The short answer:
However, these three courses all work together:
Out of many courses in offensive security, this is the red team trifecta I consider to be the most important, and will build the strongest structure when looking into a red team career path. I’m guessing this is you!
While each course can stand on its own, they all intertwine with each other. Together, they provide a learning progression: from how to run operations, to operating effectively in hardened environments, to building the tooling that enables modern offensive campaigns.
A question that might be burning in your mind is “How much do they overlap?” This is a great question, but before we can jump into that, let us break down each course!
I do not want to bore you to death by just telling you what you can already find on the course website, so instead, I will give you the BLUF. This is the Bottom Line Up Front, to give you the clearest understanding and make the best use of your time.
BLUF: If you have never done Red Teaming before in your life, SEC565 is where it all begins. This is your first step to learn how to plan, execute, and adapt real-world adversary emulation operations across modern enterprise environments.
SEC565: Red Team Operations and Adversary Emulation is the foundation for students to start thinking and operating like a red teamer. This course will jumpstart your career journey into Red Team operations by launching you into five hard-core days of essential content.
You will consume CTI, build attack infrastructure, conduct reconnaissance, emulate adversary behavior, bypass modern defenses, and execute full-scope operations against realistic enterprise targets.
Recent course updates introduce modern offensive techniques that show how emerging technologies, such as artificial intelligence, can support adversary emulation without replacing operational judgment. For example, you learn to create AI workflows that tie LLMs into establishing C2 (command-and-control) frameworks like Empire and Cobalt Strike.
More than just a collection of tools and tactics, SEC565 teaches the process and mindset behind successful red team operations. It provides the operational foundation that will prepare you for the advanced tradecraft explored in SEC665 and the engineering depth covered in SEC670.
All of this is delivered to you by an amazing author team: Jean-François Maes and David Mayer. Both of them have incredible knowledge to share, and the best way to soak it all up is by attending an in-person offering.
Understand SEC565 by reading the full course syllabus here, and explore these free resources:
Get hands-on with webcasts and workshops
Consult on-the-go with posters and cheat sheets
SEC565 has to end somewhere, but where it ends, SEC665 begins.
BLUF: This advanced red team operations course teaches experienced operators how to perform stealth operations against mature defenses using unconventional tradecraft, and shows you how to develop your own research and methodology process.
SEC665: Advanced Red Team Operations dives deeper into topics that were introduced in SEC565, but now with a focus on OPSEC and stealth. SEC665 focuses on hands-on, detection-aware offense, advanced operational security, identity attacks, cloud and identity tradecraft, EDR evasion, kernel research, and red team engineering for experienced operators.
You begin by crafting initial access, adversary-in-the-middle (AiTM) phishing with modern-day delivery. You then move to advanced lateral movement and persistence, with a look at EDR internals. Later, you dive into Entra ID, AD CS, Configuration Manager, BOF development and unit testing, kernel research, and more.
Because this is geared toward senior roles, it is fair to assume you will have a comfortable level of experience with the following languages before coming to class:
The reasoning behind this is that many of the job postings for senior red team operators list development skills as either a must-have or a nice-to-have. This class will aid in bringing you up to speed with what those positions might require you to do.
The best way to take this course is in person at an event near you. This course has an author team with nearly 30 years of combined experience: Jonathan Reiter, Kevin Ott, and Karim Lalji.
Understand SEC665 by reading the full course syllabus here, and explore these free resources:
Get hands-on with webcasts and workshops
Consult on the go with posters and cheat sheets
If you find yourself wanting more tool development, well, that is where SEC670 comes to the rescue.
BLUF: The time to start building your own custom tools for red team operations is now!
If you don’t like copying/pasting code to build a tool, then this is your course. If you took SEC665 and wanted even more BOF development, more code injection samples, and more stealth, then this course is for you. If you want to dive into making a C2 server and extending its capabilities, well, you know that answer… this course is for you.
In SEC565, you learned how to wield your sword. SEC665 taught you how to use your sword and not die, as well as how to customize some of your weapons. SEC670 teaches you how to set up your forge and make the weapons yourself for red team operators. Red team tool developers empower and equip the red team operators!
Not to sound intimidating, but this course is not for the faint of heart. Since this course has you creating tools from scratch, there are some serious expectations before showing up on Day 1. If you need to learn the “hello world” of C++, first consider SANS workshops, such as the 10-part Intro to C series (link available below). In order to attend SEC670, you must know:
Understand SEC670 by reading the full course syllabus here, and explore these free resources:
Get hands-on with webcasts and workshops
Consult on the go with posters and cheat sheets
An exciting major course update for SEC670 is also well underway, and it will knock your socks off. With this next update, you will dive into custom loaders to load DLLs and object files (BOFs). You will see an emphasis on unit testing, evasion, PIC development, stealth, comms, EDR research, kernel driver development, network packet manipulation, MFT and USN Journal abuse, anti-forensics, and more!
The short answer: less than you might expect. Better yet, let’s switch to how much these three courses complement each other: each course focuses on a different stage of offensive maturity and develops a distinct set of skills.
SEC565 is for practitioners first learning red team operations. SEC665 is for more experienced operators seeking advanced tradecraft and detection-aware methodology. SEC670 is for professionals who want to build custom offensive tooling and Windows implants.
The good news is that you do not need to figure it all out today. Start with the course that aligns with your current goals, build your foundation, and continue advancing your skills over time. Red teaming is a journey, and this trifecta is just a step.
To explore additional courses, free resources, webcasts, workshops, posters, and upcoming training opportunities, visit the SANS Offensive Operations Focus Area website and continue building your roadmap.


Jonathan Reiter teaches advanced red team operations and Windows implant development through hands-on labs grounded in real-world experience.