider environments, penetration testers will not encounter a traditional data center design; there will be new attack surface areas in the service (control) planes of these environments. Learning how such an environment is designed and how you as a tester can assess what is in it is a niche skill set that must be honed. What we rely on to be true in a classical data center environment, such as who owns the operating system and the infrastructure and how the applications are running, will likely be very different. Applications, services, and data will be hosted on a shared hosting environment unique to each cloud provider.

SEC588: Cloud Penetration Testing draws from many skill sets required to assess a cloud environment properly. If you are a penetration tester, the course will provide a pathway to understanding how to take your skills into cloud environments. If you are a cloud-security-focused defender or architect, the course will show you how the attackers are abusing cloud infrastructure to gain a foothold in your environments.

The course dives into topics of classic cloud Virtual Machines, buckets, and other new issues that appear in cloud-like microservices, in-memory data stores, files in the cloud, serverless functions, Kubernetes meshes, and containers. It also covers Azure and AWS penetration testing, which is particularly important given that AWS and Microsoft account for more than half of the market. The goal is not to demonstrate these technologies but to teach you how to assess and report on the actual risk your organization could face if these services are left insecure.

You Will Be Able To
• Conduct cloud-based penetration tests
• Assess cloud environments and bring value back to the business by locating vulnerabilities
• Understand first-hand how cloud environments are constructed and how scale factors into the gathering of evidence
• Assess security risks in Amazon and Microsoft Azure environments, the two largest cloud platforms in the market today
• Immediately apply what you have learned to your work

Course Sections
• Cloud Penetration Testing Fundamentals, Environment Mapping, and Service Discovery
• AWS and Azure Cloud Services and Attacks
• Cloud Native Applications with Containers and CI/CD Pipelines

GIAC Cloud Penetration Tester
“The GIAC Cloud Penetration Testing (GCPN) certification provides our industry with a first focused exam on both cloud technologies and penetration testing disciplines. This certification will require a mastery in assessing the security of systems, networks, web applications, web architecture, cloud technologies, and cloud design. Those that hold the GCPN have been able to cross these distinct discipline areas and simulate the ways that attackers are breaching modern enterprises.”
— Moses Frost, Course Author, SEC588: Cloud Penetration Testing

“SANS course SEC588 taught me more than I expected. With the rapid development of new technologies offered by cloud providers, SEC588 has given me an important framework for cloud pen testing.”
— Jonus Gerrits, Phillips 66

sans.org/SEC588
SEC599: Defeating Advanced Adversaries – Purple Team Tactics & Kill Chain Defenses

GIAC Certification: GDAT – Defending Advanced Threats
6 Day Program | 46 CPEs | Laptop Required

You just got hired to help our virtual organization “SYNCTECHLABS” build out a cybersecurity capability. On your first day, your manager tells you: “We looked at some recent cybersecurity trend reports and we feel like we’ve lost the plot. Advanced persistent threats, ransomware, denial of service… We’re not even sure where to start!”

Cyber threats are on the rise: ransomware tactics are affecting small, mid-size, and large enterprises alike, while state-sponsored adversaries are attempting to obtain access to your most precious crown jewels. SEC599: Defeating Advanced Adversaries – Purple Team Tactics & Kill Chain Defenses will arm you with the knowledge and expertise you need to overcome today’s threats. Recognizing that a prevent-only strategy is not sufficient, we will introduce security controls aimed at stopping, detecting, and responding to your adversaries.

Course authors Stephen Sims and Erik Van Buggenhout (both certified as GIAC Security Experts) are hands-on practitioners who have built a deep understanding of how cyber attacks work through penetration testing and incident response. While teaching penetration testing courses, they were often asked the question: “How do I prevent or detect this type of attack?” Well, this is it! SEC599 gives students real-world examples of how to prevent attacks. The course features more than 20 labs plus a full-day Defend-the-Flag exercise during which students attempt to defend our virtual organization from different waves of attacks against its environment.

Our six-part journey will start off with an analysis of recent attacks through in-depth case studies. We will explain what types of attacks are occurring and introduce formal descriptions of adversary behavior such as the Cyber Kill Chain and the MITRE ATT&CK framework. In order to understand how attacks work, you will also compromise our virtual organization “SYNCTECHLABS” in the section one exercises.

In sections two through five, we will discuss how effective security controls can be implemented to prevent, detect, and respond to cyber attacks. The topics to be addressed include:
• Leveraging MITRE ATT&CK as a “common language” in the organization
• Building your own Cuckoo sandbox solution to analyze payloads
• Developing effective group policies to improve script execution (including PowerShell, Windows Script Host, VBA, HTA, etc.)
• Highlighting key bypass strategies for script controls (unmanaged PowerShell, AMSI bypasses, etc.)
• Stopping 0-day exploits using ExploitGuard and application whitelisting
• Highlighting key bypass strategies in application whitelisting (focus on AppLocker)
• Detecting and preventing malware persistence
• Leveraging the Elastic stack as a central log analysis solution
• Detecting and preventing lateral movement through Sysmon, Windows event monitoring, and group policies
• Blocking and detecting command and control through network traffic analysis
• Leveraging threat intelligence to improve your security posture

SEC599 will finish with a bang. During the Defend-the-Flag Challenge on the final course day, you will be pitted against advanced adversaries in an attempt to keep your network secure. Can you protect the environment against the different waves of attacks? The adversaries aren’t slowing down, so what are you waiting for?

You Will Be Able To
• Understand how recent high-profile attacks were delivered and how they could have been stopped
• Implement security controls throughout the different phases of the Cyber Kill Chain and the MITRE ATT&CK framework to prevent, detect, and respond to attacks

sans.org/SEC599
SEC617: Wireless Penetration Testing and Ethical Hacking

GIAC Certification: GAWN – Assessing and Auditing Wireless Networks
6 Day Program | 36 CPEs | Laptop Required

This course is designed for professionals seeking a comprehensive technical ability to understand, analyze, and defend the various wireless technologies that have become ubiquitous in our environments and, increasingly, key entrance points for attackers.

The authors of SEC617, as penetration testers themselves, know that many organizations overlook wireless security as an attack surface, and therefore fail to establish required defenses and monitoring, even though wireless technologies are now commonplace in executive suites, financial departments, government offices, manufacturing production lines, retail networks, medical devices, and air traffic control systems. Given the known risks of insecure wireless technologies and the attacks used against them, SEC617 was designed to help people build the vital skills needed to identify, evaluate, assess, and defend against these threats. These skills are ‘must-have’ for any high-performing security organization.

For many analysts, “wireless” was once synonymous with “Wi-Fi,” the ever-present networking technology, and many organizations deployed complex security systems to protect these networks. Today, wireless takes on a much broader meaning – not only encompassing the security of Wi-Fi systems, but also the security of Bluetooth, Zigbee, Z-Wave, DECT, RFID, NFC, contactless smart cards, and even proprietary wireless systems. To effectively evaluate the security of wireless systems, your skillset needs to expand to include many different types of wireless technologies.

SEC617 will give you the skills you need to understand the security strengths and weaknesses of wireless systems. You will learn how to evaluate the ever-present cacophony of Wi-Fi networks and identify the Wi-Fi access points (APs) and client devices that threaten your organization. You will learn how to assess, attack, and exploit deficiencies in modern Wi-Fi deployments using WPA2 technology, including sophisticated WPA2 Enterprise networks. You will gain a strong, practical understanding of the many weaknesses in Wi-Fi protocols and how to apply that understanding to modern wireless systems. Along with identifying and attacking Wi-Fi access points, you will learn to identify and exploit the behavioral differences in how client devices scan for, identify, and select APs, with deep insight into the behavior of the Windows 10, macOS, Apple iOS, and Android Wi-Fi stacks.

A significant portion of the course focuses on Bluetooth and Bluetooth Low Energy (BLE) attacks, targeting a variety of devices, including wireless keyboards, smart light bulbs, mobile devices, audio streaming devices, and more. You will learn to assess a target Bluetooth device, identify the present (or absent) security controls, and apply a solid checklist to certify a device’s security for use within your organization.

Beyond analyzing Wi-Fi and Bluetooth security threats, analysts must also understand many other wireless technologies that are widely utilized in complex systems. SEC617 provides insight and hands-on training to help analysts identify and assess the use of Zigbee and Z-Wave wireless systems used for automation, control, and smart home systems. The course also investigates the security of cordless telephony systems in the worldwide Digital Enhanced Cordless Telephony (DECT) standard, including audio eavesdropping and recording attacks.

Radio frequency identification (RFID), near field communication (NFC), and contactless smart card systems are more popular than ever in countless applications such as point of sale systems and data center access control systems. You will learn how to assess and evaluate these deployments using hands-on exercises to exploit the same kinds of flaws discovered in mass transit smart card systems, hotel guest room access systems, and more.

In addition to standards-based wireless systems, we also dig deeper into the radio spectrum using software-defined radio (SDR) systems to scour for signals. Using SDR, you will gain new insight into how widely pervasive wireless systems are deployed. With your skills in identifying, decoding, and evaluating the data these systems transmit, you will be able to spot vulnerabilities even in custom wireless infrastructures.

You Will Be Able To
• Identify and locate malicious rogue access points using free and low-cost tools
• Conduct a penetration test against low-power wireless devices to identify control system and related wireless vulnerabilities
• Identify vulnerabilities and bypass authentication mechanisms in Bluetooth networks
• Utilize wireless capture tools to extract audio conversations and network traffic from DECT wireless phones
• Implement a WPA2 Enterprise penetration test to exploit vulnerable wireless client systems for credential harvesting
• Utilize Scapy to forge custom packets to manipulate wireless networks in new ways, quickly building custom attack tools to meet specific penetration test requirements
• Identify Wi-Fi attacks using network packet capture traces and freely available analysis tools
• Identify and exploit shortcomings in the security of proximity key card systems
• Decode proprietary radio signals using Software-Defined Radio
• Mount a penetration test against numerous standards-based or proprietary wireless technologies

“SEC617 is great for someone looking for a top-to-bottom rundown in wireless attacks.”
— Garret Picchioni, Salesforce

“I have a better understanding of the technologies and protocols in use and can now perform more accurate risk assessments.”
— Shawn Pray, Accenture

sans.org/SEC617
SEC660: Advanced Penetration Testing, Exploit Writing, and Ethical Hacking

GIAC Certification: GXPN – Exploit Researcher & Advanced Pen Tester (giac.org/gxpn)
6 Day Program | 46 CPEs | Laptop Required

This course is designed as a logical progression point for those who have completed SEC560: Network Penetration Testing and Ethical Hacking, or for those with existing penetration testing experience. Students with the prerequisite knowledge to take this course will walk through dozens of real-world attacks used by the most seasoned penetration testers. The methodology of a given attack is discussed, followed by exercises in a real-world lab environment to solidify advanced concepts and allow for the immediate application of techniques in the workplace. Each day includes a two-hour evening bootcamp to allow for additional mastery of the techniques discussed and even more hands-on exercises. A sample of topics covered includes weaponizing Python for penetration testers, attacks against network access control (NAC) and VLAN manipulation, network device exploitation, breaking out of Linux and Windows restricted environments, IPv6, Linux privilege escalation and exploit-writing, testing cryptographic implementations, fuzzing, defeating modern OS controls such as ASLR and DEP, return-oriented programming (ROP), Windows exploit-writing, and much more!

Attackers are becoming more clever and their attacks more complex. In order to keep up with the latest attack methods, you need a strong desire to learn, the support of others, and the opportunity to practice and build experience. SEC660 provides attendees with in-depth knowledge of the most prominent and powerful attack vectors and an environment to perform these attacks in numerous hands-on scenarios. This course goes far beyond simple scanning for low-hanging fruit, and shows penetration testers how to model the abilities of an advanced attacker to find significant flaws in a target environment and demonstrate the business risk associated with these flaws.

SEC660 starts off by introducing the advanced penetration concept, and provides an overview to help prepare students for what lies ahead. The focus of section one is on network attacks, an area often left untouched by testers. Topics include accessing, manipulating, and exploiting the network. Attacks are performed against NAC, VLANs, OSPF, 802.1X, CDP, IPv6, VoIP, SSL, ARP, SNMP, and others. Section two starts off with a technical module on performing penetration testing against various cryptographic implementations. The rest of the section is spent on network booting attacks, escaping Linux restricted environments such as chroot, and escaping Windows restricted desktop environments. Section three jumps into an introduction of Python for penetration testing, Scapy for packet crafting, product security testing, network and application fuzzing, and code coverage techniques. Sections four and five are spent exploiting programs on the Linux and Windows operating systems. You will learn to identify privileged programs, redirect the execution of code, reverse-engineer programs to locate vulnerable code, obtain code execution for administrative shell access, and defeat modern operating system controls such as ASLR, canaries, and DEP using ROP and other techniques. Local and remote exploits, as well as client-side exploitation techniques, are covered. The final course section is dedicated to numerous penetration testing challenges requiring you to solve complex problems and capture flags.

Among the biggest benefits of SEC660 is the expert-level hands-on guidance provided through the labs and the additional time allotted each evening to reinforce daytime material and master the exercises.

You Will Be Able To
• Perform fuzz testing to enhance your company’s SDL process
• Exploit network devices and assess network application protocols
• Escape from restricted environments on Linux and Windows
• Test cryptographic implementations
• Model the techniques used by attackers to perform 0-day vulnerability discovery and exploit development
• Develop more accurate quantitative and qualitative risk assessments through validation
• Demonstrate the needs and effects of leveraging modern exploit mitigation controls
• Reverse-engineer vulnerable code to write custom exploits

Course Sections
• Network Attacks, Crypto, Network Booting, and Restricted Environments
• Python, Scapy, and Fuzzing
• Exploiting Windows and Linux for Penetration Testers

GIAC Exploit Researcher and Advanced Penetration Tester
The GIAC Exploit Researcher and Advanced Penetration Tester certification validates a practitioner’s ability to find and mitigate significant security flaws in systems and networks. GXPN certification holders have the skills to conduct advanced penetration tests and model the behavior of attackers to improve system security, and the knowledge to demonstrate the business risk associated with these behaviors.

sans.org/SEC660
SEC661: ARM Exploit Development

2 Day Course | 12 CPEs | Laptop Required

The Internet of Things (IoT) has taken over. Everywhere we look we see more systems coming online, from routers to refrigerators. But as these systems become more and more integrated into our home and business networks, how does their security posture keep up with their increasing popularity? The Advanced Reduced Instruction Set Computing Machines (ARM) architecture introduced a new family of computer processors that provide a robust platform that is ideal for running a wide variety of small, specialized systems.

Unfortunately, the rapid expansion of new devices coming to market, along with accelerated development lifecycles, means that security is often an afterthought. The security posture of many IoT devices is further restricted due to hardware limitations and the need to maintain low production costs.

Now more than ever, there is a demand for highly skilled security professionals who understand IoT vulnerabilities and ARM exploitation. However, the complexity of exploit development and the difficulty of acquiring and analyzing the software that runs on IoT systems can create intimidating barriers to those wanting to enter this field.

SEC661: ARM Exploit Development is designed to break down those barriers. It has been built from the ground up to give students a solid foundation in exploit development on the ARM platform. The course starts by going over the fundamentals of the architecture and some basic ARM assembly. Initial emphasis is placed on key data structures and how they work together so that students gain a better understanding of why certain vulnerabilities occur.

Students are provided with the tools they need to set up and work in an ARM environment. From there, we go through several hands-on labs that explore memory corruption vulnerabilities and show how to craft custom input in order to gain control of execution. We will also cover common exploit mitigations and techniques for bypassing them. Finally, students will demonstrate their understanding of the core concepts taught in this highly technical course by crafting their own exploits against two emulated ARM routers.

You Will Learn:
• Techniques for running ARM in an emulated environment
• The fundamentals of ARM assembly
• How to write ARM exploits to leverage stack-based buffer overflows
• Exploit mitigations and common workarounds
• How to work with ARM shellcode
• Return Oriented Programming (ROP)
• How to exploit IoT devices in ARM
• 64-bit ARM exploit development

Prerequisites:
• Familiarity with some type of assembly language is recommended. We will cover some of the basics in class, but any assembly experience would be a great head start.
• Working knowledge of the C programming language
• Familiarity with the Linux operating system, including navigating the file system and running basic commands, as well as using a console-based editor such as vim or nano.
• Ability to edit and run basic Python scripts

Author Statement
“If you have been looking to get into exploit development or are looking to grow and solidify your skills, this course was designed for you. ARM is taking the world by storm. With billions of new devices being introduced each year, understanding the fundamentals of security vulnerabilities in ARM and how they can be exploited is a valuable skill that will continue to be in high demand for years to come. My goal in writing this course is to ignite the passion within you and equip you with the skills you need to take you to the next level.”
— John deGruyter

sans.org/SEC661
• Discover how to take this course: Online, In-Person
SEC699: Purple Team Tactics – Adversary Emulation for Breach Prevention & Detection

5 Day Program | 30 CPEs | Laptop Required

SEC699 is SANS’ advanced purple team offering, with a key focus on adversary emulation for data breach prevention and detection. Throughout this course, students will learn how real-life threat actors can be emulated in a realistic enterprise environment. In true purple fashion, the goal of the course is to educate students on how adversarial techniques can be emulated and detected.

