SEC501: Advanced Security Essentials - Enterprise Defender

GIAC Certified Enterprise Defender (GCED)
  • In Person (6 days)
  • Online
38 CPEs

Become an Enterprise Defender! Enhance your knowledge and skills in the specific areas of network architecture defense, penetration testing, security operations, digital forensics and incident response, and malware analysis. SEC501: Advanced Security Essentials - Enterprise Defender is an essential course for members of security teams of all sizes. That includes smaller teams where you wear several (or all) hats and need a robust understanding of many facets of cybersecurity, and larger teams where your role is more focused, and gaining skills in additional areas adds to your flexibility and opportunities. This course concentrates on showing you how to examine the traffic that is flowing on your networks, look for indications of an attack, and perform penetration testing and vulnerability analysis against your enterprise to identify problems and issues before a compromise occurs. When a compromise does occur - and it will - you'll be able to eradicate it because you will have already scoped your adversaries' activities by collecting digital artifacts of their actions and analyzing malware they have installed on your systems. That done, you can then undertake the recovery and remediation steps that would have been pointless if your adversary had persisted on your network.

26 Hands-on Labs + Capstone CTF

What You Will Learn

Have you ever wanted to...

...execute malware (Ransomware) for the sheer thrill of watching it pop up a scary-looking interface demanding you send Bitcoin to decrypt your data before it is deleted? Or even better, delve into the secrets of how Ransomware does what it does and what it needs to function, then find the data needed to defeat it by deceiving it into believing you have met its demands?

...administer actual network devices and learn about the mysterious world of network engineers and the device configuration settings available to them to maintain a secure network? Or even better, launch real-time attacks against network devices by compromising authentication, redundancy, routing protocols, and encrypted credentials, then harden devices against these same attacks and validate that they fail?

...explore penetration testing by learning about the tools and techniques to scope tests, conduct reconnaissance of target environments, exploit systems, gather credentials, move laterally, and report your findings? Or even better, discover and compromise systems, enumerate accounts, steal credentials, and discover, identify, attack, compromise, and pivot to other systems on the target network using exploitation tools and frameworks exactly as your adversary would do?

...understand how your adversary discovers the vulnerabilities in enterprise and web applications to breach yet another enterprise? Or better yet, detect these vulnerabilities with sniffers, scanners, and proxies, giving you the opportunity to remediate the weaknesses in your systems before the attack begins?

...monitor your network proactively, analyzing log data in real-time, looking for indicators of compromise to identify a new attack? Or better yet, directly consume threat intelligence, identifying signatures of nascent attacks in packets captured from your network and creating and testing new rules for your Network Intrusion Detection System?

If you want to learn the dynamic skills listed above to defend your enterprise, SEC501: Advanced Security Essentials - Enterprise Defender is the course for you. Effective cybersecurity is more important than ever as attacks become stealthier, have a greater financial impact, and cause broad reputational damage. This course provides a solid foundation of core policies and practices to enable individuals and security teams to defend their enterprise.

It has been said of security that "prevention is ideal, but detection is a must." However, detection without response has little value. Network security needs to be constantly improved to prevent as many attacks as possible and to swiftly detect and appropriately respond to any breach that does occur. This PREVENT - DETECT - RESPONSE strategy must be in place both externally and internally. As data become more portable and networks continue to be porous, there needs to be an increased focus on data protection. Critical information must be secured regardless of where it resides or what paths it travels.

The primary way to PREVENT attacks begins with assuring that your network devices are optimally configured to thwart your adversary. This is done by auditing against established security benchmarks, hardening devices to reduce their attack surface, and validating their increased resilience against attack. Prevention continues with securing hostname resolution (an obvious adversary target for establishing a Machine-in-the-Middle position) and goes even further with securing and defending cloud infrastructure (both public and private) against compromise.

Enterprises need to be able to DETECT attacks in a timely fashion. This is accomplished by understanding the traffic that is flowing on your networks, monitoring for indications of compromise, and employing active defense techniques to provide early warning of an attack. Of course, despite an enterprise's best efforts to prevent network attacks and protect its critical data, some attacks will still be successful. Performing penetration testing and vulnerability analysis against your enterprise to identify problems and issues before a compromise occurs is an excellent way to reduce overall organizational risk.

