SEC595: Applied Data Science and AI/Machine Learning for Cybersecurity Professionals

Attend a live, instructor-led class at a location near you or remotely, or train on your time over 4 months
Apply what you learn with hands-on exercises and labs
Cloud forensics is evolving. FOR509 equips examiners to embrace new evidence sources in enterprise cloud environments instead of forcing outdated on-premise methods.
Cloud computing was predicted to become the dominant technology only a few years ago, and it has since expanded quickly. This course is essential for anyone who must manage a SOC and secure the cloud.
With FOR509: Enterprise Cloud Forensics and Incident Response, examiners will learn how each of the major cloud service providers (Microsoft Azure, Amazon AWS and Google Cloud) is extending analysts' capabilities with new evidence sources not available in traditional on-premise investigations. From cloud equivalents of network traffic monitoring to direct hypervisor interaction for evidence preservation, forensics is not dead. It is reborn with new technologies and capabilities.
The updated FOR509 course now delivers significantly expanded multi-cloud DFIR coverage with in-depth focus on AWS, Azure, Google Cloud, Microsoft 365, Google Workspace, and Kubernetes. New hands-on labs, a multi-cloud intrusion capstone, and enhanced tooling prepare teams to counter advanced persistence techniques, cloud-native service abuse, and cross-platform privilege escalation across today's complex environments. For a detailed breakdown of what's new and how these updates can strengthen your team, download the flyer.
David Cowen brings 25+ years in cybersecurity, shifting from pen testing to DFIR in 1999. He’s VP at Charles River Associates, a SANS instructor and course author, and Red Team Captain for the National Collegiate Cyber Defense Competition.
Pierre Lidome is a SANS course author and cyber threat hunter with 25+ years in DFIR, security, and network engineering. He volunteers for NCCDC, teaches at University of Houston, and serves on the GIAC advisory board and SANS Technology Institute faculty.
Megan Roddie-Fonseca is a Senior Security Engineer at Datadog, SANS DFIR faculty, and co-author of FOR509. She holds two master’s degrees, serves as CFO of Mental Health Hackers, and is a strong advocate for hands-on cloud forensics training and mental wellness.
Explore the course syllabus below to view the full range of topics covered in FOR509: Enterprise Cloud Forensics and Incident Response.
Before exploring the universe of cloud data, you must understand where and how it exists. This section introduces foundational cloud concepts like snapshots and cloud flows. You will understand what kind of logging and data access each cloud architecture provides, and the various log hierarchies that guide your investigations.
In this section, you will learn to navigate Azure's various activity and diagnostics logs to track resources, investigate compromised virtual machines, and detect data exfiltration. We will also cover how to deploy your own analysis tools directly into the cloud for more efficient investigations.
This section explores how responders can leverage AWS for investigations, covering new and relevant log sources such as CloudTrail, VPC Flow logs, and S3 Access logs. In the labs, you will work through a realistic intrusion scenario that begins with the compromise of the AWS organization via a federated user account.
This section provides a foundational understanding of Kubernetes, the open-source container orchestration platform used by all major cloud providers. The course explains the evolution from traditional hardware to container deployments and breaks down the core architectural components.
This section equips DFIR professionals with the essential skills to investigate incidents within Google Cloud, starting with its unique approach to Identity and Access Management (IAM). You will learn to navigate Google Cloud's hierarchical structure of organizations, folders, and projects.
In this final capstone section, you will apply the knowledge gained throughout the week to a real-world challenge. Working in teams, you will investigate a complex intrusion that spans all three major cloud providers: AWS, Azure, and GCP.
Monitor the organisation’s cybersecurity state, handle incidents during cyber-attacks and assure the continued operations of ICT systems.
Responsible for identifying and assessing the capabilities and activities of cybersecurity insider threats; produces findings to help initialize and support law enforcement and counterintelligence activities and investigations.
Monitor, test, detect, and investigate threats to cloud environments.
Responsible for analyzing digital evidence from computer security incidents to derive useful information in support of system and network vulnerability mitigation.
Execute digital forensic operations under demanding conditions, rapidly extracting critical intelligence from diverse devices. Leverage advanced threat hunting and malware analysis skills to neutralize sophisticated cyber adversaries.
Analyze network and endpoint data to swiftly detect threats, conduct forensic investigations, and proactively hunt adversaries across diverse platforms including cloud, mobile, and enterprise systems.
This role investigates, analyzes and responds to cyber incidents. Find the SANS courses that map to the Incident Response SCyWF Work Role.
This dynamic and fast-paced role involves identifying, mitigating, and eradicating attackers while their operations are still unfolding.
Security Operations Center (SOC) analysts work alongside security engineers and SOC managers to implement prevention, detection, monitoring, and active response. Working closely with incident response teams, a SOC analyst will address security issues when detected, quickly and effectively. With an eye for detail and anomalies, these analysts see things most others miss.
As this is one of the highest-paid jobs in the field, the skills required to master the responsibilities involved are advanced. You must be highly competent in threat detection, threat analysis, and threat protection. This is a vital role in preserving the security and integrity of an organization’s data.
Responsible for identifying, collecting, examining, and preserving digital evidence using controlled and documented analytical and investigative techniques.
Add a GIAC certification attempt and receive two free practice tests. View pricing in the info icons below.
When purchasing a live instructor-led class, add an additional 4 months of online access after your course. View pricing in the info icons below.
FOR509 is very much needed in the industry as there is very little training out there for Cloud DFIR. So the fact that this course exists is huge.
Thanks a lot for FOR509 course. I believe this course provides a great way to get a really compressed introduction into the different cloud service providers and what is forensically possible there.
I love SANS - the training you all provide is world class! I hope that I am able to earn another certification and attend again next year!
Get feedback from the world’s best cybersecurity experts and instructors
Choose how you want to learn - online, on demand, or at our live in-person training events
Get access to our range of industry-leading courses and resources