SEC573: Automating Information Security with Python

GIAC Python Coder (GPYC)
GIAC Python Coder (GPYC)
  • In Person (6 days)
  • Online
36 CPEs

The challenges faced by security professionals are constantly evolving, so there is a huge demand for those who can understand a technology problem and quickly develop a solution. If you have to wait on a vendor to develop a tool to recover a forensics artifact, or to either patch or exploit that new vulnerability, then you will always be behind. It is no longer an option for employers serious about information security to operate without the ability to rapidly develop their own tools. This course will give you the skills to develop solutions so that your organization can operate at the speed of the adversary. SEC573 is an immersive, self-paced, hands-on, and lab-intensive course. After covering the essentials required for people who have never coded before, the course will present students with real-world forensics, defensive, and offensive challenges. You will develop a malware dropper for an offensive operation; learn to search your logs for the latest attacks; develop code to carve forensics artifacts from memory, hard drives, and packets; automate the interaction with an online website's API; and write a custom packet sniffer. Through fun and engaging labs, youll develop useful tools and build essential skills that will make you the most valuable member of your information security team. 128 Hands-on Labs + Capture-the-Flag Challenge

Course Authors:

What You Will Learn

Versatile, Repeatable, Efficient: Security Tasks Automated with Python

Python is a simple, user-friendly language that is designed to make it quick and easy to automate the tasks performed by security professionals. Whether you are new to coding or have been coding for years, SANS SEC573: Automating Information Security with Python will have you creating programs that make your job easier and your work more efficient. This self-paced course starts from the very beginning, assuming you have no prior experience or knowledge of programming. We cover all of the essentials of the language up front. If you already know the essentials, you will find that the pyWars lab environment allows advanced developers to quickly accelerate to more advanced course material.

All security professionals, including penetration testers, forensics analysts, network defenders, security administrators, and incident responders, have one thing in common: CHANGE. Change is constant. Technology, threats, and tools are constantly evolving. If we don't evolve with them, we'll become ineffective and irrelevant, unable to provide the vital defenses our organizations increasingly require.

Maybe your chosen Operating System has a new feature that creates interesting forensics artifacts that would be invaluable for your investigation, if only you had a tool to access it. Often for new features and forensics artifacts, no such tool has yet been released. You could try moving your case forward without that evidence or hope that someone creates a tool before the case goes cold...or you can write a tool yourself.

Or perhaps an attacker bypassed your defenses and owned your network months ago. If existing tools were able to find the attack, you wouldn't be in this situation. You are bleeding sensitive data and the time-consuming manual process of finding and eradicating the attacker is costing you money and hurting your organization big time. The answer is simple if you have the skills: Write a tool to automate your defenses.

If you are a penetration tester, you need to evolve as quickly as the threats you are paid to emulate. What do you do when "off-the-shelf" tools and exploits fall short? If you're good, you write your own tool.

SEC573 is designed to give you the skills you need to tweak, customize, or outright develop your own tools. We put you on the path to create your own tools, empowering you to better automate the daily routine of today's information security professional and achieve more value in less time. Again and again, organizations serious about security emphasize their need for skilled tool builders. There is a huge demand for people who can understand a problem and then rapidly develop prototype code to attack or defend against it. Join us and learn Python in-depth and fully weaponized.

Business Takeaways

This course will help your organization:

  • Automate system processes and process their input quickly and efficiently
  • Create programs that increase efficiency and productivity
  • Develop tools to provide the vital defenses our organizations need

You Will Learn How To

  • Leverage Python to perform routine tasks quickly and efficiently
  • Automate log analysis and packet analysis with file operations, regular expressions, and analysis modules to find evil
  • Develop forensics tools to carve binary data and extract new artifacts
  • Read data from databases and the Windows Registry
  • Interact with websites to collect intelligence
  • Develop UDP and TCP client and server applications
  • Automate system processes and process their output

What Comes Next?

SANS offers several courses to help you continue advancing in your automation journey:

If you'd like to continue advancing your Python and automation skills,

Syllabus (36 CPEs)

Download PDF
  • Overview

    The course begins with a brief introduction to Python and the pyWars Capture-the-Flag challenge. We set the stage for students to learn at their own pace in the pyWars lab environment. With more than 100 labs in the course, there is no shortage of hand-on labs to develop life-changing skills. As more advanced students take on Python-based bonus challenges, students who are new to programming will start from the very beginning with Python essentials.

