
TBT570: Team Based Training - Blue Team and Red Team Dynamic Workshop Beta

TBT570 is the best course I have ever seen that gives someone an understanding of what battling an advanced attacker is really like, and the coordination that must occur between numerous teams to effectively eliminate the compromise.

Matthew Bainter, Caterpillar

TBT570 is 90% hands-on, which makes it unique among course offerings. The cyber labs were realistic and hearing from the red team each day was valuable.

Edward Tanner, Booz Allen Hamilton

TBT570: Team Based Training - Blue Team / Red Team Dynamic Workshop is a unique team-based training course. Student teams of three to five participants function together as part of a Blue team battling an adversary in real-time over multiple days and campaigns. The technical terrain is a realistic enterprise environment: The SANS Red/Blue Cyber Range.

This interactive exercise is designed for people who learn by actually doing. You will not be spoon-fed through lectures or follow-along labs in this session. Instead, you will participate in a dynamic, highly interactive exercise defending an environment under attack in real-time as you build your skills working alongside your team. The course is designed to help students build team skills, leadership abilities, and communication techniques, along with technical expertise, all while under fire in a series of increasingly complex scenarios.

Student Blue Teams use a variety of enterprise tools to analyze and respond to Advanced Persistent Threats deeply embedded in the environment, defending against a series of offensive campaigns. In addition to learning from the instructors and TAs throughout the exercise, students are encouraged to share their own skills and techniques to cross-pollinate good ideas between the different Blue Teams represented in the room.

During the course, the Blue team will build skills along a variety of fronts, including:

  • Analyzing network traffic for malfeasance
  • Identifying attacker artifacts and activities on a variety of different enterprise systems
  • Collecting and analyzing intel associated with the attack
  • Analyzing the malware used by attackers
  • Eradicating the attackers' presence from the environment
  • Thwarting the attacker's plot to disrupt the enterprise mission

The various groups participating in the exercise include:

  • The Blue Teams, made up of student attendees and led by a SANS instructor
  • The SANS Red Team, consisting of SANS offensive experts who will engage the Blue Team
  • The White Cell, the overall organizer and authority in the exercise
  • The SANS Cyber Range Ops team, who run the Cyber Range to ensure its operation and stability

A SANS instructor will direct the Blue Teams as they uncover the attacker's command-and-control (C2) channels and work to eradicate the adversary from compromised systems. SANS will provide skilled Red Team operators who will utilize Tactics, Techniques, and Procedures (TTPs) to throw various Indicators of Compromise (IOCs) from real-world APT cases throughout the class as they work through detailed Red Team campaigns designed to build the skills of the Blue Team.

The SANS White Cell oversees the exercise and ensures that it runs smoothly, while the SANS Ops team runs the underlying cyber range infrastructure. Each day finishes with a live hot-wash discussion where the Red and Blue Teams review the activities from the day with the White Cell and each other to level-set and ensure specific learning objectives have been met. These afternoon discussions will also allow Blue Team members from different organizations (including commercial companies, government agencies, military groups, and more) to share their perspectives and insights for dealing with such attacks.

The live, interactive battle will occur over five days, with a sixth and final day focused on the Blue Teams and the Red Team presenting their After Action Reviews (AARs) describing lessons learned. These reports make up a deliverable that students can bring back to their organization to share lessons learned and improve the security stance of their organization.


This course is in Beta. If you would like to learn more about this Beta opportunity and upcoming team-based training options, please send an email to

Course Syllabus


To get the most value out of this course, students are required to bring their own laptop so that they can connect directly to the workshop network we will create. It is the students' responsibility to make sure the system is properly configured with all drivers necessary to connect to an Ethernet network.

Some of the course exercises are based on Windows, while others focus on Linux. VMware Player or VMware Workstation is required for the class. If you plan to use a Macintosh, please make sure you bring VMware Fusion, along with a Windows guest virtual machine.


You are required to bring Windows 10 (Professional or Enterprise), 8, or 8.1 (Professional, Enterprise, or Ultimate), or Windows 7 (Professional, Enterprise, or Ultimate), either a real system or a virtual machine.

The course includes a VMware image file of a guest Linux system that is larger than 20 GB. Therefore, you need at least 20 GB free in your file system.

IMPORTANT NOTE: You will also be required to disable your anti-virus tools temporarily for some labs, so make sure you have the anti-virus administrator privileges to do so. DO NOT plan on just killing your anti-virus service or processes, because most anti-virus tools still function, even when their associated services and processes have been terminated. For many enterprise-managed clients, disabling your anti-virus tool may require a different password than the Administrator account password. Please bring that administrator password for your anti-virus tool.

Enterprise VPN clients may interfere with the network configuration required to participate in the course. If your system has an enterprise VPN client installed, you may need to uninstall it for the exercises in the course.


You will use VMware to run Windows and Linux operating systems simultaneously when performing exercises in the course. You must have either the free VMware Player 6 or later or the commercial VMware Workstation 10 or later installed on your system prior to coming to class. You can download VMware Player for free here.

Alternatively, if you want a more flexible and configurable tool, you can download a free 30-day trial copy of VMware Workstation Pro here. VMware will send you a time-limited license number for VMware Workstation Pro if you register for the trial on its website. No license number is required for VMware Player.

We will give you a USB full of attack tools to experiment with during the course and to keep for later analysis. We will also provide a Linux image with all of our tools pre-installed that runs within VMware.


You do not need to bring a Linux system if you plan to use our Linux image in VMware. However, you are required to bring VMware. The course does not support VirtualBox, Hyper-V, or other non-VMware virtualization products.

Mandatory Laptop Hardware Requirements:

  • x64-compatible CPU, 2.0 GHz or higher
  • 4 GB RAM minimum with 8 GB or higher recommended
  • Ethernet adapter (a wired connection is required in class; if your laptop supports only wireless, please make sure to bring a USB Ethernet adapter with you)
  • 20 GB available hard-drive space
  • Any patch level is acceptable for Windows 10, 8, 8.1, or Windows 7

During the workshop, you will be connecting to one of the most hostile networks on Earth! Your laptop might be attacked. Do not have any sensitive data stored on the system. SANS is not responsible for your system if someone in the course attacks it in the workshop.

By bringing the right equipment and preparing in advance, you can maximize what you will see and learn, as well as have a lot of fun.

If you have additional questions about the laptop specifications, please contact

Students are expected to have moderate to deep cyber security skills in cyber defense, digital forensics, and incident response. Such expertise can be gained from three or more years in a technical role as a security analyst, incident responder, or cyber defender, or through taking three or more 500-level SANS courses in those topics.

Author Statement

The SANS Blue Team / Red Team Dynamic Workshop course can really take an organization's skills to the next level. Whenever we've run this session, the take-aways have been INCREDIBLE - participants' skills and capabilities grow massively as they learn to function as an efficient team. And, the level-setting that we do at the end of each day helps ensure that the operations tempo remains vivid and exciting while learning occurs. This course is really an incredible opportunity for people who already have three or more years' experience and are looking to really ramp up their skills to be game changers in their organizations.
