SEC460: Enterprise and Cloud | Threat and Vulnerability Assessment

GIAC Enterprise Vulnerability Assessor (GEVA)
GIAC Enterprise Vulnerability Assessor (GEVA)
  • In Person (6 days)
  • Online
36 CPEs

SEC460 will help you build your technical vulnerability assessment skills and techniques using time-tested, practical approaches to ensure true value across the enterprise. Throughout the course you will use real industry-standard security tools for vulnerability assessment, management, and mitigation; learn a holistic vulnerability assessment methodology while focusing on challenges faced in a large enterprise; and practice on a full-scale enterprise range chock-full of target machines representative of an enterprise environment, leveraging production-ready tools and a proven testing methodology. SEC460 takes you beyond the checklist and gives you a tour of attackers' perspectives that is crucial to discovering where they will strike.

What You Will Learn

Computer exploitation is on the rise. As advanced adversaries become more numerous, more capable, and much more destructive, organizations must become more effective at mitigating their information security risks at the enterprise scale. SEC460 is the premier course on building technical vulnerability assessment skills and techniques, while highlighting time-tested practical approaches to ensure true value across the enterprise. The course covers threat management, introduces the core components of comprehensive vulnerability assessment, and provides the hands-on instruction necessary to produce a vigorous defensive strategy right from the start. The course focuses on equipping information security personnel from mid-sized to large organizations who are charged with effectively and efficiently securing 10,000 or more systems.

SEC460 begins with an introduction to information security vulnerability assessment fundamentals, followed by in-depth coverage of the Vulnerability Assessment Framework. It then moves into the structural components of a dynamic and iterative information security program. Through detailed practical analysis of threat intelligence, modeling, and automation, students will learn the skills necessary to not only use the tools of the trade, but also to implement a transformational security vulnerability assessment program.

You will learn how to use real industry-standard security tools for vulnerability assessment, management, and mitigation. It is the only course that teaches a holistic vulnerability assessment methodology while focusing on the unique challenges faced in a large enterprise. You will learn on a full-scale enterprise range chock full of target machines representative of an enterprise environment, leveraging production-ready tools and a proven testing methodology.

SEC460 takes you beyond the checklist, giving you a tour of the attackers' perspective that is crucial to discovering where they will strike. Operators are more than the scanner they employ. SEC460 emphasizes this personnel-centric approach by examining the shortfalls of many vulnerability assessment programs in order to provide you with the tactics and techniques required to secure enterprise networks and cloud infrastructure against even the most advanced intrusions.

We wrap up the first five sections of instruction with a discussion of triage, remediation, and reporting before putting your skills to the test in the final course section on an enterprise-grade cyber range with numerous target systems for you to analyze and explore. The cyber range is a large environment of servers, end-users, and networking gear that represents many of the systems and topologies used by enterprises. By adopting an end-to-end approach to vulnerability assessment, you can be confident that your skills will provide much-needed value to securing your organization.

Hands-On Labs

SEC460: Enterprise and Cloud Threat and Vulnerability Assessment features numerous hands-on lab exercises, each one designed to reinforce the concepts covered in the course. During the hands-on segments of the course, you will use industry-grade tools on a meticulously crafted cyber range. The range is a large environment with many of the same systems you will encounter in a typical enterprise. Lab exercises throughout the course allow students to practice hand-on techniques and overcome issues commonly encountered in real-world enterprise vulnerability assessments.

Lab topics include:

  • Enterprise Engagement Planning and Logistics
  • Open-Source Intelligence Gathering
  • Active and Passive Reconnaissance
  • DNS Zone Speculation and Dictionary-Enabled Discovery
  • The Windows Domain: Exchange, SharePoint, and Active Directory
  • Network Vulnerability Scanning with Nexpose (InsightVM)
  • Web Application Scanning with Acunetix, Nikto, Nmap Scripting Engine, WPScan, and OWASP ZAP
  • Enterprise PowerShell: Windows Remoting, WMI, Third-Party Information Security Cmdlets, and More
  • Triage, Reporting, Remediation, and More

You Will Receive With This Course

  • A Windows Virtual Machine customized for the security tester
  • All policy and configuration files that can be used to implement a comprehensive vulnerability assessment strategy
  • Numerous custom PowerShell scripts to perform automated vulnerability testing or provide a shell for your own unique needs
  • A proven Vulnerability Assessment Framework to guide your operations and assure sustained and iterative value from your services

Courses that are good follow-ups to SEC460

Syllabus (36 CPEs)

  • Overview

    In section one, students will develop the skills needed to conduct high-value vulnerability assessments with measurable impact. We will explore the elemental components of successful vulnerability assessment programs, deconstruct the logistical precursors to value-added operations, and integrate adversarial threat modeling and intelligence.

