SEC595: Applied Data Science and AI/Machine Learning for Cybersecurity Professionals
SEC595Cyber Defense
SANS Community Benefits
Connect, learn, and share with other cybersecurity professionals
SEC504: Hacker Tools, Techniques, and Incident Handling
SEC504Offensive Operations
- 6 Days (Instructor-Led)
- 38 Hours (Self-Paced)
Course authored by:
Joshua Wright
Course authored by:Joshua Wright
- GIAC Certified Incident Handler Certification (GCIH)
- 38 CPEs
Apply your credits to renew your certifications
- In-Person, Virtual or Self-Paced
Attend a live, instructor-led class at a location near you or remotely, or train on your time over 4 months
- 44 Hands-On Lab(s)
Apply what you learn with hands-on exercises and labs
Master real-world incident response through hands-on labs, AI-powered analysis, and attacker mindset training. AI doesn't change the need for expertise—it raises the bar for what expertise looks like.
Featured Quote
The hands-on labs are the main reason why I chose SANS over other providers. The content, difficulty, and details in the labs are all fantastic. The challenges are real!
Course Overview
SEC504 is SANS' flagship incident handling course, equipping you with essential skills to detect, respond to, and neutralize threats across Windows, Linux, and cloud platforms. Through immersive hands-on labs simulating real-world breaches, you’ll master the attacker mindset to strengthen your organization’s defenses. This course delivers immediately applicable expertise in Cyber Threat Intelligence (CTI), modern threat response, and cutting-edge topics, including API security exploitation and defense, leveraging AI for offensive and defensive operations, and protecting against AI-targeted attacks like prompt injections. Whether analyzing malicious code, hunting threats, or responding to sophisticated attacks, SEC504 prepares you for today’s evolving threat landscape.
What You’ll Learn
- Respond effectively to incidents to limit damage
- Evaluate breach evidence to determine compromise scope
- Identify shadow cloud systems and other potential threats
- Use attack tools to assess cloud and on-premises exposure
- Apply defenses to enhance security and stop attacks
- Develop threat intelligence by analyzing attacker tactics
- Accelerating analysis tasks using AI systems
Business Takeaways
- Adopt a dynamic and holistic incident response strategy
- Strengthen cloud security posture
- Leverage automation and AI to accelerate response
- Understand and counter advanced attacker tactics
- Protect critical assets with proactive defense strategies
- Enhance threat detection with multi-layered analysis
Meet Your Author
Joshua Wright
FellowAs Senior Technical Director at Counter Hack and SANS Faculty Fellow, Joshua has advanced cybersecurity through ethical penetration testing, uncovering critical vulnerabilities across Fortune 500 companies and national infrastructure providers.
Read more about Joshua WrightCourse Syllabus
Explore the course syllabus below to view the full range of topics covered in SEC504: Hacker Tools, Techniques, and Incident Handling.
Section 1Incident Response and Cyber Investigations
The first section covers building an incident response process using the Dynamic Approach to Incident Response (DAIR) to verify, scope, contain, and remediate threats. Through hands-on labs and real-world examples, you’ll apply this method with tools like PowerShell and learn to accelerate analysis while using generative AI without compromising accuracy.
Topics covered
- Incident Response
- Live Examination
- Network Investigations
- Malware Investigations
- Accelerating Incident Response with AI
Labs
- Live Windows Investigation
- Network Investigation with NDR
- Analyzing Malware
- Writing IR Playbooks with AI
- WordPress Log Assessment
Section 2Scanning and Enumeration Attacks
This section explores attacker reconnaissance techniques, including network scanning, and target enumeration to identify security gaps. You’ll apply these tactics on Windows, Linux, Azure, and AWS targets, then analyze logs and evidence to detect attacks in real time.
Topics covered
- Network and Host Scanning with Nmap
- Cloud Spotlight: Cloud Scanning
- Server Message Block (SMB) Security
- Defense Spotlight: Hayabusa and Sigma Rules
- Attacker Network Access Manipulation
Labs
- Host Discovery and Assessment with Nmap
- Shadow Cloud Asset Discovery with Masscan
- Windows Server Message Block (SMB) Security Investigation
- Windows Password Spray Attack Detection
- The Many Uses of Netcat
Section 3Password Attacks and Exploit Frameworks
This section covers key techniques for password compromises against on-premises and cloud systems, using tools like Legba, Hashcat, and Metasploit to simulate attacks and strengthen defenses. The insights gained help enhance practical defenses and inform incident response strategies.
Topics covered
- Password Attacks
- Microsoft 365 Attacks
- Understanding Password Hashes
- Password Cracking
- Metasploit Framework
Labs
- Using Legba for Password Guessing and Spray Attacks
- Bypassing Microsoft 365 authentication defenses with Amazon AWS
- Password Cracking with Hashcat
- Metasploit Attack and Analysis
- Offensive AI Attacks
Section 4Web Application Attacks
In this course section we’ll focus on exploiting the many vulnerabilities in web applications including internal and public-facing systems, from on-premises targets to cloud and Software as a Service (SaaS) platforms.
