SEC504J™: Hacker Tools, Techniques, and Incident Handling™ (Japanese)

GIAC Certified Incident Handler (GCIH)
    38 CPEs

    SEC504™ (in Japanese) helps you develop the skills to conduct incident response investigations. You will learn how to apply a dynamic incident response process to evolving cyber threats, and how to develop threat intelligence to mount effective defense strategies for cloud and on-premises platforms. We'll examine the latest threats to organizations, from watering hole attacks to cloud application service MFA bypass, enabling you to get into the mindset of attackers and anticipate their moves.

    30+ Hands-on Labs

    Course Authors:
    Joshua Wright
    Fellow

    What You Will Learn

    The Internet is full of powerful hacking tools and bad guys using them extensively. If your organization has an Internet connection or one or two disgruntled employees (and whose doesn't!), your computer systems will get attacked. From the hundreds to thousands of daily probes against your Internet infrastructure to the malicious insider slowly creeping through your most vital information assets, attackers are targeting your systems with increasing viciousness and stealth. As defenders, it is essential we understand these hacking tools and techniques.

    This course will enable you to turn the tables on computer attackers by helping you understand their tactics and strategies, providing you with hands-on experience in finding vulnerabilities and discovering intrusions, and equipping you with a comprehensive incident handling plan. It addresses the latest cutting-edge insidious attack vectors, the "oldie-but-goodie" attacks that are still prevalent, and everything in between. Instead of merely teaching a few hack attack tricks, this course provides a time-tested, step-by-step process to respond to computer incidents and a detailed description of how attackers undermine systems so you can prevent, detect, and respond to them. Finally, students will participate in a hands-on workshop that focuses on scanning, exploiting, and defending systems. Applying these skills in your own organization will enable you to discover the flaws in your system before the bad guys do!

    The course is particularly well-suited to individuals who lead or are a part of an incident handling team. General security practitioners, system administrators, and security architects will benefit by understanding how to design, build, and operate their systems to thwart attacks.

    You will learn

    • How to best prepare for an eventual breach
    • The step-by-step approach used by many computer attackers
    • Proactive and reactive defenses for each stage of a computer attack
    • How to identify active attacks and compromises
    • The latest computer attack vectors and how you can stop them
    • How to properly contain attacks
    • How to ensure that attackers do not return
    • How to recover from computer attacks and restore systems for business
    • How to understand and use hacking tools and techniques
    • Strategies and tools to detect each type of attack
    • Application-level vulnerabilities, attacks, and defenses
    • How to develop an incident handling process and prepare a team for battle
    • Legal issues in incident handling

    If you are unfamiliar with Linux, please view this short Intro to Linux video to help get you started.

    Syllabus (38 CPEs)

    • Incident Handling Step-by-Step and Computer Crime Investigation

      Overview

      Responding to an incident of any size is a complex task. Effective response requires careful consideration and input from several stakeholders, including business and information security concerns. With new vulnerabilities being discovered on a daily basis, there is always the potential for an intrusion. In addition to online intrusions, physical incidents such as fires, floods, and crime all require a solid incident handling approach to getting systems and services back online as quickly and securely as possible.

      The course starts by examining the key components of both incident response and digital investigations. Informed by several incidents, we consider the goals and outcomes that are important to both business operations and security. The dynamic approach put forth can be applied to the specific needs of an individual business and incident. We then shift to more practical matters, examining issues surrounding live systems and identifying abnormal activity. Continuing the practical focus, we look at investigative techniques for examining evidence from the network and memory. We also cover techniques to determine if an unknown program is malicious, and if so, what footprints are left behind.

      Exercises
      • Live Windows examination
      • Network investigation
      • Memory investigation
      • Malware investigation
      Topics

      Incident Response

      • Common incident response mistakes
      • Incident goals and milestones
      • Post-incident activities

      Digital Investigations

      • Asking and answering the right questions
      • Pivoting during an investigation
      • Taking notes and writing reports
      • Artifact and event-based timelines

      Live Examination

      • How to start, even with minimal information
      • Examining a live environment
      • Identifying abnormal activity

      Digital Evidence

      • Understanding what digital evidence is and how to collect it
      • The role and elements of a chain of custody
      • How to collect digital evidence

      Network Investigations

      • Analyzing packet captures using tcpdump
      • Web proxy logs

      Memory Investigations

      • How to investigate memory images using the Volatility framework

      Malware Investigations

      • Basic approaches for investigating malware
      • Best practices for working with malware
      • Monitoring the environment using snapshot and continuous recording tools
    • Recon, Scanning, and Enumeration Attacks

      Overview

      Your networks reveal an enormous amount of information to potential attackers. In addition to looking for information leakage and open-source intelligence, attackers conduct detailed scans of systems, scouring for openings to get through your defenses. To break into your network, they scope out targets of opportunity, such as weak DMZ systems and turnkey platforms, or vulnerable Wi-Fi and proprietary wireless systems. Attackers will also leverage detailed scanning and interrogation of complex Windows Active Directory domains, identifying and manipulating configuration policies to their significant advantage.