    To lens our approach to cybersecurity it is vital to consider the evidence available to use from those who have come before. To this effect we will cover numerous breach case studies including those of the infamous Colonial Pipeline and Equifax. Creating change in our environments, often requires us to communicate the importance of its vulnerabilities. Exploring past exploitation cases enables us to be vigilant for the similarities within our own environments.

    Scale and architecture are major challenges for an enterprise. We will discuss techniques and strategies to overcome these obstacles, and perform a table-top exercise to connect theory with reality. We will also dive into fundamental information security topics, explore the nuanced differences between major categories of services, and examine the industry's foremost methodologies for vulnerability assessment. We will examine the strategic influences that impact a typical enterprise and its vulnerability management program.

    The goal of SEC460 is to arm the vulnerability assessor with the knowledge and understanding required to capture and deconstruct vulnerabilities that affect the enterprise both on-premise and in the cloud. This first course section establishes a foundational basis to attain this goal using real-world case studies and hands-on exercises.

    • Case Study: Equifax
    • Vulnerability Assessment Methodology – VAF
    • Lab: Asset Inventory Vulnerability Discovery
    • Case Study: To Patch or Not to Patch
    • Case Study: Colonial Pipeline
    • Lab: VECTR
    • Lab: Threat Modeler
    • Lab: OSINT Vulnerability Discovery
    • Case Study: Cloud Information Disclosure
    • Maximizing Value from Vulnerability Assessments and Programs
    • Strategic and Tactical Vulnerability Management Approaches
    • Patch Management and Remediation Strategies
    • Setting Up for Success at Scale: Enterprise Architecture and Strategy
    • Developing Transformational Vulnerability Assessment Strategies
    • Performing Enterprise Threat Modelling
    • Threat-Centric Threat Modeling (TCTM) with VECTR
    • System-Centric Threat Modeling (SCTM) with Threat Modeler
    • Generating Compounding Interest from Threat Intelligence and Avoiding Information Overload
    • The Vulnerability Assessment Framework
    • Vulnerability Data Management Tools and Techniques
    • Overview of Comprehensive Network Scanning
    • Compliance Standards and Information Security
    • Team Operations and Collaboration
    • Discovering Open-Source Disclosure and Understanding these Risks
    • Cloud Information Disclosure Vulnerabilities and Open-Source Intelligence Gathering (OSINT)
  • Overview

    As the structural foundations of vulnerability management are covered in section one, this course section will pivot to the realm of direct tactical application. Comprehensive reconnaissance, enumeration, and discovery techniques are the prime elements of successful vulnerability assessment. While gaining additional familiarity with hands-on enterprise operations, you will systematically probe the environment in order to discover the relevant host, service, version, and configuration details that will drive the remainder of the assessment system.

    The enterprise and cloud are becoming ever more intertwined as time goes on. Often, it can be difficult to recommend moving toward this transformation within your enterprise, but the transformation is happening, it is constantly evolving, and it is vulnerable. In this course section we will take a hands-on approach to the discussion of the cloud by examining technologies and dissecting the attack surface that is rapidly becoming a core component of our enterprise vulnerability space. We'll look into assessment tools for the cloud and observe real attacks in action. Together, we can identify the potential for vulnerability and strike first.

    As we begin active scrutiny of the enterprise, you will learn how to interpret tool output and form a detailed network map. We will explore proven methods to ensure the integrity of our dataset as we identify IP addresses, operating systems, platforms, and services. The section culminates with a case study involving a real organization that experienced a breach of their hybrid-cloud environment, but was able to detect and respond adequately due to consistent attention to vulnerability management. section two concludes by diveing deeper into the PowerShell scripting language with a focus on large-scale system management, vulnerability discovery, and mitigation.

