Hundreds of SANS Institute students have stepped up to the challenge and conquered. They’ve mastered the concepts and skills, beat out their classmates, and proven their prowess. These are the elite, the recipients of a SANS Challenge Coin, an award given to a select portion of the thousands of students that have taken any of the SANS courses.
The coins – more precisely, Round Metal Objects (RMO) – were initially created to recognize students who demonstrate exceptional talent and significantly contribute to, and lead, the cybersecurity profession and community. The coins are meant to be an honor; they're also intended to be rare. SANS Institute uses the coins to identify and honor those who excel at detecting and eradicating threats, those who understand the critical importance of cybersecurity and continually strive to further not only their own knowledge, but the knowledge of the entire cybersecurity field. These students actively share their experiences and encourage learning through participation in the community; they're typically leaders in the community.
The challenges through which students can earn a coin are typically held on the last day of class for a SANS course. Students compete in a Capture-the-Flag (CTF) or Capstone Challenge and must successfully overcome a number of obstacles to prove their proficiency during timed, hands-on incidents. The CTFs and Capstone Challenges are created by SANS’ top instructors – each one a cybersecurity practitioner, subject-matter expert, experienced teacher, and professional leader in their own right.
Each SANS Institute Curriculum features different coins:
Cyber Defense Curriculum
SANS Cyber Defense curriculum is broken down into Cyber Defense Essentials and Blue Team Operations courses.
SANS Cyber Defense Essentials
These courses build a solid foundation of core policies and practices to enable you and your security teams to practice proper incident response, then expand upon those crucial skills by adding advanced core techniques to help defend an enterprise from every angle.
Whether you’re new to security or need a broad overview of security topics, these courses support your effort to win the battle against the wide range of cyber adversaries that want to harm your environments.
Cyber Defense Essentials Course Challenge Coins
SEC501: Advanced Security Essentials - Enterprise Defender
SEC573: Automating Information Security with Python
Blue Team Operations
SANS Blue Team Operations courses teach the critical skills required to defend your organization against cyber-attacks and improve its overall security posture.
Blue Team Operations Course Challenge Coins
SEC450: Blue Team Fundamentals – Security Operations and Analysis
SEC487: Open-Source Intelligence (OSINT) Gathering and Analysis
SEC503: Intrusion Detection In-Depth
SEC505: Securing Windows and PowerShell Automation
SEC511: Continuous Monitoring and Security Operations
SEC530: Defensible Security Architecture and Engineering
SEC555: SIEM with Tactical Analysis
Offensive Operations Curriculum
SANS Offensive Operations leverages the vast experience of our esteemed faculty to produce the most thorough, cutting-edge offensive cyber security training content in the world. Our goal is to continually broaden the scope of our offensive-related course offerings to cover every possible attack vector.
SANS Offensive Operations Curriculum offers courses spanning topics ranging from introductory penetration testing and hardware hacking, all the way to advanced exploit writing and red teaming, as well as specialized training such as purple teaming, wireless or mobile device security, and more.
Offensive Operations Course Challenge Coins
SEC460: Enterprise Threat and Vulnerability Assessment
SEC504: Hacker Tools, Techniques, and Incident Handling
SEC542: Web App Penetration Testing and Ethical Hacking
SEC560: Enterprise Penetration Testing
SEC565: Red Team Operations and Adversary Emulation
SEC575: Mobile Device Security and Ethical Hacking
SEC588: Cloud Penetration Testing
SEC599: Defeating Advanced Adversaries - Purple Team Tactics & Kill Chain Defenses
SEC617: Wireless Penetration Testing and Ethical Hacking
SEC660: Advanced Penetration Testing, Exploit Writing, and Ethical Hacking
SEC670: Red Teaming Tools - Developing Windows Implants, Shellcode, Command and Control
SEC699: Purple Team Tactics - Adversary Emulation for Breach Prevention & Detection
SEC760: Advanced Exploit Development for Penetration Testers
Digital Forensics & Incident Response Curriculum
Whether you're seeking to maintain a trail of evidence on host or network systems or hunting for threats using similar techniques, larger organizations are in need of specialized professionals who can move beyond first-response incident handling to analyze an attack and develop an appropriate remediation and recovery plan. The DFIR curriculum will teach you how to detect compromised systems, identify how and when a breach occurred, understand what attackers took or changed, and successfully contain and remediate incidents.