      This course section covers the details associated with the beginning phases of many cyber attacks. We will introduce important frameworks for understanding the tools, techniques, and practices of modern attackers through the MITRE ATT&CK Framework, using it as a starting point to investigate the pre-attack steps attackers employ. We will leverage local and cloud-based tools to conduct effective reconnaissance of a target organization, identifying the information disclosure that will reveal weaknesses for initial compromise. We'll then take a deep dive into scanning techniques, both from a network perspective and with a focus on the complexities of modern Windows Active Directory forests to map out an attack plan that will grant an attacker privileged access. We will also spotlight defensive techniques using free and open-source tools that provide you with a competitive advantage to detect attacks on your organization.

      Exercises
      • Using Open Source Intelligence (OSINT) for attack reconnaissance
      • Wi-Fi network scanning for rogue, malicious, and misconfigured access points
      • Server enumeration and analysis with Nmap
      • Vulnerability scanning and scan result prioritization techniques
      • Windows networking scanning and data harvesting techniques
      • Defense Spotlight: DeepBlueCLI
    • Password and Access Attacks

      Overview

      Any attacker will tell you the same thing: Password compromise is better than exploit compromise. Not only is system access through a valid username and password more reliable than exploits, using authenticated credentials will also blend into normal system use, creating fewer logs and system anomalies that could lead to detection. Because these attacks are so prevalent, we dig into password-based attacks in significant detail, equipping you with the tools to test your systems with the same skill and technique as the sophisticated adversaries you must defend against.

      This course day starts with straightforward password guessing attacks, quickly investigating the techniques attackers employ to make this an effective process that bypasses defense systems such as account lockout. We will investigate the critical topics of creating effective password guessing lists from other network compromises, and how attackers leverage user password reuse against your organization. We'll dig into the algorithms behind password hashing, using several tools to recover plaintext passwords while optimizing the cracking process to complete in days, not years. We will also get a jump-start on understanding essential network attack topics through the use of easy backdoors, forward and reverse shells, and discreet data transfer within the organization, all through an unassuming system binary. We will also investigate defensive measures that you can immediately apply when you get back to work, including the use of the Domain Password Audit Tool (DPAT) and Elastic Stack (formerly ELK) tools for monitoring authentication logs in your organization.

      Exercises
      • Online password guessing attacks with Hydra
      • Defense Spotlight: Password guessing attack analysis with Elastic Stack
      • Effective password cracking using Hashcat and John the Ripper
      • Defense Spotlight: Domain Password Exposure Analysis with DPAT
      • Data exfiltration, scanning, and pivoting with Netcat
      Topics

      Password Attacks

      • How attackers bypass account lockout policies
      • Choosing a target protocol for password guessing attacks
      • Techniques for choosing password lists
      • How attackers reuse compromised password lists against your organization
      • Techniques for password cracking
      • Recommendations for password cracking in your organization

      Defense Spotlight: Log Analysis with Elastic Stack (formerly ELK)

      • Establishing a lightweight log analysis system with Elasticsearch, Logstash, Beats, and Kibana
      • Understanding Linux and UNIX authentication logging data
      • Configuring Filebeat for simple log ingestion
      • Using Kibana to identify password attack events
      • Customizing Kibana visualization for effective threat hunting

      Understanding Password Hashes

      • Hashing algorithms, processes, and problems
      • Understanding Windows hashing function through Windows Server 2019
      • Password hash function strength and quality metrics
      • Extracting Windows domain password hashes using built-in tools
      • Getting password hashes from Windows 10 systems
      • Decoding UNIX and Linux password hashes
      • Mitigating GPU-based cracking: PBKDF2, bcrypt, and scrypt

      Password Cracking Attacks

      • John the Ripper: single, wordlist, incremental, and external cracking modes
      • Cracking hashes with Hashcat: straight and combinator attacks
      • Effective hash computation using mask attacks
      • Breaking user password selection weaknesses with Hashcat rules
      • Three simple strategies for defeating password cracking

      Defense Spotlight: Domain Password Auditing

      • Enumerating Windows domain settings with simple PowerShell one-line scripts
      • Characterizing systemic behavior in user password selection
      • Identifying bad password offenders in your organization
      • Mitigating password sharing in Windows domains