A natural follow-up to SEC599, this is an advanced SANS course offering, with 60 percent of class time spent on labs. Highlights of class activities include:
• A course section on typical automation strategies such as Ansible, Docker and Terraform. These can be used to deploy a full multi-domain enterprise environment for adversary emulation at the press of a button
• Building a proper process, tooling, and planning for purple teaming
• Building adversary emulation plans that mimic real-life threat actors such as APT-28, APT-34, and Turla in order to execute these plans using tools such as Covenant and Caldera
• In-depth techniques such as Kerberos Delegation attacks, Attack Surface Reduction/AppLocker bypasses, AMSI, Process Injection, COM Object Hijacking and many more...
• SIGMA rule-building to detect the above techniques

Course authors Erik Van Buggenhout (the lead author of SEC599) and James Shewmaker (the co-author of SEC660) are both certified GIAC Security Experts (GSEs) and are hands-on practitioners who have built a deep understanding of how cyber attacks work through both red team (penetration testing) and blue team (incident response, security monitoring, threat hunting) activities. In this course, they combine these skill sets to educate students on adversary emulation methods for data breach prevention and detection.

The SEC699 journey is structured as follows:
• In Section 1, we will lay the foundations that are required to perform successful adversary emulation and purple teaming. As this is an advanced course, we will go in-depth on several tools that we’ll be using and learn how to further extend existing tools.
• Sections 2–4 will be heavily hands-on, covering a number of advanced techniques and their defenses (focused on detection strategies). Section 2 focuses on Initial Access techniques, Section 3 covers Lateral Movement and Privilege Escalation, while Section 4 deals with Persistence.
• Finally, in Section 5, we will build an emulation plan for a variety of threat actors. These emulation plans will be executed in Covenant, Caldera, and Prelude Operator.

Business Takeaways
• Build realistic adversary emulation plans to better protect your organization
• Deliver advanced attacks, including application whitelisting bypasses, cross-forest attacks (abusing delegation), and stealth persistence strategies
• Build SIGMA rules to detect advanced adversary techniques

Prerequisites
• This is a fast-paced, advanced course that requires a strong desire to learn advanced red and blue team techniques. The following SANS courses are recommended either prior to or as a companion to taking this course: SEC599 and SEC560.
• Experience with programming in any language is highly recommended. At a minimum, students are advised to read up on basic programming concepts.
• You should also be well versed in the fundamentals of penetration testing prior to taking this course. Familiarity with Linux and Windows is mandatory. A solid understanding of TCP/IP and networking concepts is required. Please contact the author at evanbuggenhout@nviso.be if you have any questions or concerns about the prerequisites.

sans.org/SEC699
• Discover how to take this course: Online, In-Person
SEC760: Advanced Exploit Development for Penetration Testers

6 Day Program | 46 CPEs | Laptop Required

Vulnerabilities in modern operating systems such as Microsoft Windows 7/8, Server 2012, and the latest Linux distributions are often very complex and subtle. Yet these vulnerabilities could expose organizations to significant attacks, undermining their defenses when attacked by very skilled adversaries. Few security professionals have the skill set to discover, let alone understand at a fundamental level, why a vulnerability exists and how to write an exploit to compromise it. Conversely, attackers must maintain this skill set regardless of the increased complexity. SEC760: Advanced Exploit Development for Penetration Testers, the SANS Institute’s only 700-level course, teaches the skills required to reverse-engineer 32- and 64-bit applications, perform remote user application and kernel debugging, analyze patches for one-day exploits, and write complex exploits, such as use-after-free attacks, against modern software and operating systems.

Some of the skills you will learn in SEC760 include:
• How to write modern exploits against the Windows 7/8/10 operating systems
• How to perform complex attacks such as use-after-free, kernel and driver exploitation, one-day exploitation through patch analysis, and other advanced attacks
• How to effectively utilize various debuggers and plug-ins to improve vulnerability research and speed
• How to deal with modern exploit mitigation controls aimed at thwarting success

You Will Be Able To
• Discover zero-day vulnerabilities in programs running on fully-patched modern operating systems
• Use the advanced features of IDA Pro and write your own IDAPython scripts
• Perform remote debugging of Linux and Windows applications
• Understand and exploit Linux heap overflows
• Fuzz closed-source applications
• Unpack and examine Windows update packages
• Perform patch diffing against programs, libraries, and drivers to find patched vulnerabilities
• Perform Windows kernel debugging
• Reverse engineer and exploit Windows kernel drivers

What You Will Receive
• A four-month license to IDA Pro, which is provided by Hex-Rays, is included in this course. In order to obtain the license, you must agree to the terms, including providing your name and an e-mail address, so that Hex-Rays may assign the license. After the course ends, students may choose to extend the license at a discounted rate by contacting Hex-Rays. (If you choose to opt out, then you must bring a copy of IDA Pro 7.4 advanced or later.)
• Various preconfigured virtual machines, such as Windows 10
• Various tools on a course USB that are required for use in class
• Access to the in-class Virtual Training Lab with many in-depth labs
• Access to recorded course audio to help hammer home important network penetration testing lessons

Authors’ Statement
“As a perpetual student of information security, I am excited to offer SEC760: Advanced Exploit Writing for Penetration Testers. Exploit development is a hot topic as of late and will continue to increase in importance moving forward. With all of the modern exploit mitigation controls offered by operating systems such as Windows 7 and 8, the number of experts with the skills to produce working exploits is highly limited. More and more companies are looking to hire professionals with the ability to conduct a Secure-SDLC process, perform threat modeling, determine if vulnerabilities are exploitable, and carry out security research. This course was written to help you get into these highly sought-after positions and to teach you cutting-edge tricks to thoroughly evaluate a target, providing you with the skills to improve your exploit development.”
— Stephen Sims

“Teaching and helping author SEC760: Advanced Exploit Writing for Penetration Testers has given me the opportunity to distill my past experiences in exploit writing and technical systems knowledge into a format worth sharing. This course is meant to give you a look into a number of different exploitation techniques and serves as an amazing jumping-off point for exploitation of any modern application or system. Even if you don’t plan on having a career in exploit writing or vulnerability research, this course will be valuable in understanding the thought process that goes into constructing an exploit and what technologies exist to stop an exploit writer from being successful.”
— Jaime Geiger

sans.org/SEC760
• Discover how to take this course: Online, In-Person
SANS TECHNOLOGY INSTITUTE
An NSA Center of Academic Excellence in Cyber Defense
DISCOVER THE BEST COLLEGE IN CYBERSECURITY
BACHELOR’S & MASTER’S DEGREES | UNDERGRADUATE & GRADUATE CERTIFICATES
• Hunt for the adversary before and during an incident across your enterprise
• Acquire in-depth digital forensics knowledge of Microsoft Windows and Apple OSX operating systems
• Examine portable smartphone and mobile devices to look for malware and digital forensic artifacts
• Incorporate network forensics into your investigations, providing better findings and getting the job done faster
• Leave no stone unturned by incorporating memory forensics into your investigations
• Triage, preserve, configure and examine new sources of evidence that only exist in the cloud and incorporate these new sources into your investigations
• Understand the capabilities of malware to derive threat intelligence, respond to information security incidents, and fortify defenses
• Identify, extract, prioritize, and leverage cyber threat intelligence from advanced persistent threat (APT) intrusions
• Recognize that a properly trained incident responder could be the only defense an organization has during a compromise
• Properly identify, collect, preserve, and respond to data from a wide range of storage devices and repositories, ensuring that the integrity of the evidence is beyond reproach
• Deal with the specifics of ransomware to prepare for, detect, hunt, respond to, and deal with the aftermath of ransomware
• Hunt for threat intelligence within the cybercriminal underground using Human Intelligence (HUMINT) elicitation techniques and blockchain analytics tools to trace criminal cryptocurrency transactions
55
FOR498: Battlefield Forensics & Data Acquisition
GBFA: Battlefield Forensics and Acquisition (giac.org/gbfa)
6 Day Program | 36 CPEs | Laptop Required

You Will Be Able To
• Learn and master the tools, techniques, and procedures necessary to effectively locate, identify, and collect data no matter where they are stored
• Handle and process a scene properly to maintain evidentiary integrity
• Perform data acquisition from at-rest storage, including both spinning media and solid-state storage
• Identify the numerous places that data for an investigation might exist
• Perform Battlefield Forensics by going from evidence seizure to actionable intelligence in 90 minutes or less
• Assist in preparing the documentation necessary to communicate with online entities such as Google, Facebook, Microsoft, etc.
• Understand the concepts and usage of large-volume storage technologies, including JBOD, RAID storage, NAS devices, and other large-scale, network-addressable storage
• Identify and collect user data within large corporate environments where they are accessed using SMB
• Gather volatile data such as a computer system’s RAM
• Recover and properly preserve digital evidence on cellular and other portable devices
• Address the proper collection and preservation of data on devices such as Microsoft Surface/Surface Pro, where hard-drive removal is not an option
• Address the proper collection and preservation of data on Apple devices such as MacBook, MacBook Air, and MacBook Pro, where hard-drive removal is not an option
• Properly collect and effectively target email from Exchange servers, avoiding the old-school method of full acquisition and subsequent onerous data culling
• Properly collect data from SharePoint repositories
• Access and acquire online mail stores such as Gmail, Hotmail, and Yahoo Mail accounts

“In DFIR, things rarely go as planned. This course teaches you about the options to control when things aren’t working as expected.”
— J-Michael Roberts, Corvus Forensics

THE CLOCK IS TICKING. YOU NEED TO PRIORITIZE THE MOST VALUABLE EVIDENCE FOR PROCESSING. LET US SHOW YOU HOW.

The FOR498: Digital Acquisition and Rapid Triage course will help you to:
• Acquire data effectively from:
  - PCs, Microsoft Surface, and Tablet PCs
  - Apple Devices, Mac, and Macbooks
  - RAM and memory
  - Smartphones and portable mobile devices
  - Cloud storage and services
  - Network storage repositories
• Produce actionable intelligence in 90 minutes or less

The first step in any investigation is the gathering of evidence. Digital forensic investigations are no different. The evidence used in this type of investigation is data, and this data can live in many varied formats and locations. You must be able to first identify the data that you might need, determine where that data resides, and, finally, formulate a plan and procedures for collecting that data.

With digital forensic acquisitions, you will typically have only one chance to collect data properly. If you manage the acquisition incorrectly, you run the risk of not only damaging the investigation, but more importantly, destroying the very data that could have been used as evidence.

With the wide range of storage media in the marketplace today, any kind of standardized methodology for all media is simply untenable. Many mistakes are being made in digital evidence collection, and this can cause the guilty to go free and, more importantly, the innocent to be incarcerated. The disposition of millions and millions of dollars can rest within the bits and bytes that you are tasked with properly collecting and interpreting.

An examiner can no longer rely on “dead box” imaging of a single hard drive. In today’s cyber sphere, many people utilize a desktop, laptop, tablet, and cellular phone within the course of a normal day. Compounding this issue is the expanding use of cloud storage and providers, and the proper collection of data from all these domains can become quite overwhelming.

This in-depth digital acquisition and data handling course will provide first responders and investigators alike with the advanced skills necessary to properly respond to, identify, collect, and preserve data from a wide range of storage devices and repositories, ensuring that the integrity of the evidence is beyond reproach. Constantly updated, FOR498 addresses today’s need for widespread knowledge and understanding of the challenges and techniques that investigators require when addressing real-world cases.

Numerous hands-on labs throughout the course will give first responders, investigators, and digital forensics teams practical experience needed when performing digital acquisition from hard drives, memory sticks, cellular phones, network storage areas, and everything in between.

During a digital forensics response and investigation, an organization needs the most skilled responders possible, lest the investigation end before it has begun. FOR498: Battlefield Forensics & Acquisition will train you and your team to respond, identify, collect, and preserve data no matter where that data hides or resides.
56 sans.org/FOR498
FOR500: Windows Forensic Analysis
GCFE: Forensic Examiner (giac.org/gcfe)
Certification: GIAC Certified Forensic Examiner (GCFE)
• Watch a preview of this course
• Discover how to take this course: Online, In-Person
sans.org/for500
giac.org/gcfe
sans.org/FOR500 57

FOR508: Advanced Incident Response, Threat Hunting, and Digital Forensics
GCFA: Forensic Analyst (giac.org/gcfa)
58 sans.org/FOR508

FOR509: Enterprise Cloud Forensics and Incident Response
GCFR: Cloud Forensics Responder
sans.org/FOR509 59

FOR518: Mac and iOS Forensic Analysis and Incident Response
GIME: iOS and macOS Examiner
6 Day Program | 36 CPEs | Laptop Required
IMPORTANT NOTE: MAC HARDWARE REQUIRED

You Will Be Able To
• Parse the HFS+ file system by hand, using only a cheat sheet and a hex editor
• Determine the importance of each file system domain
• Conduct temporal analysis of a system by correlating data files and log analysis
• Profile individuals’ usage of the system, including how often they used it, what applications they frequented, and their personal system preferences
• Determine remote or local data backups, disk images, or other attached devices
• Find encrypted containers and FileVault volumes, understand keychain data, and crack Mac passwords
• Analyze and understand Mac metadata and their importance in the Spotlight database, Time Machine, and Extended Attributes
• Develop a thorough knowledge of the Safari Web Browser and Apple Mail applications
• Identify communication with other users and systems through iChat, Messages, FaceTime, Remote Login, Screen Sharing, and AirDrop
• Conduct an intrusion analysis of a Mac for signs of compromise or malware infection
• Acquire and analyze memory from Mac systems
• Acquire and analyze iOS devices in-depth

Digital forensic investigators have traditionally dealt with Windows machines, but what if they find themselves in front of a new Apple Mac or iDevice? The increasing popularity of Apple devices can be seen everywhere, from coffee shops to corporate boardrooms, yet most investigators are familiar with Windows-only machines.

This consistently updated FOR518 course provides the techniques and skills necessary to take on any Mac or iOS case without hesitation. The intense hands-on forensic analysis and incident response skills taught in the course will enable analysts to broaden their capabilities and gain the confidence and knowledge to comfortably analyze any Mac or iOS device. In addition to traditional investigations, the course presents intrusion and incident response scenarios to help analysts learn ways to identify and hunt down attackers that have compromised Apple devices.

FORENSICATE DIFFERENTLY!

FOR518: Mac and iOS Forensic Analysis and Incident Response will teach you:
• Mac and iOS Fundamentals: How to analyze and parse the Hierarchical File System (HFS+) and Apple File System (APFS) by hand and recognize the specific domains of the logical file system and Mac-specific file types.
• User and Device Activity: How to understand, profile, and conduct advanced pattern-of-life analysis on users and their devices through their data files and preference configurations.
• Advanced Intrusion Analysis and Correlation: How to determine how a system has been used or compromised by using the system and user data files in correlation with system log files.
• Apple Technologies: How to understand and analyze many Mac and iOS-specific technologies, including Time Machine, Spotlight, iCloud, Document Versions, FileVault, Continuity, and FaceTime.

FOR518: Mac and iOS Forensic Analysis and Incident Response aims to train a well-rounded investigator by diving deep into forensic and intrusion analysis of Mac and iOS. The course focuses on topics such as the HFS+ and APFS file systems, Mac-specific data files, tracking of user activity, system configuration, analysis and correlation of Mac logs, Mac applications, and Mac-exclusive technologies. A computer forensic analyst who completes this course will have the skills needed to take on a Mac or iOS forensics case.

GIME: iOS and macOS Examiner (giac.org/gime)
The GIME certification validates a practitioner’s knowledge of Mac and iOS computer forensic analysis and incident response skills. GIME-certified professionals are well-versed in traditional investigations as well as intrusion analysis scenarios for compromised Apple devices.
• Mac and iOS File Systems, System Triage, User and Application Data Analysis
• Mac and iOS Incident Response, Malware, and Intrusion Analysis
• Mac and iOS Memory Forensics and Timeline Analysis

“It was very interesting to learn that certain ‘forensic’ tools could report data as being encrypted even though one could still get other data.”
— Gary Titus; Stroz Friedberg LLC

“Within the first two days of training, I had enough knowledge to go back to work and solve two outstanding issues.”
— Beau G., Information Systems Solutions
60 sans.org/FOR508
FOR528: Ransomware for Incident Responders
4 Day Program | 24 CPEs | Laptop Required

Who Should Attend
• Information security professionals who want to learn how to collect, parse, and analyze forensic artifacts in support of ransomware incident response
• Incident response team members who need to use deep-dive digital forensics to help solve their Windows data breach and intrusion cases, perform damage assessments, and develop indicators of compromise
• Incident triage analysts such as those working in a Security Operations Center, Computer Incident Response Team, or similar
• Managed Services Provider (MSP) and Managed Security Services Provider (MSSP) analysts who may need to aid in ransomware incident response
• Law enforcement officers, federal agents, and detectives who want to become deep subject-matter experts on ransomware investigations
• Medical and hospitality IT staff who may need to respond to ransomware events
• Anyone interested in a deep understanding of Ransomware-specific Incident Response who has a background in information systems, information security, or computers

You Will Be Able To
• Ransomware Evolution and History
• Windows Forensics Artifacts Critical to Ransomware Incident Response
• Evidence Acquisition Tools and Techniques
• Initial Access
• Execution and Defense Evasion
• Persistence
• Privilege Escalation and Credential Access
• Lateral Movement
• Active Directory Attacks
• Data Access
• Data exfiltration
• Archive creation and data staging
• Data exfiltration routes
• Backup and Recovery tampering
• Payload deployment
• Encryption specifics including source code review
• Decryptors
• Cobalt Strike architecture, components, and payloads
• Dealing with an active threat
• Conti ransomware operations case study
• Hunting methods and techniques

Learning to thwart the threat of human-operated ransomware once and for all!

