SANS Live Training is Available In-Person OR Live Online! Explore Upcoming Events.
No classes scheduled at this time.

TBT570: Team-Based Training - Blue Team and Red Team Dynamic Workshop New

Course Syllabus  ·  36 CPEs  ·   Laptop Requirements

TBT570: Team-Based Training - Blue Team / Red Team Dynamic Workshop is a unique course during which student teams of three to five participants work together as a Blue Team to battle an adversary in real time. The technical terrain, the SANS Cyber Range, is a realistic enterprise environment.

This interactive exercise is designed for people who learn by actually doing. You will not be spoon-fed through lectures or follow-along labs in this session. Instead, you will participate in a dynamic highly interactive exercise defending an environment under attack in real time as you build your skills working alongside your team. The course is designed to help students build team skills, leadership abilities, communication techniques, and technical expertise, all while under fire in a series of increasingly complex scenarios.

Student Blue Teams use a variety of enterprise tools to analyze and respond to Advanced Persistent Threats deeply embedded in the environment, defending against a series of offensive campaigns. In addition to learning from the instructors throughout the exercise, students are encouraged to share their own skills and techniques to cross-pollinate good ideas between the different Blue Teams represented in the room.

The various groups participating in the cyber range exercise include:

  • The Blue Teams, made up of student attendees and lead by a SANS instructor
  • The SANS Red Team, consisting of SANS offensive experts who will engage the Blue Team
  • The White Cell, the overall organizer and authority in the exercise
  • The SANS Cyber Range Ops team, who run the Cyber Range to ensure its operation and stability

A SANS instructor will direct the Blue Teams as they uncover the attacker's command-and-control channels and work to eradicate the adversary from compromised systems. SANS will provide skilled Red Team operators who will utilize the Tactics, Techniques, and Procedures to present various Indicators of Compromise from real-world APT cases throughout the workshop in order to challenge students to build their Blue Team skills.

The SANS White Cell oversees the exercise and ensures that it runs smoothly, while the SANS Ops team runs the underlying cyber range infrastructure. Each day finishes with a live hot-wash discussion during which the Red and Blue Teams review the activities from the day with the White Cell and each other to level-set and ensure that specific learning objectives have been met. These afternoon discussions will also allow Blue Team members from different organizations (including commercial companies, government agencies, military agencies, and more) to share their insights for dealing with such attacks.

The live, interactive battle will occur over five days, with a sixth and final day focused on the Blue Teams and the Red Team presenting their After Action Reviews describing lessons learned. These reports make up a deliverable that students can bring back to their organization improve its security stance.

Course Syllabus


On the first day we discuss the Tactics, Techniques, and Procedures (TTPs) of today's most dangerous adversaries. We then cover how organizations can utilize a team-based approach to effectively detect and eradicate such actors in their networks. We'll cover effective small team dynamics, along with inter-team communication techniques that are essential to handling attacks on a larger-scale environment. With a series of team-based exercises, students learn how to work together more effectively as members and leaders of a team, while mastering incredibly useful tips, tricks, and skills that they can utilize right away to better defend their environments.

CPE/CMU Credits: 6


On day 2, students get direct access to the TBT570 cyber range, along with a guided hands-on tour to orient them to the environment they'll be working in to engage adversaries through the rest of the course. The range represents the IT infrastructure of a realistic town, with several enclaves that host different components of that town, including computer servers, clients, network equipment, and Industrial Control System (ICS) devices. Using credentials and a network map, students explore the Windows Domain and its associated initial Group Policy, the SIM/SEM solution included in the range, the vulnerability scanning service, the trouble ticketing systems, and the management infrastructure.

CPE/CMU Credits: 6


On day 3, we up the ante by introducing a more advanced adversary into the environment, played by the Red Team instructor. The session starts with an intel in-briefing, describing the situation and what is currently known about the new Advanced Persistent Threat (APT) adversary and its goals. Students apply the tools and techniques learned in Days 1 and 2, along with any additional optional tools that they brought with them, to find and battle the adversary in real time. The Blue Team instructor and TA act as coaches and advisors, as students build their skills in a realistic scenario.

CPE/CMU Credits: 6


By day 4, TBT570 students are working together very effectively as a team of teams. And that's a very good thing, because we up the capabilities of the adversary in Campaign B. For this campaign, students will face a nation-state-level adversary, presenting Indicators of Compromise (IOCs) and TTPs of a specific APT. After an initial intel in-briefing, students hunt for this adversary, supported with the coaching and encouragement of the Blue Team instructor and TA. By analyzing the IOCs presented by the attacker, students will do research to attempt to attribute these actions to a specific adversary. They can then use this intelligence to anticipate the adversary's next moves and to identify other IOCs left by this actor. With this information, students can disrupt various components of the attacker's multiple Command and Control channels to thwart the adversary in the environment.

CPE/CMU Credits: 6


On day 5, we really throw everything we've got at the now much more experienced student Blue Team. Our most skilled and powerful adversary utilizes custom malware created just for this course to engage in Campaign C. Using a whole host of nation-state techniques to pillage, pilfer, and plunder, this subtle attacker undermines systems stealthily and uses numerous techniques to pivot through the environment to achieve a series of goals. All along the way, students use the hands-on skills and knowledge they've gained throughout the course to find and dispel this attacker. It's a fearsome battle, but armed with their skills and some tips, hints, and encouragement from the Blue Team instructor and TA, students will further build out their abilities as they defeat this adversary and then conduct the daily shot validation meeting.

