SEC595: Applied Data Science and AI/Machine Learning for Cybersecurity Professionals


Acquire critical visibility, detection, and response capabilities to protect ICS/OT environments against sophisticated threats while ensuring the safety and reliability of operations.
ICS515 is so relevant to my day to day that I feel like I can't take notes fast enough. This is so critical for the ICS and OT community.
This ICS incident response course equips security professionals with practical skills to secure industrial environments. Through hands-on exercises using real industrial equipment, you'll learn to gain network visibility, identify assets, detect threats, and respond to incidents in critical infrastructure and other environments that rely on ICS/OT systems. The curriculum covers advanced defensive techniques against sophisticated threats like STUXNET, HAVEX, BLACKENERGY2, CRASHOVERRIDE, TRISIS/TRITON, FROSTYGOOP, EKANS, and PIPEDREAM. You'll work with a real programmable logic controller (PLC) kit, sector simulation board, and virtual machines that you keep post-course to continue skill development. Leveraging industry frameworks, you'll develop repeatable methodologies to secure industrial environments.


SANS Fellow and Dragos CEO Robert M. Lee, author of ICS515 and FOR578 and co-author of ICS310, teaches from landmark industrial cyber investigations, turning real adversary tradecraft into visibility, detection, and response skills in OT.
Explore the course syllabus below to view the full range of topics covered in ICS515: ICS Visibility, Detection, and Response.
Learn to leverage threat intelligence to analyze threats, extract indicators of compromise, document tactics, techniques, and procedures, and guide security teams to protect industrial environments.
Understand the networked environment to build comprehensive asset inventories and develop effective collection strategies for both industrial operations and security operations.
Develop detection strategies to remain resilient against targeted and untargeted threats, with focus on safely conducting threat hunting and analyzing attack patterns in industrial environments.
Learn to safely perform ICS incident response with focus on acquiring digital evidence while scoping threats and their operational impact, using forensic techniques tailored for industrial environments.
Extract information from threats through malware analysis to reduce the effectiveness of threats and create shareable threat intelligence for improved defensive posture.
A full-day technical challenge where students apply all learned skills to analyze packet captures, logic, memory images, and more from compromised ICS ranges and equipment, simulating real-world scenarios.
This expert applies new threat intelligence against existing evidence to identify attackers that have slipped through real-time detection mechanisms. The practice of threat hunting requires several skill sets, including threat intelligence, system and network forensics, and investigative development processes. This role transitions incident response from a purely reactive investigative process to a proactive one, uncovering adversaries or their footprints based on developing intelligence.
Analyzes data from multiple sources to prepare environments, respond to information requests, and support intelligence planning and collection requirements.
Deploys, configures, and maintains infrastructure software and hardware to support secure and effective IT operations across organizational systems.
Oversees cybersecurity configuration and daily security operations of control systems, ensuring mission support and stakeholder coordination.
This role conducts cybersecurity tasks for Industrial Control Systems and Operational Technologies (ICS/OT). Find the SANS courses that map to the Industrial Control Systems and Operational Technologies SCyWF Work Role.
Responds to and investigates network cyber incidents, performing analysis to mitigate threats and maintain cybersecurity in enclave environments.
Responsible for investigating, analyzing, and responding to network cybersecurity incidents.
Executes specific industrial incident response for incidents that threaten or impact control system networks and assets, while maintaining the safety and reliability of operations.
Add a GIAC certification attempt and receive two free practice tests.
When purchasing a live instructor-led class, add an additional 4 months of online access after your course.
Very good for any ICS program, security-focused or not.
Very good focus on the OT/ICS side & integrated into class.
This course was like a catalyst. It not only boosted my knowledge about the threats facing ICS environments and provided me with a framework to actively defend these threats, it also inspired me to learn more.