The term “Ransomware” no longer refers to a simple encryptor that locks down resources. The advent of Human-Operated Ransomware (HumOR) along with the evolution of Ransomware-as-a-Service (RaaS) have created an entire ecosystem that thrives on hands-on-the-keyboard, well-planned attack campaigns. It is a rapidly growing threat that has evolved from being a single machine infection following an ill-advised mouse click to becoming a booming enterprise capable of crippling large and small networks alike.

Organizations are at risk of losing their data and information to these attacks, which can lead to revenue losses, reputational damage, theft of employee time and productivity, and inability to function normally. It is now common to see these large-scale sophisticated attacks where the ransomware actors first establish persistence and execute tools on their target, then move laterally throughout the organization, ultimately exfiltrating data before deploying their ransomware payloads.

Even though payments to ransomware actors slowed down in 2022 as compared to previous years, that same year there were over 2,600 posts made to extortion sites related to ransomware. This number does not include an unknown quantity of incidents that were resolved through communication and/or negotiation behind the scenes prior to public notification. Of the reported incidents from 2022, the following are the top 10 sectors in terms of compromise:*
• Construction
• Automotive
• Hospital and Health Care
• Financial Services
• Government Administration
• Higher Education
• IT Services and IT Consulting
• Insurance
• Law Practice
• Real Estate

The FOR528: Ransomware for Incident Responders course teaches students how to deal with the specifics of ransomware to prepare for, detect, hunt, respond to, and deal with the aftermath of ransomware. The class features a hands-on approach to learning using real-world data and includes a full-day Capture-the-Flag challenge to help students solidify their learning. The four-day class teaches students what artifacts to collect, how to collect them, how to scale out your collection efforts, how to parse the data, and how to review the parsed results in aggregate.

The course also provides in-depth details along with detection methods for each phase of the ransomware attack lifecycle. These phases include initial access, execution, defense evasion, persistence, attacks on Active Directory, privilege escalation, credential access, lateral movement, data access, data exfiltration, and payload deployment.

Unfortunately, many businesses will find themselves falling victim to ransomware attacks because they feel they are not in danger. No matter if you are a small, medium, or large organization, every internet-connected network is at risk, and the threat is not going away any time soon.

The time to be proactive about ransomware is now!

*Statistics from ecrime.ch
sans.org/FOR528 61
FOR532: Enterprise Memory Forensics In-Depth
62 sans.org/FOR532
FOR572: Advanced Network Forensics: Threat Hunting, Analysis, and Incident Response
GNFA: Network Forensic Analyst (giac.org/gnfa)
6 Day Program | 36 CPEs | Laptop Required

You Will Be Able To
• Extract files from network packet captures and proxy cache files, allowing follow-on malware analysis or definitive data loss determinations
• Use historical NetFlow data to identify relevant past network occurrences, allowing accurate incident scoping
• Reverse engineer custom network protocols to identify an attacker’s command-and-control abilities and actions
• Decrypt captured SSL/TLS traffic to identify attackers’ actions and what data they extracted from the victim
• Use data from typical network protocols to increase the fidelity of the investigation’s findings
• Identify opportunities to collect additional evidence based on the existing systems and platforms within a network architecture
• Examine traffic using common network protocols to identify patterns of activity or specific actions that warrant further investigation
• Incorporate log data into a comprehensive analytic process, filling knowledge gaps that may be far in the past
• Learn how attackers leverage meddler-in-the-middle tools to intercept seemingly secure communications
• Examine proprietary network protocols to determine what actions occurred on the endpoint systems
• Analyze wireless network traffic to find evidence of malicious activity
• Learn how to modify configuration on typical network devices such as firewalls and intrusion detection systems to increase the intelligence value of their logs and alerts during an investigation
• Apply the knowledge you acquire during the week in a full-day capstone lab, modeled after real-world nation-state intrusions and threat actors

Take your system-based forensic knowledge onto the wire. Incorporate network evidence into your investigations, provide better findings, and get the job done faster.

It is exceedingly rare to work any forensic investigation that doesn’t have a network component. Endpoint forensics will always be a critical and foundational skill for this career, but overlooking the endpoints’ network communications is akin to ignoring security camera footage of a crime as it was committed. Whether you handle an intrusion incident, data theft case, employee misuse scenario, or are engaged in proactive adversary discovery, the network often provides an unparalleled view of the incident. Its evidence can provide the proof necessary to show intent, uncover attackers that have been active for months or longer, or may even prove useful in definitively proving a crime actually occurred.

FOR572 was designed to cover the most critical skills needed for the increased focus on network communications and artifacts in today’s investigative work, including numerous use cases. Many investigative teams are incorporating proactive threat hunting into their skills, in which existing evidence is used with newly-acquired threat intelligence to uncover evidence of previously-unidentified incidents. Others focus on post-incident investigations and reporting. Still others engage with an adversary in real time, seeking to contain and eradicate the attacker from the victim’s environment. In these situations and more, the artifacts left behind from attackers’ communications can provide an invaluable view into their intent, capabilities, successes, and failures.

In FOR572, we focus on the knowledge necessary to examine and characterize communications that have occurred in the past or continue to occur. Even if the most skilled remote attacker compromised a system with an undetectable exploit, the system still has to communicate over the network. Without command-and-control and data extraction channels, the value of a compromised computer system drops to almost zero. Put another way: Bad guys are talking – we’ll teach you to listen.

This course covers the tools, technology, and processes required to integrate network evidence sources into your investigations, with a focus on efficiency and effectiveness. You will leave this week with a well-stocked toolbox and the knowledge to use it on your first day back on the job. We will cover the full spectrum of network evidence, including high-level NetFlow analysis, low-level pcap-based dissection, ancillary network log examination, and more. We cover how to leverage existing infrastructure devices that may contain months or years of valuable evidence as well as how to place new collection platforms while an incident is underway.

Whether you are a consultant responding to a client’s site, a law enforcement professional assisting cybercrime victims and seeking prosecution of those responsible, an on-staff forensic practitioner, or a member of the growing ranks of threat hunters, this course offers hands-on experience with real-world scenarios that will help take your work to the next level. Previous SANS SEC curriculum students and other network defenders will benefit from the FOR572 perspective on security operations as they take on more incident response and investigative responsibilities.

SANS DFIR alumni can take their existing operating system or device knowledge and apply it directly to the network-based attacks that occur daily. In FOR572, we solve the same caliber of real-world problems without the use of disk or memory images.

FOR572 is an advanced course – we hit the ground running on day one. Bring your entire bag of skills: forensic techniques and methodologies, full-stack networking knowledge (from the wire all the way up to user-facing services), Linux shell utilities, and everything in between. They will all benefit you throughout the course material as you
FIGHT CRIME. UNRAVEL INCIDENTS...ONE BYTE (OR PACKET) AT A TIME
sans.org/FOR572 63
FOR578: Cyber Threat Intelligence
GCTI: Cyber Threat Intelligence (giac.org/gcti)
Certification: GIAC Cyber Threat Intelligence (GCTI)
• Watch a preview of this course
• Discover how to take this course: Online, In-Person
sans.org/for578
giac.org/gcti
64 sans.org/FOR578

FOR585: Smartphone Forensic Analysis In-Depth
GASF: Advanced Smartphone Forensics (giac.org/gasf)
6 Day Program | 36 CPEs | Laptop Required

You Will Be Able To
• Select the most effective forensic tools, techniques, and procedures to effectively analyze smartphone data
• Reconstruct events surrounding a crime using information from smartphones, including timeline development and link analysis (e.g., who communicated with whom, where, and when)
• Understand how smartphone file systems store data, how they differ, and how the evidence will be stored on each device
• Interpret file systems on smartphones and locate information that is not generally accessible to users
• Identify how the evidence got onto the mobile device - we’ll teach you how to know if the user created the data, which will help you avoid the critical mistake of reporting false evidence obtained from tools
• Incorporate manual decoding techniques to recover deleted data stored on smartphones and mobile devices
• Tie a user to a smartphone on a specific date/time and at various locations
• Recover hidden or obfuscated communication from applications on smartphones
• Decrypt or decode application data that are not parsed by your forensic tools
• Detect smartphones compromised by malware and spyware using forensic methods
• Decompile and analyze mobile malware using open-source tools
• Handle encryption on smartphones and bypass, crack, and/or decode lock codes manually recovered from smartphones, including cracking iOS backup files that were encrypted with iTunes
• Understand how data are stored on smartphone components (SD cards) and how encrypted data can be examined by leveraging the smartphone
• Extract and use information from smartphones and their components, including Android, iOS, BlackBerry 10, Windows Phone, Chinese knock-offs, and SD cards (bonus labs available focusing on BlackBerry, BlackBerry backups, Nokia [Symbian], and SIM card decoding)
• Perform advanced forensic examinations of data structures on smartphones by diving deeper into underlying data structures that many tools do not interpret
• Analyze SQLite databases and raw data dumps from smartphones to recover deleted information
• Perform advanced data-carving techniques on smartphones to validate results and extract missing or deleted data
• Apply the knowledge you acquire during the course to conduct a full-day smartphone capstone event involving multiple devices and modeled after real-world smartphone investigations

SMARTPHONES HAVE MINDS OF THEIR OWN. DON’T MAKE THE MISTAKE OF REPORTING SYSTEM EVIDENCE, SUGGESTIONS, OR APPLICATION ASSOCIATIONS AS USER ACTIVITY. IT’S TIME TO GET SMARTER!

A smartphone lands on your desk and you are tasked with determining if the user was at a specific location at a specific date and time. You rely on your forensic tools to dump and parse the data. The tools show location information tying the device to the place of interest. Are you ready to prove the user was at that location? Do you know how to take this further to place the subject at the location of interest at that specific date and time? Tread carefully, because the user may not have done what the tools are showing!

Mobile devices are often a key factor in criminal cases, intrusions, IP theft, security threats, accident reconstruction, and more. Understanding how to leverage the data from the device in a correct manner can make or break your case and your future as an expert. FOR585: Smartphone Forensic Analysis In-Depth will teach you those skills.

Every time the smartphone “thinks” or makes a suggestion, the data is saved. It’s easy to get mixed up in what the forensic tools are reporting. Smartphone forensics is more than pressing the “find evidence” button and getting answers. Your team cannot afford to rely solely on the tools in your lab. You have to understand how to use them correctly to guide your investigation, instead of just letting the tool report what it believes happened on the device. It is impossible for commercial tools to parse everything from smartphones and understand how the data was put on the device. Examination and interpretation of the data is your job and this course will provide you and your organization with the capability to find and extract the correct evidence from smartphones with confidence.

This in-depth smartphone forensic course provides examiners and investigators with advanced skills to detect, decode, decrypt, and correctly interpret evidence recovered from mobile devices. The course features 31 hands-on labs, a forensic challenge, and a bonus take-home case that allows students to analyze different datasets from smart devices and leverage the best forensic tools, methods, and custom scripts to learn how smartphone data hide and can be easily misinterpreted by forensic tools. Each lab is designed to teach you a lesson that can be applied to other smartphones. You will gain experience with the different data formats on multiple platforms and learn how the data are stored and encoded on each type of smart device. The labs will open your eyes to what you are missing by relying 100% on your forensic tools.

FOR585 is continuously updated to keep up with the latest smartphone operating systems, third-party applications, acquisition short-falls, extraction techniques (jailbreaks and roots), malware and encryption. This intensive six-day course offers the most unique and current instruction on the planet, and it will arm you with mobile device forensic knowledge you can immediately apply to cases you’re working on the day you leave the course.

Smartphone technologies are constantly changing, and most forensic professionals are unfamiliar with the data formats for each technology. Take your skills to the next level: it’s time for the good guys to get smarter and for the bad guys to know that their smartphone activity can and will be used against them!

SMARTPHONE DATA CAN’T HIDE FOREVER – IT’S TIME TO OUTSMART THE MOBILE DEVICE!

Certification: GIAC Advanced Smartphone Forensics (GASF)
• Watch a preview of this course
• Discover how to take this course: Online, In-Person
sans.org/for585
giac.org/gasf
sans.org/FOR585 65
FOR608: Enterprise-Class Incident Response & Threat Hunting

Prerequisites
FOR608 is an advanced level course that skips over introductory material of Windows host- and network-based forensics and incident response. This class is not necessarily more technical than our 500-level classes, but it does assume that knowledge so that topics and concepts are not repeated. Students must have multiple years of DFIR experience and/or have taken classes such as:
• FOR500: Windows Forensics Analysis, and/or
• FOR508: Advanced Digital Forensics, Incident Response, and Threat Hunting

“The course content covers a lot of important topics focused on detection and response. I enjoyed the sections on Threat Driven Intelligence and TimeSketch for creating incident timelines.”
—Reggie M., Amazon
66 sans.org/FOR608
FOR610: Reverse-Engineering Malware: Malware Analysis Tools and Techniques
GREM Reverse Engineering
6 Day Program | 36 CPEs | Laptop Required

Learn to turn malware inside out! This popular reversing course explores malware analysis tools and techniques in depth. FOR610 training has helped forensic investigators, incident responders, security engineers, and IT administrators acquire the practical skills to examine malicious programs that target and infect Windows systems.

Understanding the capabilities of malware is critical to your ability to derive threat intelligence, respond to cybersecurity incidents, and fortify enterprise defenses. This course builds a strong foundation for reverse-engineering malicious software using a variety of system and network monitoring utilities, a disassembler, a debugger, and many other freely available tools.

The course begins by establishing the foundation for analyzing malware in a way that dramatically expands upon the findings of automated analysis tools. You will learn how to set up a flexible laboratory to examine the inner workings of malicious software, and how to use the lab to uncover characteristics of real-world malware samples. You will also learn how to redirect and intercept network traffic in the lab to explore the specimen’s capabilities by interacting with the malicious program.

The course continues by discussing essential assembly language concepts relevant to reverse engineering. You will learn to examine malicious code with the help of a disassembler and a debugger in order to understand its key components and execution flow. In addition, you will learn to identify common malware characteristics by looking at suspicious Windows API patterns employed by malicious programs.

Next, you will dive into the world of malware that thrives in the web ecosystem, exploring methods for assessing suspicious websites and de-obfuscating malicious JavaScript to understand the nature of the attack. You will also learn how to analyze malicious Microsoft Office, RTF, and PDF files. Such documents act as a common infection vector as a part of mainstream and targeted attacks. You will also learn how to examine “file-less” malware and malicious PowerShell scripts.

Malware is often obfuscated to hinder analysis efforts, so the course will equip you with the skills to unpack executable files. You will learn how to dump such programs from memory with the help of a debugger and additional specialized tools, and how to rebuild the files’ structure to bypass the packer’s protection. You will also learn how to examine malware that exhibits rootkit functionality to conceal its presence on the system, employing code analysis and memory forensics approaches to examining these characteristics.

FOR610 malware analysis training also teaches how to handle malicious software that attempts to safeguard itself from analysis. You will learn how to recognize and bypass common self-defensive measures, including code injection, sandbox evasion, flow misdirection, and other measures.

The course culminates with a series of Capture-the-Flag challenges designed to reinforce the techniques learned in class and provide additional opportunities to learn practical, hands-on malware analysis skills in a fun setting.

Hands-on lab exercises are a critical aspect of this course. They enable you to apply malware analysis techniques by examining malicious software in a controlled and systematic manner. When performing the exercises, you will study the supplied specimens’ behavioral patterns and examine key portions of their code. To support these activities, you will receive pre-built Windows and Linux virtual machines that include tools for examining and interacting with malware.

