SEC595: Applied Data Science and AI/Machine Learning for Cybersecurity Professionals
SEC595Cyber Defense, Artificial Intelligence
SANS Community Benefits
Connect, learn, and share with other cybersecurity professionals
UPDATED
FOR608: Enterprise-Class Incident Response & Threat Hunting
FOR608Digital Forensics and Incident Response
- 6 Days (Instructor-Led)
- 36 Hours (Self-Paced)
Course authored by:
Mathias Fuchs, Mike Pilkington, Tarot (Taz) Wake & Marcus Guevara
Course authored by:Mathias Fuchs, Mike Pilkington, Tarot (Taz) Wake & Marcus Guevara
- GIAC Enterprise Incident Responder (GEIR)
- 36 CPEs
Apply your credits to renew your certifications
- In-Person, Virtual or Self-Paced
Attend a live, instructor-led class at a location near you or remotely, or train on your time over 4 months
- Intermediate Skill Level
Course material is geared for cyber security professionals with hands-on experience
- 20 Hands-On Lab(s)
Apply what you learn with hands-on exercises and labs
Learn to identify and respond to enterprise-class incidents. Deepen your threat hunting abilities using enterprise-class tools and digging into analysis methodologies to understand attacker movement.
Featured Quote
The course content covers a lot of important topics focused on detection and response. I enjoyed the sections on Threat Driven Intelligence and TimeSketch for creating incident timelines.
Course Overview
When attackers breach an enterprise, they don't stop at one machine, and neither can you. FOR608 teaches you to hunt and respond at scale, across hundreds or thousands of systems spanning Windows, Linux, macOS, containers, and cloud platforms. You'll learn to collect the right data fast, automate where it matters, and begin leveraging AI-assisted workflows to accelerate investigations. From proactive deception and threat intelligence to cloud IR in Microsoft 365 and AWS, this course equips you to lead the response when the stakes are highest.
What You’ll Learn
- Know when to perform deep host analysis vs. quick data collection at scale
- Use collaboration tools for seamless remote teamwork
- Gather forensic data from on-prem and cloud sources (M365, AWS)
- Analyze Linux, Mac, and containerized (e.g., Docker) environments
- Correlate data (network, endpoint, etc.) to uncover attacker actions
- Analyze structured and unstructured data to reveal attacker behavior
- Enrich data to identify IOCs, create detection signatures, and track incidents
Business Takeaways
- Limit financial and reputational impact through precise incident response
- Maximize efficiency with effective IR resource management
- Collaborate seamlessly across teams using dedicated platforms
- Detect and counter EDR and app control evasion on Windows
- Analyze and respond to compromised Linux and macOS systems
- Handle incidents in Docker, M365, Entra ID, and AWS environments
Meet Your Authors
- Slide 1 of 4
Mathias Fuchs
Senior Instructor"Renaissance man" may be the most fitting description of SANS instructor Mathias Fuchs, who is the Head of Investigation & Intelligence at the Swiss firm InfoGuard AG as well as a volunteer paramedic and a pilot.
Read more about Mathias Fuchs - Slide 2 of 4
Mike Pilkington
Senior InstructorCurrent DFIR consultant, and former incident response lead at Shell and Halliburton, Mike’s work has helped shape enterprise-scale incident response and directly advanced the global community’s ability to combat cyber adversaries.
Read more about Mike Pilkington - Slide 3 of 4
Tarot (Taz) Wake
Certified InstructorWith FOR577, Taz has authored the first course to systematize threat hunting on Linux systems. His operational leadership—from military intelligence to heading a FTSE100 CSIRT—has fortified global cyber defense capabilities across sectors.
Read more about Tarot (Taz) Wake - Slide 4 of 4
Marcus Guevara
Certified InstructorMarcus Guevara is a Texas native and the author of the philosophical book "Hacking Theology". He holds a bachelor's degree in Computer Science and a master's degree in Cybersecurity.
Read more about Marcus Guevara
Slide 1 of 0
(1/0)
Course Syllabus
Explore the course syllabus below to view the full range of topics covered in FOR608: Enterprise-Class Incident Response & Threat Hunting.
