SEC511: Cybersecurity Engineering: Advanced Threat Detection and Monitoring

SEC511 | Cyber Defense
  • 6 Days (Instructor-Led)
  • 46 Hours (Self-Paced)
Course authored by: Eric Conrad & Seth Misenar
SEC511: Continuous Monitoring and Security Operations
  • GIAC Continuous Monitoring Certification (GMON)
  • 46 CPEs

    Apply your credits to renew your certifications

  • In-Person, Virtual or Self-Paced

    Attend a live, instructor-led class at a location near you or remotely, or train on your time over 4 months

  • 18 Hands-On Lab(s)

    Apply what you learn with hands-on exercises and labs

Learn cutting-edge cybersecurity engineering and advanced threat detection skills for cloud, network, and endpoint environments in this comprehensive course.

Course Overview

SEC511 prepares defenders to secure hybrid enterprises using tools like Zero Trust, Artificial Intelligence and Machine Learning (AI/ML), Extended Detection and Response (XDR), and cloud technology. With 18+ hands-on labs and a capstone challenge, this course builds real-world skills in detection, response, and cybersecurity engineering across cloud, network, and endpoint environments.

What You'll Learn

  • Assess current defenses and engineer modern, prioritized improvements
  • Apply frameworks like MITRE ATT&CK and Zero Trust for threat-informed defense
  • Hunt threats across networks, endpoints, and cloud using advanced tools and techniques
  • Build visibility across hybrid, decentralized infrastructure and encrypted traffic
  • Understand and use CNAPP, CSPM, CIEM, and CWPP for strong cloud security
  • Analyze and detect threats using NDR, EDR, Suricata, Zeek, Wireshark, and more
  • Secure identity, endpoints, and AI/LLM apps; enhance SOC with SOAR and automation

Business Takeaways

  • Develop strong protection and detection strategies for cloud, network, and endpoints
  • Engineer and refine threat detection and defense capabilities
  • Use threat-informed defense to optimize security countermeasures
  • Strengthen overall security operations and SOC performance
  • Detect and close protection gaps across hybrid environments
  • Secure GenAI and LLM apps to ensure safe, trustworthy use
  • Maximize existing infrastructure and rapidly detect intrusions

Course Syllabus

Explore the course syllabus below to view the full range of topics covered in SEC511: Cybersecurity Engineering: Advanced Threat Detection and Monitoring.

Section 1: Threat-Informed Defense: Frameworks, Hunting, and Current State Assessment

This section covers modern cyber defense, shifting from reactive to proactive strategies. Students explore MITRE ATT&CK, Zero Trust, and GenAI risks, and tackle hands-on labs to detect and respond to evolving threats.

Topics covered

  • Adversary Tactics and Cyber Defense Principles
  • Introducing Security Onion 2.X
  • Frameworks/Mental Models
  • Threat Informed Defense and Hunting
  • GenAI/LLM Fundamentals

Labs

  • Detecting Traditional Attack Techniques
  • Detecting Modern Attack Techniques
  • Complex Intrusion Analysis: Apache ActiveMQ
  • NetWars Bootcamp: Immersive Cyber Challenges

Section 2: Cloud, Edge, and Network: Visibility and Protection

This section explores visibility and protection across cloud, edge, and network environments. Students learn about IDS/IPS, TLS/DNS encryption, cloud and edge security tools, and apply skills in hands-on labs and a NetWars Bootcamp.

Topics covered

  • Security Visibility
  • Encryption
  • Cloud Protection and Detection
  • Edge Security

Labs

  • Web Application Firewalls: ModSecurity
  • Decrypting TLS with Wireshark
  • Detecting Adversaries with Protocol Inspection
  • Intrusion Detection Honeypots
  • NetWars Bootcamp: Immersive Cyber Challenges

Section 3: Threat Hunting with Network Detection and Response (NDR)

This section focuses on Network Detection and Response (NDR) within Network Security Monitoring (NSM) and Security Information and Event Management (SIEM), teaching students to detect threats using diverse data sources and analytic techniques. Hands-on labs and the NetWars Bootcamp reinforce skills in threat hunting and traffic analysis.

