Major Update

SEC541: Cloud Security Threat Detection

GIAC Cloud Threat Detection (GCTD)
GIAC Cloud Threat Detection (GCTD)
  • In Person (5 days)
  • Online
30 CPEs

While shifting to cloud infrastructure offers many benefits, it also exposes organizations to new and continuously evolving threats. Many organizations are unaware of the critical differences between on-premises and cloud environments, leading to challenges in understanding what to log and how to detect threats effectively. Unlike other, primarily theoretical courses, SEC541: Cloud Security Threat Detection provides hands-on-keyboard experience through 21 practical labs covering AWS, Azure, and Microsoft 365. This course empowers your team to master cloud-native logging, threat detection, and monitoring, solving hidden, low-hanging but high ROI issues. Equip your team with the skills necessary to enhance your organization's cloud security posture and stay ahead of potential breaches with SEC541.

What You Will Learn

Detect, Respond, Secure

It's undeniable that cloud environments offer unparalleled benefits, however, poorly trained personnel can expose your organization to an ever-expanding list of dynamic threats. SEC541: Cloud Security Threat Detection is designed to address these challenges by equipping professionals with the skills to identify, detect, and respond to threats in cloud infrastructures. This comprehensive course delves into cloud-native logging, threat models, intrusion detection, and continuous monitoring, ensuring that your organization can maintain a robust security posture in AWS, Azure, and Microsoft 365 environments.

SEC541 immerses students in real-world scenarios, teaching them to navigate cloud-specific logs, build effective threat detection systems, and understand the unique aspects of cloud architecture. By mastering these skills, your team can significantly reduce detection and response times, enhance visibility into the cloud threat landscape, and effectively defend against sophisticated attacks.

SEC541 boosts the proficiency of cloud security analysts and empowers teams to operate more efficiently and effectively, maximizing your organization's security capabilities. Equip your workforce with the latest knowledge in cloud security threat detection and ensure your organization is prepared to tackle the complexities of modern cloud security challenges.

"I would recommend SEC541 to any cloud security stakeholder that wants to empower all the security tools companies have in order to improve detection, understand protection, and overall increase their security level."

- Veronique Dupont, Cloud Cyber Security Architect, Airbus

What Is Cloud Security Threat Detection?

Cloud security threat detection involves identifying and responding to potential threats within cloud environments by leveraging cloud-native tools and techniques. It encompasses monitoring cloud infrastructure for suspicious activities, analyzing cloud-native logs, and implementing threat detection systems to protect applications, data, and services. Effective cloud security threat detection includes continuous monitoring, intrusion detection, threat hunting, and utilizing frameworks like MITRE ATT&CK to maintain a robust security posture.

Business Takeaways

  • Reduce Detection and Response Time: Quickly identify and respond to critical cloud threats.
  • Enhance Visibility: Gain comprehensive insights into your cloud environment.
  • Improve Security Posture: Implement effective cloud-specific threat detection strategies.
  • Proactive Threat Management: Address threats early, aiding in swift incident resolution.
  • Efficiency and Automation: Increase efficiency with automated detection and response workflows.
  • Cost Savings: Avoid financial fallout by proactively securing your cloud environment.
  • Upskill Workforce: Equip your team with the latest cloud security knowledge and techniques to defend against sophisticated cloud threats.

Skills Learned

  • Understand how identities can be abused in cloud environments.
  • Monitor threat actors using cloud-native logging tools.
  • Define and understand compute resources such as virtual machines (VMs) and containers.
  • Detect and address attacker pivots within your cloud infrastructure.
  • Implement effective detection strategies using cloud provider tools.
  • Investigate and analyze instances in your compute resources for suspicious activities.
  • Perform detailed analysis and detection of threats in Microsoft 365 and Azure environments.
  • Pivot between different log sources to uncover the full narrative of an attack.
  • Build automation workflows to reduce repetitive security tasks.
  • Centralize and normalize data from various sources to enhance analysis and threat detection.