You Will Be Able To
• Build an isolated, controlled laboratory environment for analyzing code and behavior of malicious programs
• Employ network and system-monitoring tools to examine how malware interacts with the file system, registry, network, and other processes in a Windows environment
• Uncover and analyze malicious JavaScript and VBScript components of web pages, which are often used by exploit kits for drive-by attacks
• Control relevant aspects of the malicious program’s behavior through network traffic interception and code patching to perform effective malware analysis
• Use a disassembler and a debugger to examine the inner workings of malicious Windows executables
• Bypass a variety of packers and other defensive mechanisms designed by malware authors to misdirect, confuse and otherwise slow down the analyst
• Recognize and understand common assembly-level patterns in malicious code, such as DLL injection and anti-analysis measures
• Assess the threat associated with malicious documents, such as PDF and Microsoft Office files
• Derive Indicators of Compromise (IOCs) from malicious executables to strengthen incident response and threat intelligence efforts

NICE Framework Work Roles
• Cyber Defense Incident Responder (OPM 531)
• Cyber Crime Investigator (OPM 221)
• Law Enforcement/CounterIntelligence Forensics Analyst (OPM 211)
• Cyber Defense Forensics Analyst (OPM 212)

“This is truly a step-by-step mentorship course. The content is immediately applicable to DFIR job roles.”
—Chad Reams, Parsons Inc.

sans.org/FOR610 67
FOR710: Reverse-Engineering Malware: Advanced Code Analysis
5 Day Program | 36 CPEs | Laptop Required

As defenders hone their analysis skills and automated malware detection capabilities improve, malware authors have worked harder to achieve execution within the enterprise. The result is modular malware with multiple layers of obfuscation that executes in-memory to hinder detection and analysis. Malware analysts must be prepared to tackle these advanced capabilities and use automation whenever possible to handle the volume, variety and complexity of the steady stream of malware targeting the enterprise.

FOR710: Advanced Code Analysis continues where the FOR610: Reverse-Engineering Malware: Malware Analysis Tools and Techniques course leaves off, helping students who have already attained intermediate-level malware analysis capabilities take their reversing skills to the next level. Authored by SANS Certified Instructor Anuj Soni, this course prepares malware specialists to dissect sophisticated Windows executables, such as those that dominate the headlines and preoccupy incident response teams across the globe.

Developing deep reverse-engineering skills requires consistent practice. This course not only includes the necessary background and instructor-led walk-throughs, but also provides students with numerous opportunities to tackle real-world reverse engineering scenarios during class.

FOR710 Advanced Code Analysis will prepare you to:
• Tackle code obfuscation techniques that hinder static code analysis, including the use of steganography
• Identify the key components of program execution to analyze multi-stage malware in memory
• Locate and extract deobfuscated shellcode during program execution
• Develop comfort with non-executable file formats during malware analysis
• Probe the structures and fields associated with a PE header
• Use WinDBG Preview for debugging and assessing key process data structures in memory
• Identify encryption algorithms in ransomware used for file encryption and key protection
• Recognize Windows APIs that facilitate encryption and articulate their purpose
• Investigate data obfuscation in malware, pinpoint algorithm implementations, and decode underlying content
• Create Python scripts to automate data extraction and decryption
• Build rules to identify functionality in malware
• Use Dynamic Binary Instrumentation (DBI) frameworks to automate common reverse engineering workflows
• Write Python scripts within Ghidra to expedite code analysis
• Use Binary Emulation frameworks to simulate code execution

Course Topics
• Code deobfuscation
• Program execution
• Shellcode analysis
• Steganography
• Multi-stage malware
• WinDbg Preview
• Encryption algorithms
• Data obfuscation
• Python scripting for malware analysis
• Dynamic Binary Instrumentation (DBI) Frameworks
• Binary emulation frameworks
• Payload and config extraction
• Scripting with Ghidra
• YARA rules
• Yara-python
• SMDA disassembler

What You Will Receive
• Windows 10 VM with pre-installed malware analysis and reversing tools
• Real-world malware samples to examine during and after class
• Coursebooks and workbook with detailed step-by-step exercise instruction

68 sans.org/FOR710
SANS CURRICULUM FOCUS AREA
Cybersecurity Leadership

What will the Chief Financial Officer notice after you take this course and apply the concepts you’ve learned?
• You ask better questions of your CFO, Controller, and Finance team
• You can interpret common financial statements
• You demonstrate strong financial stewardship
• You are able to create a multi-year budget
• You make a greater effort to work with finance colleagues

What strategies can build a meaningful relationship with your Chief Financial Officer?
• Understand what is important to your CFO
• Demonstrate the interest, skills, and knowledge that make you stand out
• More specifically, be able to interpret a balance sheet, cash flow statement, and income statement

Who Should Attend
• CISOs
• Information Security Officers
• Information Security Directors
• Information Security Managers
• Information Security Leaders
• All those who aspire to become an effective information security leader

Topics
• What you must know about finance
• A clear business case
• Financial stewardship
• A multi-year budget
• How we do this work

70 sans.org/SEC405
LDR414: SANS Training Program for the CISSP Certification
GISP Information Security
sans.org/MGT414 71
LDR415: A Practical Introduction to Cyber Security Risk Management
2 Day Course | 12 CPEs | Laptop Required

In this course students will learn the practical skills necessary to perform regular risk assessments for their organizations. The ability to perform risk management is crucial for organizations hoping to defend their systems. There are simply too many threats, too many potential vulnerabilities that could exist, and simply not enough resources to create an impregnable security infrastructure. Therefore every organization, whether they do so in an organized manner or not, will make priority decisions on how best to defend their valuable data assets. Risk management should be the foundational tool used to facilitate thoughtful and purposeful defense strategies.

Author Statement
Most every time we talk with an organization, whether that be a private company or a government agency, we meet people who want to use risk assessment as a tool, but are not actually using it as they could. No organization has enough resources to do everything they would like to defend themselves. At some point a priority decision has to be made. We either make those decisions individually based on whatever need seems to be the most pressing in front of us today, or we take a methodical approach, getting as much input from the business as possible. Risk management is the tool we have available for taking the methodical path.
This course has been written with practicality and usability in mind. Risk models and learning ALE to pass a certification test is fine. But to defend our systems, we need practical skills in risk assessment. This course will teach students the hands-on skills necessary to immediately start using risk assessment as a tool to defend their organization.
– James & Kelli Tarala

You Will Be Able To
• Perform a complete risk assessment
• Inventory an organization’s most critical information assets
• Assign a data owner and custodian to an information asset
• Assign classification values to critical information assets
• Prioritize risk remediation efforts as a result of performing a risk assessment
• Evaluate risk management models for use in their own organization

Who Should Attend
• Any security engineers, compliance directors, managers, auditors – basically any SANS alumni potentially
• Auditors
• Directors of security compliance
• Information assurance management
• System administrators

72 sans.org/MGT415
LDR433: Managing Human Risk
SSAP Security Awareness Professional
giac.org/ssap
3 Day Course | 18 CPEs | Laptop Not Needed

People have become the primary attack vector. Manage your human risk.

Learn the key lessons and the roadmap to build a mature awareness program that will truly engage your workforce, change their behavior and ultimately manage your human risk. Apply models such as the BJ Fogg Behavior Model, AIDA Marketing funnel, and Golden Circle, and learn about the Elephant vs. the Rider. Concepts include how to assess and prioritize your top human risks and the behaviors that manage those risks, how to engage, train and secure your workforce by changing their behaviors and culture, and how to measure the impact and value of that change.

The course content is based on lessons learned from hundreds of programs from around the world. You will learn not only from your instructor, but from extensive interaction with your peers. Finally, through a series of labs and exercises, you will develop your own custom plan to implement as soon as you return to your organization.

Business Takeaways:
• Align your security awareness program with your organization’s strategic security priorities
• Effectively identify, prioritize and manage your organization’s top human risks
• More closely integrate your security awareness efforts with your security team’s overall risk management efforts
• Make the most of your investment by sustaining your program long term, going beyond changing behavior to embedding a strong security culture
• Communicate and demonstrate the value of the change to your senior leadership in business terms

Hands-On Training:
A big part of the course is not only learning but applying what you learn working as groups with your peers. Not only does this provide you a far better understanding and application of course content, but it enables you to interact and learn from others. This three-section course has eight interactive labs. Each lab is approximately 30 minutes to complete as a team, with another 20-30 minutes of group discussion.
• Section 1: Determine Your Program’s Maturity Level, Creating an Advisory Board, Identify and Prioritize the Top Human Risks to Your Organization
• Section 2: Identify and Prioritize the Key Behaviors that Manage Your Top Human Risks, Leverage the AIDA Model to Sell MFA, Putting it All Together, Creating an Engagement Plan
• Section 3: Define Your Organization’s Culture, Measuring a Key Human Risk and Behaviors that Manage that Risk

Additional Free Resources
• Security Awareness Roadmap: Managing Your Human Risk, poster
• Annual Security Awareness Report™: Managing Human Risk
• Career Development for Security Awareness, Engagement, and Culture Professionals (For those of you who are looking to get involved in this field, or are already involved but looking to grow, consider reading this blog on how to develop your career path.)

This Course Will Prepare You to:
• Master how to map and benchmark your program’s maturity against your peers’
• Understand the Security Awareness Maturity Model and how to leverage it as the roadmap for your program
• Ensure compliance with key standards and regulations
• Implement models for learning theory, behavioral change, and cultural analysis
• Define human risk and explain the three different variables that constitute it
• Explain risk assessment processes
• Leverage the latest in Cyber Threat Intelligence and describe the most common tactics, techniques, and procedures used in today’s human-based attacks
• Identify, measure, and prioritize your human risks and define the behaviors that manage those risks
• Define what security culture is and the common indicators of a strong security culture
• Explain your organization’s overall culture and how to most effectively align cybersecurity with and embed it into your organization’s culture
• Measure the impact of your program, track reduction in human risk, and communicate to senior leadership the value of the program

“I think the course is really engaging and works at two levels: (1) It would provide someone starting out with a solid foundational knowledge, (2) It allows an existing program to benchmark and get new ideas, to supplement the existing work.”
—Brian Wright, Student Loans Company

sans.org/MGT433 73
SEC440: CIS Critical Controls: A Practical Introduction

Section Descriptions

SECTION 1: Introduction and Critical Controls 1–9
Section 1 will introduce you to Critical Controls 1–9, including the name, purpose, and why each matters in the bigger picture of cybersecurity.
• CIS Critical Control 1: Inventory and Control of Enterprise Assets
• CIS Critical Control 2: Inventory and Control of Software Assets
• CIS Critical Control 3: Data Protection
• CIS Critical Control 4: Secure Configuration of Enterprise Assets and Software
• CIS Critical Control 5: Account Management
• CIS Critical Control 6: Access Control Management
• CIS Critical Control 7: Continuous Vulnerability Management
• CIS Critical Control 8: Audit Log Management
• CIS Critical Control 9: Email and Web Browser Protections

SECTION 2: Critical Controls 10–18 and Conclusion
Section 2 will introduce you to Critical Controls 10–18, including the name, purpose, and why each matters in the bigger picture of cybersecurity.
• Critical Control 10: Malware Defenses
• Critical Control 11: Data Recovery
• Critical Control 12: Network Infrastructure Management
• Critical Control 13: Network Monitoring and Defense
• Critical Control 14: Security Awareness and Skills Training
• Critical Control 15: Service Provider Management
• Critical Control 16: Application Software Security
• Critical Control 17: Incident Response Management
• Critical Control 18: Penetration Testing

“The 20 Critical Security Controls provide updated/current trends in InfoSec. The course provided an excellent explanation of the controls and how to apply them.”
— Dan Sherman, RIC Audit FRB

74 sans.org/SEC440
SEC474: Building A Healthcare Security & Compliance Program
2 Day Course | 12 CPEs | Laptop Required

One of the challenges organizations face in complying with the Health Insurance Portability and Accountability Act (HIPAA) is that the act’s regulatory and privacy standards are not prescriptive enough to help organizations successfully build an effective security and compliance program. Audit and assessment engagements with government agencies such as the Office of Civil Rights (OCR) and with state attorneys general during and after reportable data breaches or privacy-related security incidents can be overwhelming for organizations to navigate without previous knowledge or experience.

To address tight budget restrictions, many healthcare organizations promote security and compliance team members from within the organization in order to cultivate and retain talent internally. These professionals have a wide range of experience and skill sets. The SANS SEC474 course can help organizations level-set and prepare healthcare compliance and security by sharing first-hand knowledge and experiences.

The goal of this course is to show that HIPAA compliance in itself is neither an antidote nor a cure for the shortcomings of an organization’s healthcare security. The ultimate goal is to develop, maintain, and demonstrate a secure environment for the organization by implementing repeatable processes based on industry best practices. When that is achieved, evidence of HIPAA compliance is a result of those efforts.

Healthcare organizations in the United States face two major challenges: first, to properly secure the organization from tactical risk, and second, to achieve compliance with the array of government regulations known as HIPAA. This course will help students develop the skills to make measurable improvements to the overall security posture of their organization’s IT infrastructure while also building and maintaining a compliance program. Using the safeguards of the HIPAA Security Rule along with the NIST Framework 800-66 to identify and assess risk, students will learn how to report progress on their compliance activities and their security value in support of the organization’s mission.

Students will gain skills and knowledge in SEC474 that they will be able to use on their first day back at work. Students will leave the classroom knowing what it takes to establish and nurture a culture of compliance where both compliance and business objectives are promoted as a singular goal. They will be able not only to assess compliance, but also to measure the maturity and effectiveness of compliance activities.

This course will prepare you to:
• Take steps to meet compliance standards, particularly those of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and the Health Information Technology for Economic and Clinical Health Act (HITECH)
• Protect your healthcare organization from cyber-threats, unintended data disclosures, and mishandling of data in the enterprise
• Understand the most prevalent security concerns specifically around the healthcare industry such as data disclosures, ransomware, unauthorized access and modification, incident response, and business continuity planning
• Apply the HIPAA Security Rule in practice
• Build an organizational security plan
• Understand the job roles in a compliance program

You Will Be Able To
• Tackle the challenges at hand – many HIPAA compliance regulations run counter to business objectives, so we will explore why this is and how to overcome the issue
• Interpret the Security Rule text in-depth, including an analysis of every line item of the regulation and what it means to your organization
• Draft sound policy that supports business as well as compliance objectives
• Perform a risk assessment, enumerate threat data, analyze vulnerabilities, and select proper safeguards to lower risk
• Define the value of the compliance program for the organization
• Create a culture of compliance
• Establish lines of communication and reporting channels
• Understand the value of internal monitoring and auditing by learning the key components of a continuous monitoring, reporting and improvement program
• Promote a culture of compliance

Who Should Attend
• Healthcare CSO/CIO/CISOs
• Information security managers/administrators
• IT security analysts/managers/directors
• HIPAA compliance officers
• Compliance analysts
• Medical records supervisors
• Compliance auditors
• Healthcare security consultants
• IT managers in healthcare organizations

What You Will Receive
• Physical and digital workbooks
• Virtual machine tailored to the course
• HIPAA-based risk assessment tool

sans.org/SEC474 75
AUD507: Auditing Systems, Applications, and the Cloud
GSNA Systems and

Students learn how to use technical tests to develop the evidence needed to support their findings and recommendations. Each section affords students opportunities to use the tools and techniques discussed in class, with labs designed to simulate real-world enterprise auditing challenges and to allow the students to use appropriate tools and techniques to solve these problems.

needed the team so we could all use our strengths. Excellent coverage of everything we’ve learned without repeating exact exercises we had done in the week. Good way to know I did understand what we’ve been learning all week. The workbook was a good reference to return to.”
—Carmen P., U.S. Government

“The hands-on labs reinforce the learning from the book. I learn best when I can touch and feel the material being taught.”
—Rodney Newton, SAP

76 sans.org/AUD507
LDR512: Security Leadership Essentials for Managers
GSLC Security Leadership
giac.org/gslc
sans.org/MGT512 77
LDR514: Security Strategic Planning, Policy, and Leadership
Certification: GIAC Strategic Planning, Policy, and Leadership (GSTRT)
giac.org/gstrt
• Watch a preview of this course
• Discover how to take this course: Online, In-Person
sans.org/LDR514
78 sans.org/MGT514
LDR516: Managing Security Vulnerabilities: Enterprise and Cloud
LDR516: Building and Leading Vulnerability Management Programs
5 Day Program | 30 CPEs | Laptop Required

Stop Treating Symptoms. Cure the Disease.

Whether your vulnerability management program is well established or you are just getting started, this course will help you think differently about vulnerability management. You will learn how to move past the hype to successfully prioritize the vulnerabilities that are not blocked, then clearly and effectively communicate the risk associated with the rest of the vulnerabilities in your backlog that, for a variety of reasons, cannot currently be remediated.

You’ll also learn what mature organizations are doing to ease the burden associated with vulnerability management across both infrastructure and applications as well as across both their cloud and non-cloud environments. LDR516 is based on the Prepare, Identify, Analyze, Communicate, and Treat (PIACT) Model.

LDR516 helps you think strategically about vulnerability management in order to mature your organization’s program, but it also provides tactical guidance to help you overcome common challenges. By understanding and discussing solutions to typical issues that many organizations face across both traditional and cloud operating environments, you will be better prepared to meet the challenges of today and tomorrow. Knowing that many organizations are adopting cloud services in addition to continuing to manage their more traditional operating environments, we’ll also look at different cloud service types throughout the course and how they impact the program both positively and negatively. We will highlight some of the tools and processes that can be leveraged in each of these environments and present new and emerging trends.

Hands-On Training
LDR516 uses the Cyber42 leadership simulation game, critical thinking labs based on outlined scenarios, and demonstrations to provide you with the information you need to skillfully fight the VM battle. Cyber42 helps students absorb and apply the content throughout the course. In this web-based continuous tabletop exercise, students play to improve security culture, manage budget and schedule, and improve specific vulnerability management capabilities at the fictional organization, the “Everything Corporation” or “E Corp.” This puts you in real-world scenarios that require you to think through various options for improving the organization’s maturity by responding to specific events.

