Two Days Left to Get a Free GIAC Certification Attempt or Take $350 Off with OnDemand or vLive Training!

SEC564: Red Team Exercises & Adversary Emulation New

SEC564 was an excellent base to develop a workflow for a red team.

Lesly D., U.S. Federal Government Military

SEC564 is perfect for penetration testers looking to move to red teams.

Tim Maletic, D & B

Red Teaming is the process of using tactics, techniques, and procedures (TTPs) to emulate real-world adversaries in order to train and measure the effectiveness of the people, processes, and technology used to defend organizations. SEC564 will provide you with the skills to manage and operate a Red Team, conduct Red Team exercises and adversary emulations, and understand the role of the team and its importance in security testing.

Built on the fundamentals of penetration testing, Red Team exercises use a comprehensive approach to gain a holistic view of an organization's security posture in order to improve its ability to detect, respond, and recover from an attack. When properly conducted, Red Team exercises significantly improve an organization's security posture and controls, hone its defensive capabilities, and measure the effectiveness of its security operations.

Red Team exercises require a different approach from a typical security test and rely heavily on well-defined TTPs, which are critical to successfully emulating a realistic adversary. The Red Team exercises and adversary emulation results exceed a typical list of penetration test vulnerabilities, provide a deeper understanding of how an organization would perform against a real adversary, and identify where security strengths and weaknesses exist across people, processes, and technology.

Whether you support a defensive or offensive role in security, understanding how Red Team exercises can be used to improve security is extremely valuable. This intensive two-day course will explore Red Team concepts in-depth, provide the required fundamentals of adversary emulation, and help you improve your organization's security posture.

Course Syllabus


Day 1 begins by introducing you to Red Team exercises and adversary emulations to show how they differ from other security testing types such as vulnerability assessments, penetration tests, and purple teaming. You will be introduced to a number of industry frameworks (including the Cyber Kill Chain, Extended Kill Chain, and ATT&CK, among others) for Red Team exercises and adversary emulations. Threat Intelligence is a main factor and trigger to performing Red Team exercises and will be covered early in the class. A successful Red Teamer needs to know how to obtain and consume threat intelligence to successfully plan and execute an adversary emulation. Red Team exercises require substantial planning, and you will learn what triggers an exercise and how to define objectives and scope and set up attack infrastructure. You'll also learn about roles and responsibilities, including those of the trusted agents (White Team or Cell), and about establishing the rules of engagement. With a strong plan, an exercise execution phase can begin. You will learn how to perform the steps to emulate an adversary and provide a high-value Red Team exercise. The day will conclude with a hands-on lab emulating a chosen adversary against the fictional SEC564 target organization.

  • Consuming Threat Intelligence
  • Attack Infrastructure and an Introduction to Class-long Exercise
  • Recon, Weaponization, Delivery, Exploitation (via Social Engineering), and C2

CPE/CMU Credits: 6

  • About the Course
  • Defining Terms
  • Motivation and Introduction
  • Frameworks and Methodologies
  • Threat Intelligence
  • Planning
    • Triggers, Objectives, and Scope
    • Attack Infrastructure
    • Trusted Agents (White Team or White Cell)
    • Roles and Responsibilities
    • Rules of Engagement
  • Red Team Exercise Execution
    • Reconnaissance
    • Weaponization
    • Delivery
    • Social Engineering
    • Exploitation
    • Basic Command and Control (C2)

Day 2 continues with Red Team exercise execution and wraps up with exercise closure activities. The day is filled with exercises that walk students through the class-long adversary emulation Red Team exercise. Multiple Red Team exercise phases are explored that use realistic TTPs to ultimately meet the emulated adversary objective. During the exercises, you perform discovery of the target network from patient zero, attempt privilege escalation, create advanced command and controls channels, and establish persistence. These exercises reinforce the lecture portion of the course. You will learn various methods for defense evasion and execution, credentials access, and lateral movement and pivoting techniques to then perform them in the exercises and obtain the emulated adversary's objective. Finally, you will complete the exercise by performing the various closure activities that are discussed.

  • Discovery, Privilege Escalation, Advanced C2, and Persistence
  • Defense Evasion and Execution, Credential Access, and Lateral Movement and Pivoting
  • Action on Objectives: Collection, Exfiltration, Target Manipulation, and Obtaining Objectives
  • Exercise Closure

CPE/CMU Credits: 6

  • Red Team Exercise Execution
    • Discovery
    • Privilege Escalation
    • Advanced Command and Control (C2)
    • Persistence
    • Defense Evasion and Execution
    • Credential Access
    • Lateral Movement and Pivoting
    • Target Manipulation, Collection, and Exfiltration
  • Exercise Closure
    • Analysis and Response
    • Reporting
    • Remediation and Action Plan

Additional Information

Important! Bring your own system configured according to these instructions!

A properly configured system is required to fully participate in this course. If you do not carefully read and follow these instructions, you will likely leave the class unsatisfied because you will not be able to participate in hands-on exercises that are essential to this course. Therefore, we strongly urge you to arrive with a system meeting all the requirements specified for the course.

