SEC595: Applied Data Science and AI/Machine Learning for Cybersecurity Professionals
SEC595Cyber Defense, Artificial Intelligence
SANS Community Benefits
Connect, learn, and share with other cybersecurity professionals
Major updates
SEC560: Enterprise Penetration Testing
SEC560Offensive Operations
- 6 Days (Instructor-Led)
- 36 Hours (Self-Paced)
Course authored by:
Jeff McJunkin & Jon Gorenflo
Course authored by:Jeff McJunkin & Jon Gorenflo
- GIAC Penetration Tester (GPEN)
- 36 CPEs
Apply your credits to renew your certifications
- In-Person, Virtual or Self-Paced
Attend a live, instructor-led class at a location near you or remotely, or train on your time over 4 months
- Intermediate Skill Level
Course material is geared for cyber security professionals with hands-on experience
- 30 Hands-On Lab(s)
Apply what you learn with hands-on exercises and labs
Learn enterprise-scale penetration testing; identify, exploit, and assess real business risks across on-prem, Azure, and Entra ID environments through hands-on labs and an intensive CTF.
Featured Quote
This course transformed my understanding of penetration testing. The hands-on labs and real-world scenarios provided practical skills I immediately applied at work. The instructor's expertise and the comprehensive coverage from initial access through domain compromise exceeded my expectations.
Course Overview
SEC560 teaches students how to conduct comprehensive enterprise penetration tests that mirror real-world attacks. Starting with reconnaissance and scanning, students progress through gaining initial access, post-exploitation, privilege escalation, lateral movement, and maintaining persistence while evading detection.
The course emphasizes practical, hands-on techniques using industry-standard tools including Nmap, Metasploit, Sliver, BloodHound, Impacket, and Mimikatz. Students learn both on-premises Active Directory attacks and cloud-based Azure/Entra ID exploitation. Each section includes multiple labs reinforcing concepts through realistic scenarios against purpose-built vulnerable environments.
The course culminates in a Capture the Flag competition where students apply all learned techniques across multiple target networks, demonstrating mastery of the complete penetration testing lifecycle from initial foothold through domain dominance.
What You'll Learn
- Gather intel with OSINT, DNS, and breach data to map targets and identify attack surfaces. (100)
- Exploit weak authentication via credential stuffing, spraying, and hash-based attacks. (97)
- Harvest creds, establish C2, and escalate privileges post-exploitation on Windows and Linux.
- Attack Active Directory using Kerberoasting, BloodHound, and ADCS exploitation.
- Move laterally with pass-the-hash, Impacket, SSH tunneling, and pivoting techniques.
- Maintain persistence through tasks, services, and WMI while evading EDR and AV.
- Gain domain dominance using DCSync, golden tickets, and Azure RBAC exploitation.
Business Takeaways
- Run realistic pentests to find exploitable flaws before attackers can discover and exploit them.
- Use real attacker tactics to guide security investments based on real-world threats, not theory.
- Review MFA to uncover single-factor services that expose critical enterprise entry points.
- Evaluate AD for privilege paths, misconfigurations, and Kerberos authentication weaknesses.
- Test how fast defenders detect and respond to lateral movement and post-exploitation.
- Stay compliant and show progress through regular pentests documenting security maturity.
- Build internal pentest skills to cut reliance on consultants and strengthen in-house expertise.
Meet Your Authors
- Slide 1 of 2
Jeff McJunkin
Principal InstructorJeff McJunkin, Rogue Valley InfoSec founder, has led Fortune 100 pen tests and shaped Core NetWars. His key role in SANS Holiday Hack Challenge and hands-on security innovations continue to elevate the industry, advancing defenses worldwide.
Read more about Jeff McJunkin - Slide 2 of 2
Jon Gorenflo
Principal InstructorJon Gorenflo has strengthened cybersecurity through leadership in pen testing, incident response, and security engineering. His dedication to mentoring and knowledge-sharing has empowered professionals and enhanced defenses industry-wide.
Read more about Jon Gorenflo
Slide 1 of 0
(1/0)
Course Syllabus
Explore the course syllabus below to view the full range of topics covered in SEC560: Enterprise Penetration Testing.
Section 1Miniature Engagement, Recon, and Scanning
Section 1 begins with a credential stuffing attack to introduce the penetration testing mindset then guides students through infrastructure setup, Linux fundamentals, and pre-engagement planning. It dives into reconnaissance using OSINT to gather organizational intelligence, concluding with scanning via Masscan and Nmap to identify active hosts and services.