      Netcat: The Attacker's Best Friend

      • Transferring files, creating backdoors, and shoveling shells
      • Netcat relays to obscure the source of an attack
      • Replay attacks with Netcat
    • Public-Facing and Drive-By Attacks

      Overview

      Public-facing and drive-by attacks represent significant risk areas for organizations, and they are a popular attack vector for adversaries targeting your organization. Public-facing targets such as web applications, VPN servers, email systems, and other supporting protocols are quickly identified by an adversary and assessed for vulnerabilities. In drive-by attacks, adversaries compromise and leverage the trust inherent to third-party websites to trick users into taking actions that render their systems vulnerable.

      This course section examines the hacker tools for compromising your exposed systems through exploit frameworks such as Metasploit. We also dig into the concepts and techniques behind drive-by and watering-hole attacks, and how attackers create the exploits and system-compromise tools through malicious installers, browser JavaScript, and malicious Microsoft Office documents. We'll examine the attacks specific to web applications in an organization, both from the perspective of the unauthenticated and the authenticated user, with practical exploit steps for the most popular web application vulnerabilities. In addition to examining the hacker tools, we'll also investigate several freely available and practical defense steps, including the use of the Windows SRUM database for historical system activity reporting, and the use of Elastic Stack (formerly ELK) tools for assessing web server logging data to identify signs of attack.

      Exercises
      • Metasploit Attack and Analysis
      • Software Update Browser Exploitation
      • System Resource Utilization Database Analysis
      • Command Injection Attack
      • Cross Site Scripting Attack
      • SQL Injection Attack
      • SQL Injection Log Analysis
      Topics

      Using Metasploit for System Compromise

      • Using the Metasploit framework for specific attack goals
      • Matching exploits with reconnaissance data
      • Deploying Metasploit Meterpreter Command & Control
      • Identifying Metasploit exploit artifacts on the system and network

      Drive-By and Watering Hole Attacks

      • Examining the browser attack surface
      • Identifying browser vulnerabilities with JavaScript
      • Code-executing Microsoft Office attacks
      • Backdooring legitimate code with attacker payloads

      Defense Spotlight: System Resource Usage Monitor (SRUM)

      • Assessing attacker activity with Windows 10 app history
      • Extracting useful data from the protected SRUM database
      • Converting raw SRUM data to useful post-exploit analysis

      Web Application Attacks

      • Account harvesting for user enumeration
      • Command injection attacks for web server remote command injection
      • SQL Injection: Manipulating back-end databases
      • Session Cloning: Grabbing other users' web sessions
      • Cross-Site Scripting: Manipulating victim browser sessions

      Defense Spotlight: Effective Web Server Log Analysis

      • Using Elastic Stack (ELK) tools for post-attack log analysis
      • Configuring Filebeat for web server log consumption
      • Using the Kibana Query Language (KQL) to identify custom web attacks
      • Hunting for common SQL Injection attack signatures
      • Decoding obfuscated attack signatures with CyberChef
    • Evasion and Post-Exploitation Attacks

      Overview

      Rarely is it an attacker's goal to simply compromise a system. More often, the attacker's compromise is the initial step, followed by post-exploitation attacks to gain additional network access, or to retrieve sensitive data within the organization. Along the way, attackers will also have to deal with defense controls designed to thwart their efforts, including endpoint protection, server lock-down, and restricted privilege environments.

      This course section examines the attacker steps after the initial compromise is over. We will dig into the techniques attackers use to implant malware after bypassing endpoint detection and response platforms, how they pivot through the network using third-party and built-in tools, and how they leverage the initial foothold on your network for internal network scanning and asset discovery. We will look at how the compromise of a single host grants attackers privileged network insider access to open up a whole new field of attacks, and how they will use that access wisely, covering their tracks on hosts and on the network to evade detection systems. We will look at how attackers, with their initial access established, then access, collect, and exfiltrate data from compromised networks. We will finish the lecture component of the course with a look at where to go from here in your studies, examining resources and best practices to turn your new skills into permanent, long-term recall.