Once an attack is identified, you must quickly and effectively RESPOND, activating your incident response team to collect the forensic artifacts needed to identify the tactics, techniques, and procedures being used by your adversaries. With this information you can contain their activities, ensure that you have scoped out all systems where they have had an impact, and eventually eradicate them from the network. This can be followed by recovery and remediation to PREVENT their return. Lessons learned through understanding how the network was compromised can then be fed back into more preventive and detective measures, completing the security lifecycle.

It costs enterprises worldwide billions of dollars annually to respond to malware, and particularly Ransomware, attacks. So it is increasingly necessary to understand how such software behaves. Ransomware spreads very quickly and is not stealthy; as soon as your data become inaccessible and your systems unstable, it is clear something is amiss. Beyond detection and response, when prevention has failed, understanding the nature of malware, its functional requirements, and how it achieves its goals is critical to being able to rapidly reduce the damage it can cause and the costs of eradicating it.


This course will help your organization:

  • Improve the effectiveness, efficiency, and success of cybersecurity initiatives
  • Build defensible networks that minimize the impact of attacks
  • Identify your organization's exposure points to ultimately prioritize and fix the vulnerabilities, increasing the organization's overall security

You Will Learn

  • Core components of building a defensible network infrastructure and properly securing your routers, switches, and other network infrastructure
  • Formal methods to perform vulnerability assessment and penetration testing to find weaknesses on your enterprise network
  • Methods to detect advanced attacks against your network and indicators of compromise on deployed systems, including the forensically sound collection of artifacts and what you can learn from them
  • How to respond to an incident using the six-step process of incident response: Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned
  • Approaches to analyzing malware, ranging from fully automated techniques to the manual analysis of static properties, interactive behavior, and code reversing

You Will Be Able To

  • Identify network security threats against infrastructure and build defensible networks that minimize the impact of attacks
  • Utilize tools to analyze a network to prevent attacks and detect the adversary
  • Decode and analyze packets using various tools to identify anomalies and improve network defenses
  • Understand how the adversary compromises systems and how to respond to attacks using the six-step incident handling process
  • Perform penetration testing against an enterprise to determine vulnerabilities and points of compromise
  • Use various tools to identify and remediate malware across your enterprise

SEC501 Features 25 Lab Exercises That Will Show You How To

  • Build a defensible network architecture by auditing router configurations, launching successful attacks against them, hardening devices to withstand those same attacks, and using active defense tools to detect an attack and generate an alert
  • Perform detailed analysis of traffic using various sniffers and protocol analyzers, and automate attack detection by creating and testing new rules for detection systems
  • Identify and track attacks and anomalies in network packets
  • Use various tools to assess systems and web applications for known vulnerabilities, and exploit those vulnerabilities using penetration testing frameworks and toolsets
  • Analyze Windows systems during an incident to identify signs of a compromise
  • Find, identify, analyze, and clean up malware such as Ransomware using a variety of techniques, including monitoring the malware as it executes and manually reversing its code to discover its secrets

Syllabus (38 CPEs)

  • Overview

    Section 1 will focus on security in the design and configuration of various enterprise infrastructures. From a security perspective, proper design and configuration protects both the components being configured and the rest of the enterprise that depends on that gear to defend other components from attacks. In other words, a good house needs a good foundation!

    We will discuss published security benchmarks, vendor guidance to secure various products, and regulatory requirements and how they impact defending infrastructure against specific attacks. To illustrate these points, we will look in detail at securing and defending a router infrastructure against a number of device- and network-based attacks. Securing private and public cloud infrastructure against common attacks will also be discussed.

    • Initial Router Configuration and Audit
    • Securing AAA
    • Securing Redundancy Protocols
    • Log Infrastructure in Defense
    • Defending Routing Protocols
    • Final Router Hardening Steps/Audit

    • Security Standards and Audit
    • Authentication, Authorization, and Accounting
    • Defending Network Infrastructure
    • Intrusion Prevention Systems and Firewalls
    • Name Resolution Attacks and Defense
    • Securing Private and Public Cloud Infrastructure
  • Overview

    Security is all about understanding, mitigating, and controlling the risk to an enterprise's critical assets. An enterprise must understand the changing threat landscape and have the capacity to compare it against its own vulnerabilities that could be exploited to compromise the environment. This second course section will present the variety of tests that can be run against an enterprise and show how to perform effective penetration tests to better understand the security posture for network services, operating systems, and applications. In addition, we will talk about social engineering and reconnaissance activities to better emulate increasingly prevalent threats to users.

