SEC665: Advanced Red Team Operations

SEC665 | Offensive Operations
  • 6 Days (Instructor-Led)
  • 36 Hours
Course authored by:
Jonathan Reiter, Kevin Ott & Karim Lalji
  • 36 CPEs

    Apply your credits to renew your certifications

  • In-Person or Virtual

    Attend a live, instructor-led class from a location near you or virtually from anywhere

  • Advanced Skill Level

    Course material is geared for cyber security professionals with hands-on experience

  • 18 Hands-On Lab(s)

    Apply what you learn with hands-on exercises and labs

An intense advanced red team course focusing on advanced tradecraft: stealthy initial access, privesc, cloud/on-prem tradecraft, EDR internals and research.

Course Overview

SEC665 is an advanced red teaming course for experienced operators. It dives deep into stealthy tradecraft: covert infrastructure automation, AiTM phishing, EDR evasion, advanced privilege escalation, cloud/on-prem pivoting, kernel exploitation, custom tool development (BOFs, .NET), persistence, and advanced lateral movement.

What You’ll Learn

  • Design covert, automated red team infrastructure built to resist attribution and detection.
  • Execute advanced phishing, including AiTM and device code techniques to bypass MFA.
  • Evade modern EDR/NDR through unhooking, direct syscalls, and kernel callback bypasses.
  • Perform stealthy privilege escalation, lateral movement, and cloud/on-prem pivoting.
  • Exploit AD CS, CI/CD pipelines, and Entra ID for persistent, high-privilege access.
  • Develop custom BOFs, obfuscated .NET tools, and novel persistence mechanisms.
  • Apply all skills in a realistic full-day CTF against a hardened multi-domain environment.

Business Takeaways

  • Build red teams capable of operating effectively against hardened, modern environments.
  • Reduce organizational blind spots by emulating advanced, real-world adversary behavior.
  • Improve detection and response by stress-testing EDR, NDR, and identity controls.
  • Strengthen cloud and hybrid security by validating identity and access assumptions.
  • Increase red team ROI by developing sustainable, research-driven tradecraft.

Course Syllabus

Explore the course syllabus below to view the full range of topics covered in SEC665: Advanced Red Team Operations.

Section 1: Introduction and Initial Access

This module covers various topics required to build a successful initial access campaign for covert red team operations. From creating the infrastructure to building evasive payloads and delivery techniques, students will learn how to properly weaponize payloads for initial access.

Topics covered

  • Introduction to the course, Havoc C2, and Elastic Security
  • Designing resilient infrastructure and automating infrastructure deployments
  • Engineering evasive payloads
  • Modern payload delivery techniques
  • Phishing, social engineering, and creating convincing pretexts

Labs

  • Building automated infrastructure with Terraform and Ansible
  • Creating DLL sideloading payloads
  • Evading defenses with WebAssembly Smuggling
  • Executing a full initial access kill chain and enumerating the target

Section 2: Privilege Escalation and Lateral Movement

This section covers advanced lateral movement techniques in modern environments as a follow-on from topics covered in intermediate red team operations courses. Focus areas include credential attacks against hardened systems, Windows authentication protocols, relays over C2, OPSEC-focused stealth lateral movement, EDR architecture, telemetry, and evasion.

Topics covered

  • Credential attacks and relaying in hardened Windows environments
  • Authentication protocols and ticketing attacks in modern Windows over C2
  • Advanced lateral movement techniques with OPSEC awareness
  • Windows access tokens and UAC
  • EDR architecture, telemetry sources, and evasion

Labs

  • Credential dumping and relaying on modern Windows hosts over C2
  • Modifying Impacket functionality for stealth lateral movement
  • COM/DCOM for lateral movement
  • EDR telemetry tampering and evasion

Section 3: Entra ID and Advanced Lateral Movement

Section 3 introduces lesser-known techniques to achieve persistence on a compromised endpoint, cloud initial access, and lateral movement and attacks on AD CS and Configuration Manager (formerly known as SCCM). Students will understand how to leverage CI/CD pipelines to reach their objectives.

Topics covered

  • Advanced Persistence
  • Entra ID Initial Access
  • Entra ID Lateral Movement
  • Attacking Configuration Manager
  • Certificate Services Abuse

Labs

  • Cloud Kill Chain
  • Certifiably Broken
  • Abusing Configuration Manager

Section 4: Red Team Engineering

This section focuses on advanced red team engineering and R&D, teaching operators to research defenses, master .NET tradecraft, obfuscation, develop BOFs, and discover novel persistence mechanisms.

Topics covered

  • Researching endpoint/network defenses like WDAC and Defender
  • Advanced .NET tradecraft and obfuscation
  • Beacon Object File (BOF) development and testing
  • Discovering novel Windows persistence via ProcMon and COM hijacking

Labs

  • Advanced BOF development and testing
  • Finding novel persistence vectors with ProcMon
  • COM hijacking for persistence/escalation

Section 5: The Windows Kernel

Explore Windows kernel internals from a red team perspective, including EDR drivers, kernel callbacks, minifilters, and driver exploitation, to understand how modern defenses operate below user mode and where blind spots and evasion opportunities exist.

Topics covered

  • Windows kernel fundamentals and kernel debugging for red team operations
  • How EDR drivers, callbacks, and minifilters monitor system activity
  • Enumerating and analyzing EDR kernel components and communications
  • Identifying potential EDR blind spots through reverse engineering
  • Risks, tradeoffs, and methods of kernel driver exploitation

Labs

  • Enumerate minifilter communication ports and inspect EDR traffic
  • Discover kernel callback registrations using WinDbg and automation
  • Identify EDR kernel components and hidden enforcement points
  • Reverse engineer an EDR minifilter to understand internals
  • Explore real-world driver exploitation techniques and constraints

Section 6: Rogue One: The Operation Begins

Rogue One is a self-paced Capture the Flag (CTF) operation that will force you to put into place what you learned during training. You are the rebellion red team now and you must make your way through a labyrinth of networks as you try to gain access, persist, move, and exploit weaknesses along the way. Only a few will recover and escape with the plans.

Things You Need To Know

Relevant Job Roles

Purple Teamer

Offensive Operations

In this fairly recent job position, you have a keen understanding of both how cybersecurity defenses (“Blue Team”) work and how adversaries operate (“Red Team”). During your day-to-day activities, you will organize and automate emulation of adversary techniques, highlight possible new log sources and use cases that help increase the detection coverage of the SOC, and propose security controls to improve resilience against those techniques. You will also help coordinate effective communication between traditional defensive and offensive roles.


Penetration Tester

European Cybersecurity Skills Framework

Assess the effectiveness of security controls, reveal and utilise cybersecurity vulnerabilities, and assess their criticality if exploited by threat actors.


Red Teamer Training, Salary, and Career Path

Offensive Operations

Monitor and analyze activity across cloud environments, proactively detect and assess threats, and implement preventive controls and targeted defenses to protect critical business systems and data.


Course Schedule & Pricing

  • Location & instructor: SANS Rocky Mountain 2026, Denver, CO, US & Virtual (live)
  • Course price: $6,585 USD (prices exclude applicable local taxes)

Benefits of Learning with SANS


Get feedback from the world’s best cybersecurity experts and instructors

OnDemand Mobile App

Choose how you want to learn - online, on demand, or at our live in-person training events


Get access to our range of industry-leading courses and resources