      Exercises
      • Advanced network pivoting with Metasploit
      • Insider network attack event analysis
      • Hijacking Windows: Responder attacks
      • Post-exploitation command history analysis
      • Hiding (and finding) valuable data on Windows servers
      • Selectively editing Windows event logs
      • Network threat hunting with RITA
      Topics

      Endpoint Security Bypass

      • Evading EDR analysis with executable manipulation: ghostwriting
      • Manipulating Windows Defender for attack signature disclosure
      • Using LOLBAS to evade application whitelisting
      • Adapting Metasploit payloads on protected platforms

      Pivoting and Lateral Movement

      • Pivoting from initial compromise to internal networks
      • Effective port forwarding with Meterpreter payloads
      • Leveraging compromised hosts for internal network scanning, exploitation
      • Windows netsh and attacker internal network access

      Privileged Insider Network Attacks

      • Leveraging initial access for network attacks
      • Deploying packet sniffers, MITM attack tools
      • Native packet capture on compromised Windows hosts
      • Abusing weak protocols: DNS, HTTP
      • Network service impersonation attacks with Flamingo
      • Abusing Windows name resolution for password disclosure

      Covering Tracks

      • Maintaining access by manipulating compromised hosts
      • Editing log files on Linux and Windows systems
      • Hiding data in Windows ADS
      • Network persistence through hidden Command & Control

      Defense Spotlight: Real Intelligence Threat Analytics (RITA)

      • Characterizing advanced Command & Control activity over the network
      • Capturing and processing network data with Zeek
      • Network threat hunting: beacons, long connections, strobes, and DNS analysis

      Post-Exploitation Data Collection

      • Harvesting passwords from compromised Linux hosts
      • Password dumping with Mimikatz and EDR bypass
      • Defeating Windows and macOS password managers
      • Windows keystroke logging attacks
      • Data exfiltration over blended network protocols

      Where To Go From Here

      • Techniques for solving the problem of needing time for study
      • Understanding the Forgetting Curve dilemma
      • Techniques for developing long-term retention from what you have learned
      • Building study strategies for certification, applying your knowledge
    • Capture the Flag Event

      Overview

      Over the years, the security industry has become smarter and more effective in stopping attackers. Unfortunately, attackers themselves are also getting smarter and more sophisticated. One of the most effective ways to stop an adversary is to actually test the environment with the same tools and tactics that the attacker will use against you. Our Capture-the-Flag event is a full day of hands-on activity that involves you working as a consultant for a fictitious company that has recently been compromised. You will apply all of the skills you've learned in class, using the same techniques attackers use to compromise modern, sophisticated network environments. Working together as teams, small groups will scan, exploit, and complete post-exploitation tasks against a cyber range of target systems including Windows, Linux, Internet of Things, and cloud targets. This hands-on challenge is designed to help players practice their skills and reinforce concepts learned throughout the course while challenging each individual player in an environment that replicates modern networks. Powered by the NetWars engine, the event guides players to successfully compromise target systems, bypass endpoint protection platforms, pivot to internal network high-value hosts, and exfiltrate data that are of greatest value to the target organization. The winners will win the coveted SEC504™ challenge coin.

      Topics

      Hands-on Analysis

      • Exploiting user password misuse
      • Completing scanning, reconnaissance analysis
      • Using OSINT resources to collect information about a target network
      • Matching reconnaissance data with public exploits
      • Privilege escalation on Linux and Windows systems
      • Exploiting common Windows Domain vulnerabilities
      • Pillaging data on compromised systems
      • Pivoting from initial compromise to internal network access
      • Identifying attacker artifacts following a network compromise

    GIAC Certified Incident Handler

    The GIAC Incident Handler (GCIH) certification validates a practitioner's ability to detect, respond to, and resolve computer security incidents using a wide range of essential security skills. GCIH certification holders have the knowledge needed to manage security incidents by understanding common attack techniques, vectors and tools, as well as to defend against and respond to such attacks when they occur.

    • Incident Handling and Computer Crime Investigation
    • Computer and Network Hacker Exploits
    • Hacker Tools (Nmap, Metasploit and Netcat)

    Laptop Requirements

    Important! Bring your own system configured according to these instructions.

    A properly configured system is required to fully participate in this course. If you do not carefully read and follow these instructions, you will not be able to fully participate in hands-on exercises in your course. Therefore, please arrive with a system meeting all of the specified requirements.

    Back up your system before class. Better yet, use a system without any sensitive/critical data. SANS is not responsible for your system or data.

