MGT553: Cyber Incident Management

  • In Person (2 days)
  • Online
12 CPEs

If you are worried about leading or supporting a major cyber incident, then this is the course for you. MGT553: Cyber Incident Management focuses on the non-technical challenges facing leaders in times of extreme pressure. Whilst you may have a full team of technical staff standing-by to find, understand and remove the attackers, they need information, tasking, managing, supporting, and listening to so you can maximize their utilization and effectiveness. We focus on building a team to remediate the incident, on managing that team, on distilling the critical data for briefing, and how to run that briefing. We look at communication at all levels from the hands-on team to the executives and Board, investigative journalists, and even the attackers. This course contains nine (9) case studies for hands-on learning.

What You Will Learn

Open in Case of Emergency

You can't predict or pick when your organization will face a major cyber incident, but you can choose how prepared you are you when you face it. While there are broad technical aspects to cyber incidents there is also a myriad of other activities that generally falls to executives, managers, legal, press, and human relations staff. These include communicating both internally and externally, considering the battle rhythm and a look at methodologies for tracking information gathered and released to the public.

This course empowers you to become an effective incident management team member or leader; ensuring you fully understand the different issues facing incident commanders in the immediate, short and medium term. As well as becoming comfortable with terminology, you will understand what preparatory work you can undertake at different stages to help you get ahead of the situation. MGT553 was developed to ensure efficient management of a diverse range of incidents with a focus on cyber; however, the methodology, concepts and guidance will apply to many regular major and critical incidents.

"Probably the most important part to an organization - how to get their operation functioning again and sorted out with the structure and governance to cover the areas." - Peter Leonhardt


This course will help your organization:

  • Develop staff that know how to lead or contribute to a cyber incident management team
  • Manage your incidents more effectively and thus resolve them quicker
  • Understand the gaps in your security incident plans and response strategies
  • Create higher performing security teams


  • How to make sense of different incident response frameworks
  • Understanding the importance of scoping incidents correctly
  • The ability to define the incident management team's objectives
  • Recognition of the importance of managing a team under extreme pressure
  • Awareness of human responses to facing catastrophically impactful urgent changes
  • How to structure, manage, and deliver briefings to upper management and the board
  • Planning and controling communications when managing a serious incident
  • Communicating with attackers and the pros and cons thereof
  • Where and how to track the incident
  • Planning, coordinating, and executing counter compromise activities
  • Understanidng types and contents of incident resports both during and post closure
  • Steps on how to close the incident and return to business as usual


MGT553 uses case scenarios, group discussions, team-based exercises, and in-class games, to help students absorb both technical and management topics. We follow along as a fictious company deals with a network breach from start to finish.

Section 1: Reviewing the initial incident briefing, Capture initial information and generate intial tasks, Setting the objectives for the IM team, crisis communications: briefing the executives

Section 2: Dealing with the attackers, Drafting public statements, Crisis communications: briefing the wider team, Prioritizing the data and system remediation planning, Running an example tabletop exercise

"All the labs are fantastic and really grounded in reality. Really useful thought experiments and training." - Luigi Ritacca


Section 1: Scoping, defining, and communicating about the incident.

Section 2: Damage control, reporting, closing the incident and training the wider team.


  • Electronic courseware containing the entire course content
  • Printed course books
  • Access to the Cyber Incident Management Tool Kit
  • MP3 audio files of the complete course lecture
  • Access to a new Discord server to chat about the course
  • Immediate actions for dealing with ransomware
  • Training plans, report templates, incident frameworks and other cheat sheets


NOTE: Some course material for SEC504 and MGT553 may overlap. SANS recommends SEC504 for those interested in a more technical course of study, and MGT553 for those primarily interested in a leadership-oriented but less technical learning experience.

Syllabus (12 CPEs)

Download PDF
  • Overview

    In Section 1 we will focus on understanding the incident, gathering information from different groups and standardizing the language. To assist in this, we will remind ourselves of some of the common terms to optimize communications. From there we will define what the Incident Management (IM) group will seek to achieve, so we can state and focus on our objectives. This is important as retaining focus can be hard when it gets super busy.