You Will Be Able To
• Create, implement, and mature your vulnerability management program and get buy-in from your stakeholders
• Implement techniques for building and maintaining an accurate and useful inventory of IT assets in the enterprise and the cloud
• Identify processes and technologies that are effective across both infrastructure and applications and know how to configure them appropriately
• Be aware of common false positives or false negatives in your identification arsenal
• Prioritize unblocked vulnerabilities for treatment based on a variety of techniques
• Effectively report and communicate vulnerability data within your organization
• Identify and report on the risk associated with vulnerabilities that are blocked and cannot currently be prioritized for remediation
• Have a better understanding of modern treatment capabilities and how to better engage with treatment teams
• Make vulnerability management more fun and engaging for all those involved
• Differentiate how to deal with application layer vulnerabilities versus infrastructure vulnerabilities
• Understand how your strategies and techniques might change as you move to the cloud, implement private cloud, or roll out DevOps within your organization

Business Takeaways
This course will help your organization:
• Understand what is working and what is not working in modern day vulnerability programs
• Anticipate and plan for the impacts related to cloud operating environments
• Realize why context matters and how to gather, store, maintain, and utilize contextual data effectively
• Effectively and efficiently communicate vulnerability data and its associated risk to key stakeholders
• Determine how to group vulnerabilities meaningfully to identify current obstacles or deficiencies
• Know which metrics will drive greater adoption and change within the organization
• Understand what remediation capabilities are available to assist technology teams in resolving vulnerabilities and proactively

“This course is essential for both well-established and developing vulnerability management teams.”
—Robert Adams, CBC

“A great course to utilize if new to cloud vulnerability management.”
—Amaan Mughal

sans.org/MGT516 79
LDR520: Leading Cloud Security Design and Implementation

Author Statement
“Cloud transition is common in many organizations these days, but many security leaders feel overwhelmed and underprepared for the security aspects of the cloud. When organizations accept security as an integral part of the transformation path, they can not only achieve the same level of security as their in-house IT environment, but also take advantage of a huge opportunity to leapfrog in security using cloud capabilities. In MGT520, we discuss industry-proven techniques to plan for the security aspects of cloud transformation. This course will arm students with the necessary information to confidently lead their organization towards securing the cloud workload and leveraging cloud capabilities to further enhance their security maturity in the IT environment.”
—Jason Lam

“This type of training, i.e., cloud security from a management perspective, is rare and the quality of this one is definitely amazing.”
—Benoit Ramillon, UEFA

80 sans.org/MGT520
LDR521: Leading Cybersecurity Change: Building a
Security-Based Culture
LDR521: Leading Cybersecurity Change:
Building a Security-Based Culture
5 Day Course | 30 CPEs | Laptop Not Needed
Build and Measure a Strong Security Culture

Drawing on real-world lessons from around the world, the SANS LDR521 course will teach you how to leverage the principles of organizational change in order to develop, maintain, and measure a security-driven culture. Through hands-on instruction and a series of interactive labs and exercises, you will apply these concepts to a variety of different real-world security initiatives and quickly learn how to embed cybersecurity into your organization’s culture immediately.

Apply findings from Daniel Kahneman’s Nobel prize-winning research, Thaler and Sunstein’s Nudge Theory, and Simon Sinek’s Golden Circle. Learn how Spock, Homer Simpson, the Elephant and Rider and the Curse of Knowledge all are keys to building a strong cybersecurity culture at your company.

Business Takeaways
• Create a far more secure workforce, both in their attitudes about cybersecurity and also in employee behaviors
• Enable the security team to create far stronger partnerships with departments and regions throughout the organization
• Dramatically improve the ROI of cybersecurity initiatives and projects through increased success and impact
• Improve communication between the cybersecurity team and business leaders
• Create stronger and more positive attitudes, perceptions and beliefs about the cybersecurity team

Hands-On Training
This five-section course includes 16 interactive labs that walk you through exercises and apply the lessons learned to a variety of typical real-world security situations and challenges. Many of the labs are carried out as teams, ensuring that you learn not only from the course materials but from other students and their experiences. Finally, the last section is a capstone event as you work through a series of case studies to see which team can create the strongest security culture. Culture is a very human and global challenge, and as such we want to expose you to as many different situations and perspectives as possible.

You Will Be Able To
• More effectively communicate the business value of cybersecurity to your Board of Directors and executives, improve collaboration with your peers, and more effectively engage your workforce
• Explain what organizational culture is, its importance to cybersecurity, and how to map and measure both your organization’s overall culture and security culture
• Align your cybersecurity culture to your organization’s strategy, including how to leverage different security frameworks and maturity models
• Explain what organizational change is, identify different models for creating change, and learn how to apply those models
• Enable and secure your workforce by integrating cybersecurity into all aspects of your organization’s culture
• Dramatically improve both the effectiveness and impact of your security initiatives, such as DevSecOps, Cloud migration, Vulnerability Management, Security Operations Center and other related security deployments
• Create and effectively communicate business cases to leadership and gain their support for your security initiatives
• Measure your security culture and present the impact of a strong security culture to leadership
• Leverage numerous templates and resources from the Digital Download Package and Community Forum that are part of the course and which you can then build on right away
Notice to Students
The course is recommended for more senior and/or more experienced cybersecurity managers,
officers, and awareness professionals. If you are new to cybersecurity, we recommend some of
SANS’ more basic courses, such as SEC301, SEC401, or LDR433.
sans.org/MGT521
LEG523: Law of Data Security and Investigations
Certification: GLEG Law of Data Security & Investigations (giac.org/gleg)
5 Day Program | 30 CPEs | Laptop Not Needed

LEG523 is constantly updated to address changing trends and current events, including:
• Supply chain terms and conditions
• The rising influence of the European Union’s General Data Protection Regulation (GDPR) in interpretation of cybersecurity law in the United States and around the world
• Understanding cyber insurance for a ransomware event
• Facing a cyber crisis? Filing a lawsuit in the courts of another country
• The arrest and criminal indictment of two Coalfire penetration testers in Iowa
• How to balance the right to data privacy versus the right to data security under GDPR and the new California Consumer Privacy Act
• Adopt peer review of cybersecurity program to better evidence legal compliance
• Video demonstration of how technical expert witnesses can handle adversarial cross-examination in a live online court hearing
• Creative insertion of terms, comments, and conditions in blockchain to influence commercial relationships such as contracts for technology services
• How to make better legal records of digital assets and trading platforms

New law on privacy, e-discovery, and data security is creating an urgent need for professionals who can bridge the gap between the legal department and the cybersecurity team. SANS LEG523 provides this unique professional training, including skills in the analysis and use of contracts, policies, and insurance security questionnaires.

This course covers the law of crime, policy, contracts, liability, compliance, cybersecurity, and active defense – all with a focus on electronically stored and transmitted records. It also teaches investigators how to prepare credible, defensible reports, whether for cyber crimes, forensics, incident response, human resource issues, or other investigations.

The Global Information Assurance Certification (GLEG) associated with LEG523 demonstrates to employers that you have absorbed the sophisticated content of this course and are ready to put it to use. This coveted GIAC certification distinguishes any professional – whether a cybersecurity specialist, auditor, lawyer, or forensics expert – from the rest of the pack. It also strengthens the credibility of forensics investigators as witnesses in court and can help a forensics consultant win more business. And the value of the certification will only grow in the years to come as law and security issues become even more interconnected.

The course also provides training and continuing education for many compliance programs under information security and privacy mandates such as GLBA, HIPAA, FISMA, GDPR, and PCI-DSS.

Each successive section of this course builds upon lessons from the earlier sections in order to comprehensively strengthen your ability to help your public or private sector enterprise cope with illegal hackers, botnets, malware, phishing, unruly vendors, data leakage, industrial spies, rogue or uncooperative employees, or bad publicity connected with cybersecurity. We cover topical stories, such as Home Depot’s legal and public statements about its payment card breach and lawsuits against QSA security vendor Trustwave filed by cyber insurance companies and credit card issuers (third parties with which Trustwave had no relationship!).

Recent updates to the course address hot topics such as legal tips on confiscating and interrogating mobile devices, the retention of business records connected with cloud computing and social networks like Facebook and Twitter, and analysis and response to the risks and opportunities surrounding open-source intelligence gathering.

You Will Be Able To
• Work better with other professionals at your organization who make decisions about the law of data security and investigations
• Exercise better judgment on how to comply with privacy and technology regulations, both in the United States and in other countries
• Evaluate the role and meaning of contracts for technology, including services, software, and outsourcing
• Help your organization better explain its conduct to the public and to legal authorities
• Anticipate cyber law risks before they get out of control
• Implement practical steps to cope with technology law risk
• Better explain to executives what your organization should do to comply with information security and privacy law
• Better evaluate technologies, such as digital archives and signatures, to comply with the law and serve as evidence
• Make better use of electronic contracting techniques to get the best terms and conditions
• Exercise critical thinking to understand the practical implications of technology laws and industry standards (such as the Payment Card Industry Data Security Standard)

“LEG523 provides a great foundation and introduction to the legal issues involving cybersecurity.”
— Tracey Kinslow, TN Air National Guard
Over the years this course has adopted an increasingly global perspective. Professionals from outside
the United States attend LEG523 because there is no training like it anywhere else in the world. For
example, a lawyer from the national tax authority in an African country took the course because
electronic filings, evidence, and investigations have become so important to her work. International
students help the instructor, U.S. attorney Benjamin Wright, constantly revise the course and include
more content that crosses borders.
One thing that sets this course apart is its emphasis on ethics. The course teaches practical lessons on ethical performance by cyber defenders and digital investigators.
sans.org/LEG523
LDR525: Managing Cybersecurity Initiatives and Effective Communication
Certification: GCPM Project Manager (giac.org/gcpm)
sans.org/MGT525
LDR551: Building and Leading Security Operations Centers
Certification: GIAC Security Operations Manager (GSOM) (giac.org/gsom)
5 Day Program | 30 CPEs | Laptop Required

Managers must show alignment to the business and demonstrate real value – a challenge when the threats are constantly changing and sometimes unseen. Managing a security operations center (SOC) requires a unique combination of technical knowledge, management skills, and leadership ability. LDR551 bridges gaps by giving students the technical means to build an effective defense and the management tools to build an effective team. Common questions SOC leaders face are:
• How do we know our security teams are aligned to the unique threats facing our organization?
• How do we get consistent results and prove that we can identify and respond to threats in time to minimize business impact?
• How can we build an empowering, learning environment where analysts can be creative and solve problems while focusing on the mission at hand?

Whether you are looking to build a new SOC or take your current team to the next level, LDR551 will super-charge your people, tools, and processes. Each section of LDR551 is packed with hands-on labs and introductions to some of the industry’s best free and open source tools, and each day concludes with Cyber42 SOC leadership simulation exercises. Students will learn how to combine SOC staff, processes, and technology in a way that promotes measurable results and covers all manner of infrastructure and business processes. Most importantly, students will learn how to keep the SOC growing, evolving, and improving over time.

Hands-On Training
While this course is focused on management and leadership, it is by no means limited to non-technical processes and theory. The course uses the Cyber42 interactive leadership simulation game to put you in real-world scenarios that spur discussion and critical thinking of situations that you will encounter at work. Throughout the five days of instruction, students will work on fifteen hands-on exercises covering everything from playbook implementation to use case database creation, attack and detection capability prioritization and visualization, and purple team planning, threat hunting, and reporting. Attendees will leave with a framework for understanding where their SOC should be focusing its efforts, how to track and organize defensive capabilities, and how to drive, verify, and communicate SOC improvements.

You Will Be Able To
• Collect the most important logs and network data
• Build, train, and empower a diverse team
• Create playbooks and manage detection use cases
• Use threat intelligence to focus your budget and detection efforts
• Utilize threat hunting and active defense strategies
• Implement efficient alert triage and investigation workflow
• Implement effective incident response planning and execution
• Choose metrics and a long-term strategy to improve the SOC
• Implement team member training, retention, and prevention of burnout
• Understand SOC assessment through capacity planning, purple team testing, and adversary emulation

“I would recommend this course to anyone running a security operations team. I’d further recommend it to more experienced analysts so they can begin to see the bigger picture.”
—Robert Wilson, University of South Carolina

• Watch a preview of this course
• Discover how to take this course: Online, In-Person
sans.org/LDR551
sans.org/MGT551
LDR553: Cyber Incident Management
sans.org/MGT553
SEC566: Implementing and Auditing Security Frameworks and Controls
Certification: GCCC Critical Controls (giac.org/gccc)
sans.org/SEC566
An exclusive networking and knowledge-sharing
opportunity for security leaders
SANS supports the cyber security community through the provision of world-leading training, certification, skills
development programmes and through a vast array of free resources.
In addition, we have created a networking group for senior security professionals.
Our aim is to help ease the pressure of working as a security decision-maker by providing an environment in which
ideas and lessons-learned can be shared amongst a peer group of influencers and thought leaders.
The network is open exclusively to security leaders at the highest level and connects a unique group of professionals
who have the appetite and the authority to make a meaningful difference. By sharing ideas and lessons learnt from
a wide variety of industries, the SANS CISO Network provides its members with a platform to influence our digital
future and make the world a safer place.
James Lyne
James Lyne is the Chief of Innovation at SANS Institute. James has worked with many
organisations on security strategy, handled a number of severe incidents and is a frequent
industry advisor. He is a certified instructor at the SANS Institute and is often a headline
presenter at industry conferences.
Frank Kim
Founder of ThinkSec, a security consulting and CISO advisory firm. Previously, as CISO at the
SANS Institute, Frank led the information risk function for the most trusted source of computer
security training and certification in the world. With the SANS Institute, Frank continues to lead
the CISO and cloud security curricula, helping to develop the next generation of security leaders.
Range Selection
• Bootup CTF (Entry Level): Q&A basics for all NetWars practitioners to keep up on
• Specialty Spectrum: Mini & Healthcare > Core >> Cyber Defense, DFIR & ICS >>> Grid
• Cyber42: Specific to cybersecurity leadership
• Cyber City (Elite Tier): Specific to public defenders – infrastructure
• Cyber STX (Elite Tier): Specific to gov and military – kinetic cyber combat

Grow Your Expertise
There is a natural progression from one range to another as the disciplines increase in specialty, complexity, seniority, and risk. Ranges are built upon each other to form a holistic and complete practice portfolio for our customers to experience.
SANS CURRICULUM FOCUS AREA
Cloud Security
• Harden and configure public cloud services from AWS, Azure, and Google Cloud Platform (GCP)
• Automate security and compliance best practices
• Use cloud services to securely build and deploy systems and applications
• Inject security seamlessly into your DevOps toolchain
• Securely build, deploy, and manage containers and Kubernetes
• Discover vulnerabilities and weaknesses in your cloud environments
• Find attacker activity in your cloud logs

• We are building a diverse community of cloud security professionals. Join us in our new Discord channel: sansurl.com/cloud-discord
• SANS Cloud Ace podcast has now launched. Stay tuned in at sans.org/podcasts/cloud-ace
• The SANS Technology Institute’s undergraduate and graduate cybersecurity programs, including a certificate in Cloud Security: sans.edu

“The world has shifted to the cloud and we, as security professionals, have to make the same shift.”
—Daniel Harrison, Capital One

Cloud Security Job Roles:
• Cloud Security Analyst
• Cloud Security Engineer
• Cloud Security Architect
• Cloud Security Manager
• DevOps Professionals
SEC488: Cloud Security Essentials
Certification: GIAC Cloud Security Essentials (GCLD) (giac.org/gcld)

Business Takeaways
• Understand the current cloud deployment
• Protect cloud-hosted workloads, services, and virtual machines
• Cost-effectively select appropriate services and configure properly to adequately defend cloud resources
• Get in front of common security misconfigurations BEFORE they are implemented in the cloud
• Ensure business is aligning to industry regulations and laws when operating in the cloud
• Decrease adversary dwell time in compromised cloud deployments

GIAC Cloud Security Essentials
“The GIAC Cloud Security Essentials (GCLD) certification proves that the certificate holder understands many of the security challenges brought forth when migrating systems and applications to cloud service provider (CSP) environments. Understanding this new threat landscape is only half the battle. The GCLD certification goes one step further – proving that the defender can implement preventive, detective, and reactionary techniques to defend these valuable cloud-based workloads.”
—Ryan Nicholson, SANS SEC488 Course Author

• Evaluation of cloud service provider similarities, differences, challenges, and opportunities
• Planning, deploying, hardening, and securing single and multi-cloud environments
• Basic cloud resource auditing, security assessment, and incident response

• Watch a preview of this course
• Discover how to take this course: Online, In-Person
sans.org/SEC488
SEC510: Public Cloud Security: AWS, Azure, and GCP
Certification: GIAC Public Cloud Security (GPCS) (giac.org/gpcs)
• Watch a preview of this course
• Discover how to take this course: Online, In-Person
sans.org/SEC510
SEC522: Application Security: Securing Web Apps, APIs, and Microservices
Certification: GWEB Web Application
6 Day Program | 36 CPEs | Laptop Required
It’s not a matter of “if” but “when.” Be prepared for a web attack. We’ll teach you how.