    • Syntax
    • Variables
    • Math Operators
    • Strings
    • Functions
    • Control Statements
    • Modules
  • Overview

    You will never learn to program by staring at PowerPoint slides. This section continues the hands-on, lab-centric approach established at the beginning of the course. It covers data structures and more detailed programming concepts. Next we will discuss how to effectively use Python Virtual Environments to resolve library conflict and organize your environment. Then you will learn how to use Microsoft's Visual Studio code to effectively debug your programs. We will show you valuable tips and tricks to make you a better Python programmer. Last, we will discuss many of the pitfalls you will encounter as you upgrade your code and dependent libraries from Python2 to Python3.

    • Lists
    • Loops
    • Tuples
    • Dictionaries
    • Python Virtual Environments
    • Debugging with Visual Studio Code
    • Tricks and Shortcuts
    • Upgrading from Python2 and Python3
  • Overview

    In this section we take on the role of a network defender with more logs to examine than there is time in the day. Attackers have penetrated the network and you will have to analyze the logs and packet captures to find them. We will discuss how to analyze network logs and packets to discover where the attackers are coming from and what they are doing. We will build scripts to empower continuous monitoring and disrupt the attackers before they exfiltrate your data. Forensics and offensive security professional won't be left out because the skills we will be developing, such as reading and writing files and parsing data, are also essential skill for their craft.

    • File Operations
    • Python Sets
    • Regular Expressions
    • Log Parsing
    • Data Analysis Tools and Techniques
    • Long-Tail/Short-Tail Analysis
    • Geolocation Acquisition
    • Packet Analysis
    • Packet Reassembly
    • Payload Extraction
  • Overview

    In our forensics-themed section, we will assume the role of a forensic analyst who has to carve evidence from artifacts when no tool exists to do so. Even if you don't do forensics, you will find that the skills covered in this section are foundational to every security role. We will discuss the process required to carve binary images, find appropriate data of interest in them, and extract those data. Once you have the artifact isolated, there is more analysis to be done. You will learn how to extract metadata from image files. Then, we will discuss techniques for finding artifacts in other locations, such as SQL databases, and interacting with web pages.

    • Acquiring Images from Disk
    • Memory and the Network
    • File Carving
    • The STRUCT module
    • Raw Network Sockets and Protocols
    • Image Forensics and PIL
    • SQL Queries
    • Web Communications with the Requests Module
    • Effective use of Online Website APIs
  • Overview

    During our offensively themed section we play the role of penetration testers whose normal tricks have failed. Their attempts to establish a foothold have been stopped by modern defenses. To bypass these defenses, you will build an agent to give you access to a remote system. Similar agents can be used for incident response or systems administration. Although the theme is offensive, the core skills - interacting with system processes and handling errors and TCP network communications - will benefit all disciplines.

    • Network Socket Operations
    • Exception Handling
    • Process Execution
    • Blocking and Non-blocking Sockets
    • Using the Select Module for Asynchronous Operations
    • Python Objects
    • Argument Packing and Unpacking
  • Overview

    In this final section you will be placed on a team with other students to apply the skills you have mastered in a series of programming challenges. Participants will exercise the new skills and the code they have developed throughout the course in a series of challenges. You will solve programming challenges, exploit vulnerable systems, analyze packets, parse logs, and automate code execution on remote systems. Test your skills! Prove your might!

    Note that OnDemand students will enjoy this exercise on an individual basis. As always, SANS SME's are available to support every OnDemand student's experience.

GIAC Python Coder

The GIAC Python Coder (GPYC) certification validates a practitioner's understanding of core programming concepts, and the ability to write and analyze working code using the Python programming language. GPYC certification holders have demonstrated knowledge of common python libraries, creating custom tools, collecting information about a system or network, interacting with websites and databases, and automating testing.