    • PowerShell Primer
    • Advanced Reconnaissance
    • Scanning with Nmap
    • Case Study: Hybrid-Cloud Incident Response
    • Enterprise and Cloud Scanning
    • PowerShell as an Operations Platform
    • PowerShell Operations for Discovery
    • Automating Vulnerability Assessment Tasks with PowerShell
    • Active and Passive Reconnaissance
    • Reconnaissance Frameworks
    • Identification and Enumeration with DNS
    • DNS Zone Speculation and Dictionary-Enabled Discovery
    • Port Scanning with Nmap and Zenmap
    • Scanning Large-Scale Environments
    • Commonplace Services
    • Scanning the Network Perimeter and Engaging the DMZ
    • Cloud Technology Fundamentals
    • Identifying Cloud Vulnerabilities with First-Party Tools like Amazon Inspector
    • Identifying Cloud Vulnerabilities with Third-Party Tools like SpiderfootHXTrade-offs: Speed, Efficiency, Accuracy, and Thoroughness
    • The Fundamentals of the Enterprise Cloud
    • Scanning the Enterprise Cloud
  • Overview

    This section begins by delving into the next phase of the Vulnerability Assessment Framework and charging into the most exciting topic in security testing: automation to handle scale. We start by breaking vulnerability scanning into its elemental components to gain an understanding of vulnerability measurement that can be applied to task automation. This focus will direct us to the quantitative facets underlying cybersecurity vulnerabilities and drive our discussion of impact, risk, and triage. Each topic discussed will focus on identifying, observing, inciting, or assessing the entry points that threats leverage during network attacks.

    This day is dedicated to learning the hierarchy of vulnerability discovery and translates easily to frontline operations. We'll use premier industry tools like Rapid7's Nexpose/InsightVM and Acunetix MVS, while simultaneously exploring manual testing procedures. We'll also cover application-specific testing tools and techniques to provide you with a broad perspective and actionable experience.

    • Vulnerability Discovery
    • Estimating and Assigning Risk
    • General-Purpose Vulnerability Scanning with Nexpose/InsightVM
    • Case Study: SSL/TLS Vulnerabilities
    • Application-Specific Scanning with Nikto, Acunetix, and WPScan
    • Scanning Enterprise and Cloud Infrastructure
    • Assigning a Confidence Value and Validating Exploitative Potential of Vulnerabilities
    • Enhanced Vulnerability Scanning
    • Risk Assessment Matrices and Rating Systems
    • Quantitative Analysis Techniques Applied to Vulnerability Scoring
    • Performing Tailored Risk Calculation to Drive Triage
    • General Purpose vs. Application-Specific Vulnerability Scanning
    • Tuning the Scanner to the Task, the Enterprise, and Tremendous Scale
    • Scan Policies and Compliance Auditing
    • Performing Vulnerability Discovery with Open-Source and Commercial Appliances
    • Scanning with the Nmap Scripting Engine, Nexpose/InsightVM, and Acunetix
    • The Windows Domain: Exchange, SharePoint, and Active Directory
    • Testing for Insecure Cryptographic Implementations Including SSL
    • Assessing VOIP Environments
    • Discovering Vulnerabilities in the Enterprise Backbone: Active Directory, Exchange, and SharePoint
    • Minimizing Supplemental Risk while Conducting Authenticated Scanning through Purposeful Application of Least Privilege
    • Probing for Data Link Liability to Identify Hazards in Wireless Infrastructure, Switches, and VLANs
    • Manual Vulnerability Discovery Automated to Attain Maximal Efficacy
    • Enterprise Cloud Vulnerability Discovery
  • Overview

    Throughout the fourth section of SEC460 we will tackle vulnerability validation, which is the next phase of our overarching testing methodology. Simultaneously, we will confront and address the biggest headaches common to a vulnerability assessment at scale. At large scale, vulnerability data can be overwhelming and possibly even contradictory. We will cover the specific techniques needed to wade through and better focus those data. Next, we will examine techniques for collaboration and data management with the Acheron tool to analyze vulnerability data across an organization. Later in this section, we will apply our understanding of the vulnerability concept to evolve our PowerShell skills and take action on an enterprise scale.

    • Manual Validation Using Inherent Tools and Systems
    • Authenticated Scanning with Nexpose and Acunetix
    • Vulnerability Validation with PowerShell and WinRM
    • Windows Domain Vulnerability Discovery
    • Configuration Auditing to Discover Vulnerabilities such as Log4shell
    • Data Management and Collaboration
    • Recruiting Disparate Data Sources: Patches, Hotfixes, and Configurations
    • Manual Vulnerability Validation Targeting Enterprise Infrastructure
    • Converting Disparate Datasets into a Central, Normalized, and Relational Knowledge Base
    • Managing Large Repositories of Vulnerability Data
    • Querying the Vulnerability Knowledge Base
    • Evaluating Vulnerability Risk in Custom and Unique Systems, including Web Applications
  • Overview

    Many well-intentioned vulnerability assessment programs begin with zeal and vitality, but after the discovery of vulnerabilities there is often a tendency to ignore the risk reality and shift back to the status quo. During the previous course sections we focused on knowing the target environment and uncovering its weak points. Now it's time for decision and action based on an understanding of the risks the organization faces. Developing an actionable vulnerability remediation plan with time-based success targets sets the stage for continuous improvement, and that's exactly what we cover in this course section. Developing this plan in conjunction with the Vulnerability Assessment Report is an opportunity to galvanize the team, while enhancing the vulnerability assessment value proposition.