During the course, we demonstrate the risks of web applications and the extent of sensitive data that can be exposed or compromised. From there, we offer real world solutions on how to mitigate these risks and effectively evaluate and communicate residual risks.

After attending the class, students will be able to apply what they learned quickly and bring back techniques to not only better secure their applications, but also do so efficiently by adding security early in the software development life cycle, shifting left security decisions and testing, thus saving time, money, and resources for the organization.

Business Takeaways
• Comply with PCI DSS 6.5 requirements
• Reduce the overall application security risks, protect company reputation
• Adopt the shifting left mindset where security issues are addressed early and quickly. This avoids costly rework.
• Ability to adopt modern apps with API and microservices in a secure manner
• This course prepares students for the GWEB certification

Hands-on Training
The provided VM lab environment contains a realistic application environment to explore the attacks and the effects of the defensive mechanisms. The exercises are structured in a challenge format with hints available along the way. The practical hands-on exercises help students gain experience to hit the ground running back at the office. There are 20 labs in section 1 to section 5 of the class, and in the last section there is a capstone exercise called Defending the Flag with 3–4 hours of dedicated competitive exercise time.
• SECTION 1: HTTP Basics, HTTP/2 traffic inspection and spoofing, Environment isolation, SSRF and credential-stealing
• SECTION 2: SQL Injection, Cross Site Request Forgery, Cross Site Scripting, Unicode and File Upload
• SECTION 3: Authentication vulnerabilities and defense, Multifactor authentication, Session vulnerabilities and testing, Authorization vulnerabilities and defense, SSL vulnerabilities and testing, Proper encryption use in web application
• SECTION 4: WSDL enumerations, Cross Domain AJAX, Front End Features and CSP (Content Security Policy), Clickjacking
• SECTION 5: Deserialization and DNS rebinding, GraphQL, API gateways and JSON, SRI and Log review
• SECTION 6: Defending the Flag capstone exercise

You Will Be Able To
• Defend against the attacks specified in OWASP Top 10
• Infrastructure security and configuration management
• Securely integrating cloud components into a web application
• Authentication and authorization mechanisms, including single sign-on patterns
• Cross-domain web request security
• Protective HTTP headers
• Defending SOAP, REST and GraphQL APIs
• Securely implement Microservice architecture
• Defending against input related flaws such as SQL injection, XSS and CSRF

“Labs were fun and challenging.”
—Linh Sithihao, Dignity Health

“[Labs are] thought out and easy to follow with good practical knowledge learned.”
—Barbara Boone, CDC

“Lots of good hands-on exercises using real-world examples.”
—Nicolas Kravec, Morgan Stanley

sans.org/SEC522
SEC540: Cloud Security and DevSecOps Automation
Certification: GIAC Cloud Security Automation (GCSA) (giac.org/gcsa)
• Watch a preview of this course
• Discover how to take this course: Online, In-Person
sans.org/SEC540
SEC541: Cloud Security Attacker Techniques, Monitoring, and Threat Detection
Certification: GCTD Cloud Threat Detection (giac.org/gctd)
5 Day Program | 30 CPEs | Laptop Required
Attackers can run but not hide. Our radar sees all threats.

SEC541 is a cloud security course that investigates how attackers are operating against Amazon Web Services (AWS) and Microsoft Azure environments, the attacker’s characteristics, and how to detect and investigate suspicious activity in your cloud infrastructure. You will learn how to spot the malice and investigate suspicious activity in your cloud infrastructure. In order to protect against cloud environment attacks, an organization must know which types of attacks are most likely to happen in its environment, be able to capture the correct data in a timely manner, and be able to analyze that data within the context of its cloud environment and overall business objectives.

SEC541 starts each day by walking through a real-world attack campaign against a cloud infrastructure. We will break down how it happened, what made it successful, and what could have been done to catch the attackers in the act. After dissecting the attacks, we learn how to leverage cloud native and cloud integrated capabilities to detect, threat hunt, or investigate similar attacks in a real environment, building our arsenal of analytics, detections and best practices. The course dives into the AWS and Azure services, analyzing logs and behaviors and building analytics that the students can bring back to their own cloud infrastructure.

Business Takeaways
• Decrease the average time an attacker is in your environment
• Demonstrate how to automate analytics, thus reducing time
• Help your organization properly set up logging and configuration
• Decrease the risk of costly attacks by understanding and leveraging cloud specific security services
• Lessen the impact of breaches that do happen
• Learn how to fly the plane, not just the ability to read the manual

Hands-on Training
The labs in this course are hands-on explorations into AWS and Azure logging and monitoring services. About 75% of labs are AWS and 25% Azure. Each lab will start by researching a particular threat and the data needed to detect it. In most labs, the students will conduct the attack against their accounts, generating the logs and data needed to perform analysis. Students will use native AWS and Azure services and open-source products to extract, transform, and analyze the threat. The course lecture coupled with the labs will give students a full picture of how those services within AWS & Azure work, the data they produce, and common ways to analyze the data, and students will walk away with the ability to discern and analyze similar attacks in their own cloud environment.
• SECTION 1: SEC541 environment deployment, analyzing cloud API logs with CloudTrail, parsing JSON-formatted logs with JQ, network analysis
• SECTION 2: Environment setup, application/OS log lab with OpenCanary, CloudWatch agent and customization, strange ECS behavior, finding data exfiltration
• SECTION 3: Metadata services and GuardDuty, cloud inventory, discovering sensitive data in unapproved location with Macie, vulnerability assessment with Inspector, data centralization with Graylog
• SECTION 4: Microsoft 365 Exchange investigation, introduction to Kusto Query Language, log analytics analysis using Azure CLI, Microsoft Defender for Cloud and Sentinel, and Azure network traffic analysis
• SECTION 5: Set up the automated forensics workflow, analyze the results, participate in the CloudWars Challenge

You Will Be Able To
• Research attacks and threats to cloud infrastructure and how they could affect you
• Break down a threat into detectable components
• Effectively use AWS and Azure core logging services to detect suspicious behaviors
• Make use of cloud native API logging as the newest defense mechanism in cloud services
• Move beyond the cloud-provided Graphic User Interfaces to perform complex analysis
• Perform network analysis with cloud-provided network logging
• Understand how application logs can be collected and analyzed inside the cloud environment
• Effectively put into practice the AWS and Azure security specific services
• Integrate container, operating system, and deployed application logging into cloud logging services for more cohesive analysis
• Centralize log data from across your enterprise for better analysis
• Perform inventory of cloud resources and sensitive data using scripts and cloud native tooling
• Analyze Microsoft 365 activity to uncover threats
• Leverage cloud native architecture to automate response actions to attacks

Authors’ Statement
“Cloud service providers are giving us new tools faster than we can learn how to use them. As with any new and complex tool, we need to get past the surface-level how-to in order to radically reshape our infrastructure. This course is an overview of the elements of AWS and Azure that we may have used before but are ready to truly explore. By the end of the class, you’ll be confident knowing that you have the skills to start looking for the threats and building a true threat detection program in AWS and Azure.”
—Shaun McCullough and Ryan Nicholson

sans.org/SEC541
SEC549: Enterprise Cloud Security Architecture
sans.org/SEC549
SEC588: Cloud Penetration Testing
Certification: GIAC Cloud Penetration Tester (GCPN) (giac.org/gcpn)
6 Day Program | 36 CPEs | Laptop Required
Aim Your Arrows To The Sky And Penetrate The Cloud

You have been asked to perform a penetration test, security assessment, maybe an Attacker Simulation or a red team exercise. The environment in question is mainly cloud-focused. It could be entirely cloud-native for the service provider or Kubernetes-based. Perhaps the environment in question is even multi-cloud, having assets in both Amazon and Azure. What if you have to assess Azure Active Directory, Amazon Web Services (AWS) workloads, serverless functions, or Kubernetes? SEC588: Cloud Penetration Testing will teach you the latest penetration testing techniques focused on the cloud and how to assess cloud environments.

Computing workloads have been moving to the cloud for years. Analysts predict that most, if not all, companies will soon have workloads in public and other cloud environments. While organizations that start in a cloud-first environment may eventually move to a hybrid cloud and local data center solution, cloud usage will not decrease significantly. So when assessing risks to an organization going forward, we need to be prepared to evaluate the security of cloud-delivered services.

The most commonly asked questions regarding cloud security when it comes to penetration testing are: Do I need to train specifically for engagements that are cloud-specific? and Can I accomplish my objectives with other pen test training and apply it to the cloud? In cloud-service-provider environments, penetration testers will not encounter a traditional data center design; there will be new attack surface areas in the service (control) planes of these environments. Learning how such an environment is designed and how you as a tester can assess what is in it is a niche skill set that must be honed. What we rely on to be true in a classical data center environment, such as who owns the Operating System and the infrastructure and how the applications are running, will likely be very different. Applications, services, and data will be hosted on a shared hosting environment unique to each cloud provider.

SEC588: Cloud Penetration Testing draws from many skill sets required to assess a cloud environment properly. If you are a penetration tester, the course will provide a pathway to understanding how to take your skills into cloud environments. If you are a cloud-security-focused defender or architect, the course will show you how the attackers are abusing cloud infrastructure to gain a foothold in your environments.

The course dives into topics of classic cloud Virtual Machines, buckets, and other new issues that appear in cloud-like microservices, in-memory data stores, files in the cloud, serverless functions, Kubernetes meshes, and containers. It also covers Azure and AWS penetration testing, which is particularly important given that AWS and Microsoft account for more than half of the market. The goal is not to demonstrate these technologies but to teach you how to assess and report on the actual risk your organization could face if these services are left insecure.

You Will Be Able To
• Conduct cloud-based penetration tests
• Assess cloud environments and bring value back to the business by locating vulnerabilities
• Understand first-hand how cloud environments are constructed and how scale factors into the gathering of evidence
• Assess security risks in Amazon and Microsoft Azure environments, the two largest cloud platforms in the market today
• Immediately apply what you have learned to your work

GIAC Cloud Penetration Tester
“The GIAC Cloud Penetration Testing (GCPN) certification provides our industry with a first focused exam on both cloud technologies and penetration testing disciplines. This certification will require a mastery in assessing the security of systems, networks, web applications, web architecture, cloud technologies, and cloud design. Those that hold the GCPN have been able to cross these distinct discipline areas and simulate the ways that attackers are breaching modern enterprises.”
— Moses Frost, Course Author

SEC588: Cloud Penetration Testing
• Cloud Penetration Testing Fundamentals, Environment Mapping, and Service Discovery
• AWS and Azure Cloud Services and Attacks
• Cloud Native Applications with Containers and CI/CD Pipelines

“SANS course SEC588 taught me more than I expected. With the rapid development of new technologies offered by cloud providers, SEC588 has given me an important framework for cloud pen testing.”
—Jonus Gerrits, Phillips 66

sans.org/SEC588
MGT516: Managing Security Vulnerabilities: Enterprise and Cloud
MGT516: Building and Leading Vulnerability Management Programs

5 Day Program, 30 CPEs, Laptop Required

Stop Treating Symptoms. Cure the Disease.

Whether your vulnerability management program is well established or you are just getting started, this course will help you think differently about vulnerability management. You will learn how to move past the hype to successfully prioritize the vulnerabilities that are not blocked, then clearly and effectively communicate the risk associated with the rest of the vulnerabilities in your backlog that, for a variety of reasons, cannot currently be remediated. You’ll also learn what mature organizations are doing to ease the burden associated with vulnerability management across both infrastructure and applications as well as across both their cloud and non-cloud environments. MGT516 is based on the Prepare, Identify, Analyze, Communicate, and Treat (PIACT) Model.

MGT516 helps you think strategically about vulnerability management in order to mature your organization’s program, but it also provides tactical guidance to help you overcome common challenges. By understanding and discussing solutions to typical issues that many organizations face across both traditional and cloud operating environments, you will be better prepared to meet the challenges of today and tomorrow. Knowing that many organizations are adopting cloud services in addition to continuing to manage their more traditional operating environments, we’ll also look at different cloud service types throughout the course and how they impact the program both positively and negatively. We will highlight some of the tools and processes that can be leveraged in each of these environments and present new and emerging trends.

Hands-On Training

MGT516 uses the Cyber42 leadership simulation game, critical thinking labs based on outlined scenarios, and demonstrations to provide you with the information you need to skillfully fight the VM battle. Cyber42 helps students absorb and apply the content throughout the course. In this web-based continuous tabletop exercise, students play to improve security culture, manage budget and schedule, and improve specific vulnerability management capabilities at the fictional organization, the “Everything Corporation” or “E Corp.” This puts you in real-world scenarios that require you to think through various options for improving the organization’s maturity by responding to specific events.

You Will Be Able To
• Create, implement, and mature your vulnerability management program and get buy-in from your stakeholders
• Implement techniques for building and maintaining an accurate and useful inventory of IT assets in the enterprise and the cloud
• Identify processes and technologies that are effective across both infrastructure and applications and know how to configure them appropriately
• Be aware of common false positives or false negatives in your identification arsenal
• Prioritize unblocked vulnerabilities for treatment based on a variety of techniques
• Effectively report and communicate vulnerability data within your organization
• Identify and report on the risk associated with vulnerabilities that are blocked and cannot currently be prioritized for remediation
• Have a better understanding of modern treatment capabilities and how to better engage with treatment teams
• Make vulnerability management more fun and engaging for all those involved
• Differentiate how to deal with application layer vulnerabilities versus infrastructure vulnerabilities
• Understand how your strategies and techniques might change as you move to the cloud, implement private cloud, or roll out DevOps within your organization

Business Takeaways
This course will help your organization:
• Understand what is working and what is not working in modern day vulnerability programs
• Anticipate and plan for the impacts related to cloud operating environments
• Realize why context matters and how to gather, store, maintain, and utilize contextual data effectively
• Effectively and efficiently communicate vulnerability data and its associated risk to key stakeholders
• Determine how to group vulnerabilities meaningfully to identify current obstacles or deficiencies
• Know which metrics will drive greater adoption and change within the organization
• Understand what remediation capabilities are available to assist technology teams in resolving vulnerabilities and proactively

“This course is essential for both well-established and developing vulnerability management teams.”
—Robert Adams, CBC

“A great course to utilize if new to cloud vulnerability management.”
—Amaan Mughal

sans.org/MGT516
MGT520: Leading Cloud Security Design and Implementation

Author Statement
“Cloud transition is common in many organizations these days, but many security leaders feel overwhelmed and underprepared for the security aspects of the cloud. When organizations accept security as an integral part of the transformation path, they can not only achieve the same level of security as their in-house IT environment, but also take advantage of a huge opportunity to leapfrog in security using cloud capabilities. In MGT520, we discuss industry-proven techniques to plan for the security aspects of cloud transformation. This course will arm students with the necessary information to confidently lead their organization towards securing the cloud workload and leveraging cloud capabilities to further enhance their security maturity in the IT environment.”
—Jason Lam

“This type of training, i.e., cloud security from a management perspective, is rare and the quality of this one is definitely amazing.”
—Benoit Ramillon, UEFA

sans.org/MGT520
Voucher Program

The SANS Voucher Program allows organizations to:
• Efficiently purchase training in bulk using a single procurement process as compared to employees individually procuring courses
• Centrally administer use of training funds and monitor investments for optimal budgeting using the SANS Admin Tool
• Track and measure student course progress, final test scores and earned certifications

sans.org/group-purchasing
SANS CURRICULUM FOCUS AREA
Industrial Control Systems (ICS) Security

• Recognize ICS components, purposes, deployments, significant drivers, and constraints
• Identify ICS assets and their network topologies and how to monitor ICS hotspots for abnormalities and threats
• Understand approaches to system and network defense architectures and techniques
• Perform ICS incident response focusing on security operations and prioritizing the safety and reliability of operations
• Implement effective cyber and physical access controls

Resources
• Grid Netwars, ICS Netwars: sans.org/netwars
• SANS Summit: ICS Security Summit & Training: sans.org/summit
• Free Resources: Webcasts, blogs, forums, research, and more: ics.sans.org
• The SANS Technology Institute’s undergraduate and graduate cybersecurity programs, including a Graduate Certificate in Industrial Control Systems: sans.edu

“The training starts with theory and quickly progresses into full hands-on interaction with all components. This experience is not easy to find.”
—Bassem Hemida, Deloitte

Industrial Control Systems Job Roles:
• ICS/OT Security Assessment Consultant
• ICS Security Engineer
• ICS Security Analyst
• Control Systems Engineer
• ICS Cybersecurity Engineer
• ICS/OT Security Manager
ICS410: ICS/SCADA Security Essentials

GICSP: Industrial Cyber Security Professional, giac.org/gicsp

6 Day Program, 36 CPEs, Laptop Required

SANS has joined forces with industry leaders to equip security professionals and control system engineers with the cybersecurity skills they need to defend national critical infrastructure. ICS410: ICS/SCADA Security Essentials provides a foundational set of standardized skills and knowledge for industrial cybersecurity professionals. The course is designed to ensure that the workforce involved in supporting and defending industrial control systems (ICS) is trained to keep the operational environment safe, secure, and resilient against current and emerging cyber threats.