Topics covered

  • Network Detection and Response (NDR)
  • Network Threat Hunting

Labs

  • Pcap Analysis and Carving with Zeek
  • Security Onion Service-Side Attack Analysis
  • Wireshark Merlin Analysis
  • Detecting TLS Certificate and User-Agent Anomalies
  • NetWars Bootcamp: Immersive Cyber Challenges

Section 4: Hybrid Enterprise Security: User and Endpoint Protection and Detection

This section covers endpoint and user security in hybrid environments, focusing on Endpoint Detection and Response (EDR), Endpoint Protection Platforms (EPPs), identity protection, modern authentication, and User and Entity Behavior Analytics (UEBA). Labs and the NetWars Bootcamp build hands-on defense and monitoring skills.

Topics covered

  • Endpoint Detection and Response (EDR)
  • Endpoint Protection Platform (EPP)
  • Identity/User/Authentication Monitoring

Labs

  • Sysmon
  • CFO Compromise Investigation: Autoruns and Sysmon
  • Application Control with AppLocker
  • Merlin Sysmon Analysis
  • NetWars Bootcamp: Immersive Cyber Challenges

Section 5: GenAI Application Defense, Automation, Supply Chain Protection, and SOC

This section covers securing GenAI and Large Language Model (LLM) applications, software supply chains, and SOC automation using SOAR. Students gain hands-on skills in threat hunting, adversary emulation, and ransomware response through labs and the NetWars Bootcamp.

Topics covered

  • Defending AI/LLM Applications
  • AI/Software Supply Chain
  • Service and Event Log Monitoring
  • Automation/SOAR/SOC

Labs

  • Ransomware Investigation
  • Windows Event Logs
  • DNS over HTTPS (DoH)
  • NetWars Bootcamp: Immersive Cyber Challenges

Section 6: Capstone: Design, Detect, Defend

The course concludes with a full-day, team-based NetWars competition, challenging students to apply and master modern cyber defense skills through hands-on, multi-level design, detection, and defense missions.

Topics covered

  • Modern Cyber Defense: Protection, Detection, and Monitoring
  • Applied NDR, NSM, and EDR
  • Network, Endpoint, and Cloud-Oriented Threat Hunting
  • Analyzing Malicious Traffic and Windows Event Logs
  • Packet and Log Analysis

Relevant Job Roles

Protection

SCyWF: Protection And Defense

This role uses cybersecurity tools to protect information, systems and networks from cyber threats. Find the SANS courses that map to the Protection SCyWF Work Role.

Systems Security Analyst (DCWF 461)

DoD 8140: Software Engineering

Ensures systems and software security from development to maintenance by analyzing and improving security across all lifecycle phases.

Security Architect & Engineer

Cyber Defense

Design, implement, and tune an effective combination of network-centric and data-centric controls to balance prevention, detection, and response. Security architects and engineers are capable of looking at an enterprise defense holistically and building security at every layer. They can balance business and technical requirements along with various security policies and procedures to implement defensible security architectures.

Cybersecurity Architecture (OPM 652)

NICE: Design and Development

Responsible for ensuring that security requirements are adequately addressed in all aspects of enterprise architecture, including reference models, segment and solution architectures, and the resulting systems that protect and support organizational mission and business processes.

Information Systems Security Developer (DCWF 631)

DoD 8140: Cybersecurity

Designs and evaluates information system security throughout the software lifecycle to ensure confidentiality, integrity, and availability.

Cyber Defense Infrastructure Support Specialist (DCWF 521)

DoD 8140: Cybersecurity

Deploys, configures, and maintains infrastructure software and hardware to support secure and effective IT operations across organizational systems.

Network Operations Specialist (DCWF 441)

DoD 8140: Cyber IT

Implements and maintains network services, including hardware and virtual systems, ensuring operational support for infrastructure platforms.

Information Systems Security Manager (DCWF 722)

DoD 8140: Cybersecurity

Oversees program, system, or enclave cybersecurity, ensuring protection from cyber threats and compliance with organizational standards.

Course Schedule & Pricing

Prices exclude applicable local taxes. Ten of 21 scheduled events are listed.

  • Virtual (OnDemand), self-paced, 4 months access: $8,780 USD
  • Virtual (live): ¥1,335,000 JPY
  • Virtual (live): €8,230 EUR
  • Austin, TX, US & Virtual (live): $8,780 USD
  • Dubai, AE & Virtual (live): $8,900 USD
  • Washington, DC, US & Virtual (live): $8,780 USD
  • London, GB & Virtual (live): £7,160 GBP (EUR price available during checkout)
  • La Jolla, CA, US & Virtual (live): $8,780 USD
  • Singapore, SG & Virtual (live): S$11,390 SGD
  • Orlando, FL, US & Virtual (live): $8,780 USD