    MANDATORY SEC504™ SYSTEM HARDWARE REQUIREMENTS
    • CPU: 64-bit Intel i5/i7 (8th generation or newer), or AMD equivalent. An x64-bit, 2.0+ GHz or newer processor is mandatory for this class.
    • CRITICAL: Apple Silicon devices cannot perform the necessary virtualization and therefore cannot in any way be used for this course.
    • BIOS settings must be set to enable virtualization technology, such as "Intel-VTx" or "AMD-V" extensions. Be absolutely certain you can access your BIOS if it is password protected, in case changes are necessary.
    • 16GB of RAM or more is required.
    • 100GB of free storage space or more is required.
    • At least one available USB 3.0 Type-A port. A Type-C to Type-A adapter may be necessary for newer laptops. Some endpoint protection software prevents the use of USB devices, so test your system with a USB drive before class.
    • Wireless networking (802.11 standard) is required. There is no wired Internet access in the classroom.
    MANDATORY SEC504™ HOST CONFIGURATION AND SOFTWARE REQUIREMENTS
    • Your host operating system must be the latest version of Windows 10, Windows 11, or macOS 10.15.x or newer.
    • Fully update your host operating system prior to the class to ensure you have the right drivers and patches installed.
    • Linux hosts are not supported in the classroom due to their numerous variations. If you choose to use Linux as your host, you are solely responsible for configuring it to work with the course materials and/or VMs.
    • Local Administrator Access is required. (Yes, this is absolutely required. Don't let your IT team tell you otherwise.) If your company will not permit this access for the duration of the course, then you should make arrangements to bring a different laptop.
    • You should ensure that antivirus or endpoint protection software is disabled, fully removed, or that you have the administrative privileges to do so. Many of our courses require full administrative access to the operating system and these products can prevent you from accomplishing the labs.
    • Any filtering of egress traffic may prevent accomplishing the labs in your course. Firewalls should be disabled or you must have the administrative privileges to disable them.
    • Download and install VMware Workstation Pro 16.2.X+ or VMware Player 16.2.X+ (for Windows 10 hosts), VMware Workstation Pro 17.0.0+ or VMware Player 17.0.0+ (for Windows 11 hosts), or VMware Fusion Pro 12.2+ or VMware Fusion Player 11.5+ (for macOS hosts) prior to class beginning. If you do not own a licensed copy of VMware Workstation Pro or VMware Fusion Pro, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial at their website. Also note that VMware Workstation Player offers fewer features than VMware Workstation Pro. For those with Windows host systems, Workstation Pro is recommended for a more seamless student experience.
    • On Windows hosts, VMware products might not coexist with the Hyper-V hypervisor. For the best experience, ensure VMware can boot a virtual machine. This may require disabling Hyper-V. Instructions for disabling Hyper-V, Device Guard, and Credential Guard are contained in the setup documentation that accompanies your course materials.
    • Download and install 7-Zip (for Windows Hosts) or Keka (for macOS hosts). These tools are also included in your downloaded course materials.

    Your course media is delivered via download. The media files for class can be large. Many are in the 40-50GB range, with some over 100GB. You need to allow plenty of time for the download to complete. Internet connections and speed vary greatly and are dependent on many different factors. Therefore, it is not possible to give an estimate of the length of time it will take to download your materials. Please start your course media downloads as soon as you get the link. You will need your course media immediately on the first day of class. Do not wait until the night before class to start downloading these files.

    Your course materials include a "Setup Instructions" document that details important steps you must take before you travel to a live class event or start an online class. It may take 30 minutes or more to complete these instructions.

    If you have additional questions about the laptop specifications, please contact customer service.

    Author Statement

    "When I was 18 I got caught hacking the school card catalog server. Instead of getting expelled, I became a school employee, spending the next 10 years working on improving security while getting better at using hacker tools, writing exploits, developing new techniques, and figuring out how to better respond to the onslaught of attacks. During that time, I came to understand the benefits of truly understanding attacker techniques to evaluate and improve on the defensive capabilities I managed.

    In SEC504 we dig into the hacker tools, techniques, and exploits used by modern attackers from the perspective of an incident response analyst. We'll cover everything from reconnaissance to exploitation, and from scanning to data pillaging. The course lectures, hands-on lab exercises, and an immersive capstone event will arm you with the tools and techniques you need to make smart decisions about network security. Once you learn how hackers operate, you'll be better prepared to identify attacks and protect your network from sophisticated adversaries."

    -Joshua Wright

    "Our instructor Josh was incredible! Engaging, enthusiastic, extremely knowledgeable (especially vim, WOW). His enthusiasm is contagious and really motivating to the material. Keep up the great work Josh!" - Jen F., US Federal Agency

    Need to justify a training request to your manager?

    Use this justification letter template to share the key details of this training and certification opportunity with your boss.

    Download the Letter

    Related Programs

    DoDD 8140
    DoDD 8140 (IAT Level III)
    See how this and other SANS Courses and GIAC Certifications align with the Department of Defense Directive 8140.
    © 2025 The Escal Institute of Advanced Technologies, Inc. d/b/a SANS Institute. Our Terms and Conditions detail our trademark and copyright rights. Any unauthorized use is expressly prohibited.