Training
Featured CourseView All Courses
Get a free hour of SANS training

Experience SANS training through course previews.

Learn More
Learning Paths
FeaturedView all Focus Areas
Cloud Security Training, Courses, and Resources
Can't find what you are looking for?

Let us help.

Contact us
Community Resources

SANS Community Benefits

Connect, learn, and share with other cybersecurity professionals

AI Risk & Readiness

Explore expert-driven guidance, training, and tools to help defend against AI-powered threats and adopt AI securely.

Join the SANS Community

Become a member for instant access to our free resources.

Sign Up
For Organizations

Public Sector

Mission-focused cybersecurity training for government, defense, and education

Partnerships

Explore industry-specific programming and customized training solutions

Sponsorship Opportunities

Sponsor a SANS event or research paper

Interested in developing a training plan to fit your organization’s needs?

We're here to help.

Contact Us
Talk With an Expert
Talk With an Expert

LDR553: Cyber Incident Management

LDR553Cybersecurity Leadership
  • 5 Days (Instructor-Led)
  • 30 Hours (Self-Paced)
Course authored by:
Steve Armstrong-Godwin
Steve Armstrong-Godwin
Register NowCourse Preview
LDR553: Cyber Incident Management
Course authored by:
Steve Armstrong-Godwin
Steve Armstrong-Godwin
Register NowCourse Preview
  • GIAC Cyber Incident Leader (GCIL)

    Learn about certification

  • 30 CPEs

    Apply your credits to renew your certifications

  • In-Person, Virtual or Self-Paced

    Attend a live, instructor-led class at a location near you or remotely, or train on your time over 4 months

  • 28 Hands-On Lab(s)

    Apply what you learn with hands-on exercises and labs

Jump to:

Develop essential leadership skills to effectively manage major cyber incidents from discovery to resolution, providing clear direction when your organization needs it most.

Featured Quote

Great insights, examples and relevant tools. I applied the 3rd party incident tool within minutes to an ongoing 3rd party incident. So I can't dream of a more relevant and useful course than this.
Jonas Roos ChristenseCopenhagen Airports

Course Overview

While technical teams work to identify and remove attackers, they require strategic direction, management, and support to maximize their effectiveness. Cyber Incident Management focuses on the critical non-technical challenges facing leaders during high-pressure security incidents. This course equips you to lead incident management teams by providing a comprehensive understanding of immediate, short, and medium-term challenges organizations face during security breaches.

You will learn to build and manage teams, distill critical data for briefings, and communicate effectively with executives, board members, and other stakeholders. Through nine detailed case studies, you will gain hands-on experience in incident management methodology and practices applicable to various cybersecurity scenarios.

What You'll Learn

  • Run briefings under pressure with minimal prep and deliver real impact
  • Lead meetings when the team is stressed, the facts are incomplete, and execs are impatient
  • Build and test your own GenAI tools to draft briefs, simulate reactions, and organize chaos
  • Survive a supply chain breach with minimal 3rd party support
  • Distinguish between technical facts, assumptions, and noise during incident response
  • Use the CIMTK framework to prioritize tasks and drive progress
  • Track attacker behavior, infrastructure risk, and team readiness in real time

Business Takeaways

  • Develop expert cyber incident management capabilities
  • Accelerate incident resolution with streamlined processes
  • Foster better vendor and legal coordination during third-party breach escalation
  • Improve team performance during critical incidents
  • Reduce workload without increasing risk with the integration of GenAI
  • Build stronger bridge between technical and non-technical functions during cyber events
  • Integrate threat intelligence to anticipate threats

Meet Your Author

Steve Armstrong-Godwin
Steve Armstrong-Godwin

Steve Armstrong-Godwin

Principal Instructor

Steve brings 25+ years of cybersecurity experience, including 14+ years in incident response and management. After serving in the UK Royal Air Force, where he led penetration testing teams, he gained expertise in managing cyber incidents globally.

Read more about Steve Armstrong-Godwin

Course Syllabus

Explore the course syllabus below to view the full range of topics covered in LDR553: Cyber Incident Management.

Section 1Understanding the Incident, Building the Team With GenAI, Scoping & Tracking the Impact

Section 1 focuses on understanding incidents, standardizing language, and defining objectives. You will gather information, set goals for the Incident Management team, and assign responsibilities. The section introduces the Cyber Incident Management Tool Kit (CIMTK), team composition, task tracking, and GenAI support.

Topics covered

  • Initial Information Gathering
  • Using Common Language
  • Defining Your Objectives
  • Who's On Our Team?
  • Building Our Communications Plan

Labs

  • Initial Setup at the Start of the Course
  • Initial Incident Briefing
  • CIMKT: The Grid and AIM-RADAR
  • Setting Objectives and Developing the Commander’s Intent
  • Making GPTs in OpenAI

Section 2Communications, Planning and Executing Remediations

Section 2 explores communications in great depth as we look at interactions with executives, attackers, our staff and the public/customers. You will learn approaches that can buy time to address issues and prevent data leaks. You will categorize network and data damage, prioritize remediation tasks, and eliminate vulnerabilities.

