MGT535: Incident Response Team Management

This course brings hands-on and very relevant information for everyone establishing or being part of an incident response team.

Geir Lossius, Sparebanken Vest

Since I am fresh out of college this was a definite eye opener. This course was very valuable in that it gives a view of most tools available for auditing networks.

Ryan Awai, SANS Student

This course discusses the often-neglected topic of managing an incident response team. Given the frequency and complexity of today's cyber attacks, incident response is a critical function for organizations. Incident response is the last line of defense.

Detecting and efficiently responding to incidents requires strong management processes, and managing an incident response team requires special skills and knowledge. A background in information security management or security engineering is not sufficient for managing incidents. On the other hand, incident responders with strong technical skills do not necessarily become effective incident response managers. Special training is necessary.

The course has been updated to address current issues such as advanced persistent threat, incident response in the cloud, and threat intelligence.

You Will Learn:

  • Fundamentals of incident response
  • How to establish requirements
  • How to set up operations
  • Communications
  • How to make operations work
  • Legal and regulatory issues
  • Training, education, and awareness

Course Content Overlap Notice:

Please note that course material for MGT517 and MGT535 overlaps. Days 4 and 5 of MGT517 contain material that is covered in MGT535. We recommend MGT517 for those interested in managing security operations overall in addition to incident response. MGT535 only covers managing incident response.

Course Syllabus

CPE/CMU Credits: 6

  • Incident Response - 6 Steps
  • Creating Incident Response Requirements
  • Developing Incident Handling Capabilities
  • Reporting, SLAs, Cost of Incidents
  • Setting up Operations

CPE/CMU Credits: 6

  • Managing Daily Operations
  • Navigating Executive Management
  • Advanced Persistent Threat
  • The Cloud
  • Legal and Regulatory Issues
  • Awareness and Outreach

Additional Information

Laptop requirements:

  • Modern web browser
  • Office software for document editing and spreadsheets

If you have additional questions about the laptop specifications, please contact

  • Information security engineers and managers
  • IT managers
  • Operations managers
  • Risk management professionals
  • IT/system administration/network administration professionals
  • IT auditors
  • Business continuity and disaster recovery staff

No specific prerequisites are required for this course, but knowledge of technical terms is beneficial and will facilitate participation in class discussions. Prior to attending the course, it would be useful to gather statistics from your organization such as those listed below:

  • Incidents per month
  • Average time to detection
  • Lost devices per quarter
  • Average cost per incident
  • Annual expenditure on loss-prevention capabilities

  • Course book
  • MP3 audio files of the complete course lecture

"Valuable information to take back to work with me, as well as hands-on testing examples." - Carol Jones, SANS student

"Very good info that I will take back and try to implement at my workplace. Great use of outside resources." - David Bennett, BNBI

Author Statement

Incident response management is a dynamic and challenging endeavor fraught with high personnel turnover, rapid technology shifts, minimal funding, and a nearly impossible objective of defending an organization from every conceivable threat. I have managed incident response teams and created incident response capabilities where none existed before. Incident response is the most challenging position to hold in Information Assurance, as you are the team that is called upon at the worst time, to fight the hardest battles. Through this course, I intend to equip each one of you to navigate difficult political environments, understand complicated technology, analyze the data and information provided by technical staff, and translate this information into business relevant information that will make the organization more resilient for the long term.

- Chris Crowley

Additional Resources

Take your learning beyond the classroom. Explore our site network for additional resources related to this course's subject matter.

*CPE/CMU credits not offered for the SelfStudy delivery method

7 Training Results

Type | Topic | Course / Location / Instructor | Date
Training Event | Management | | Oct 31, 2016 - Nov 1, 2016
Training Event | | SANS Sydney 2016, Sydney, Australia | Nov 3, 2016 - Nov 4, 2016
Training Event | Management | | Dec 10, 2016 - Dec 11, 2016
Training Event | Management | | May 17, 2017 - May 18, 2017
Community SANS | Management | | Nov 21, 2016 - Nov 22, 2016
Private Training | All | Private Training Course of Your Choice | Your Choice

*Course contents may vary depending upon location, see specific event description for details.