    With the objectives defined we then turn to initial tasks and delegating those to the team; this is to give us some breathing space to plan the next steps. Our initial tasking output will be based on one of the core tools in the Cyber Incident Response Tool Kit (CIMTK) the "IM Starting Grid". This detailed list of Yes/No questions outputs a list of core IM tasks that aide rapid response. By identifying these tasks early, concurrent activity can be initiated for both support teams (Incident Response (IR), Information Technology (IT), Human Resources (HR), Legal etc.) and the IM team. As IM is totally dependent upon a good team, we will assess team composition and what different groups need to contribute to the mission. Finally, we dig into communication and how to interact with different stakeholders. Tracking activity, tasks, and communications is a big theme throughout this course.

    • Reviewing the initial incident briefing
    • The incident management starting grid
    • Setting the objectives for the IM team
    • Crisis communications: briefing the executives


    Initial Information Gathering

    • Using common language
    • Understanding the attack
    • IR Frameworks, OODA loops and non-Zero-sum games
    • Scoping your initial tasks

    Defining your Objectives

    • What are typical objectives in IR/IM?
    • Mapping attacks to business impacts

    Building and Managing our Team

    • Managing people to create productive teams
    • Recognizing Stress
    • Battle rhythm and burnout

    Building our Communications Plan

    • Communications planning
    • Communicating with Execs, teams, and 3rd parties
      • Communicating with Executives
      • Communicating with Law Enforcement
      • Communicating with Customers
      • Communicating with Journalists
    • Tracking the message
  • Overview

    After reviewing Section 1, we conclude the communications topic by looking at communications with the attackers. While you may have no plans to pay any ransom, by entering into dialogue with attackers, you can gain time to fix issues the attackers have uncovered, discovered, or could leak. While controversial and possibly contrary to your own beliefs, it is important to understand options are available to the organization. We will cover how attacker dialogue may occur and what factors will influence the response options and process.

    We will look at what incident information should be tracked and options or ways to achieve that. We review both commonly available products as well as bespoke options (including those for on prem and cloud hosted solutions).

    Getting into the remediation of the network and data damage, we have a large section on categorizing the damage the attackers have inflicted and then mapping to the necessitated remediation work that will need to be prioritized and tracked to ensure that all possible vulnerabilities have been removed. A much-overlooked aspect, we discuss secrets that are included in stolen data and systems and consider how this might affect our future operations.

    In the reporting and documenting of the case, we review some of the outputs from the IM process. While a solid IR report is always useful, we will cover what aspects could be added to expand it to cover IM. This is important as the direction of the Incident Response is often mandated by Incident Management, so linking the two into one report makes for a more structured reading while outsourcing some aspects to others.

    In planning the closure of the incident, we discover what remediation and vulnerability closure tasks should be moved to non-incident mainstream projects and what reflection meetings should be held to ensure root causes are captured and lessons are identified and tracked.

    In developing the wider team, we examine some of the training you can give those outside of the regular IR and IM staff to improve their awareness of issues and to help smooth future incidents. To assist this, we explore tabletop exercises and how you make them. We then both build one as a lab and close out the section by running one.

    • Dealing with the attackers
    • Drafting a public statement
    • Crisis communications: briefing the team
    • Prioritizing the data and system remediation planning
    • Running an example tabletop exercise

    Talking to or working with, the attackers

    • Understanding what results the attackers are trying to achieve
    • Choosing a communications medium
    • Attacker media and comms methods
    • Proxies, trusted 3rd parties and attacker reputation
    • Trying to control the narrative
    • Understanding what the attackers have
    • Options and impacts
    • The cost of doing nothing
    • Is paying the attackers really an option?

