We're opening this virtual Summit to the community. Register now for FREE!

Summit: September 9-10 | Courses: September 13-18 | Co-Chairs: John Hubbard, Justin Henderson


Level Up Your Blue Team Skills

Defending against attacks is an ongoing challenge with new threats emerging all the time. Do you want to enhance your current skill set and become even better at defending your organization? Are you looking for the latest ways to mitigate the most recent attacks? The blue team represents information security professionals on the front-line of defending an organization’s critical assets and systems against attacks and threats from adversaries.

Blue team professionals are highly skilled at deploying actionable techniques for timely detection, responding to compromises, and monitoring adversary activities to maintain and improve security over time. It’s an ongoing effort, day in & day out. Whether hunting for threats, designing a defensible security architecture, or analyzing log data, it’s the skills and agility of blue teams that enable world-class detection and defensive capabilities.

The 2021 Blue Team Summit will feature:

  • Highly technical talks and panel discussions - The industry's top practitioners will share their latest cyber defense research, solutions, tools, and case studies. You'll have a number of talks to choose from, plus new virtual event features that will have you schooled up for the year and planning for next year before the week is out.
  • Exclusive Networking Opportunities - Connect with your fellow blue teamers and the wider cyber defense community via virtual chat rooms.
  • Blue Team SOC Solutions Track - Join this SANS-led forum as we explore various SOC topics through invited speakers while showcasing capabilities available today. Presentations will focus on technical case studies and thought leadership using specific examples relevant to the industry.
  • Closely Aligned SANS Cyber Defense Courses - Enhance your knowledge base and add to your toolkit with a hands-on, immersive course taught by top SANS instructors and course authors.
  • Cyber Defense NetWars! - Students enrolled in long courses at the SANS Blue Team Summit can join us for everyone's favorite defense-focused competition aimed at testing your ability to solve problems and secure your systems from compromise. Cyber Defense NetWars is a truly unique experience, and an opportunity to test your skills in administration, threat hunting, log analysis, packet analysis, cryptography, and much more.


Over two days, Blue Team Summit talks will deliver diverse viewpoints and actionable advice on key topics, including:

  • Detecting advanced post-exploitation
  • Modern security architecture (zero trust and micro segmentation)
  • Log analysis and anomaly detection at scale
  • Network security monitoring in an increasingly encrypted world
  • Operationalizing endpoint detection
  • Cloud security monitoring tools and techniques
  • Prevention of common and high-impact attacks – human operated ransomware, business email compromise, etc.
  • Threat hunting techniques and tools
  • Managing, measuring, and improving security operations
  • Building and operating an intelligence-driven defense
  • Monitoring and detection for cloud services - containers, PaaS, SaaS, serverless workloads, and more
  • Leveraging industry frameworks to improve and measure detection, prevention, and response (ATT&CK, etc.)
  • How to jump-start a career in blue teaming
  • Securing an increasingly remote workforce
  • Blue teams & IT leadership

CPEs & Certificate of Completion

- You will get 12 CPEs for attending the Blue Team Summit. (6 for each day you attend)
- Currently, we are not able to issue CPEs to those who view the Summit recordings.

- A Certificate of Completion will be available in your account after the conclusion of the Blue Team Summit & Training 2021 [September 18].
- SANS will automatically submit your CPEs to GIAC within 7-10 days after the event’s end date of September 18 - No action is required on your part.

Boost Expertise with a Bundled Course

After the Summit, choose from a number of hands-on, immersion-style SANS Live Online courses to help you expand your information security expertise. SANS courses are taught by experienced practitioners who are among the best cybersecurity instructors in the world. They will provide you with the guidance and skills you need to protect your organization and advance your career.

Follow Us

Stay current with all things SANS Blue Team on Twitter, LinkedIn, YouTube, the Blueprint Podcast and BTO News. Follow and interact with our community using the hashtag #BlueTeamSummit.


The full agenda will be available soon, but confirmed talks include: 

YARA for Mere Mortals
Tony Drake, Senior Engineer, ICE (Intercontinental Exchange)

Almost all of us have looked at a vendor report or email containing a YARA rule. Some of us have thought, "that's really cool and useful". Many of us have thought, "But there's no way I can do that!" If you have ever thought that, this talk is for you. The talk tries to demystify YARA rule writing and cure your fears of hex, strings, and running YARA to find evil on your networks by ignoring the "what it means" and focusing on the "what it finds."

Modern Authentication for the Security Admin
Bailey Bercik @BaileyBercik, Program Manager, Microsoft
Mark Morowczynski @markmorow, Principal Program Manager, Microsoft

Many organizations’ applications are moving to modern authentication protocols such as SAML, OAuth and OpenID Connect. Claims, bearer tokens and JWT tokens are traversing various authentication flow paths in your environment today. Security teams need to be just as familiar with how these work, the risks and the benefits they provide, as they are with Kerberos tickets and NTLM hashes (please stop btw). In this session we will break down these authentication concepts and common flows for the non-identity admin. We will also discuss some common attacks and defenses the security team should be monitoring for and implementing in their environment.
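As an added illustration (not part of the talk or its speakers' material), the checks a resource API should make on a bearer JWT before trusting any claim in it, written against Python's standard library. The shared HMAC key, issuer URL, audience and fixed clock are constructed for the example; production code would use a maintained JOSE library and the identity provider's published signing keys, but the order of checks is the point: pin the algorithm first, verify the signature second, and only then read iss, aud, exp and nbf.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Any, Dict, Optional, Tuple


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # JWTs strip '=' padding; restore it before decoding
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_hs256_jwt(claims: Dict[str, Any], key: bytes) -> str:
    """Mint a compact HS256 JWT (stands in for the identity provider here)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def verify_hs256_jwt(token: str, key: bytes, issuer: str, audience: str,
                     now: Optional[int] = None) -> Tuple[Optional[Dict[str, Any]], str]:
    """Return (claims, "ok") or (None, reason). Nothing in the token is trusted
    until the signature over header.payload has been checked."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None, "malformed"
    try:
        header = json.loads(_b64url_decode(parts[0]))
        claims = json.loads(_b64url_decode(parts[1]))
        sig = _b64url_decode(parts[2])
    except ValueError:  # binascii.Error and JSONDecodeError both subclass ValueError
        return None, "malformed"
    # The verifier, not the token, decides the algorithm. Honouring header.alg is
    # what "alg":"none" and RSA-to-HMAC key-confusion forgeries rely on.
    if header.get("alg") != "HS256":
        return None, f"unexpected alg {header.get('alg')!r}"
    expected = hmac.new(key, f"{parts[0]}.{parts[1]}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None, "bad signature"
    if claims.get("iss") != issuer:
        return None, "wrong issuer"
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        return None, "wrong audience"  # token minted for a different API
    if "exp" not in claims or now >= int(claims["exp"]):
        return None, "expired"
    if now < int(claims.get("nbf", 0)):
        return None, "not yet valid"
    return claims, "ok"


# Constructed values for the demo; a real API takes these from its app registration.
KEY = b"demo-shared-secret"
ISSUER = "https://login.example.test/"
AUD = "api://orders"
NOW = 1_631_181_600  # fixed clock so the example is deterministic


def demo() -> Dict[str, str]:
    """Run the verifier against a valid token and four common forgeries/misuses."""
    good = make_hs256_jwt({"iss": ISSUER, "aud": AUD, "sub": "alice", "exp": NOW + 600}, KEY)
    hdr, payload, sig = good.split(".")
    results = {"good": verify_hs256_jwt(good, KEY, ISSUER, AUD, NOW)[1]}
    # alg:none forgery: header rewritten, signature dropped, payload untouched
    none_hdr = _b64url_encode(b'{"alg":"none","typ":"JWT"}')
    results["alg_none"] = verify_hs256_jwt(f"{none_hdr}.{payload}.", KEY, ISSUER, AUD, NOW)[1]
    # Tampered claims re-using the original signature
    forged = _b64url_encode(json.dumps(
        {"iss": ISSUER, "aud": AUD, "sub": "admin", "exp": NOW + 600}).encode())
    results["tampered"] = verify_hs256_jwt(f"{hdr}.{forged}.{sig}", KEY, ISSUER, AUD, NOW)[1]
    # Valid token for another API replayed against this one
    other = make_hs256_jwt({"iss": ISSUER, "aud": "api://billing", "sub": "alice", "exp": NOW + 600}, KEY)
    results["wrong_aud"] = verify_hs256_jwt(other, KEY, ISSUER, AUD, NOW)[1]
    # Same good token presented after exp
    results["expired"] = verify_hs256_jwt(good, KEY, ISSUER, AUD, NOW + 601)[1]
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:>10}: {outcome}")
```

The audience check is the one most often skipped: a token that is perfectly valid for one API in the tenant is still a forgery from the point of view of every other API, which is why a monitoring team should treat "wrong audience" rejections as a signal rather than noise.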

Blue-Team-as-Code: Lessons From Real-world Red Team Detection Automation Using Logs
Oleg Kolesnikov, Vice President, Securonix; Instructor, Cybersecurity, Northeastern University

Building on last year's SANS blue team automation talk, we'll focus on some real-world examples of how implementing blue team detection automation in code can be leveraged to better detect attack/red-team activity in logs, including visualization, pivoting, and decoding of malicious activity. We will be using open source frameworks such as Sigma as a basis for some of our hunting hypotheses, along with Python and Jupyter notebook-based automation. We will share some code examples as well as our experiences with blue team detection automation in code, including examples of some common blind spots, such as OAuth2 permission-grant exploitation in O365, and how these blind spots can be addressed by a blue team. You'll also see a practical demo of blue team code automation helping detect a red team in action.

DeTT&CT(ing) Kubernetes ATT&CK(s) with Audit Logs
Magno Logan @magnologan, Information Security Specialist, Trend Micro

This presentation discusses the different ways blue teamers can detect attacks and malicious behaviours on Kubernetes (K8s) clusters by leveraging the K8s audit logs and the new MITRE ATT&CK for Containers (and K8s). We will deep-dive into a real-world attack scenario of a compromised cluster from one of our K8s honeypots to demonstrate the different ways defenders and incident responders can detect malicious activity happening on their clusters. We will show how to enable audit logs and highlight which events are the most important from a security perspective. As K8s clusters can be very noisy, it is crucial to know where to look when there is an incident, as time is of the essence. Finally, we will demonstrate how to create dashboards and alerts around those logs on the SIEM of your preference (Splunk, ELK, Datadog) so that you can quickly and easily act upon any suspicious activity on a cluster.
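As an added example (not the speaker's material), a minimal audit policy of the kind passed to kube-apiserver with --audit-policy-file, followed by detection logic run over a handful of constructed audit.k8s.io/v1 events. The rules flag the behaviours a compromised cluster usually shows in its audit log: exec/attach into pods, requests from system:anonymous, cluster-wide secrets enumeration, privileged or host-namespace pod creation, and bindings to cluster-admin. Audit IDs, usernames, IPs, namespaces and pod names are made up; the field names follow the audit Event schema.

```python
import json
from typing import Any, Callable, Dict, List, Optional

# Audit policy for kube-apiserver (--audit-policy-file). Sensitive resources are
# logged at RequestResponse so the request body (requestObject) reaches the
# rules below; everything else stays at Metadata to keep volume down.
AUDIT_POLICY = """\
apiVersion: audit.k8s.io/v1
kind: Policy
omitStages: ["RequestReceived"]
rules:
  - level: RequestResponse
    resources:
      - group: ""
        resources: ["pods", "pods/exec", "pods/attach", "secrets"]
      - group: "rbac.authorization.k8s.io"
        resources: ["clusterrolebindings", "rolebindings"]
  - level: Metadata
"""

# Constructed sample events (JSON lines as written to --audit-log-path),
# trimmed to the fields the rules use.
SAMPLE_AUDIT_LOG = r"""
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","auditID":"a1","verb":"get","user":{"username":"system:serviceaccount:kube-system:coredns","groups":["system:serviceaccounts"]},"sourceIPs":["10.0.0.5"],"objectRef":{"resource":"endpoints","namespace":"kube-system","name":"kube-dns"},"responseStatus":{"code":200}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","auditID":"a2","verb":"create","user":{"username":"dev-user","groups":["developers"]},"sourceIPs":["203.0.113.7"],"objectRef":{"resource":"pods","namespace":"prod","name":"web-7d9f","subresource":"exec"},"responseStatus":{"code":101}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","auditID":"a3","verb":"list","user":{"username":"system:anonymous","groups":["system:unauthenticated"]},"sourceIPs":["198.51.100.9"],"objectRef":{"resource":"secrets"},"responseStatus":{"code":403}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","auditID":"a4","verb":"create","user":{"username":"dev-user","groups":["developers"]},"sourceIPs":["203.0.113.7"],"objectRef":{"resource":"pods","namespace":"prod","name":"miner"},"requestObject":{"spec":{"hostPID":true,"containers":[{"name":"c","image":"alpine","securityContext":{"privileged":true}}]}},"responseStatus":{"code":201}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","auditID":"a5","verb":"create","user":{"username":"dev-user","groups":["developers"]},"sourceIPs":["203.0.113.7"],"objectRef":{"resource":"clusterrolebindings","apiGroup":"rbac.authorization.k8s.io","name":"dev-admin"},"requestObject":{"roleRef":{"kind":"ClusterRole","name":"cluster-admin"},"subjects":[{"kind":"User","name":"dev-user"}]},"responseStatus":{"code":201}}
"""

Event = Dict[str, Any]


def parse_audit_log(text: str) -> List[Event]:
    """Keep ResponseComplete events only; they carry the final responseStatus."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ev = json.loads(line)
            if ev.get("kind") == "Event" and ev.get("stage") == "ResponseComplete":
                events.append(ev)
    return events


def rule_interactive_pod_access(ev: Event) -> Optional[str]:
    ref = ev.get("objectRef", {})
    if (ev.get("verb") == "create" and ref.get("resource") == "pods"
            and ref.get("subresource") in ("exec", "attach")):
        return "interactive_pod_access"
    return None


def rule_unauthenticated_request(ev: Event) -> Optional[str]:
    user = ev.get("user", {})
    if user.get("username") == "system:anonymous" or "system:unauthenticated" in user.get("groups", []):
        return "unauthenticated_api_request"
    return None


def rule_secrets_enumeration(ev: Event) -> Optional[str]:
    ref = ev.get("objectRef", {})
    # No namespace in objectRef means the request targeted secrets across the whole cluster.
    # Denied attempts (403) are kept on purpose: they show what the caller wanted.
    if ref.get("resource") == "secrets" and ev.get("verb") in ("list", "watch") and not ref.get("namespace"):
        return "cluster_wide_secrets_enumeration"
    return None


def rule_privileged_pod(ev: Event) -> Optional[str]:
    ref = ev.get("objectRef", {})
    if ev.get("verb") != "create" or ref.get("resource") != "pods" or ref.get("subresource"):
        return None
    spec = (ev.get("requestObject") or {}).get("spec", {})  # present only at Request/RequestResponse level
    host_ns = any(spec.get(k) for k in ("hostPID", "hostNetwork", "hostIPC"))
    privileged = any((c.get("securityContext") or {}).get("privileged") for c in spec.get("containers", []))
    return "privileged_pod_created" if host_ns or privileged else None


def rule_cluster_admin_binding(ev: Event) -> Optional[str]:
    ref = ev.get("objectRef", {})
    role_ref = (ev.get("requestObject") or {}).get("roleRef", {})
    if (ref.get("resource") == "clusterrolebindings" and ev.get("verb") in ("create", "update", "patch")
            and role_ref.get("name") == "cluster-admin"):
        return "cluster_admin_binding"
    return None


RULES: List[Callable[[Event], Optional[str]]] = [
    rule_interactive_pod_access, rule_unauthenticated_request,
    rule_secrets_enumeration, rule_privileged_pod, rule_cluster_admin_binding,
]


def detect(events: List[Event]) -> List[Dict[str, Any]]:
    """Run every rule over every event; one alert record per (event, rule) hit."""
    alerts = []
    for ev in events:
        for rule in RULES:
            name = rule(ev)
            if name:
                alerts.append({"auditID": ev.get("auditID"), "rule": name,
                               "user": ev.get("user", {}).get("username"),
                               "sourceIP": (ev.get("sourceIPs") or [None])[0],
                               "status": ev.get("responseStatus", {}).get("code")})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_audit_log(SAMPLE_AUDIT_LOG)):
        print(alert)
```

The same five conditions translate directly into SIEM searches on the fields verb, objectRef.resource, objectRef.subresource, user.username and requestObject.spec; the policy matters as much as the rules, because without RequestResponse logging for pods the privileged-pod and cluster-admin checks have no request body to inspect.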

Measuring Detection Engineering Teams
Kyle Bailey, Sr Manager, Threat Operations, Box

My talk is primarily focused on a maturity matrix that I have created for measuring our detection engineering team. Participants will be able to take away high level principles around building a successful detection engineering program and a maturity matrix to help guide and measure progress. More here: https://kyle-bailey.medium.com/detection-engineering-maturity-matrix-f4f3181a5cc7

Adversary Simulation: Measure and Close the Gaps in Your Security Posture
Don Murdoch, Director, Information Security & CISO for RSA NetWitness Division

Need to validate a security posture and assess network resilience against an adversary? Looking for techniques to develop and measure an adversary simulation or Purple Team program? This session will demonstrate how to use proven Purple Teaming techniques, evaluate security and process apparatus, and build a continually evolving program to better protect the enterprise, drawing partially on material from SANS SEC 599 and SEC 530.

Monitoring and Incident Response in Azure AD
Yochana Henderson, Identity Program Manager, Microsoft
Thomas Detzner, Senior Program Manager Identity and Network Access Division, Microsoft

We are going to present our Azure AD Sec Ops guidance, so SOC teams know what to monitor, alert on and investigate. With so many events to monitor, we will present the high-importance alerts recommended for investigating users, privileged accounts, apps and service principals, as well as core changes in your Azure AD environment. Key takeaways are for SOC teams to be able to collect the right logs, alert on the important events and investigate those alerts. We will also showcase our playbooks for incident response when one of these alerts is triggered, so SOC teams can use and adapt them to respond to and remediate some of the most common attacks we see against Azure AD.

Threat Detection Use Cases: How to Find Them, Where to Start
Alex Teixeira, Senior Threat Detection Engineer, BlueVoyant

In this talk, I share what I've learned after working for more than five years as a freelancer solely dedicated to SIEM content engineering for enterprise Security Operations teams, with a focus on how to spot the best use cases for existing logs, how to drive the collection of more, and how to lay out a good strategy going forward. Data, data everywhere! With so many systems generating logs and tools available to easily collect and search through log data, how do you make sense of them from a threat detection perspective? Which logs provide the best cost/benefit ratio? How do you align a strategy to drive the collection of the relevant data sources in an enterprise organization? In this talk I share some challenges along the way as well as how to possibly overcome them.

Ransomware Containment and Response Strategies
Anurag Khanna, Principal Consultant, Mandiant Consulting

Ransomware is the most challenging attack blue teamers have dealt with. The ways ransomware attackers work have some key differences compared to traditional espionage attacks. Ransomware causes business disruption, which is catastrophic for many organizations. Dealing with ransomware requires swiftness of response, quick decision making and implementation capabilities. This talk will walk through a three-pronged approach for responding to ransomware attacks: preparation, containment and recovery. I will share techniques that defenders can use to respond to ransomware propagation in real time using tools already available in their organizations.

What Attendees Say About Their Blue Team Summit Experience

"The Blue Team Summit was a fantastic opportunity to hear great speakers talk on various blue team related topics. Additionally, there are significant networking opportunities and everyone was very welcoming."
Justin C., EnerVest

"Excellent opportunity to meet other folks on blue teams and pick up skills to make the role of a blue team member more effective."
Kyle C., Splunk

"SANS keeps the content cutting edge and technical. We need more of this because there is always a gap between the blue team and the adversaries. Overall, it was great."
Brandon G., Waystar

Important Dates

Refund Date: August 23, 2021