    Finding basic vulnerabilities is easy but not necessarily effective if these are not the vulnerabilities attackers exploit to break into a system. Advanced penetration testing involves understanding the variety of systems and applications on a network and how they can be compromised by an attacker. Students will learn about scoping and planning their test projects, performing external and internal network penetration testing and web application testing, and pivoting through the environment like real-world attackers.

    Penetration testing is critical to identify an enterprise's exposure points, but students will also learn how to prioritize and fix these vulnerabilities to increase the enterprise's overall security.

    • Network Scanning Fundamentals
    • Scanning with Nessus
    • Exploitation and Metasploit Basics
    • Metasploit and Pivoting
    • Basic Web App Scans and Attacks
    • Penetration Testing Scoping and Rules of Engagement
    • Online Reconnaissance
    • Social Engineering
    • Network Mapping and Scanning Techniques
    • Enterprise Vulnerability Scanning
    • Network Exploitation Tools and Techniques
    • Post-Exploitation and Pivoting
    • Web Application Exploitation Tools and Techniques
    • Reporting and Debriefing
  • Overview

    "Prevention is ideal, but detection is a must" is a critical motto for security professionals. However, because of the changing landscape of attacks, detecting them is an ongoing challenge. Today's attacks are stealthier and more difficult to find than ever before. Only by understanding the core principles of traffic analysis can you become a skilled analyst capable of differentiating between normal and attack traffic. New attacks are surfacing all the time, so security professionals must be able to write intrusion detection rules that detect the latest attacks before they compromise a network environment.

    Traffic analysis and intrusion detection used to be treated as a separate discipline within many enterprises. Today, prevention, detection, and response must be closely knit, so that once an attack is detected, defensive measures can be adapted and proactive forensics implemented so the enterprise can continue to operate. This course section will start with a brief introduction to network security monitoring, followed by a refresher on network protocols with an emphasis on fields to look for as security professionals. We will use tools such as tcpdump and Wireshark to analyze packet traces and look for indicators of attacks. We will use a variety of detection and analysis tools, craft packets with Scapy to test detection, and touch on network forensics and the Security Onion monitoring distribution. Students will also explore Snort as a Network Intrusion Detection System and examine rule signatures in-depth.

    • Analyzing PCAPs with tcpdump
    • Attack Analysis with Wireshark
    • Snort Basics
    • Detecting Malicious Activity with Security Onion
    • Security Analytics with SOF-ELK
    • Network Security Monitoring
    • Advanced Packet Analysis
    • Network Intrusion Detection/Prevention
    • Writing Signatures for Detection
    • Network Forensics and More
    • Event Management Introduction
    • Continuous Monitoring
    • Logging and Event Collection and Analysis
    • SIEM and Analytics
  • Overview

    "Bad guy elimination" is the core mission for Digital Forensics and Incident Response (DFIR) professionals. Incidents happen, and enterprises rely on these professional responders to find, scope, contain, and eradicate evil from their networks. Investigators employ DFIR practices to determine what happened. DFIR teams conduct investigations to find evidence of compromise, remediate the environment, and provide data to generate local threat intelligence for operations teams in order to continuously improve detection. While traditionally seen as a finite process, incident response is now viewed as ongoing, with DFIR professionals searching for evidence of an attacker that has existed in the environment without detection by applying new threat intelligence to existing evidence. This is the crux of the concept known as "threat hunting."

    This section begins with a discussion of Active Defense approaches in some detail. Next, we will present the core concepts of both Digital Forensics and Incident Response. We will explore some of the hundreds of artifacts that can give forensic investigators specific insight about what occurred during an incident. Students will learn how incident response currently operates, after years of evolving, in order to address the dynamic procedures used by attackers to conduct their operations. We will also look at how to integrate DFIR practices into a continuous security operations program.

    The section will cover the general guidelines for a cyclical, six-step incident response process. Each step will be examined in detail, including practical examples of how to apply it. Finally, students will learn about the artifacts that can best be used to determine the extent of suspicious activity within a given environment and how to migrate techniques to a large data set for enterprise-level analysis.