Topics covered
- Forced Browsing and IDOR
- Command Injection
- Cross-Site Scripting (XSS)
- SQL Injection
- Exploiting API Systems
Labs
- Forced Browsing and Insecure Direct Object Resource (IDOR) Attack
- Command Injection Attack
- Cross-Site Scripting Attack
- SQL Injection Attack
- API Attack
Section 5Post-Exploitation and AI Attacks
This section covers advanced post-exploitation and AI attacks, teaching how attackers bypass protections, establish persistence, exploit AI vulnerabilities, and exfiltrate data from internal networks and vulnerable cloud deployments. You’ll build analysis skills to detect and respond to these threats and apply them in real-world scenarios.
Topics covered
- Endpoint Security Bypass
- Pivoting and Lateral Movement
- Hijacking Attacks
- Establishing Persistence
- Attacking AI Systems
Labs
- Endpoint Protection Bypass: Bypassing Application Allow Lists
- Pivoting and Lateral Movement with Command & Control Frameworks
- Exploiting Windows as A Network Insider with Responder
- Establishing Persistence with Metasploit
- AI Prompt Injection Attacks
Section 6Capture-the-Flag Event
Our Capture-the-Flag event is a full day of hands-on activity that has you working as a consultant for ISS Playlist, a fictitious company that has recently been compromised.
Things You Need To Know
Relevant Job Roles
Protection
SCyWF: Protection And DefenseThis role uses cybersecurity tools to protect information, systems and networks from cyber threats. Find the SANS courses that map to the Protection SCyWF Work Role.
Explore learning pathTechnology Portfolio Management (OPM 804)
NICE: Oversight and GovernanceResponsible for managing a portfolio of technology investments that align with the overall needs of mission and enterprise priorities.
Explore learning pathAll-Source Analyst (DCWF 111)
DoD 8140: Intelligence (Cyberspace)Analyzes data from multiple sources to prepare environments, respond to information requests, and support intelligence planning and collection requirements.
Explore learning pathThreat Analysis (OPM 141)
NICE: Protection and DefenseResponsible for collecting, processing, analyzing, and disseminating cybersecurity threat assessments. Develops cybersecurity indicators to maintain awareness of the status of the highly dynamic operating environment.
Explore learning pathCybersecurity Curriculum Development (OPM 711)
NICE: Oversight and GovernanceResponsible for developing, planning, coordinating, and evaluating cybersecurity awareness, training, or education content, methods, and techniques based on instructional needs and requirements.
Explore learning pathCybersecurity Architect
European Cybersecurity Skills FrameworkPlans and designs security-by-design solutions (infrastructures, systems, assets, software, hardware and services) and cybersecurity controls.
Explore learning pathCyber Incident Responder
European Cybersecurity Skills FrameworkMonitor the organisation’s cybersecurity state, handle incidents during cyber-attacks and assure the continued operations of ICT systems.
Explore learning pathSystems Security Management (OPM 722)
NICE: Oversight and GovernanceResponsible for managing the cybersecurity of a program, organization, system, or enclave.
Explore learning pathCourse Schedule & Pricing
Looking for Group Purchase Options?Contact Us
GIAC Certification Attempt
Add a GIAC certification attempt and receive free two practice tests. View pricing in the info icons below.
OnDemand Course Access
When purchasing a live instructor-led class, add an additional 4 months of online access after your course. View pricing in the info icons below.
Location & instructorDate & TimeCourse priceRegistration Options
- Date & TimeOnDemand (Anytime)Self-Paced, 4 months accessCourse price$8,780 USD*Prices exclude applicable local taxesBuy now for access on Oct 23. Use code Presale10 for 10% off course price!Registration Options
- Date & TimeFetching schedule..View event detailsCourse price$8,900 USD*Prices exclude applicable local taxes
- Date & TimeFetching schedule..View event detailsCourse price$8,780 USD*Prices exclude applicable local taxes
- Date & TimeFetching schedule..View event detailsCourse price€8,230 EUR*Prices exclude applicable local taxes
- Date & TimeFetching schedule..View event detailsCourse price$8,780 USD*Prices exclude applicable local taxes
- Date & TimeFetching schedule..View event detailsCourse price$8,780 USD*Prices exclude applicable local taxes
- Date & TimeFetching schedule..View event detailsCourse price£7,160 GBP*Prices exclude applicable taxes | EUR price available during checkoutRegistration Options
- Date & TimeFetching schedule..View event detailsCourse price$8,900 USD*Prices exclude applicable local taxes
- Date & TimeFetching schedule..View event detailsCourse price$8,780 USD*Prices exclude applicable local taxes
- Date & TimeFetching schedule..View event detailsCourse price$8,780 USD*Prices exclude applicable local taxes
Showing 10 of 54
Learn Alongside Leading Cybersecurity Professionals From Around The World
- Slide 1 of 4Incident response is the most underused aspect in small companies. SEC504™ gives us the ability to help management understand the value.
- Slide 2 of 4Great content! As a developer it is extremely useful to understand exploits and how better coding practices help your security position.
- Slide 3 of 4SEC504 is a great course and well-organized. The labs are amazing and well-tailored to learning the content. This is my first SANS training course and I am simply amazed at the content thus far. Greatly enjoying it!
- Slide 4 of 4SEC504 has been the single best course I have ever taken. It leaves the student prepared and able to understand a broad scope of content in security.
Slide 1 of 0
(1/0)
Benefits of Learning with SANS
Get feedback from the world’s best cybersecurity experts and instructors
Choose how you want to learn - online, on demand, or at our live in-person training events
Get access to our range of industry-leading courses and resources