    Section five explores in depth vulnerabilities within the Active Directory domain that often fly beneath the radar of or typical scanners such as Rapid7, Tenable, and Qualys. The most significant vulnerabilities in many enterprises are the features that they rely upon to do business. We will explore Kerberos vulnerabilities to uncover access issues to the domain.

    An emerging security objective is known as Attack Path Mapping. In SEC460 we extend this concept to your enterprise environment so that we can identify risk beyond a simple CVE. When discussing novel risk it is also important to consider unconventional solutions. The fifth section of class culminates with an exercise focused on directed out-of-the-box thinking.

    • Evaluating Password Strength with the Domain Password Audit Tool (DPAT)
    • Password Cracking and Trend Analysis with CryptBreaker
    • Auditing Domain Trust Relationships
    • Triage, Remediation, and Compensating Controls
    • Case Study: HSE and Conti Breach
    • Case Study: Vulnerability Assessment
    • Analyzing User Password Selection and Addressing Underlying Vulnerabilities
    • Creating and Navigating Vulnerability Prioritization
    • Domain Password Auditing
    • Discovering Negative Security Policy Implementation
    • Developing a Web of Network and Host Affiliations
    • Modeling Account Relationships on Active Directory Forests
    • Designing Vulnerability Mitigations and Compensating Controls
    • Azure AD Password Protection
    • Creating Effective Vulnerability Assessment Reports
    • Transforming Triage Listing into the Vulnerability Remediation Plan
    • Kerberos and Domain Authentication
    • Closure: Be a Positive Influence in the Context of the Global Information Security Crisis
  • Overview

    In celebration of your diligence, curiosity, and new vulnerability skills, we welcome you to your final hands-on challenge to hammer home the capabilities you have learned. The guided scenario in this final course section is designed to test your mettle by trial and detailed work in a fun capture-the-flag-style environment. The challenge is the canvas upon which you can hone your skills and measure your maturing talents. Armed for the fight, you will doubtless rise to the challenge...and triumph!

    The scenario: The Ellingson Mineral Company (EMC) has engaged you to perform a vulnerability assessment of its environment. EMC is very aware of your particular set of vulnerability assessment skills, and it treasures the insights it is certain you will provide to help secure the company against its formidable adversaries, including nefarious cybercrime cartels and jealous nation-state actors. Teams will work together to resolve issues that would lead to a compromise of EMC's precious assets.

    • A Full-Day Campaign Powered by the NetWars Scoring Engine, a Simulation Environment Used by Cutting-Edge Commercial Organizations, Government Agencies, and Military Groups
    • Use the Tactics, Techniques, and Procedures Learned Throughout the Course
    • Accomplish an Enterprise Vulnerability Assessment Against a Target Environment
    • Tactical Employment of the Vulnerability Assessment Framework
    • Threat Modeling
    • Discovery
    • Vulnerability Scanning
    • Validation
    • Data Management and Triage

GIAC Enterprise Vulnerability Assessor

GIAC Enterprise Vulnerability Assessor is the premier certification focused on validating technical vulnerability assessment skills and time-tested practical approaches to ensure security across the enterprise. The GEVA-certified practitioner will be capable of handling threat management, comprehensively assessing vulnerabilities, and producing a vigorous defensive strategy from day one.

  • Vulnerability assessment framework planning and methodology in an enterprise environment
  • Discovery and validation of vulnerabilities using tactics like network scanning and PowerShell scripting
  • Remediation and reporting techniques utilizing proper data management
More Certification Details


As this is a lab-oriented, specialized, and technical course, functional knowledge of information security concepts, technology, and networking is highly recommended.

Laptop Requirements

Important! Bring your own system configured according to these instructions.

A properly configured system is required to fully participate in this course. If you do not carefully read and follow these instructions, you will not be able to fully participate in hands-on exercises in your course. Therefore, please arrive with a system meeting all of the specified requirements.

Back up your system before class. Better yet, use a system without any sensitive/critical data. SANS is not responsible for your system or data.