    • Active Defense: Honeyports
    • Data Recovery with FTK Imager and Photorec
    • Discovering Artifacts
    • Ransomware Timeline Analysis
    • Ransomware Network Analysis
    • Active Defense
    • DFIR Core Concepts: Digital Forensics
    • DFIR Core Concepts: Incident Response
    • Modern DFIR
    • Widening the Net: Scaling and Scoping
  • Overview

    Malicious software is responsible for many incidents in almost every type of enterprise. Types of malware vary widely, from Ransomware and Rootkits to Crypto Currency Miners and Worms. We will define each of the most popular types of malware and walk through multiple examples. The four primary phases of malware analysis will be covered: Fully Automated Analysis, Static Properties Analysis, Interactive Behavior Analysis, and Manual Code Reversing. You will complete various in-depth labs requiring you to fully dissect a live Ransomware specimen from static analysis through code analysis. You will get hands-on experience with tricking the malware through behavior analysis techniques, and in decrypting files encrypted by Ransomware by extracting the keys through reverse engineering. All steps are well defined and tested to ensure that the process to achieve these goals is actionable and digestible.

    • Static Properties Analysis of Ransomware
    • Interactive Behavior Analysis of Ransomware Part I
    • Interactive Behavior Analysis of Ransomware Part II
    • Manual Code Reversing of Ransomware
    • Introduction to Malware Analysis
    • Malware Analysis Stages: Fully Automated and Static Properties Analysis
    • Malware Analysis Stages: Interactive Behavior Analysis
    • Malware Analysis Stages: Manual Code Reversing
  • Overview

    The concluding section of the course will serve as a real-world challenge for students by requiring them to work in teams, use the skills they have learned throughout the course, think outside the box, and solve a range of problems from simple to complex. A web server scoring system and Capture-the-Flag engine will be provided to score students as they submit flags to score points. More difficult challenges will be worth more points. In this defensive exercise, challenges include packet analysis, malware analysis, and other challenges related to the course material.

GIAC Certified Enterprise Defender

The GIAC Certified Enterprise Defender (GCED) certification builds on the security skills measured by the GIAC Security Essentials certification. It assesses more advanced, technical skills that are needed to defend the enterprise environment and protect an organization as a whole. GCED certification holders have validated knowledge and abilities in the areas of defensive network infrastructure, packet analysis, penetration testing, incident handling and malware removal.

  • Network and cloud-based defensive infrastructure
  • Penetration testing; Digital forensics; Incident response
  • Network monitoring, forensics, and logging
  • Packet analysis; Intrusion analysis; Malware analysis


While not required, it is recommended that students take SANS' SEC401: Security Essentials: Network, Endpoint, and Cloud course or have the skills taught in that class. This includes a detailed understanding of networks, protocols, and operating systems.

Laptop Requirements

Important! Bring your own system configured according to these instructions.

A properly configured system is required to fully participate in this course. If you do not carefully read and follow these instructions, you will not be able to fully participate in hands-on exercises in your course. Therefore, please arrive with a system meeting all of the specified requirements.

Back up your system before class. Better yet, use a system without any sensitive/critical data. SANS is not responsible for your system or data.


  • CPU: 64-bit Intel i5/i7 (8th generation or newer), or AMD equivalent. An x64, 2.0+ GHz or newer processor is mandatory for this class.
  • CRITICAL: Apple systems using the M1/M2 processor line cannot perform the necessary virtualization functionality and therefore cannot in any way be used for this course.
  • BIOS settings must be set to enable virtualization technology, such as "Intel-VTx" or "AMD-V" extensions. Be absolutely certain you can access your BIOS if it is password protected, in case changes are necessary.
  • 16GB of RAM or more is required.
  • 125GB of free storage space or more is required.
  • At least one available USB 3.0 Type-A port. A Type-C to Type-A adapter may be necessary for newer laptops. Some endpoint protection software prevents the use of USB devices, so test your system with a USB drive before class.
  • Wireless networking (802.11 standard) is required. There is no wired Internet access in the classroom.