Section 1Proactive Detection and Response
Section one focuses on proactive cyber defense through early detection, rapid response, and managing incident response teams effectively. It covers active defense tactics like honeypots and canaries, as well as efficient incident response with tools like Aurora, Velociraptor, and Timesketch.
Topics covered
- Enterprise Incident Response and Threat Hunting
- Managing Large-Scale Response
- Rapid Response Triage and Evidence Processing
- Scalable and Collaborative Analysis with Timesketch
Labs
- Development of honey tokens for active detection
- Getting to know Stark Research Labs (the client)
- Acquiring forensic triage images using Velociraptor
- Using Timesketch to analyze a potential breach
Section 2Scaling Response and Analysis
Section two covers threat intelligence concepts, EDR technology and EDR bypass techniques, deploying Velociraptor for IR and threat hunting, and tactical use of Elasticsearch fast forensics in ad-hoc scenarios. The section concludes with a discussion on AI integration in DFIR, including MCP servers, agentic AI, and AI attack vectors.
Topics covered
- Intel-Driven Threat Hunting and Incident Response
- EDR and EDR Bypass
- Scaling Incident Response with Velociraptor
- Scaling Analysis with the Elastic Stack
- Integrating AI for DFIR and AI Attacks
Labs
- Analyzing Sysmon telemetry and log events
- Using a Velociraptor client-server installation to scope a network intrusion
- Using the Elasticsearch SQL API and ES|QL for rapid log analysis
Section 3Modern Attacks against Windows and Linux DFIR
Section three focuses on host-based forensics, covering Windows modern attacks like "fileless" malware and "living of the land" techniques, with detection using Sigma rules, Elasticsearch, and Hayabusa. It then shifts to Linux DFIR, addressing exploits, file systems, logging, and hardening—building skills to investigate both Windows and Linux intrusions.
Topics covered
- Modern Attacks Against Windows
- Rapid Windows Event Log Analysis
- Modern Attacks Against Linux
- Linux DFIR Fundamentals and Log Analysis
- Linux Triage Collection and Forensic Readiness
Labs
- Detecting LOLBAS activity via Sigma
- Rapid event log analysis with Hayabusa
- Linux web log analysis
- Triaging Linux hosts
Section 4Analyzing macOS and Docker Containers
This section covers macOS incident response, including its ecosystem, data acquisition, log analysis, and key artifacts. It also introduces containerized environments, focusing on Docker and its role in modern enterprise investigations.
Topics covered
- macOS Foundations
- Apple Filesystems
- Mac Incident Response
- Containers in the Enterprise
- DFIR for Containers
Labs
- Mount and analyze APFS disk images
- Review macOS artifacts and logs
- Docker administration and logs
- Docker triage and IR
Section 5Cloud Attacks and Response
This section covers incident response in Microsoft Azure, M365, and AWS, highlighting unique cloud challenges and the MITRE ATT&CK® Cloud Matrix. It focuses on common attack scenarios, key logs, and tools like GuardDuty. It concludes with strategies for cloud response using security accounts, AMIs, and automation tools like Lambda and Step Functions.
Topics covered
- DFIR in the Cloud
- Incident Response in Azure and M365
- Attackers in the Cloud; AWS Foundations
- Incident Response in AWS
- IR Automation in AWS
Labs
- M365 log analysis
- Finding attacker cloud exfil infrastructure
- AWS CloudTrail log analysis
- AWS VPC Flow log analysis
Section 6Capstone: Enterprise-Class IR Challenge
Section six is the capstone exercise, where students apply course concepts to analyze a multi-platform breach. Using real-world tools and techniques, they’ll investigate an end-to-end incident across hosts and cloud systems, working in teams to simulate real-world response.
Things You Need To Know
Relevant Job Roles
Cyber Intelligence Analyst Training, Salary, and Career Path
European Cybersecurity Skills FrameworkCyber Intelligence Analysts analyze evolving cyber threats, profile adversaries, and leverage intelligence platforms to proactively inform security decisions and mitigation strategies, bridging technical insights with strategic awareness.