It is critical that you back-up your system before class. it is also strongly advised that you do not bring a system storing any sensitive data.

Baseline Hardware Requirements

  • CPU

    • 64-bit Intel i5/i7 2.0+ GHZ processor
  • BIOS

    • Enabled "Intel-VT"
  • USB

    • USB3.0 Type-A port
  • RAM

    • 16 GB RAM (8GB min)
  • Hard Drive Free Space

    • 60 GB Free space
  • Operating System

    • Windows 10 Pro or macOS 10.12+

Additional Hardware Requirements

The requirements below are in addition to baseline requirements provided above. Prior to the start of class, you must install virtualization software and meet additional hardware and software requirements as described below. If you do not carefully read and follow these instructions, you will leave the class unsatisfied because you will not be able to participate in hands-on exercises that are essential to this course.

Network, Wireless Connection

A wireless 802.11 B, G, N, or AC network adapter is required. This can be the internal wireless adapter in your system or and external USB wireless adapter. A wireless adapter allows you to connect to the network without any cables. If you can surf the Internet on your system without plugging in a network cable, you have wireless.

Additional Software Requirements

Adobe Acrobat or other PDF reader application

You will need Adobe Acrobat or other PDF reader application.

Microsoft Office or OpenOffice

Install Microsoft Office (any version) w/Excel or OpenOffice on your host. Note: you can download Office Trial Software online (free for 60 days). OpenOffice is a free product that can be downloaded from the here.

VMware Player

Install VMware Player 15, VMware Fusion 11, or VMware Workstation 15.

Older Versions will not work for this course. Choose the version compatible with your host OS. If you do not own a licensed copy of VMware Workstation or Fusion, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial at their Web site. VMware Workstation Player is a free download that does not need a commercial license but has fewer features than Workstation. THIS IS CRITICAL: Other virtualization products, such as Hyper-V and VirtualBox, are not supported and will not work with the course material.

System Configuration Settings

Local Admin

Some of the tools used in the course will require local admin access. This is absolutely required. If your company will not permit this access for the duration of the course, then you should make arrangements to bring a different system.

If you have additional questions about the laptop specifications, please contact

  • Security professionals interested in expanding their knowledge of Red Team exercises in order to understand how they are different from other types of security testing
  • Penetration testers and Red Team members looking to better understand their craft
  • Blue Team members, defenders, and forensic specialists looking to better understand how Red Team exercises can improve their ability to defend by better understanding offensive methodologies, tools, tactics, techniques, and procedures
  • Auditors who need to build deeper technical skills and/or meet regulatory requirements
  • Information security managers who need to incorporate or participate in high-value Red Team exercises

The concepts and exercises in this course are built on the fundamentals of offensive security. An understanding of general penetration testing concepts and tools is encouraged, and a background in security fundamentals will provide a solid base upon which to build Red Team concepts.

Many of the Red Team concepts taught in this course are suitable for anyone in the security community. Both technical staff as well as management personnel will be able to gain a deeper understanding of Red Team exercises and adversary emulations.

  • A course USB with Red Team attack infrastructure loaded with numerous tools used for all exercises
  • Details on Red Team use of common tools
  • A variety of sample documents used in threat intelligence, planning, executing, and reporting of Red Team exercises

Leverage Red Team exercises and adversary emulations to obtain a holistic view of an organization's security posture, and to measure, train, and improve people, processes, and technology

"I loved SEC564. Hands down, the most practical course available." - James Taliento, Cursive Security

"The content from SEC564 is great and I will be able to implement it in my organization right away!" - Kirk Hayes, Rapid 7

"SEC564 is perfect for penetration testers looking to move to red teams." - Tim Maletic, D & B

"Formalizing the process of red teaming and of automating the testing of defensive security capabilities is an accelerator to any security program." - Michael Machado, Ring Central, Inc.

"SEC564 provides a way to 'measure' red team maturity." - Robert Lee Smith, Intel Corporation

Author Statement

"Organizations are continually investing more and more in securing their digital assets. Whether investing in talent or technology, most organizations are maturing in their approach to security. While many organizations are performing basic security testing, few are performing end-to-end, threat intelligence-led adversary emulation Red Team exercises. These exercises provide a holistic view of an organization's security posture by emulating a realistic adversary to test security assumptions, measure the effectiveness of people, processes, and technology, and ultimately improve the overall security posture of the organization."

- Jorge Orchilles

Additional Resources

SANS SEC564 Red Team Exercises and Adversary Emulation Wiki:

Take your learning beyond the classroom. Explore our site network for additional resources related to this course's subject matter.

5 Training Results
Type Topic Course / Location / Instructor Date Register

Penetration Testing
Mar 10, 2020 -
Mar 11, 2020

Training Event
Penetration Testing
SANS 2020
Orlando, FL
Apr 3, 2020 -
Apr 4, 2020

Training Event
Penetration Testing
May 6, 2020 -
May 7, 2020

Training Event
Penetration Testing
Washington, DC
Jun 13, 2020 -
Jun 14, 2020

Private Training
All Private Training Course of Your Choice Your Choice  

*Course contents may vary depending upon location, see specific event description for details.