BETA

SEC559: Identity Security for Cloud and Hybrid

SEC559 Cloud Security
  • 5 Days (Instructor-Led)
  • 30 Hours
Course authored by:
Maxim Deweerdt
  • 30 CPEs

    Apply your credits to renew your certifications

  • In-Person or Virtual

    Attend a live, instructor-led class from a location near you or virtually from anywhere

  • Advanced Skill Level

    Course material is geared for cyber security professionals with hands-on experience

  • 16 Hands-On Lab(s)

    Apply what you learn with hands-on exercises and labs

Build the skills to detect, govern, and respond to identity-based attacks across human, workload, and AI agent identities throughout the full identity lifecycle.

Course Overview

Today, identity is the main way to control access in organizations and is also the top target for attackers. Instead of using old methods, attackers now take advantage of tokens, applications, hybrid trust setups, and non-human identities, including AI agents and automated workloads, to gain ongoing and often hidden access. SEC559 gives defenders the knowledge and hands-on experience they need to secure, monitor, and respond to identity-based attacks in Microsoft Entra ID and hybrid Active Directory environments. The course covers the whole identity lifecycle, including authentication, token issuance, trust abuse, governance of human and agent identities, and AI-assisted detection and response. The main goal is to teach practical detection, safe remediation, and how to stop identity attacks before they spread across cloud and on-premises systems.

What You'll Learn

  • Detect OAuth consent abuse, token replay, and Graph API misuse across user, workload, and agent identities
  • Analyze OAuth, OIDC, and SAML authentication flows to identify anomalies in tokens, claims, and session behavior
  • Identify and remediate compromised applications, service principals, managed identities, and AI agents operating as application workloads, including credential abuse and persistence
  • Map and investigate identity attack paths across cloud and hybrid environments, including Active Directory to Microsoft Entra ID escalation scenarios
  • Detect and respond to hybrid identity attacks such as synchronization abuse, federation trust manipulation, and Kerberos-based escalation
  • Uncover governance and lifecycle weaknesses that enable long-term persistence, including overprivileged access, ungoverned agent identities, and external identity abuse
  • Execute safe, effective remediation by revoking sessions, rotating credentials, securing identity infrastructure, applying AI-assisted and agentic workflows, and restoring trust without disrupting operations

Business Takeaways

  • Reduce risk from identity-based attacks that bypass traditional defenses by targeting the identity control plane
  • Detect attackers operating with legitimate credentials, tokens, non-human workloads, and application identities before they escalate access
  • Prevent tenant-wide and domain-wide compromise by breaking identity attack paths early across cloud and hybrid environments
  • Improve visibility across Microsoft Entra ID and Active Directory to enable faster, more accurate detection and response
  • Strengthen Zero Trust by enforcing strong authentication, conditional access, and continuous session evaluation
  • Mature identity governance programs by addressing privilege sprawl, ungoverned agent identities, ownership gaps, and lifecycle weaknesses
  • Enhance incident response capabilities with AI-assisted and agentic workflows and repeatable processes to contain, remediate, and validate identity compromises across the full identity lifecycle

Course Syllabus

Explore the course syllabus below to view the full range of topics covered in SEC559: Cloud and Hybrid Identity Security.

Section 1: Identity as the Control Plane

Day 1 introduces identity as the core security control plane, including agent identity foundations and limitations of service principals for autonomous AI workloads. Students explore identity types, applications, permissions, and relationships in Microsoft Entra ID, learning how misconfigurations, privilege paths, and ownership gaps create attack surfaces.