Hands-On Cloud Security Threat Detection Training

The hands-on portion of SEC541 is designed to provide students with practical, real-world experience in cloud security threat detection. Each student receives access to their own AWS and Azure accounts, where they can explore and interact with live cloud environments. The labs cover a wide range of topics, from analyzing cloud-native logs to detecting and responding to threats in AWS, Azure, and Microsoft 365. Students will perform attacks against their own accounts, generating the data needed for thorough analysis and investigation.

A key component of SEC541 is the 21 interactive labs, making up about 40% of the course time, split evenly between AWS and Azure environments. These labs are essential for applying the lecture's lessons by allowing students to practice and hone their skills in a controlled environment. By engaging in these hands-on activities, students gain a deeper understanding of cloud-specific threats and the tools and techniques needed to detect and respond to them effectively. This immersive approach ensures that participants leave the course with the confidence and capability to secure their own cloud environments.

"Inputting the malicious commands makes the labs much more interesting. Learning what to look for from both sides of the keyboard in one course is refreshing."

- Scott H., US Government

"I liked the labs. They were beefy but they were fun. I really liked the brute force lab because that is 100% legit. I thought it was really cool too how they show you two ways to do almost the same thing with Athena and CloudWatch."

- Samuel Cosentino, Cisco

"I really like the labs and the fact that we play the attacks before watching the logs, that's pretty cool."

- Damien Glomon, ANSSI

Syllabus Summary

  • Section 1: Detect adversarial activity through management API and network logs.
  • Section 2: Dive into logging for compute resources, VMs, and containers.
  • Section 3: Master detection services and understand cloud attack surfaces.
  • Section 4: Deep dive into threats and detections in Microsoft 365 and Azure.
  • Section 5: Automate response actions and test your skills in the CloudWars Challenge.

Additional Free Resources





What You Will Receive

  • Printed and electronic courseware
  • MP3 audio files of the complete course lecture
  • Access to virtual machine in the AWS cloud
  • SANS provided AWS account
  • SANS provided Azure account

What Comes Next?

Depending on your professional goals and direction, SANS offers a number of follow-on courses to SEC541.

Syllabus (30 CPEs)

Download PDF
  • Overview

    Detecting adversarial activity in your cloud environment through management plane and network logging & analysis.

    • Introduction to the Environment
    • Investigate management API
    • Investigate with CloudWatch Insights
    • Network Analysis with VPC Flow Logs
    • Code Spaces Case Study
    • MITRE ATT&C and Definitions
    • API logging
    • Parsing JSON
    • Cloud-Native Logging Services
    • Network Flow Logging
    • Capturing Raw Network Traffic
  • Overview

    Dig deeper into your applications, serverless deployments and compute systems running within the cloud environment.

    • Threat Intelligence Generation
    • Serverless Web Attacks
    • Kubernetes Command and Control
    • Cryptojacking Cloud Services
    • Data Exfiltration Analysis
    • Telsa Case Study
    • Host Visibility
    • Application Component Logging
    • Managed Container Services
    • Operational logging Techniques
    • Identifying Data Exfiltration
  • Overview

    Leverage cloud provider's security services to detect activity, investigate resources, identify data compromises, vulnerability systems and pivoting through many different telemetry types.

    • Metadata and GuardDuty
    • Purple-Teaming Lambda
    • Detecting Sensitive Data
    • Vulnerability Analysis
    • Graylog Analysis
    • Capital One Case Study
    • Metadata Service and GuardDuty
    • Function Attack Surface
    • Investigating Resources
    • Investigating Data
    • Vulnerability Analysis Services
    • Artifical Intelligence (AI) in the Cloud
    • Tracking Across Logs
  • Overview

    Deep dive into Azure's ecosystem and the unique threats that can occur.

