SEC504: Hacker Tools, Techniques, and Incident Handling

Experience SANS training through course previews.
Learn MoreLet us help.
Contact usBecome a member for instant access to our free resources.
Sign UpWe're here to help.
Contact UsApply your credits to renew your certifications
Attend a live, instructor-led class from a location near you or virtually from anywhere
Apply what you learn with hands-on exercises and labs
Transform your incident response skills; think like an attacker as you investigate cybersecurity incidents, develop threat intelligence, and apply defense strategies against real-world threats.
The content was well thought out and provided a great foundation on which to apply IR techniques. I also really enjoyed the bonus activities at the end of the lab. While gaining muscle memory through repeating commands provided in the lab is great, nothing beats having to apply what you’ve learned without having the answers fed to you.
SEC504J training is our flagship incident handling course that equips you with essential incident response skills to detect, respond to, and neutralize threats across Windows, Linux, and cloud platforms. With a focus on hands-on learning, you'll engage in immersive labs to simulate real-world breaches, enhancing your ability to think like an attacker and improve your organization's security posture. This course provides practical skills in Cyber Threat Intelligence (CTI) and threat defense strategies that can be applied immediately.
As Senior Technical Director at Counter Hack and SANS Faculty Fellow, Joshua has advanced cybersecurity through ethical penetration testing, uncovering critical vulnerabilities across Fortune 500 companies and national infrastructure providers.
Read more about Joshua WrightExplore the course syllabus below to view the full range of topics covered in SEC504J: Hacker Tools, Techniques, and Incident Handling (Japanese).
The first section covers building an incident response process using the Dynamic Approach to Incident Response (DAIR) to verify, scope, contain, and remediate threats. Through hands-on labs and real-world examples, you’ll apply this method with tools like PowerShell and learn to accelerate analysis using generative AI without compromising accuracy.
This section explores attacker reconnaissance techniques, including open-source intelligence, network scanning, and target enumeration to identify security gaps. You’ll apply these tactics on Windows, Linux, Azure, and AWS targets, then analyze logs and evidence to detect attacks in real time.
This section covers key techniques for password compromises on on-premises and cloud systems, using tools like Legba, Hashcat, and Metasploit to simulate attacks and strengthen defenses. The insights gained help enhance practical defenses and inform incident response strategies.
In this course section we'll begin our look at target exploitation frameworks that take advantage of weaknesses on public servers and client-side vulnerabilities.
This section covers advanced post-exploitation tactics, teaching how attackers bypass protections, establish persistence, and exfiltrate data from internal networks and vulnerable cloud deployments. You'll build analysis skills to detect and respond to these threats and apply them in real-world scenarios, preparing for long-term success and certification.
Our Capture-the-Flag event is a full day of hands-on activity that has you working as a consultant for ISS Playlist, a fictitious company that has recently been compromised.
Analyzes data from multiple sources to prepare environments, respond to information requests, and support intelligence planning and collection requirements.
Explore learning pathPerforms advanced analysis of collection and open-source data to track target activity, profile cyber behavior, and support cyberspace operations.
Explore learning pathMonitors cyber defense tools like IDS and logs to analyze network events, identifying and mitigating potential threats to security environments.
Explore learning pathAdd a GIAC certification attempt and receive free two practice tests. View pricing in the info icons below.
When purchasing a live instructor-led class, add an additional 4 months of online access after your course. View pricing in the info icons below.
Incident response is the most underused aspect in small companies. SEC504™ gives us the ability to help management understand the value.
Great content! As a developer it is extremely useful to understand exploits and how better coding practices help your security position.
SEC504 is a great course and well-organized. The labs are amazing and well-tailored to learning the content. This is my first SANS training course and I am simply amazed at the content thus far. Greatly enjoying it!
SEC504 has been the single best course I have ever taken. It leaves the student prepared and able to understand a broad scope of content in security.
Get feedback from the world’s best cybersecurity experts and instructors
Choose how you want to learn - online, on demand, or at our live in-person training events
Get access to our range of industry-leading courses and resources