    Tracking the Incident, tasks, people and progress

    • Review of the functions we might want to include in our IM solution
    • Incident Trackers and what they can look like
    • Evidence management
    • Task and work tracking
    • Building the right solution for the organisation
    • Using Google Docs as an emergency IM Platform

    Remediation of network and data damage

    • Types of Remediation system & data
    • Tracking the remediation
    • CIMTK: CC Systems and users impacted
    • Categorizing exposed assets
    • Identifying who owns the data
    • Documenting and notifying impacted parties - Counter Compromise Activities

    Reporting and documenting the case

    • When do you start the report?
    • Types of reports
    • What goes in the report?
    • Graphics are great!
    • Getting input, support and consensus
    • Control and access to the reports

    Planning the closure of the Incident

    • Reviewing the task and key objectives
    • What is BAU for the impacted teams?
    • What's the team up to?
    • Running a FRCA
    • Handing things over to others
    • Breaking up the team

    Developing the wider team

    • Why train others?
    • Training the wider organization
    • Planning enterprise-wide training
    • Developing and running Cyber Incident Exercises

    Summary and closure


This course covers the core areas of cyber incident management and assumes a basic understanding of technology, networks, and security. For those who are new to the field and have no background knowledge, the recommended starting point is the SEC301: Introduction to Cyber Security course. While SEC301 is not a prerequisite, it will provide the introductory knowledge to maximize the experience with MGT553.

Laptop Requirements

Important! Bring your own system configured according to these instructions.

A properly configured system is required to fully participate in this course. If you do not carefully read and follow these instructions, you will not be able to fully participate in hands-on exercises in your course. Therefore, please arrive with a system meeting all of the specified requirements.

Back up your system before class. Better yet, use a system without any sensitive/critical data. SANS is not responsible for your system or data.


  • Wireless networking (802.11 standard) is required. There is no wired Internet access in the classroom.


  • Your host operating system must be the latest version of Windows 10, Windows 11, or macOS 10.15.x or newer.
  • Fully update your host operating system prior to the class to ensure you have the right drivers and patches installed.
  • Linux hosts are not supported in the classroom due to their numerous variations. If you choose to use Linux as your host, you are solely responsible for configuring it to work with the course materials and/or VMs.

Your course materials include a "Setup Instructions" document that details important steps you must take before you travel to a live class event or start an online class. It may take 30 minutes or more to complete these instructions.

Your class uses an electronic workbook for its lab instructions. In this new environment, a second monitor and/or a tablet device can be useful for keeping class materials visible while you are working on your course's labs.

If you have additional questions about the laptop specifications, please contact

Author Statement

"Of my 28 years in cyber security, I've spent over 11 of them in incident response and later incident management. During that time, I've seen a wide range of approaches to handling cyber incidents, some good and others less so. One common issue was that most people on the Incident team had never been part of a major incident and thus they lacked confidence, forward planning, and were easily stunned when the incident took a turn they had not predicted.

This course is designed to demystify incident management, to provide attendees with a framework to not only deal with the matters at hand, but also to plan for the subsequent phases, so they are technically ready and mentally prepared. Cyber incidents, such as ransomware, can be devastating, not only to the networks, but also the team charged with investigating, mitigating, reporting and remediating the damage. In addition to the core incident management aspects, we cover the mental health of the team, the operational tempo and how to spot people suffering under pressure. I believe that this course, enriched with the anecdotes of the SANS incident response instructors' own toe-curling incidents will prepare your team for anything attackers and bots throw at them. When you are prepared and ready, you can respond better, faster and get control of the situation quicker facilitating a rapid return to business as usual."

- Steve Armstrong

"Excellent. Very skilled, and fun to listen to." - Jan Olav Walldal, TV 2 Norway

"Excellent content with relevant real world examples. A wealth of knowledge from the instructor who is clearly passionate about the subject. Covered areas that I had not even considered (but were very important)." - Gary Smith


All was very relevant and well delivered. All extremely useful information.
Peter Leonhardt
Labs are great, really useful thought experiments and training.
Luigi Ritacca
Brilliant insight. Excellent content. An absolute must course for anyone dealing with incident management.
Gary Smith

    Register for MGT553