  • CPU: 64-bit Intel i5/i7 (8th generation or newer), or AMD equivalent. A x64 bit, 2.0+ GHz or newer processor is mandatory for this class.
  • CRITICAL: Apple systems using the M1/M2 processor line cannot perform the necessary virtualization functionality and therefore cannot in any way be used for this course.
  • BIOS settings must be set to enable virtualization technology, such as "Intel-VTx" or "AMD-V" extensions. Be absolutely certain you can access your BIOS if it is password protected, in case changes are necessary.
  • 16GB of RAM or more is required.
  • 50GB of free storage space or more is required.
  • At least one available USB 3.0 Type-A port. A Type-C to Type-A adapter may be necessary for newer laptops. Some endpoint protection software prevents the use of USB devices, so test your system with a USB drive before class.
  • Wireless networking (802.11 standard) is required. There is no wired Internet access in the classroom.


  • Your host operating system must be the latest version of Windows 10, Windows 11, or macOS 10.15.x or newer.
  • Fully update your host operating system prior to the class to ensure you have the right drivers and patches installed.
  • Linux hosts are not supported in the classroom due to their numerous variations. If you choose to use Linux as your host, you are solely responsible for configuring it to work with the course materials and/or VMs.
  • Local Administrator Access is required. (Yes, this is absolutely required. Don't let your IT team tell you otherwise.) If your company will not permit this access for the duration of the course, then you should make arrangements to bring a different laptop.
  • You should ensure that antivirus or endpoint protection software is disabled, fully removed, or that you have the administrative privileges to do so. Many of our courses require full administrative access to the operating system and these products can prevent you from accomplishing the labs.
  • Any filtering of egress traffic may prevent accomplishing the labs in your course. Firewalls should be disabled or you must have the administrative privileges to disable it.
  • Download and install VMware Workstation Pro 16.2.X+ or VMware Player 16.2.X+ (for Windows 10 hosts), VMware Workstation Pro 17.0.0+ or VMware Player 17.0.0+ (for Windows 11 hosts), or VMWare Fusion Pro 12.2+ or VMware Fusion Player 11.5+ (for macOS hosts) prior to class beginning. If you do not own a licensed copy of VMware Workstation Pro or VMware Fusion Pro, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial at their website. Also note that VMware Workstation Player offers fewer features than VMware Workstation Pro. For those with Windows host systems, Workstation Pro is recommended for a more seamless student experience.
  • On Windows hosts, VMware products might not coexist with the Hyper-V hypervisor. For the best experience, ensure VMware can boot a virtual machine. This may require disabling Hyper-V. Instructions for disabling Hyper-V, Device Guard, and Credential Guard are contained in the setup documentation that accompanies your course materials.
  • Download and install 7-Zip (for Windows Hosts) or Keka (for macOS hosts). These tools are also included in your downloaded course materials.

Your course media is delivered via download. The media files for class can be large. Many are in the 40-50GB range, with some over 100GB. You need to allow plenty of time for the download to complete. Internet connections and speed vary greatly and are dependent on many different factors. Therefore, it is not possible to give an estimate of the length of time it will take to download your materials. Please start your course media downloads as soon as you get the link. You will need your course media immediately on the first day of class. Do not wait until the night before class to start downloading these files.

Your course materials include a "Setup Instructions" document that details important steps you must take before you travel to a live class event or start an online class. It may take 30 minutes or more to complete these instructions.

Your class uses an electronic workbook for its lab instructions. In this new environment, a second monitor and/or a tablet device can be useful for keeping class materials visible while you are working on your course's labs.

If you have additional questions about the laptop specifications, please contact

Author Statement

"Assuming the role of standard-bearer for a community comprised of many of today's foremost thought leaders may seem like a daunting proposition at first. However, the opportunity to introduce aspiring new hackers to a tribe of like minds is a singular and enduring pleasure. Because SEC460 is a foundational course in the SANS Penetration Testing Curriculum, it is itself a herald and a promise. For some newcomers, the first adventure with SANS is the spark of awakening for their inner hacker. It acts as a catalyst, facilitating personal evolution and even genesis of a lifelong passion. Adrien de Beaupre and I have meticulously crafted the SEC460 challenge to be a formative experience, attainable by all yet elementary to none. Few things are more gratifying than watching an assiduous mind, armed for the fight, rising to meet the challenge with a flourish and a coup de grace, and ending in triumph!" - Matthew Toussain

"Matt was great! Very patient, expert knowledge, willing to explain...superb!" - Adam Baker, Anonymous


I'm getting insight and perspective on tools and techniques to manage asset and vulnerability data effectively. Fantastic!
Andrew Bell
SEC460 covers both technical concepts and business context to address communicating risk.
Trevi Housholder
I will definitely propose that SEC460 be the first course taken by our new auditors.
Rob E.

    Register for SEC460