SEC595: Applied Data Science and AI/Machine Learning for Cybersecurity Professionals
SEC595Cyber Defense
SANS Community Benefits
Connect, learn, and share with other cybersecurity professionals
LDR553: Cyber Incident Management
LDR553Cybersecurity Leadership
- 5 Days (Instructor-Led)
- 30 Hours (Self-Paced)
Course authored by:
Steve Armstrong-Godwin
Course authored by:Steve Armstrong-Godwin
- GIAC Cyber Incident Leader (GCIL)
- 30 CPEs
Apply your credits to renew your certifications
- In-Person, Virtual or Self-Paced
Attend a live, instructor-led class at a location near you or remotely, or train on your time over 4 months
- 28 Hands-On Lab(s)
Apply what you learn with hands-on exercises and labs
Develop essential leadership skills to effectively manage cyber incidents from discovery to resolution, providing clear direction when your organization needs it most.
Featured Quote
Great insights, examples and relevant tools. I applied the 3rd party incident tool within minutes to an ongoing 3rd party incident. So I can't dream of a more relevant and useful course than this.
Course Overview
While technical teams work to identify and remove attackers, they require strategic direction, management, and support to maximize their effectiveness. Cyber Incident Management focuses on the critical non-technical challenges facing leaders during high-pressure security incidents.
This course equips you to lead incident management teams by providing a comprehensive understanding of immediate, short, and medium-term challenges organizations face during security breaches. You will learn to build and manage teams, distill critical data for briefings, and communicate effectively with executives, board members, and other stakeholders. Through nine detailed case studies, you will gain hands-on experience in incident management methodology and practices applicable to various cybersecurity scenarios.
What You'll Learn
- Lead crisis communications with executives and teams
- Manage incident teams under extreme pressure situations
- Develop comprehensive remediation plans and strategies
- Coordinate effective responses to complex ransom scenarios
- Leverage AI and threat intelligence for incident support
- Deliver clear, impactful briefings to executives and boards
- Manage the transition from active incident to normal operations
Business Takeaways
- Develop expert cyber incident management capabilities
- Accelerate incident resolution with streamlined processes
- Bridge security gaps with comprehensive response plans
- Improve team performance during critical incidents
- Navigate high-stakes attacks with strategic resilience
- Enhance technical and non-technical team collaboration
- Integrate threat intelligence to anticipate threats
Meet Your Author
Steve Armstrong-Godwin
Principal InstructorSteve brings 25+ years of cybersecurity experience, including 12 years in incident response and management. Following his career in the UK Royal Air Force, Steve developed expertise in managing cyber incidents in high-pressure environments worldwide.
Read more about Steve Armstrong-GodwinCourse Syllabus
Explore the course syllabus below to view the full range of topics covered in LDR553: Cyber Incident Management.
Section 1Understanding and Communicating About the Incident
Section 1 focuses on understanding incidents, standardizing language, and defining objectives. You will gather information, set clear goals for the Incident Management team, and assign initial responsibilities. This section introduces the Cyber Incident Management Tool Kit (CIMTK) and explores team composition and stakeholder communication strategies.
Topics covered
- Initial Information Gathering
- Defining your Objectives
- Who's on our Team?
- Building our Communications Plan
Labs
- Setting up for the labs
- Reviewing the initial incident briefing
- The Cyber Incident Management Tool Kit
- Setting the IM Objectives and Priorities
- Crisis Communications with Executives
Section 2Scoping the Damage, Planning the Remediation, and Executing the Plan
Section 2 explores interactions with attackers and remediation strategies. You will learn approaches that can buy time to address issues and prevent data leaks. You will categorize network and data damage, prioritize remediation tasks, and eliminate vulnerabilities, developing skills to create comprehensive incident reports and conduct Root Cause Analysis.
Topics covered
- Talking to or working with attackers
- Tracking incidents and progress
- Remediating network damage
- Utilizing Root Cause Analysis (RAC) methods
- Reporting and documenting cases
Labs
- Dealing with the Attackers
- Drafting a Public Statement
- Crafting Crisis Communications
- Planning Data and System Remediation
- Conducting Root Cause Analysis (RAC)
Section 3Training, Leveraging Cyber Threat Intelligence, Bug Bounties
Section 3 explores training incident response teams and the broader organization. You will learn to develop effective training programs based on organizational maturity and specific needs. We examine integrating Cyber Threat Intelligence (CTI) into incident response efforts and developing strategies for managing supply chain and third-party compromises.
Topics covered
- Developing the wider team
- Analyzing training needs
- Developing the SOC/IR/IM team
- Leveraging Cyber Threat Intelligence
- Third-Party Supply Chain Compromise
Labs
- Choosing Cyber Training Exercises
- Exercise for non-IM specialists
- Planning a Hotseat exercise
- Requests For Intelligence (RFI)
- Third-Party Supply Chain exercises
Section 4Cloud Incidents, Business Email Compromise, Credential Theft Attacks and Incident Metrics
In section 4 you will gain a comprehensive view, visualizing incident timelines and addressing complex attack scenarios. You will learn to create timelines tailored to different audiences, understand credential theft attacks and the MITRE framework, and explore Business Email Compromise (BEC), as well as cloud-based attacks and management console breaches.