  • Your host operating system must be the latest version of Windows 10, Windows 11, or macOS 10.15.x or newer.
  • Fully update your host operating system prior to the class to ensure you have the right drivers and patches installed.
  • Linux hosts are not supported in the classroom due to their numerous variations. If you choose to use Linux as your host, you are solely responsible for configuring it to work with the course materials and/or VMs.
  • Local Administrator Access is required. (Yes, this is absolutely required. Don't let your IT team tell you otherwise.) If your company will not permit this access for the duration of the course, then you should make arrangements to bring a different laptop.
  • You should ensure that antivirus or endpoint protection software is disabled, fully removed, or that you have the administrative privileges to do so. Many of our courses require full administrative access to the operating system and these products can prevent you from accomplishing the labs.
  • Any filtering of egress traffic may prevent accomplishing the labs in your course. Firewalls should be disabled or you must have the administrative privileges to disable them.
  • Download and install VMware Workstation Pro 16.2.X+ (for Windows 10 hosts), VMware Workstation Pro 17.0.0+ (for Windows 11 hosts), or VMware Fusion Pro 12.2+ (for macOS hosts) prior to class beginning. If you do not own a licensed copy of VMware Workstation Pro or VMware Fusion Pro, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial at their website. This course requires a "Pro" version of VMware software. The "Player" versions are not sufficient.
  • On Windows hosts, VMware products might not coexist with the Hyper-V hypervisor. For the best experience, ensure VMware can boot a virtual machine. This may require disabling Hyper-V. Instructions for disabling Hyper-V, Device Guard, and Credential Guard are contained in the setup documentation that accompanies your course materials.
  • Download and install 7-Zip (for Windows Hosts) or Keka (for macOS hosts). These tools are also included in your downloaded course materials.

Your course media is delivered via download. The media files for class can be large. Many are in the 40-50GB range, with some over 100GB. You need to allow plenty of time for the download to complete. Internet connections and speed vary greatly and are dependent on many different factors. Therefore, it is not possible to give an estimate of the length of time it will take to download your materials. Please start your course media downloads as soon as you get the link. You will need your course media immediately on the first day of class. Do not wait until the night before class to start downloading these files.

Your course materials include a "Setup Instructions" document that details important steps you must take before you travel to a live class event or start an online class. It may take 30 minutes or more to complete these instructions.

Your class uses an electronic workbook for its lab instructions. In this new environment, a second monitor and/or a tablet device can be useful for keeping class materials visible while you are working on your course's labs.

If you have additional questions about the laptop specifications, please contact

Author Statement

"My introduction to cybersecurity began in the early 1990s as a neuroscience Ph.D. student on the day after our lab was attacked, when I discovered that our UNIX workstations had known vulnerabilities for which patches had to be downloaded and installed. Entirely self-taught, I learned to patch and rebuild kernels, compile, deploy, configure and use tools like Tripwire, SATAN, and TCP Wrappers. Later, as a full-time enterprise administrator, I learned about switches, routers, and firewalls; RSA SecurID, IPSec VPN, and proxy gateways; hardening Windows endpoints; automating the auditing of Active Directory and the dynamic population of security groups; administering Nexpose; and wrangling IPTables. My own multifaceted technology background makes me particularly enthusiastic about being the lead author for SEC501, as the course reflects my own experience as a jack of all trades and provides the perfect opportunity to share that excitement with you! In addition, a group of rock star authors built and maintain this syllabus and content, including Stephen Sims, Dave Shackleford, Phil Hagen, Matt Bromiley, and Rob Vandenbrink."

- Ross Bergman


A must for cyber security professionals!
Gary Oakley
The disciplines/skills taught in SEC501 were exactly what my career and team needed to mature our SOC. Bryce Galbraith was an amazing, extremely knowledgeable instructor who kept all of the material interesting and fun.
John Barrow
Caesars Entertainment Corporation
I would recommend SEC501 as a strong foundation to any security practitioner role. It is broad but assumes a reasonable level of technical proficiency that is refreshing.
Karl King
Vodafone UK
SEC501 offers a great explanation of Net Defense best practices that often get overlooked.
Kirk G.
US Military
This is the best technical training course I have ever taken. SEC501 exposed me to many valuable concepts and tools but also gave me a solid introduction to those tools so that I can continue to study and improve on my own.
Curt Smith
Hidalgo Medical Services