DFIR Course Challenge Coins
FOR308: Digital Forensics Essentials
Scientia Vincit – Knowledge is Key
FOR498: Battlefield Forensics & Data Acquisition
Consector Scientia Intro Strepitus – Seek Knowledge in the Noise
FOR500: Windows Forensic Analysis
Ex Umbra in Solem – From the Shadows into the Light
FOR508: Advanced Incident Response, Threat Hunting, and Digital Forensics
Non Potestis Celare – You Cannot Hide
FOR509: Enterprise Cloud Forensics and Incident Response
Inveniere Nubes Tempestate – Find the Storm in the Cloud
FOR518: Mac and iOS Forensic Analysis and Incident Response
Impera magis. Aliter cogita – Command more. Think differently
FOR528: Ransomware for Incident Responders
Venator Repetundarum – Extortion Hunter
FOR532: Enterprise Memory Forensics In-Depth
Memento Omnia – Remember All
FOR585: Smartphone Forensic Analysis In-Depth
Omnis Tactus Vestigium Relinquit – Every Contact Leaves a Trace
FOR572: Advanced Network Forensics: Threat Hunting, Analysis, and Incident Response
Malum Loquitur, Bonum Auscultat – Evil Must Talk, So Good Must Listen
FOR578: Cyber Threat Intelligence
Hominem unius libri timeo – I Fear the Man of One Book
FOR608: Enterprise-Class Incident Response & Threat Hunting
Challenges Abound - Knowledge to Overcome
FOR610: Reverse-Engineering Malware
R.E.M. – Reverse-Engineering Master
FOR710: Reverse-Engineering Malware: Advanced Code Analysis
Dive Deeper! – Deobfuscate, Automate, Correlate
Industrial Control Systems (ICS)
The SANS ICS curriculum provides hands-on training courses focused on attacking and defending ICS environments. These courses equip both security professionals and control system engineers with the knowledge and skills they need to safeguard our critical infrastructures.
Industrial Control Systems Course Challenge Coins
ICS410: ICS/SCADA Security Essentials
"Defend Critical Infrastructure"
ICS456: Essentials for NERC Critical Infrastructure Protection
"Develop and maintain a defensible compliance program"
ICS515: ICS Active Defense and Incident Response
"Defense is Doable"
ICS612: ICS Cybersecurity In-Depth
"Hands On Cyber Physical"
Cybersecurity Leadership
Security leaders need both technical knowledge and management skills to gain the respect of technical team members, understand what technical staff are actually doing, and appropriately plan and manage security projects and initiatives. This is a big and important job that requires an understanding of a wide array of security topics. The SANS Cybersecurity Leadership curriculum develops cyber leaders who have the practical skills to build and lead security teams, communicate with technical and business leaders alike, and develop capabilities that build your organization’s success.
Cybersecurity Leadership Course Challenge Coins
AUD507: Auditing & Monitoring Networks, Perimeters, and Systems
Controls that Matter. Controls that Work.
MGT512: Security Leadership for Managers
One Coin to Lead Them All
MGT514: Security Strategic Planning, Policy, and Leadership
Decipher, Develop, Deliver
MGT516: Building and Leading Vulnerability Management Programs
Stop Treating the Symptoms. Cure the Disease.
MGT551: Building and Leading Security Operations Centers
Prevent. Detect. Respond. | People. Process. Technology.
Cloud Security Curriculum
SANS Cloud Security curriculum ingrains security into the minds of cloud, architecture, operations, and software engineers by providing world-class educational resources to design, develop, build, deploy, and monitor cloud resources.
Cloud Security Course Challenge Coins
SEC488: Cloud Security Essentials
License to Learn Cloud Security
SEC510: Public Cloud Security: AWS, Azure, & GCP
Multiple Clouds Require Multiple Solutions
SEC522: Application Security: Securing Web Apps, APIs, and Microservices
Not a matter of "if" but "when". Be prepared for a web attack. We'll teach you how.
SEC540: Cloud Security and DevSecOps Automation
The cloud moves fast. Automate to keep up.
SEC541: Cloud Security Monitoring and Threat Detection
Attackers can run but not hide. Our radar sees all threats.
SEC549: Enterprise Cloud Security Architecture
Design It Right From The Start
Those who are awarded SANS Challenge coins are also bestowed special privileges and recognition, including participation in the well-regarded “coin check” challenge and response.
A coin check typically begins by a challenger holding his or her coin in the air or slamming it on a table and yelling “coin check!” All those within earshot must respond by showing their coins to the challenger within 10 seconds. Anyone who fails to do so must buy those who successfully returned the coin check a round of drinks. If all the challenged coin holders produce their coin, the challenger must buy the round of drinks. (Also, if anyone accidentally drops their coin and it makes an audible sound on impact, they have "accidentally" initiated a coin check. There are no exceptions to the rules -- get those coins out or you're buying!)