Topics covered
- Penetration Testing Frameworks and Methodology
- Infrastructure Setup and Linux Essentials
- Pre-engagement and Rules of Engagement
- OSINT and Reconnaissance Techniques
- Port Scanning with Masscan and Nmap
Labs
- Lab 1.1: Credential Stuffing to a Breach
- Lab 1.2: Reconnaissance and OSINT
- Lab 1.3: Masscan
- Lab 1.4: Nmap
Section 2Scanning and Initial Access
Section 2 expands on Nmap’s advanced scanning with version and OS detection plus scripting for vulnerabilities. Students then explore initial access through password attacks, Azure and Entra ID spraying, and network exploits using Responder, Metasploit, and Meterpreter to gain and control compromised systems.
Topics covered
- Nmap Version and OS Detection
- Nmap Scripting Engine and Vulnerability Scanning
- Password Guessing and Spraying Attacks
- Azure and Entra ID Reconnaissance
- Network Protocol Attacks with Responder
Labs
- Lab 2.1: Version Scanning, OS Detection, NSE, and GoWitness
- Lab 2.2: Password Guessing
- Lab 2.3: Azure Recon and Password Spraying
- Lab 2.4: Responder
- Lab 2.5: Metasploit and Meterpreter
Section 3Post-Exploitation
Section 3 focuses on post-exploitation, teaching credential access with Mimikatz, Metasploit, and Hashcat. Students build C2 skills with Sliver, craft evasive payloads, and use tools like Seatbelt for situational awareness on Linux and Windows. The section ends with Windows privilege escalation techniques to gain admin access.
Topics covered
- Credential Harvesting and Password Dumping
- Offline Password Cracking with Hashcat
- Command and Control with Sliver
- Payload Generation and Delivery
- Windows and Linux Situational Awareness
Labs
- Lab 3.1: MSF psexec, hashdump, and Mimikatz
- Lab 3.2: Hashcat
- Lab 3.3: Sliver
- Lab 3.4: Payloads
- Lab 3.5: Seatbelt
Section 4Domain Privilege Escalation and Lateral Movement
Section 4 explores Kerberos and Kerberoasting to crack service accounts, plus BloodHound for attack path mapping and ADCS exploitation for privilege escalation. Students practice lateral movement using SSH, Impacket, and native tools, then perform Pass-the-Hash and pivoting with Metasploit and C2 frameworks.
Topics covered
- Kerberos Authentication and Kerberoasting
- BloodHound for Attack Path Analysis
- Active Directory Certificate Services Exploitation
- Lateral Movement from Windows and Linux
- Impacket Toolkit Usage
Labs
- Lab 4.1: Kerberoasting
- Lab 4.2: BloodHound
- Lab 4.3: Active Directory Certificate Services
- Lab 4.4: Lateral Movement from Windows
- Lab 4.5: Lateral Movement from Linux
Section 5Persistence and Evading Controls
Section 5 teaches persistence via registry edits, tasks, and WMI while evading AMSI and EDR defenses. Students learn professional reporting, advanced AD attacks like Pass-the-Ticket, DCSync, and Golden/Silver tickets, then shift to cloud exploits targeting Azure authentication, RBAC abuse, and managed identities.
Topics covered
- Persistence Mechanisms and Techniques
- Bypassing AMSI, AV/EDR, and Application Controls
- Penetration Testing Reporting Best Practices
- Advanced Kerberos and Domain Dominance Attacks
- Golden and Silver Ticket Forgery
Labs
- Lab 5.1: Persistence
- Lab 5.2: MSBuild and Application Control Bypass
- Lab 5.3: Domain Dominance
- Lab 5.4: Golden Ticket
- Lab 5.5: Silver Ticket
Section 6CTF and Next Steps
Section 6 culminates in a team-based Capture the Flag event applying all learned skills across target networks. Afterward, students explore next steps with cloud pentesting resources, GIAC GPEN prep, home lab guidance, and advanced training like Game of Active Directory to refine attack mastery.