Explore learning pathCyber Incident Responder Training, Salary, and Career Path
European Cybersecurity Skills FrameworkMonitor the organisation’s cybersecurity state, handle incidents during cyber-attacks and assure the continued operations of ICT systems.
Explore learning pathInsider Threat Analysis
NICE: Protection and DefenseResponsible for identifying and assessing the capabilities and activities of cybersecurity insider threats; produces findings to help initialize and support law enforcement and counterintelligence activities and investigations.
Explore learning pathThreat Management
SCyWF: Protection And DefenseThis role collects and analyzes information about threats, searches for undetected threats and provides actionable insights to support cybersecurity decision-making. Find the SANS courses that map to the Threat Management SCyWF Work Role.
Explore learning pathCybercrime Investigation (CRIM)
Skills Framework for the Information AgeCollection, preservation, and analysis of digital evidence to trace cybercrime and support prosecution efforts. Technical artefacts are translated into admissible findings in collaboration with legal and law enforcement teams.
Explore learning pathDigital Forensics (OPM 212)
NICE: Protection and DefenseResponsible for analyzing digital evidence from computer security incidents to derive useful information in support of system and network vulnerability mitigation.
Explore learning pathCybercrime Investigator Training, Salary, and Career Path (OPM 221)
NICE: InvestigationCybercrime Investigators navigate dark web forums, trace cybercriminal activity, and conduct covert investigations. They follow forensic and legal standards to gather evidence and respond to cybercrimes.
Explore learning pathMilitary Operations / Law Enforcement Agents
Digital Forensics and Incident ResponseExecute digital forensic operations under demanding conditions, rapidly extracting critical intelligence from diverse devices. Leverage advanced threat hunting and malware analysis skills to neutralize sophisticated cyber adversaries.
Explore learning pathCourse Schedule and Pricing
Have Questions?Contact Us
Group and Private Pricing
Enroll your team as a group or arrange a private session for your organization. We’ll help you choose the format that fits your goals.
Location & instructorDate & TimeCourse priceRegistration Options
- Date & TimeOnDemand (Anytime)Self-Paced, 4 months accessCourse price$8,780 USD*Prices exclude applicable local taxesRegistration Options
- Date & TimeFetching schedule..Course price€8,230 EUR*Prices exclude applicable local taxes
- Date & TimeFetching schedule..Course price£7,160 GBP*Prices exclude applicable taxes | EUR price available during checkout
- Date & TimeFetching schedule..Course priceS$11,390 SGD*Prices exclude applicable local taxes
- Location & instructor
SANS DFIR Europe Summit and Training 2026
Prague, CZ & Virtual (live)
Instructed byDate & TimeFetching schedule..Course price€8,230 EUR*Prices exclude applicable local taxes - Location & instructor
SANS DFIR Summit & Training 2026
Arlington, VA, US & Virtual (live)
Instructed byDate & TimeFetching schedule..Course price$8,780 USD*Prices exclude applicable local taxes - Date & TimeFetching schedule..Course price¥1,335,000 JPY*Prices exclude applicable local taxesRegistration Options
- Date & TimeFetching schedule..Course price$8,900 USD*Prices exclude applicable local taxes
- Date & TimeFetching schedule..Course price€8,230 EUR*Prices exclude applicable local taxesRegistration Options
- Date & TimeFetching schedule..Course price€8,230 EUR*Prices exclude applicable local taxes
Showing 10 of 11
Learn Alongside Leading Cybersecurity Professionals From Around The World
- Slide 1 of 2The elastic work was very impressive. I have been using it for a number of years, but it introduced me to new ways to ingest data that could have saved me a lot of work in the past.
- Slide 2 of 2Good overview of structure, characteristics and challenges of engagements. That's the value for me, putting alle the tools and strategies into context.
Slide 1 of 0
(1/0)
Benefits of Learning with SANS
Get feedback from the world’s best cybersecurity experts and instructors
Choose how you want to learn - online, on demand, or at our live in-person training events
Get access to our range of industry-leading courses and resources