No classes scheduled at this time.

SEC562: CyberCity Hands-on Kinetic Cyber Range Exercise

Course Syllabus  ·  36 CPEs  ·   Laptop Requirements

Computers, networks, and programmable logic controllers operate most of the physical infrastructure of our modern world, ranging from electrical power grids, water systems, and traffic systems all the way down to HVAC systems and industrial automation. Increasingly, security professionals need the skills to assess and defend these important infrastructures. In this innovative and cutting-edge course based on the SANS CyberCity kinetic range, you will learn how to analyze and assess the security of control systems and related infrastructures, finding vulnerabilities that could result in significant kinetic impact.


You Will Learn:

  • How to analyze cyber infrastructures that control and impact kinetic infrastructures.
  • How to manipulate a variety of key industrial protocols, including Modbus, CIP, DNP3, Profinet, and other SCADA-related protocols.
  • How to rapidly prototype computer attack tools against specific vulnerabilities.
  • How to discover security flaws in a variety of SCADA and Industrial Control Systems (ICSs) and thwart attacks against them.
  • How to conduct penetration tests and assessments associated with kinetic infrastructures.


Course Syllabus

  • Mission 1: Camera mission: Visualizing the battlespace.
  • Mission 2: Team-building mission: Recon, social networking, intel gathering, and controlling billboards.
  • Mission 3: Water Reservoir mission: Ensure the water reservoir Human Machine Interface and data historian properly reflect water records to prevent contamination.
  • Mission 4: Train Derailment mission: Interact with SCADA-controlled train switching junctions to prevent a disaster.

CPE/CMU Credits: 6

  • Mission 5: Street light mission: Restore streetlights through manipulating an Operator Interface Terminal.
  • Mission 6: Bank alarm mission: Control a bank alarm system using intel gained from assets across the city.
  • Mission 7: Traffic light mission: Manipulating and injecting Modbus for system control.

CPE/CMU Credits: 6

  • Mission 8: Radar tower mission: Malware analysis and escaping restricting environments.
  • Mission 9: City-wide power grid mission: Gain control of SCADA systems to restore power on a city-wide basis.
  • Mission 10: Landing strip mission: Neutralize a cyber attack to restore lighting to an airfield landing strip.
  • Mission 11: Rocket launcher mission: Retake control of a rocket launcher and discharge its weapons safely.

CPE/CMU Credits: 6

  • Mission 12: Gas pipeline mission: Crack crypto weaknesses to restore pressure in the gas pipeline to prevent catastrophe.
  • Mission 13: Residential power grid mission: Regain control of power grid systems to restore the residential infrastructure after a blackout.

CPE/CMU Credits: 6

  • Mission 14: Retailer HVAC mission: Prevent attackers, who hacked in via a contractor and left a time bomb, from destroying a retailer.
  • Mission 15: ISP Infiltration: Perform a pen test on the ISP.

CPE/CMU Credits: 6


During the final day of SEC562, you'll apply the knowledge and skills you've built all week in SANS' first-ever course with a red-team/blue-team face-off, all inside of CyberCity. Your team will defend your CyberCity turf against attackers while vying to expand your control over various portions of the city. The CyberCity power grid will light up to indicate your level of control over city assets and your progress through a variety of bonus missions as you adapt your skills to achieve even more.

CPE/CMU Credits: 6

Additional Information


To get the most value out of the course, students are required to bring their own laptop so that they can connect directly to the workshop network that we will create. It is the students' responsibility to make sure that the system is properly configured with all drivers necessary to connect to an Ethernet network.

Some of the course exercises are based on Windows, while others focus on Linux. VMware Player or VMware Workstation is required for the class. If you plan to use a Macintosh, please make sure you bring VMware Fusion, along with a Windows guest virtual machine.


You are required to bring Windows 7 (Professional, Enterprise, or Ultimate), Windows Vista (Business, Enterprise, or Ultimate), Windows XP Pro, or Windows 2003 or 2008 Server, either a real system or a virtual machine. Windows 8 Pro is an acceptable option. Windows 7 Home, Windows Vista Home, Windows XP Home, and Windows 2000 (all versions) will NOT work for the class as they do not include all of the built-in capabilities we need for comprehensive analysis of the system.

The course includes a VMware image file of a guest Linux system that is larger than 2 GB. Therefore, you need a file system with the ability to read and write files that are larger than 2 GB, such as NTFS on a Windows machine.

IMPORTANT NOTE: You will also be required to disable your anti-virus tools temporarily for some exercises, so make sure you have the anti-virus administrator permissions to do so. DO NOT plan on just killing your anti-virus service or processes because most anti-virus tools still function even when their associated services and processes have been terminated. For many enterprise-managed clients, disabling your anti-virus tool may require a different password than the Administrator account password. Please bring that administrator password for your anti-virus tool.