Topics covered
- Capture the Flag Competition
- Cloud Penetration Testing Resources
- GIAC GPEN Exam Preparation
- Building Home Lab Environments
- Advanced Training and Practice
Labs
- CTF: Multi-Network Penetration Testing Competition
Things You Need To Know
Relevant Job Roles
Vulnerability Assessment Analyst (DCWF 541)
DoD 8140: CybersecurityAssesses systems and networks to ensure compliance with policies and identify vulnerabilities in support of secure and resilient operations.
Explore learning pathVulnerability Assessment
SCyWF: Protection And DefenseThis role tests IT systems and networks and assesses their threats and vulnerabilities. Find the SANS courses that map to the Vulnerability Assessment SCyWF Work Role.
Explore learning pathVulnerability Analysis (OPM 541)
NICE: Protection and DefenseResponsible for assessing systems and networks to identify deviations from acceptable configurations, enclave policy, or local policy. Measure effectiveness of defense-in-depth architecture against known vulnerabilities.
Explore learning pathExploitation Analyst (DCWF 121)
DoD 8140: Cyber EffectsCollaborates to identify access and collection gaps using cyber resources and techniques to penetrate target networks and support mission operations.
Explore learning pathApplication Pen Tester
Offensive OperationsApplication penetration testers probe the security integrity of a company’s applications and defenses by evaluating the attack surface of all in-scope vulnerable web-based services, clientside applications, servers-side processes, and more. Mimicking a malicious attacker, app pen testers work to bypass security barriers in order to gain access to sensitive information or enter a company’s internal systems through techniques such as pivoting or lateral movement.
Explore learning pathCyber Operations Planner (DCWF 332)
DoD 8140: Cyber EffectsCoordinates cyber operations plans, working with analysts and operators to support targeting and synchronization of actions in cyberspace.
Explore learning pathPenetration Tester
European Cybersecurity Skills FrameworkAssess the effectiveness of security controls, reveals and utilise cybersecurity vulnerabilities, assessing their criticality if exploited by threat actors.
Explore learning pathTarget Digital Network Analyst (DCWF 132)
DoD 8140: Cyber EffectsPerforms advanced analysis of collection and open-source data to track target activity, profile cyber behavior, and support cyberspace operations.
Explore learning pathCourse Schedule & Pricing
Looking for Group Purchase Options?Contact Us
GIAC Certification Attempt
Add a GIAC certification attempt and receive free two practice tests. View pricing in the info icons below.
OnDemand Course Access
When purchasing a live instructor-led class, add an additional 4 months of online access after your course. View pricing in the info icons below.
Location & instructorDate & TimeCourse priceRegistration Options
- Date & TimeOnDemand (Anytime)Self-Paced, 4 months accessCourse price$8,780 USD*Prices exclude applicable local taxesRegistration Options
- Date & TimeFetching schedule..View event detailsCourse price$8,780 USD*Prices exclude applicable local taxes
- Date & TimeFetching schedule..View event detailsCourse price$8,900 USD*Prices exclude applicable local taxes
- Date & TimeFetching schedule..View event detailsCourse price£7,160 GBP*Prices exclude applicable taxes | EUR price available during checkoutRegistration Options
- Date & TimeFetching schedule..View event detailsCourse price$8,780 USD*Prices exclude applicable local taxes
- Date & TimeFetching schedule..View event detailsCourse price€8,230 EUR*Prices exclude applicable local taxes
- Date & TimeFetching schedule..View event detailsCourse price$8,780 USD*Prices exclude applicable local taxes
- Date & TimeFetching schedule..View event detailsCourse price$8,780 USD*Prices exclude applicable local taxes
- Date & TimeFetching schedule..View event detailsCourse price¥1,335,000 JPY*Prices exclude applicable local taxes
- Date & TimeFetching schedule..View event detailsCourse price$8,900 USD*Prices exclude applicable local taxesRegistration Options
Showing 10 of 25
Learn Alongside Leading Cybersecurity Professionals From Around The World
- Slide 1 of 3I think if you genuinely want to learn how exploitation techniques work and how to properly think like a hacker, it would be silly not to attend SEC560.
- Slide 2 of 3SEC560 introduces the whole process of penetration testing from the start of engagement to the end.
- Slide 3 of 3Thank you for an amazing week of training in SEC560! My favorite parts were lateral movement, password cracking, and web exploits!
Slide 1 of 0
(1/0)
Benefits of Learning with SANS
Get feedback from the world’s best cybersecurity experts and instructors
Choose how you want to learn - online, on demand, or at our live in-person training events
Get access to our range of industry-leading courses and resources