  • Python language essentials
  • Packet and data analysis
  • Website and database interaction
  • Regular expressions
  • Exception handling and debugging
More Certification Details


A basic understanding of any programming or scripting language is highly recommended but not required for this course. SEC573 starts with the most basic fundamentals of Python programming. There is no aspect of programming or Python that must be understood before attending this course. The lab environment is self-paced and this allows students who have had some experience coding to advance more quickly than those who have not. You are provided a Virtual Machine that gives you the ability to complete the labs that are in your course book after the live course or your OnDemand access has finished.

Laptop Requirements

CRITICAL NOTE: Apple Silicon devices cannot perform the necessary virtualization and cannot be used for this course.

Laptop Required

Students are required to bring their own laptop so that they can connect directly to the workshop network we will create, and thus get the most value out of the course. It is the student's responsibility to make sure that the system is properly configured with all drivers necessary to connect to an Ethernet network.

Some of the course exercises are based on Windows, while others focus on Linux. VMware Player or VMware Workstation is required for the course. If you plan to use a Mac, please make sure you bring VMware Fusion, along with a Windows guest virtual machine. All of the VMware products are available at


You are required to bring Windows 10 (Professional), Windows 8.1 (Professional), Windows 8 (Professional), Windows 7 (Professional, Enterprise, or Ultimate), or Windows Vista (Business, Enterprise, or Ultimate) either on a real system or a virtual machine. You will need administrative access to your Windows computer and the ability to install various software packages, including Python, on that computer.

IMPORTANT NOTE: You may also be required to disable your anti-virus tools temporarily for some exercises, so make sure you have the anti-virus administrator permissions to do so. DO NOT plan on just killing your anti-virus service or processes, because most anti-virus tools still function even when their associated services and processes have been terminated. For many enterprise-managed clients, disabling your anti-virus tool may require a different password than the Administrator account password. Please bring that Administrator password for your anti-virus tool.

The course includes a VMware image file of a guest Linux system that is larger than 15 GB. Therefore, you need a file system with the ability to read and write files that are larger than 15 GB, such as NTFS on a Windows machine.

Enterprise VPN clients may interfere with the network configuration required to participate in the course. If your system has an enterprise VPN client installed, you may need to uninstall it for the course exercises.


You will use VMware to run Windows and Linux operating systems simultaneously when performing exercises in class. You must have either the free VMware Player or later or the commercial VMware Workstation 8 or later installed on your system prior to coming to class. You can download VMware Workstation Player for free at

Alternatively, if you want a more flexible and configurable tool, you can download a free 30-day trial copy of VMware Workstation here. VMware will send you a time-limited license number for VMware Workstation if you register for the trial on its website. No license number is required for VMware Player.

We will provide a Linux image with all of our tools pre-installed that runs within VMware Player or VMware Workstation.


You do not need to bring a Linux system if you plan to use our Linux image in VMware. However, you are required to bring VMware Workstation or VMware Player. The class does not support VirtualPC or other non-VMware virtualization products.

Mandatory Laptop Hardware Requirements

  • x86- compatible or x64-compatible 2.0 GHz CPU minimum or higher
  • An available USB port with the ability to read an ExFat format.
  • 8 GB or higher recommended
  • 15 GB available hard drive space

If you have additional questions about the laptop specifications, please contact support.

Author Statement

"Good scripting skills are essential for professionals working in all aspects of information security. Understanding how to develop your own applications means you can automate tasks and do more, with fewer resources, in less time. SEC573 is designed for network defenders, forensics examiners, penetration testers, and other security professionals who want to learn how to apply basic coding skills to do their job more efficiently. This course will help take your career to the next level by teaching you this highly sought-after skill. We will focus on the most important skills for security professionals, such as interacting with networks, websites, databases, and file systems. We will cover these essential skills as we build practical applications that you can immediately put into use in your place of work."

- Mark Baggett


Python is a tool required in the world of InfoSec, and SEC573 helped me build that tool belt.
Ben Weber
Raymond James
Very well put together. I have been afraid of learning how to code for years. Within the first days' worth of material my mind has been put at ease.
Blake Thompson
Merrick Bank
I have had a few Python courses in the past in school, but I am already learning new things and ways to find new information on Day 1.
Vergil Daughtery

    Register for SEC573

    Prices below exclude applicable taxes and shipping costs. If applicable, these will be shown on the last page of checkout.