Enterprise VPN clients may interfere with the network configuration required to participate in the class. If your system has an enterprise VPN client installed, you may need to uninstall it for the exercises in class.


You will use VMware to run Windows and Linux operating systems simultaneously when performing exercises in class. You must have either the free VMware Player 3 or later or the commercial VMware Workstation 6 or later installed on your system prior to coming to class. You can download VMware Player for free here.

Alternatively, if you want a more flexible and configurable tool, you can download a free 30-day trial copy of VMware Workstation here. VMware will send you a time-limited license number for VMware Workstation if you register for the trial at their Web site. No license number is required for VMware Player.

We will give you a DVD full of attack tools to experiment with during the class and take home for later analysis. We will also provide a Linux image with all of our tools pre-installed that runs within VMware Player or VMware Workstation.


You do not need to bring a Linux system if you plan to use our Linux image in VMware. However, you are required to bring VMware Workstation or VMware Player. The class does not support VirtualPC or other non-VMware virtualization products.

Mandatory Laptop Hardware Requirements

  • x86- or x64-compatible CPU, 1.5 GHz or higher
  • DVD drive (not a CD drive)
  • 2 GB RAM minimum, with 4 GB or higher recommended
  • Ethernet adapter (A wired connection is required in class. If your laptop supports only wireless, please make sure to bring an Ethernet adapter with you.)
  • 5 GB available hard drive space
  • Any Service Pack level is acceptable for Windows 8, Windows 7, Windows Vista, or Windows XP Pro

During the workshop, you will be connecting to one of the most hostile networks on planet Earth! Your laptop might be attacked. Do not have any sensitive data stored on the system. SANS is not responsible for your system if someone in the class attacks it in the workshop.

By bringing the right equipment and preparing in advance, you can maximize what you'll see and learn as well as have a lot of fun.

If you have additional questions about the laptop specifications, please contact

  • Red & Blue team members
  • Cyber warriors
  • Incident handlers
  • Penetration testers
  • Ethical hackers
  • Other security personnel who are first responders when systems come under attack.

  • At least one of the following courses: 560, 561, 542, or 575

  • Course DVD with virtual machines for all course labs
  • Course book with technical briefings for all missions
  • Challenges, hints, and answer sheets for all missions
  • In-class access to the CyberCity environment to build skills while conducting missions
  • Streaming video in-class to see the impact on CyberCity of all actions taken during missions
  • Scan for and discover the details associated with computer, network, and ICS assets.
  • Analyze and manipulate commonly used, very powerful, but often less-well-understood protocols such as Profinet, DNP3, Modbus, and more.
  • Work as part of a team analyzing attacker actions and preventing kinetic impacts against industrial control systems.
  • Look for vulnerabilities in systems associated with electrical power distribution, water systems, traffic systems, and other infrastructures.
  • Use a variety of hands-on tools for analyzing and interacting with target systems, including Wireshark, tcpdump, Nmap, Metasploit, and much more.
  • Control various Human Machine Interfaces and Operator Interface Terminals widely used by SCADA and other Industrial Control Systems (ICSs).
  • Prevent attackers from wreaking havoc by manipulating computers that control physical infrastructures.

  • Interact with SCADA-controlled train switching junctions to prevent a disaster.
  • Ensure the water reservoir Human Machine Interface and data historian properly reflect water records to prevent contamination.
  • Regain control of power grid systems to restore the residential infrastructure after a blackout.

"I will be promoting the 562 course as part of our advanced CPT training for within the AF/ANG CPT community." - Anonymous

"This course should be thought of as THE capstone, pinnacle course/event for any cyber operations professional." - Anonymous

"I attended the 6-day SEC562 course. The benefit from this course is the experience in tinkering with industry standard hardware control systems such as PLCs and software SCADA systems. No other class seems to target this up-and-coming subject area." - Phillip A. Smith

Ed Skoudis is the SANS Pen Test Curriculum Lead and the director of the SANS CyberCity project, an innovative training ground and cyber range.

Listen to the full story of CyberCity on this episode of NPR's New Tech City.

Author Statement

The world faces a critical shortage of individuals with the skills needed to defend the computer systems and network infrastructures that control our physical world. We built this course to help fill that gap, teaching cyber warriors how to analyze, control, and defend countless control systems, protocols, and other kinetic infrastructures they will increasingly face in the future. The course is chock full of practical skills that security professionals can use in their own practice. The coolest part of the course is the fact that students can actually see the impact on the city of their hands-on lab work through real-time streaming video to the classroom. For example, when you restore the power grid, you will actually see the lights in the city turn back on (and a newspaper article get published in real-time about the end of the blackout). Nearly every mission in the course provides visual impacts, which inspire and excite students and instructors alike.

-- Ed Skoudis, Josh Wright, and Tim Medin