The course will provide you with:
• An understanding of ICS components, purposes, deployments, significant drivers, and constraints
• Hands-on lab learning experiences to control system attack surfaces, methods, and tools
• Control system approaches to system and network defense architectures and techniques
• Incident-response skills in a control system environment
• Governance models and resources for industrial cybersecurity professionals

When examining the greatest risks and needs in critical infrastructure sectors, the course authors looked carefully at the core security principles necessary for the range of tasks involved in supporting control systems on a daily basis. While other courses are available for higher-level security practitioners who need to develop specific skills such as industrial control system penetration testing, vulnerability analysis, malware analysis, forensics, secure coding, and red team training, most of these courses do not focus on the people who operate, manage, design, implement, monitor, and integrate critical infrastructure production control systems.

With the dynamic nature of industrial control systems, many engineers do not fully understand the features and risks of many devices. In addition, IT support personnel who provide the communications paths and network defenses do not always grasp the systems’ operational drivers and constraints. This course is designed to help traditional IT personnel fully understand the design principles underlying control systems and how to support those systems in a manner that ensures availability and integrity. In parallel, the course addresses the need for control system engineers and operators to better understand the important role they play in cybersecurity. This starts by ensuring that a control system is designed and engineered with cybersecurity built into it, and that cybersecurity has the same level of focus as system reliability throughout the system lifecycle.

When these different groups of professionals complete this course, they will have developed an appreciation, understanding, and common language that will enable them to work together to secure their industrial control system environments. The course will help develop cyber-secure-aware engineering practices and real-time control system IT/OT support carried out by professionals who understand the physical effects of actions in the cyber world.

You Will Be Able To
• Better understand various industrial control systems and their purpose, application, function, and dependencies on network IP and industrial communications
• Work with control network infrastructure design (network architecture concepts, including topology, protocols, and components) and their relation to IEC 62443 and the Purdue Model
• Run Windows command line tools to analyze the system looking for high-risk items
• Run Linux command line tools (ps, ls, netstat, etc.) and basic scripting to automate the running of programs to perform continuous monitoring of various tools
• Work with operating systems (system administration concepts for Unix/Linux and/or Windows operating systems)
• Better understand the systems’ security lifecycle
• Better understand information assurance principles and tenets (confidentiality, integrity, availability, authentication, non-repudiation)
• Use your skills in computer network defense to detect host and network-based intrusions via intrusion detection technologies
• Implement incident response and handling methodologies
• Map different ICS technologies, attacks, and defenses to various cybersecurity standards including the NIST Cyber Security Framework, ISA/IEC 62443, ISO/IEC 27001, NIST SP 800-53, the Center for Internet Security Critical Security Controls, and COBIT 5

Author Statement
“This course provides students with the essentials for conducting cybersecurity work in industrial control system environments. After spending years working with industry, we believe there is a gap in the skill sets of industrial control system personnel, whether it be cybersecurity skills for engineers or engineering principles for cybersecurity experts. In addition, both information technology and operational technology roles have converged in today’s industrial control system environments, so there is a greater need than ever for a common understanding between the various groups who support or rely on these systems. Students in ICS410 will learn the language, the underlying theory, and the basic tools for industrial control system security in settings across a wide range of industry sectors and applications.”
– Justin Searle

“A mix of hands-on and theoretical class, being driven by a highly skilled instructor, makes this the best training in ICS security.”
—Rafael Issa, Technip

sans.org/ICS410
ICS418: ICS Security Essentials for Managers

2 Day Course, 12 CPEs, Laptop Required

ICS security is an ever-changing field requiring practitioners to continually adapt defense strategies to meet new challenges and threats. To compound the issue, any security changes need to be thoroughly tested to maintain the safety and reliability of industrial operations. Globally, “critical infrastructure” and “operators of essential services” represent hundreds of thousands – if not millions—of industrial organizations. Some of them are the lifelines to our modern society, like water, energy, food processing, and critical manufacturing—but every industrial facility deserves to know their process is secure and safe. With increased threats, new technology trends, and evolving workforce demands, it is vital for security managers in operational technology (OT) to be trained in techniques to defend their facilities and their teams.

The two-day ICS418 fills the identified gap amongst leaders working across critical infrastructure and OT environments. It equips new or existing managers responsible for OT/ICS, or converged IT/OT cybersecurity. The course provides the experience and tools to address industry pressures to manage cyber risk to prioritize the business—as well as the safety and reliability of operations. ICS leaders will leave the course with a firm understanding of the drivers and constraints that exist in these cyber-physical environments and will obtain a nuanced understanding of how to manage the people, processes, and technologies throughout their organizations.

You Will Be Able To
• Articulate the value of ICS security and tie cyber risk to business risk decisions
• Trend current and future technology changes to address business needs
• Measure successes in industrial cyber risk management, complete with metrics for executives and boards
• Use best practices to enable ICS security incident detection and response for their teams
• Leverage external information, including threat intelligence, to guide their ICS security program
• Provide governance, oversight, execution, and support across industrial facilities for ICS security initiatives and projects
• Apply the differences between IT and ICS security for an effective control system cybersecurity program
• Develop their security workforce to address gaps in hiring, training, and retention
• Apply advanced techniques to help shape and shift their organization’s culture of security

Authors’ Statement
“Now, more than ever, it is important to train and equip ICS security leaders with the skills and knowledge they need to protect critical infrastructure. This course is the culmination of decades of experience in building and managing OT/ICS security teams—and it is the course we wish was available to us when we started on our ICS security journey. We’ve drawn across our roles in different industrial sectors and teams—as former company executives, team leads, incident responders, and managers—to create a course empowering leaders facing the greatest challenge of our time: industrial control system cybersecurity.”
—Jason D. Christopher & Dean C. Parsons

Who Should Attend
ICS418 is aimed at managers of staff who are responsible for securing the day to day running of operational technology and industrial control system environments across an organization—this includes distributed control systems (DCS) and supervisory control and data acquisition (SCADA) systems. Managers of these teams often come from a diverse background with either a focus on management skills and minimal understanding of ICS environments, or technical individuals who rise in the ranks to a leader with minimal management skill development. The course was designed to bridge the gap between those two skill sets, “raising the water level for all ships” when it comes to ICS security managers, including:
• Manager asked to “Step-Over”: Traditional information technology (IT) security manager that must create, lead, or refine an ICS Security program
• Practitioner to Manager: “Step-Up”: Industrial engineer, operator, or ICS security practitioner promoted to a manager position to create, lead, or refine an ICS security program
• Manager Development: “In-Place”: An existing ICS security manager that is looking to further develop their leadership skills, specific to industrial security

Section Descriptions

SECTION 1: ICS Security Manager Core Development and Responsibilities
Industrial control systems (ICS) security managers must be able to create and sustain cybersecurity programs with challenging constraints. These leaders must be able to manage industrial cyber risks, plan for evolving technologies, and incorporate ICS-specific security standards. On the first day, students will learn the differences between traditional information technology (IT) and operational technology (OT) systems, as well as the associated threats, vulnerabilities, and potential impacts from ICS-specific cyber attacks. Once these elements of industrial cyber risk are established, students will explore using industry best practices, guidelines, and standards to assess and measure ICS security programs.
TOPICS: Overview of ICS and Critical Infrastructure; Attack History & Modern Adversaries; Cybersecurity Risk, Impacts, Goals and Safety; ICS Technology Trends; IT and OT Security Differences; ICS Incident Response Management; Industrial Cyber Risk Management; ICS Policy, Frameworks, Regulations and Compliance; Strategy Planning and Tactical Priorities

SECTION 2: ICS Security Team Development Focus
The second section of this course builds on the concepts around building an ICS security program and explores the workforce needs to manage the day-to-day tasks, planning, and reporting required to minimize cyber risk. Students will be equipped with a common understanding of the ICS security and safety culture, the skills required to perform various job functions, and both company-wide and team-specific security controls.
TOPICS: Governance, Oversight, Execution, and Support; Dedicated ICS Security Efforts and Measuring Value; Organization Roles and Responsibilities; Key Performance Indicators; Building and Maturing Effective ICS Security Teams; Building and Maturing ICS Cyber Defense Programs; ICS Security Awareness and Safety Culture; Executive Metrics and Communications

sans.org/ICS410
ICS456: Essentials for NERC Critical Infrastructure Protection

GCIP: Critical Infrastructure Protection

5 Day Program, 31 CPEs, Laptop Required

This course empowers students with knowledge of the “what” and the “how” of the version 5/6 standards. The course addresses the role of the Federal Energy Regulatory Commission (FERC), North American Reliability Corporation (NERC), and the Regional Entities, provides multiple approaches for identifying and categorizing Bulk Electric System (BES) cyber systems, and helps asset owners determine the requirements applicable to specific implementations. Additionally, the course covers implementation strategies for the version 5/6 requirements with a balanced practitioner approach to both cybersecurity benefits, as well as regulatory compliance.

This course goes far beyond other NERC Critical Infrastructure Protection (CIP) courses that only teach what the standards are by providing information that will help you develop and maintain a defensible compliance program and achieve a better understanding of the technical aspects of the standards. Our 25 hands-on labs utilize three provided virtual machines that enable students to learn skills ranging from securing workstations to performing digital forensics and lock picking. Our students consistently tell us that these labs reinforce the learning and prepare them to do their jobs better.

You Will Learn:
• BES cyber system identification and strategies for lowering their impact rating
• Nuances of NERC-defined terms and the applicability of CIP standards and how subtle changes in definitions can have a big impact on your program
• The significance of properly determining cyber system impact ratings and strategies for minimizing compliance exposure
• Strategic implementation approaches for supporting technologies
• How to manage recurring tasks and strategies for CIP program maintenance
• Effective implementations for cyber and physical access controls
• How to break down the complexity of NERC CIP in order to communicate with your leadership
• What to expect in your next CIP audit, how to prepare supporting evidence, and how to avoid common pitfalls
• How to understand the most recent Standards Development Team’s efforts and how that may impact your current CIP program

You Will Be Able To
• Understand the cybersecurity objectives of the NERC Critical Infrastructure Protection (CIP) standards
• Understand the NERC regulatory framework, its source of authority, and the process for developing CIP standards, as well as their relationship to the other Bulk Electric System (BES) reliability standards
• Speak fluent NERC CIP and understand how seemingly similar terms can have significantly different meanings and impacts on your compliance program
• Break down the complexity to more easily identify and categorize BES cyber assets and systems
• Develop better security management controls by understanding what makes for effective cybersecurity policies and procedures
• Understand physical and logical controls and monitoring requirements
• Make sense of the CIP-007 system management requirements and their relationship to CIP-010 configuration management requirements, and understand the multiple timelines for assessment and remediation of vulnerabilities
• Determine what makes for a sustainable personnel training and risk assessment program
• Develop strategies to protect and recover BES cyber system information
• Know the keys to developing and maintaining evidence that demonstrates compliance and be prepared to be an active member of the audit support team
• Sharpen your CIP Ninja!

sans.org/ICS456
ICS515: ICS Visibility, Detection, and Response

GRID: Response and Industrial Defense, giac.org/grid

6 Day Program, 36 CPEs, Laptop Required

ICS515: ICS Visibility, Detection, and Response will help you gain visibility and asset identification in your Industrial Control System (ICS)/Operational Technology (OT) networks, monitor for and detect cyber threats, deconstruct ICS cyber attacks to extract lessons learned, perform incident response, and take an intelligence-driven approach to executing a world-leading ICS cybersecurity program to ensure safe and reliable operations.

The course will empower students to understand their networked ICS environment, monitor it for threats, perform incident response against identified threats, and learn from interactions with the adversary to enhance network security. This approach is important to being able to counter sophisticated threats such as those seen with malware including STUXNET, HAVEX, BLACKENERGY2, CRASHOVERRIDE, TRISIS/TRITON, and ransomware. In addition, the efforts are also critical to understanding and running a modern day complex automation environment and achieving root cause analysis for non cyber-related events that manifest over the network. Students can expect to come out of this course with core skills necessary for any ICS cybersecurity program.

The course uses a hands-on approach with numerous technical data sets from ICS ranges and equipment with emulated attacks and real world malware deployed in the ranges for a highly simulated experience detecting and responding to threats. Students will also interact with and keep a programmable logic controller (PLC), physical kit emulating electric system operations at the generation, transmission, and distribution level, and virtual machine set up as a human machine interface (HMI) and engineering workstation (EWS).

Students will spend roughly half the course performing hands on skills across more than 25 technical exercises and an all day technical capstone. Students will gain a practical and technical understanding of defining an ICS cybersecurity strategy, leveraging threat intelligence, performing network security monitoring, and performing incident response. Frameworks such as the ICS Cyber Kill Chain, Collection Management Framework, and Active Cyber Defense Cycle will be taught to give students repeatable frameworks and models to leverage post class.

The strategic and technical skills presented in this course serve as a basis for ICS organizations looking to show that ICS defense is do-able.

You Will Be Able To
• Analyze ICS-specific threats and take proper courses of action to defend the industrial control systems
• Establish collection, detection, and response strategies for your ICS networks
• Use proper procedures during ICS incident response
• Examine ICS networks and identify the assets and their data flows in order to understand the network information needed to identify advanced threats
• Use active defense concepts such as threat intelligence consumption, network security monitoring, malware analysis, and incident response to safeguard the ICS
• Build your own Programmable Logic Controller using the SANS ICS515 Student Kit, which you retain after the class ends
• Gain in-depth knowledge on ICS targeted threats and malware including STUXNET, HAVEX, BLACKENERGY2, CRASHOVERRIDE, TRISIS/TRITON, and EKANS
• Leverage technical tools such as Shodan, Wireshark, Zeek, Suricata, Volatility, FTK Imager, PDF analyzers, PLC programming software, and more
• Create indicators of compromise (IOCs) in YARA
• Take advantage of models such as the Sliding Scale of Cybersecurity, the Active Cyber Defense Cycle, the Collection Management Framework, and the ICS Cyber Kill Chain to extract information from threats and use it to encourage the long-term success of ICS network security

GIAC Response and Industrial Defense (GRID)
The GRID certification is for professionals who want to demonstrate that they can perform Active Defense strategies specific to and appropriate for an Industrial Control System (ICS) network and systems. Candidates are required to demonstrate an understanding of the Active Defense approach, ICS-specific attacks and how these attacks inform mitigation strategies. Candidates must also show an understanding of the strategies and fundamental techniques specific to core subjects with an ICS-focus such as network security monitoring (NSM), digital forensics and incident response (DFIR).
• Active Defense Concepts and Application, Detection and Analysis in an ICS environment
• Discovery and Monitoring in an ICS environment, ICS-focused Digital Forensics, and ICS-focused Incident Response
• Malware Analysis Techniques, Threat Analysis in an ICS environment, and Threat Intelligence Fundamentals

Author Statement
“This class was developed from my experiences in the U.S. intelligence community, at Dragos and within the control system community dealing with advanced adversaries targeting industrial control systems. It is the class I wish I would have had available to me while protecting infrastructure against these adversaries. It is exactly what you’ll need to maintain secure and reliable operations in the face of determined threats. ICS515 will empower you to prove that defense is do-able.”
– Robert M. Lee

“This course was like a catalyst. It not only boosted my knowledge about the threats facing ICS environments and provided me with a framework to actively defend these threats, it also inspired me to learn more.”
—Srinath Kannan, Accenture

Certification: GIAC Response and Industrial Defense (GRID), giac.org/grid
• Watch a preview of this course
• Discover how to take this course: In-Person, Live Online, or OnDemand
sans.org/ics515

sans.org/SEC515
ICS612: ICS Cybersecurity In-Depth

5 Day Program, 30 CPEs, Laptop Required

ICS-AWARE MALWARE AND ATTACKS ON CRITICAL INFRASTRUCTURE ARE INCREASING IN FREQUENCY AND SOPHISTICATION. YOU NEED TO IDENTIFY THREATS AND VULNERABILITIES AND METHODS TO SECURE YOUR ICS ENVIRONMENT. LET US SHOW YOU HOW!

The ICS612: ICS Cybersecurity In-Depth course will help you:
• Learn active and passive methods to safely gather information about an ICS environment
• Identify vulnerabilities in ICS environments
• Determine how attackers can maliciously interrupt and control processes and how to build defenses
• Implement proactive measures to prevent, detect, slow down, or stop attacks
• Understand ICS operations and what “normal” looks like
• Build choke points into an architecture and determine how they can be used to detect and respond to security incidents
• Manage complex ICS environments and develop the capability to detect and respond to ICS security events

The course concepts and learning objectives are primarily driven by the hands-on focused labs. The in-classroom lab setup was developed to simulate a real-world environment where a controller is monitoring/controlling devices deployed in the field along with a field-mounted touchscreen Human Machine Interface (HMI) available for local personnel to make needed process changes. Utilizing operator workstations in a remotely located control center, system operators use a SCADA system to monitor and control the field equipment. Representative of a real ICS environment, the classroom setup includes a connection to the enterprise, allowing for data transfer (i.e., Historian), remote access, and other typical corporate functions.