    • Baker221b Onboarding and Active Incidents
    • Suspicious Email Investigation
    • Authentication Attacks and Rogue Activities
    • Sherlock's Data Breach
    • Filling in the Blanks with Network Data
    • Malware Bytes Case Study
    • Detection Services
    • Microsoft 365
    • Entra ID
    • Command and Control
    • Storage Monitoring
    • Network Enrichment and Analytics
  • Overview

    Learn how to cross pull logs across multiple clouds, automate response actions, and put your new skills to the test in a Capture the Flag event.

    • Cross-Cloud Log Shipping
    • Automated Anomaly Detection
    • CloudWars
    • Data Shipping, Enrichment and Export
    • Automating Detection and Response Actions

GIAC Cloud Threat Detection

The GIAC Cloud Threat Detection (GCTD) certification validates a practitioner's ability to detect and investigate suspicious activity in cloud infrastructure. GCTD-certified professionals are experienced in cyber threat intelligence, secure cloud configuration, and other practices needed to defend cloud solutions and services.

  • Detecting attacks in the cloud
  • Cloud investigations and cyber threat intelligence
  • Assessments and automation in AWS and Azure
More Certification Details


Students should be familiar with AWS or Azure and have worked with them hands-on, especially security professionals working in the cloud security field who understand basic threats and attack vectors.

The course assumes that students can understand or do the following without help:

  • Understand basic cloud resources such as virtual machines, storage services, and Identity Access Management
  • Use the Linux command line console.
  • Understand how identity access roles/policies work in cloud environments
  • Understand basic cloud networking capabilities

Common prerequisite SANS courses for SEC541 are either:

Laptop Requirements

Important! Bring your own system configured according to these instructions.

A properly configured system is required to fully participate in this course. If you do not carefully read and follow these instructions, you will not be able to fully participate in hands-on exercises in your course. Therefore, please arrive with a system meeting all of the specified requirements.

Back up your system before class. Better yet, use a system without any sensitive/critical data. SANS is not responsible for your system or data.

  • Wireless networking (802.11 standard) is required. There is no wired Internet access in the classroom.
  • Your host operating system must be the latest version of Windows 10, Windows 11, or macOS 10.15.x or newer.
  • Fully update your host operating system prior to the class to ensure you have the right drivers and patches installed.
  • Linux hosts are not supported in the classroom due to their numerous variations. If you choose to use Linux as your host, you are solely responsible for configuring it to work with the course materials and/or VMs.
  • Students should have an OpenSSH client installed on their laptop.

Your course materials include a "Setup Instructions" document that details important steps you must take before you travel to a live class event or start an online class. It may take 30 minutes or more to complete these instructions.

Your class uses an electronic workbook for its lab instructions. In this new environment, a second monitor and/or a tablet device can be useful for keeping class materials visible while you are working on your course's labs.

If you have additional questions about the laptop specifications, please contact support.

Author Statement

"Cloud service providers are giving us new tools faster than we can learn how to use them. As with any new and complex tool, we need to get past the surface-level "how-to" so we can radically reshape our infrastructure. SEC541 is an overview of the elements of AWS and Azure that you may have used before but are ready to truly explore. By the end of the class, you'll be confident knowing that you have the skills to start looking for the threats and building a true threat detection program in AWS and Azure."

-Shaun McCullough and Ryan Nicholson

"I really enjoyed learning more about the AWS data sources and then performing relevant attacks against them to generate events that we could hunt for." - Gavin Knapp, Bridewell Consulting


These labs are great and have all the components of real world events and experience from both the attacker and defender/analyst -side of the practices.
Doug Wolk
This is a very well designed course. Shaun and Ryan did great work putting it together. The content is great and there's a lot to learn.
Scott Perry
Each day's content is like a well told story. The labs bring the lecture to life.
Frank Balluffi
BNY Mellon

    Register for SEC541

    Learn about Group Pricing

    Prices below exclude applicable taxes and shipping costs. If applicable, these will be shown on the last page of checkout.