Topics covered

  • Engaging with attackers
  • Tracking incidents and progress
  • Remediating damage and evaluating attacker removal options
  • Utilizing Root Cause Analysis (RAC) methods
  • Reporting and documenting cases

Labs

  • Crisis Comms: Briefing Executives and the Wider Organization
  • Crisis Comms: Dealing with Attackers
  • Crisis Comms: Drafting a Public Statement
  • Planning Data and System Remediation
  • Conducting Root Cause Analysis (RAC)

Section 3Training, Leveraging Cyber Threat Intelligence, Bug Bounties

Section 3 explores training IR teams and the broader organization. You will learn to develop effective training programs based on organizational maturity and specific needs. We examine integrating Cyber Threat Intelligence (CTI) into IR efforts and deep dive into developing strategies for managing supply chain and third-party compromises.

Topics covered

  • Developing the wider team
  • Analyzing training needs
  • Developing the SOC/IR/IM team
  • Leveraging Cyber Threat Intelligence
  • Third-Party Supply Chain Compromise

Labs

  • Choosing Cyber Training Exercises
  • Planning a Hotseat exercise
  • Submitting a Request For Intelligence (RFI)
  • Complete Third-Party Supply Chain Exercises

Section 4Cloud Incidents, Business Email Compromise, Credential Theft Attacks and Incident Metrics

In section 4 you will gain a comprehensive view, visualize incident timelines and address complex attack scenarios. You will learn to create timelines tailored to different audiences, understand credential theft attacks and the MITRE framework, and explore Business Email Compromise (BEC), as well as cloud-based attacks and management console breaches.

Topics covered

  • Timelines for Visualization
  • Defining Cloud Attacks
  • Credential Theft Attacks
  • Business Email Compromise (BEC)
  • Cloud Assets and Management Console Attacks

Labs

  • Reviewing Incident Timelines
  • Credential Loss Impact Assessment
  • BEC attack response
  • Cloud Management attack response

Section 5AI for Incidents, Attacker Extortion, Ransomware, and Capstone Exercise

Section 5 examines AI applications, including Large Language Models and Generative AI. You will gain in-depth knowledge of ransomware incidents from examining historic cases and considering how to prepare and train to deal with encryption events.

Topics covered

  • Leveraging AI for IM
  • Ransomware
  • Summary and review
  • Capstone Exercise

Labs

  • Updating the public statement
  • Leveraging AI and LLM in IM
  • Reviewing Ransomware cases
  • Capstone exercise

Things You Need To Know

Relevant Job Roles

Cyber Incident Responder

European Cybersecurity Skills Framework

Monitor the organisation’s cybersecurity state, handle incidents during cyber-attacks and assure the continued operations of ICT systems.

Explore learning path

Systems Security Management (OPM 722)

NICE: Oversight and Governance

Responsible for managing the cybersecurity of a program, organization, system, or enclave.

Explore learning path

Senior Security Leader

Cybersecurity Leadership

Daily focus is on the leadership of technical teams. Includes titles such as Technical Director, Manager, and Team Lead.

Explore learning path

Cybersecurity Instruction (OPM 712)

NICE: Oversight and Governance

Responsible for developing and conducting cybersecurity awareness, training, or education.

Explore learning path

Incident Response

SCyWF: Protection And Defense

This role investigates, analyzes and responds to cyber incidents. Find the SANS courses that map to the Incident Response SCyWF Work Role.

Explore learning path

Executive Cybersecurity Leadership (OPM 901)

NICE: Oversight and Governance

Responsible for establishing vision and direction for an organization's cybersecurity operations and resources and their impact on digital and physical spaces. Possesses authority to make and execute decisions that impact an organization broadly, including policy approval and stakeholder engagement.

Explore learning path

Cybersecurity Policy and Planning (OPM 752)

NICE: Oversight and Governance

Responsible for developing and maintaining cybersecurity plans, strategy, and policy to support and align with organizational cybersecurity initiatives and regulatory compliance.

Explore learning path

Course Schedule & Pricing

Looking for Group Purchase Options?Contact Us

GIAC Certification Attempt

Add a GIAC certification attempt and receive free two practice tests. View pricing in the info icons below.

OnDemand Course Access

When purchasing a live instructor-led class, add an additional 4 months of online access after your course. View pricing in the info icons below.

Filter by:
Showing 8 of 17

Learn Alongside Leading Cybersecurity Professionals From Around The World

  • Slide 1 of 3
    It was awesome to have the opportunity to apply existing and newly learned skills to the labs. It was obvious that a significant amount of time had been invested in these.
    Andrew KempsterDXC Technologies
  • Slide 2 of 3
    The hands-on experiences and assignments have been exceptional and have significantly contributed to my learning experience.
    Ben RadfordLaw and Order
  • Slide 3 of 3
    This is a great course for incident managers or anyone that could be put into the firing line of dealing with incidents.
    Peter HallTesco
Slide 1 of 0

Benefits of Learning with SANS

Instructor teaching to a class

Get feedback from the world’s best cybersecurity experts and instructors

OnDemand Mobile App

Choose how you want to learn - online, on demand, or at our live in-person training events

Resources

Get access to our range of industry-leading courses and resources