Topics covered

  • Identity-first security model and control plane concepts
  • Identity types: users, devices, workloads, and agents
  • Applications, service principals, and managed identities
  • Authorization model: roles, permissions, and Microsoft Graph
  • Identity relationships, privilege paths, and attack surface

Labs

  • Explore identity types and relationships in Entra Portal
  • Manage applications and service principals
  • Using managed identities
  • Explore Graph API permissions and access paths

Section 2: Authentication, Tokens and Session Security

Day 2 focuses on how authentication and token issuance define access in modern environments, including how agent identities authenticate and leverage tokens and how this differs from human identities. Students analyze how tokens, sessions, and authentication methods work in Microsoft Entra ID, and how attackers abuse them to gain persistent, often invisible access.

Topics covered

  • Authentication flows and identity providers vs relying parties
  • Authentication strength: passwordless, FIDO2, and device binding
  • Token model: access, refresh, PRT, and token chaining
  • Token abuse: replay, persistence, device code, and session hijacking
  • Conditional Access, session control, and token protection

Labs

  • Implement phishing-resistant authentication
  • Investigate OAuth tokens and relationships
  • Simulate OAuth and token abuse scenarios
  • Protect access with Conditional Access policies

Section 3: Hybrid Identity and Active Directory Security

Day 3 expands identity security into hybrid environments, where Active Directory and Microsoft Entra ID form a combined control plane. Students analyze how synchronization, trust, and Kerberos enable cross-plane attacks and privilege escalation.

Topics covered

  • Hybrid identity architecture and trust boundaries
  • Identity synchronization models and object matching
  • Sync infrastructure and connector identity risks
  • Hybrid privilege escalation and cross-plane attack paths
  • Kerberos, federation, and modern hybrid authentication models

Labs

  • Investigate hybrid domain configurations in Entra
  • Analyze Active Directory - Entra sync configuration
  • Simulate hybrid privilege escalation
  • Hybrid attack path analysis with AzureHound and BloodHound

Section 4: Identity Governance, External Trust and Lifecycle Security

Day 4 focuses on identity governance and lifecycle security as critical controls for limiting attack persistence. Students analyze how weak ownership, excessive privileges, and external trust in Microsoft Entra ID enable long-term access, covering agent identity governance alongside workload identity with ownership models, credential management, and access reviews for AI workloads.

Topics covered

  • Identity lifecycle risks: joiner, mover, leaver and ownership gaps
  • Privileged access governance: PIM, JIT, and break-glass accounts
  • Access governance: reviews, entitlement management, and policies
  • External identities, cross-tenant access, and delegated administration
  • Governance failures enabling persistence and long-lived access

Labs

  • Identify risky roles and PIM misconfigurations
  • Analyze lifecycle and governance gaps
  • Explore cross-tenant access and risks
  • Identify persistence via external identities

Section 5: Hybrid Identity Threat Detection, Prevention and Response

Day 5 focuses on detecting and responding to identity-based attacks across hybrid environments. Students use telemetry from Microsoft Entra ID and Active Directory, supported by AI-assisted and agentic response workflows, to investigate attacks, contain compromised identities, and restore trust. The day ends with a story-driven Capture the Flag (CTF) where students respond to an end-to-end hybrid identity breach, putting everything from the week into practice.

Topics covered

  • Identity telemetry: sign-in, audit, and Graph activity logs
  • Identity attack patterns across the kill chain
  • Detecting token abuse, OAuth attacks, and session hijacking
  • Hybrid attack detection: sync, federation, and trust abuse
  • Incident response: containment, remediation, and validation

Labs

  • CTF: Hybrid Identity Compromise Investigation

Relevant Job Roles

Cloud Security Analyst Training, Salary, and Career Path

Cloud Security

A Cloud Security Analyst monitors and analyzes activity across cloud environments, proactively detects and assesses threats, and implements preventive controls and targeted defenses to protect critical business systems and data.

Cloud Threat Detection and Response

Cloud Security

Monitor, test, detect, and investigate threats to cloud environments.

Benefits of Learning with SANS

Get feedback from the world’s best cybersecurity experts and instructors

Choose how you want to learn - online, on demand, or at our live in-person training events

Get access to our range of industry-leading courses and resources