Topics covered
- Timelines for Visualization
- Defining Cloud Attacks
- Credential Theft Attacks
- Business Email Compromise (BEC)
- Cloud Assets and Management Console Attacks
Labs
- Reviewing Incident Timelines
- Credential Loss Impact Assessment
- BEC attack response
- Cloud Management attack response
Section 5AI for Incidents, Attacker Extortion, Ransomware, and Capstone Exercise
Section 5 teaches best practices in advanced incident management challenges and emerging threats. You will explore team improvement, KPIs, and efficacy metrics. The section examines AI applications, including Large Language Models and Generative AI. You will gain in-depth knowledge of ransomware incidents and participate in a comprehensive capstone exercise.
Topics covered
- Improving IR/IM
- Leveraging AI for IM
- Ransomware
- Summary and review
- Capstone Exercise
Labs
- Updating the public statement
- Leveraging AI and LLM in IM
- Reviewing Ransomware cases
- Capstone exercise
Things You Need To Know
Relevant Job Roles
Cyber Incident Responder
European Cybersecurity Skills FrameworkMonitor the organisation’s cybersecurity state, handle incidents during cyber-attacks and assure the continued operations of ICT systems.
Explore learning pathSystems Security Management (OPM 722)
NICE: Oversight and GovernanceResponsible for managing the cybersecurity of a program, organization, system, or enclave.
Explore learning pathSenior Security Leader
Cybersecurity LeadershipDaily focus is on the leadership of technical teams. Includes titles such as Technical Director, Manager, and Team Lead.
Explore learning pathCybersecurity Instruction (OPM 712)
NICE: Oversight and GovernanceResponsible for developing and conducting cybersecurity awareness, training, or education.
Explore learning pathExecutive Cybersecurity Leadership (OPM 901)
NICE: Oversight and GovernanceResponsible for establishing vision and direction for an organization's cybersecurity operations and resources and their impact on digital and physical spaces. Possesses authority to make and execute decisions that impact an organization broadly, including policy approval and stakeholder engagement.
Explore learning pathCybersecurity Policy and Planning (OPM 752)
NICE: Oversight and GovernanceResponsible for developing and maintaining cybersecurity plans, strategy, and policy to support and align with organizational cybersecurity initiatives and regulatory compliance.
Explore learning pathCourse Schedule & Pricing
Looking for Group Purchase Options?Contact Us
GIAC Certification Attempt
Add a GIAC certification attempt and receive free two practice tests. View pricing in the info icons below.
OnDemand Course Access
When purchasing a live instructor-led class, add an additional 4 months of online access after your course. View pricing in the info icons below.
Filter by:
Location & instructorDate & TimeCourse priceRegistration Options
- Location & instructor
Virtual (OnDemand)
Instructed by Steve Armstrong-GodwinDate & TimeOnDemand (Anytime)Self-Paced, 4 months accessCourse price$8,260 USD*Prices exclude applicable local taxesRegistration Options - Location & instructor
London, GB & Virtual (live)
Instructed by Steve Armstrong-GodwinDate & TimeFetching schedule..View event detailsCourse price£6,715 GBP*Prices exclude applicable taxes | EUR price available during checkoutRegistration Options - Location & instructor
Virginia Beach, VA, US & Virtual (live)
Instructed by Matt BromileyDate & TimeFetching schedule..View event detailsCourse price$8,260 USD*Prices exclude applicable local taxes - Location & instructor
Amsterdam, NL & Virtual (live)
Instructed by Steve Armstrong-GodwinDate & TimeFetching schedule..View event detailsCourse price€7,715 EUR*Prices exclude applicable local taxes - Location & instructor
Las Vegas, NV, US & Virtual (live)
Instructed by Matt BromileyDate & TimeFetching schedule..View event detailsCourse price$8,260 USD*Prices exclude applicable local taxes - Location & instructor
Riyadh, SA & Virtual (live)
Instructed by Steve Armstrong-GodwinDate & TimeFetching schedule..View event detailsCourse price$8,375 USD*Prices exclude applicable local taxes - Location & instructor
Amsterdam, NL & Virtual (live)
Instructed by Matt BromileyDate & TimeFetching schedule..View event detailsCourse price€7,715 EUR*Prices exclude applicable local taxes - Location & instructor
Orlando, FL, US & Virtual (live)
Instructed by Matt BromileyDate & TimeFetching schedule..View event detailsCourse price$8,260 USD*Prices exclude applicable local taxes
Showing 8 of 14
Learn Alongside Leading Cybersecurity Professionals From Around The World
- Slide 1 of 4Brilliant insight. Excellent content. An absolute must course for anyone dealing with incident management.
- Slide 2 of 4Highly relevant content and immediately useful tools delivered by a knowledgeable subject matter expert actively working in the field they are teaching.
- Slide 3 of 4It's a perfect course for those leading cyber incidents. I've found nothing else that comes close.
- Slide 4 of 4The labs were perfect. Today's capstone exercise brilliantly brought together the elements we had learned, adopting tools to help deliver the products required. And whilst its goal was to deliver the final exercise of the course it really has sparked the imagination of everything we can do with what we have learned. Excellent work.
Slide 1 of 0
(1/0)
Benefits of Learning with SANS
Get feedback from the world’s best cybersecurity experts and instructors
Choose how you want to learn - online, on demand, or at our live in-person training events
Get access to our range of industry-leading courses and resources