CPE/CMU Credits: 6


Throughout the previous five days of the course, instructors and TAs encouraged students to maintain a daily log of useful lessons they learned in class and will be able to apply when they get back to the office. On day 6, student teams work to create an After-Action Review/Post Mortem presentation. Using a presentation template we provide, students write up the lessons they learned in each campaign and reflect on how they'll apply those lessons when they get back to the office. The Blue Team instructor and TA provide useful tips in developing and presenting the review information. Students then present their results to the rest of the class, so everyone benefits from the lessons learned by each student.

CPE/CMU Credits: 6

Additional Information


To get the most value out of this course, students are required to bring their own laptop so that they can connect directly to the workshop network we will create. It is the students' responsibility to make sure the system is properly configured with all drivers necessary to connect to an Ethernet network.

Some of the course exercises are based on Windows, while others focus on Linux. VMware Player or VMware Workstation is required for the class. If you plan to use a Macintosh, please make sure you bring VMware Fusion, along with a Windows guest virtual machine.


You are required to bring Windows 10 (Professional or Enterprise), 8, or 8.1 (Professional, Enterprise, or Ultimate), or Windows 7 (Professional, Enterprise, or Ultimate), either a real system or a virtual machine.

The course includes a VMware image file of a guest Linux system that is larger than 20 GB. Therefore, you need at least 20 gigs free in your file system.

IMPORTANT NOTE: You will also be required to disable your anti-virus tools temporarily for some labs, so make sure you have the anti-virus administrator privileges to do so. DO NOT plan on just killing your anti-virus service or processes, because most anti-virus tools still function, even when their associated services and processes have been terminated. For many enterprise-managed clients, disabling your anti-virus tool may require a different password than the Administrator account password. Please bring that administrator password for your anti-virus tool.

Enterprise VPN clients may interfere with the network configuration required to participate in the course. If your system has an enterprise VPN client installed, you may need to uninstall it for the exercises in course.


You will use VMware to run Windows and Linux operating systems simultaneously when performing exercises in the course. You must have either the free VMware Player 6 or later or the commercial VMware Workstation 10 or later installed on your system prior to coming to class. You can download VMware Player for free here.

Alternatively, if you want a more flexible and configurable tool, you can download a free 30-day trial copy of VMware Workstation Pro here. VMware will send you a time-limited license number for VMware Workstation Pro if you register for the trial on its website. No license number is required for VMware Player.

We will give you a USB full of attack tools to experiment with during the course and to keep for later analysis. We will also provide a Linux image with all of our tools pre-installed that runs within VMware.


You do not need to bring a Linux system if you plan to use our Linux image in VMware. However, you are required to bring VMware. The course does not support Virtual Box, HyperV, or other non-VMware virtualization products.

Mandatory Laptop Hardware Requirements:

  • x64-compatible 2.0 GHz CPU minimum or higher
  • 4 GB RAM minimum with 8 GB or higher recommended
  • Ethernet adapter (a wired connection is required in class; if your laptop supports only wireless, please make sure to bring a USB Ethernet adapter with you)
  • 20 GB available hard-drive space
  • Any Patch level is acceptable for Windows 10, 8, 8.1, or Windows 7

During the workshop, you will be connecting to one of the most hostile networks on Earth! Your laptop might be attacked. Do not have any sensitive data stored on the system. SANS is not responsible for your system if someone in the course attacks it in the workshop.

By bringing the right equipment and preparing in advance, you can maximize what you will see and learn, as well as have a lot of fun.

If you have additional questions about the laptop specifications, please contact

  • SOC Analysts
  • Hunt Team members
  • Blue Team members
  • Incident responders
  • Red Teamers looking to better understand Blue Team operations

Students are expected to have moderate to deep cyber security skills in cyber defense, digital forensics, and incident response. Such expertise can be gained from three or more years in a technical role as a security analyst, incident responder, or cyber defender, or through taking three or more 500-level SANS courses in those topics.

  • Analyzing network traffic for malfeasance
  • Identifying attacker artifacts and activities on a variety of different enterprise systems
  • Collecting and analyzing intel associated with the attack
  • Analyzing the malware used by attackers
  • Eradicating the attackers' presence from the environment
  • Thwarting the attacker's plot to disrupt the enterprise mission

TBT570 is the best course I have ever seen that gives someone an understanding of what battling an advanced attacker is really like, and the coordination that must occur between numerous teams to effectively eliminate the compromise. - Matthew Bainter, Caterpillar

TBT570 is 90% hands-on, which makes it unique among course offerings. The cyber labs were realistic and hearing from the red team each day was valuable. - Edward Tanner, Booz Allen Hamilton

SANS provides an immersive cyber range experience that is extremely applicable to real-world cybersecurity incidents. - Andy Scally, Secure-24

TBT570 provided the best Red Team type engagement I've been a part of. - John Moran, Rackspace

TBT570 training was valuable because it showed me my strengths and weaknesses, and how I personally fit in a team-based, dynamic environment. - Olivia Lomax, Kaiser Permanente

In TBT570, I learned the importance of good leadership and communication, and got to feel the panic and confusion that goes on during an incident response. - Carrie Roberts, Walmart

Great content. Like nothing you can get anywhere else - unless you have a real-world compromise. - Tim Gruber, Disney

TBT570 is very relevant to my work role as a threat hunter. There are not many chances where skills can be tested against an 'actual' adversary. Having a skilled red teamer with knowledge of APT tactics was very useful to test detection capabilities. - Andrew, Government Official

Author Statement

The SANS Blue Team / Red Team Dynamic Workshop course can really take an organization's skills to the next level. Whenever we've run this session, the take-aways have been INCREDIBLE - participants' skills and capabilities grow massively as they learn to function as an efficient team. And, the level-setting that we do at the end of each day helps ensure that the operations tempo remains vivid and exciting while learning occurs. This course is really an incredible opportunity for people who already have three or more years' experience and are looking to really ramp up their skills to be game changers in their organizations.

- Ed Skoudis, SANS Fellow