The labs move students through a variety of exercises that demonstrate how an attacker can attack a poorly architected ICS (which, sadly, is not uncommon) and how defenders can secure and manage the environment.

You Will Be Able To
• Gain hands-on experience with typical assets found within an industrial environment, including Programmable Logic Controller (PLC), operator interfaces for local control, Human Machine Interface (HMI) servers, Historian server, switches, routers, and firewall(s).
• Gain an understanding of PLC execution through hands-on exercises.
• Identify security methods that can be applied to real-time control and Input/Output systems.
• Understand the pros and cons of various PLC and HMI architectures with recommendations for improving security postures of these real-time control systems.
• Identify where critical assets exist within an industrial environment.
• Understand the role and design of an Industrial Demilitarized Zone (IDMZ).
• Gain hands-on experience with firewalls placed within the industrial zone to achieve cell-to-cell isolation and perimeter restrictions.
• Dissect multiple industrial protocols to understand normal and abnormal traffic used in the operational control of assets.
• Gain an understanding of the role of IT network services within ICS and identify security methods that can be applied.
• Use the RELICS virtual machine for asset and traffic identification.
• Troubleshoot configuration errors within an operational environment.
• Understand adversary approaches in targeting and manipulating industrial control systems.

“I loved that this course was lab heavy. I feel 100% more comfortable around OT equipment now. That’s saying a lot since my background and experience has been strictly IT.”
—Jim J., Pilot Flying J

“The pods and student kits offered provide a powerful, hands-on learning experience that exceeded expectations far beyond what any software simulation or slide-based lecture could do. Step-by-step instructions are good, but I really enjoyed when we had exercises that didn’t have all the answers and forced the student to think critically about how to solve the problem. That’s where real learning occurred for me.”
—Joseph P., Deloitte & Touche LLP

sans.org/ICS612
SANS CURRICULUM FOCUS AREA
Purple Team
SEC598 uses real-world examples of how to automate tasks within complex environments to prepare you for applying automation to resolve cybersecurity challenges in prevention, detection, and response when facing security incidents.
sans.org/SEC598
GDAT GIAC Defending Advanced Threats
Get equipped with the knowledge and expertise you need to overcome today’s threats. Recognizing that a prevent-only strategy is not sufficient, we will introduce security controls aimed at stopping, detecting, and responding to your adversaries through a Purple Team strategy.
sans.org/SEC599
SANS Faculty Commitment
SANS instructors are committed to providing engaging and active learning environments focused on key skills, taught through lecture, immersive hands-on labs and interactive discussions. “Passionate” is a word many use to describe a Certified SANS instructor.
Their goal is your success, and we promise that you will be able to apply what you learn as soon as you return to work.
Meet the SANS faculty: sans.org/instructors
SANS CURRICULUM FOCUS AREA
Security Awareness
Security awareness training allows organizations of any size to build cyber-resilient workforces. SANS uses a comprehensive, engaging, and human-centric approach to training that will help everyone in your organization better manage human risk.
Backed by proven learning principles, SANS Security Awareness programs combine content from hundreds of the world’s best cybersecurity practitioners, security awareness officers, and learning-behavior specialists to reflect real-world cyber attacks. These dynamic programs engage and educate participants, empowering them to contribute to cultural change and prevent attacks.
SANS Security Awareness supports your entire organization in the following ways:
Featured Security Awareness Training and Certifications
MGT433 Managing Human Risk: Mature Security Awareness Programs
SANS Security Awareness Professional (SSAP)
Learn the key lessons and the roadmap to build a mature awareness program that your workforce will love and that has an impact you can measure. Apply models such as the BJ Fogg Behavior Model, AIDA Marketing funnel, and Golden Circle, and learn about the Elephant vs. the Rider.
sans.org/MGT433
MGT521: Leading Cybersecurity Change: Building a Security-Based Culture
Learn how to build, manage, and measure a strong security culture by leveraging the latest in organizational change and real-world lessons learned. Apply findings from Daniel Kahneman’s Nobel prize-winning research, Nudge Theory, and the Golden Circle. Learn how Spock, Homer Simpson, and Newton’s First Law all are keys to building a strong cybersecurity culture.
sans.org/MGT521
Live Training
Train In-Person or Live Online with industry experts at dynamic, live training events
sans.org/find-training
In-Person
• Enjoy networking opportunities to meet, share, and learn from your peers
• Practice hands-on information security challenges in classroom labs
• Use courseware delivered both electronically and in print, including MP3 course archives that are downloadable to review following the event
• Meet with emerging solution providers as they reveal the latest tools and technologies critical for you to master information security
Live Online
• Interactive Q&A with instructors and peers
• Real-time support from virtual Technical Assistants
• Hands-on labs in a virtual environment
• Courseware delivered both electronically and in print
• Extended access to class recordings, to review topics on your own time
• Dedicated chat channels using Slack for networking
• Practice your skills with SANS virtual cyber ranges
Train at your own pace anytime, anywhere with SANS OnDemand
sans.org/ondemand
SANS OnDemand offers our world-class cybersecurity training in a self-paced online training format, with four months of extended access to your course and labs. Enjoy the ultimate learning flexibility with OnDemand – rewind and revisit your training content so you can reinforce the material and improve retention.
SANS Summits BREAKING CONTENT
SANS Summits bring the community together to harness industry minds, leaders, novices,
and associate groups to discuss the most challenging cybersecurity problems today.
When new challenges come up (and they always do), where do practitioners go to help
discuss what to do, how to approach, and what works? How will they solve problems
that do not have solutions yet?
SANS Summits are designed to help those in need and tackle new ideas, test, debate,
and challenge existing practices and improve upon them. SANS Summits also support
those just starting to find their footing by giving them a place to help explore, learn,
and connect with the larger community of professionals.
These Summits are more than a group to help solve problems. This is the community
focused on each niche area of cybersecurity from DFIR, Offensive Operations, Blue
Team Operations, Cyber Threat Intelligence, New to Cyber, and more. Every group of
cybersecurity practitioners, leaders, and those just starting will find their home at a
SANS summit. We are there to tackle the unknown – tackle new challenges – learn
together – and we might have fun doing it.
“The free, Live Online Summits this year were a welcome
way to get high-quality knowledge, inspiration, and
networking while working remotely. It enabled me
to share training opportunities and experiences
with teammates that I would not have been
able to share otherwise.”
—Jen Fox, Information Security Program Specialist
SANS INSTITUTE sans.org/tools
Labs & Ranges
Relevant Tools
Students must use proper cybersecurity and analysis tools to complete a lab. In many
cases, multiple devices and multiple steps are needed. Each student is armed with a virtual
machine (VM) or tools that do not require complex installation. Many VM environments are
set up so that you can use the same tools when back in your environments on similar complex
scenarios you might encounter daily.
sans.org/cyber-ranges
Real-World Scenarios
Authors design labs based on current and real-world challenges they encounter daily
in their jobs, investing months creating complex, believable, and realistic scenarios
using existing threat actors. SANS interactive ranges and threat-based attack data are
built from the ground up, mimicking organizations and entities that come under attack
weekly. These environments are so believable that SANS instructors are often asked how
we received permission to use “real” attack data to teach students in class.
Self-Correcting Instructions
The labs include self-correcting instructions with a step-by-step online workbook to walk students through complex labs. If you get stuck, an intricate hint and learning system with embedded videos is built to explain each step thoroughly. If needed, the student can unhide the exact command to input or utilize the tool to complete the step.
SANS PREPARES YOU FOR
Threats From Every Angle
Scholarship Academies: Scholarship programs empower underrepresented groups and bring more talent
into critical roles. sans.org/scholarship-academies
Bachelor’s Degrees in Applied Cybersecurity (BACS): Bring in 70 credits from any accredited community
college or four-year college and earn a bachelor’s degree after completing 50 credits at SANS.edu.
sans.edu/bacs-degree
Build an Outcome-Driven Cybersecurity Workforce
Recruit
Recruit the right cyber talent with SANS CyberTalent: Talent assessments and Immersion Academies for women, veterans, and minorities
sans.org/hire-cyber-talent
Develop
Training Roadmap: Create a plan to develop the skills for you or your team’s cybersecurity skill development
sans.org/cyber-security-skills-roadmap
“The SANS Institute is renowned and respected
SANS INSTITUTE
Mission & Initiatives
2,671 Academy Students in the past two years
94,435 Free Tool Downloads on sans.org/tools (57K from SIFT Workstation)
493 Students upskilled through Partnerships
45,427 People watching free CyberAces training
7,664 Kids trained at SANS CyberCamp
7,682 Security Awareness Toolkit users
MISSION | INTEGRITY | COLLABORATION
Partnerships
and Solutions
Working with businesses and
governments, to create bespoke
training and development solutions that
directly support specific operational
requirements.
SANS frequently works with organisations to create bespoke skills
development solutions. We consult, advise, and then build tailored
packages for corporate and government partners looking to enhance
their cyber security capability. We also provide tools that allow
organisations to measure and model the effectiveness of these
unique solutions.
“We work with governments and enterprises across different countries, cultures, and continents,” explains Jan Pieter Spaans, Managing Director Mainland Europe. “Our services include direct solutions, like providing SANS training courses privately.”
All of SANS’ cyber security training courses can be delivered privately, in an organisation’s training facility or HQ. SANS Private Training is delivered by a qualified SANS Instructor with the utmost discretion. SANS can, of course, provide security cleared Instructors as required.
“Our services go beyond training, though. We also assist security managers in ensuring their team’s skills are kept up to date,” says Jan Pieter Spaans. “We can build and deploy programmes that increase staff retention through skills development or assess an organisation’s needs and then deliver bespoke solutions that deliver across recruitment, onboarding and training.”
Begin a discussion with SANS
For an initial discussion with a SANS Institute Director, contact SANS via emea@sans.org or +44 203 384 3470. Alternatively contact:
Stephen M Jones, Managing Director UK & Nordics, sjones@sans.org
Ned Baltagi, Managing Director ME & GCC Regions, nbaltagi@sans.org
Jan-Pieter Spaans, Managing Director Mainland Europe, jspaans@sans.org
Suresh Mustapha, Regional Managing Director SANS Asia Pacific & Latin-America, smustapha@sans.org
HMG Cyber Schools Programme
SANS was selected to devise and run the first extracurricular cyber security learning programme for schools in the UK. Cyber Discovery is a multi-phase programme that uses an assessment tool and gamified learning platform developed by SANS as well as online and face-to-face initiatives to enhance the cyber security skills and knowledge of young people. Stephen Jones, SANS Managing Director for UK and Nordics, says, “We are proud to be delivering this vital training programme in support of the UK’s National Cyber Security Strategy and look forward to seeing a great increase in the number of young people taking an interest in cyber security as a future career choice. By assessing, selecting and training students with a natural flair for cyber we intend to help close the skills gap that remains a challenge to all nations.”
HMG’s Cyber Schools Programme launched in Autumn 2017 and falls within the UK government’s CyberFirst initiative. SANS has experience of delivering similar training programmes for school students in other nations.
Upskill in Cyber Programme
Cyber security is rapidly becoming a top global priority for governments and businesses. Even though the UK has a world-class cyber security sector, there is still currently a significant shortage of skilled cyber security professionals. SANS, in partnership with HM Government, launched Upskill in Cyber. The HM Government funded programme aims to identify and rapidly re-skill individuals for roles in cyber security, in just ten weeks. 200 students undertake two SANS training courses. In addition, they receive soft skills development, to ensure they are immediately deployable within the cyber security workforce. Successful graduates will complete the programme with two GIAC certifications - GFACT and GSEC.
Bespoke Training Solutions
Private training is ideal for organisations that need an entire team to take a particular SANS course. However, often an organisation needs to implement a bespoke training programme that incorporates several SANS training courses.
SANS works closely with organisations, taking time to understand their specific training needs. After a consultation process, a unique training and development solution is created that meets these needs – based on courses from across the SANS Cyber Security Training Curriculum and additional SANS products.
Uniquely, we are able to provide training recommendations, and then deliver that programme ourselves.
Assessment and Candidate Selection
SANS works regularly with organisations, helping them to streamline their recruitment processes and procedures.
“The traditional mode of candidate selection generally relies on sifting CVs,” explains Ned Baltagi, Director, SANS ME & GCC Regions. “Organisations tell us regularly that this is time consuming and doesn’t provide the reliable - and predictable - results they need when selecting front-line cyber security staff.”
SANS CyberTalent is one such selection product. It is a suite of assessment tools that improves the effectiveness of a cyber security recruitment and selection process.
SANS CyberTalent products use psychometric and skills testing to assess candidates’ aptitude and suitability for particular roles. The online assessments leverage SANS’ experience in the field of cyber security training and GIAC certification to gauge technical skills and knowledge.
CyberTalent provides managers and HR teams with a deeper understanding of candidates’ technical and conceptual makeup.
Assessing Team Strengths and Weaknesses
SANS CyberTalent and other bespoke solutions extend beyond candidate selection. SANS works closely with many organisations, helping them to ensure their security team keeps developing and evolving.
“Security teams must change and adapt – new attack vectors emerge, technologies evolve and businesses themselves change,” states Jan Pieter Spaans. “Training is an integral part of this development process… but training needs vary across a team. Training just isn’t a one-size-fits-all business.”
To support managers in developing and improving their team, SANS provides assessment products such as SANS NetWars, SANS Private Ranges and SANS CyberTalent. These allow Security and HR managers to achieve a clear understanding of their team’s strengths, weaknesses and training needs.
SANS then builds a unique training programme that focusses on addressing a team or individual’s specific requirements.
Career development also aids staff retention and ensures a security team remains effective. SANS helps employers create bespoke training programmes using the extensive SANS training curriculum.
Following a consultation process, SANS delivers programmes that meet business needs and also offer security professionals a career roadmap.
Team Training Programmes
SANS is experienced in building residential training programmes for many different types of organisation – governments, enterprises, and military bodies - spanning different geographic regions and business cultures. These programmes vary in scale and focus, and are designed to precisely meet a client’s requirements. SANS Cyber Academy is a cyber security training programme that demonstrates this capability.
“SANS first identifies candidates with the potential to succeed in cyber security using CyberTalent Aptitude Assessments.”
“Successful applicants are undertaking two SANS training courses. The training prepares them for security roles by introducing them to fundamental cyber security principles. Our students are taught using material from SANS’ training courses, through real-life, practical simulations and team exercises.”
TAILORED GROUP TRAINING OPTIONS
SANS Institute’s Private Information Security Training options allow you to create a custom training program for any
group of 25 students or more, anywhere in the world.
With options for commercial groups and government organizations, private information security training will be
specifically designed to meet your needs using SANS’ top technology and instruction. We’ll provide you with SANS’ world-
class courses and Certified Instructors live onsite, online or a combination of both via our Live Online training format.
concerns and duties for ongoing security projects.”
- Tonya Henderson, Health & Human Services
• Allow employees to register for training while managing approvals centrally
• Easily change course attendees if previous plans change
If you are interested in learning more about developing and training your team, please reach out to us at emea@sans.org or asiapacific@sans.org
In Person
Experience the SANS training experience.
“I have always loved this stuff. Stepping into the deep
end with world class instructors is a dream come
true. There is no time to reinvent the wheel, so this
experience is priceless”
- Keith Dunnigan, Best Western Hotels & Resorts
Customer Reviews
SANS is the most-trusted source for cybersecurity training, certifications, degrees, and
research. But don’t just take our word for it – here’s what our students have to say.
“Excellent. All of this was well presented, handled, and delivered. The platform that was utilized was perfect. For a distance learning option, it was very interactive and well worth the time.”
—Terrie M., AT&T
“The labs from all SANS courses are always top notch. I have taken SANS training since 2007 and it has always maintained the highest level/standards, without question the best training content on the planet.”
—Nicolas Stevens
Free Cybersecurity Resources
Free Training and Events
Test Drive SANS Courses
Identify the right course for you by using our free one-hour course previews to explore subjects and verify materials that match your skill level
sans.org/course-preview
Summits
Immersive training experiences that arm attendees with deep knowledge and actionable information and have a lasting impact on their careers and their organizations’ security programs
sans.org/summits
Podcasts
Blueprint
Advancing cyber defense skills
sans.org/podcasts/blueprint
Cloud Ace
Future of cloud security
isc.sans.edu/podcasts/cloud-ace
GIAC: Trust Me, I’m Certified
Industry leaders in cybersecurity
giac.org/podcasts/trust-me-im-certified
Free Cybersecurity Resources
Internet Storm Center
A free analysis and warning service
isc.sans.edu
Free Tools
150+ open-source tools from SANS Instructors
sans.org/tools
Whitepapers
Top-of-mind papers
sans.org/white-papers
NICE Framework
Use the NICE Framework as a guide to advance your career with recognized cybersecurity certifications from GIAC
giac.org/workforce-development/government/niceframework
SANS Holiday Hack Challenge
The SANS Holiday Hack Challenge is a FREE annual game of new, fun, high-quality, and hands-on cybersecurity challenges where you learn new skills, help Santa defeat cybersecurity villains, and save the whole holiday season from treachery.
sans.org/mlp/holiday-hack-challenge
sans.org/free
www.sans.org