SEC536: Adversarial AI - Penetration Testing AI Systems
SEC536Offensive Operations
SANS Community Benefits
Connect, learn, and share with other cybersecurity professionals
SEC530: Defensible Security Architecture and Engineering: Implementing Zero Trust for the Hybrid Enterprise
SEC530Cyber Defense
- 6 Days (Instructor-Led)
- 36 Hours (Self-Paced)
Course authored by:
Ismael Valenzuela
Course authored by:Ismael Valenzuela
- GIAC Defensible Security Architecture (GDSA)
- 36 CPEs
Apply your credits to renew your certifications
- In-Person, Virtual or Self-Paced
Attend a live, instructor-led class at a location near you or remotely, or train on your time over 4 months
- Intermediate Skill Level
Course material is geared for cyber security professionals with hands-on experience
- 24 Hands-On Lab(s)
Apply what you learn with hands-on exercises and labs
Achieve a holistic approach to defensible security architecture for the AI era. Engineer Zero Trust architectures across networks, applications, data, identity, and AI-assisted enforcement.
Featured Quote
I would highly recommend this for any business and organization […] to fully understand why this attitude of Zero Trust needs to be taken into consideration. This course covers areas that CISSP or Sec+ would not.
Course Overview
SEC530 teaches practical security architecture and engineering for the AI era, helping you design and build stronger prevention, detection, and response capabilities by leveraging your existing infrastructure like next-gen firewalls, SIEM, identity platforms, cloud controls, routers, switches, IDS/IPS, WAF, proxies, encryption, PKI, and Microsoft Entra ID, among others.
What You’ll Learn
- Design defensible security architectures using the DARIOM, MITRE ATT&CK, and ZT principles
- Harden routers, switches, IPv6, segmentation boundaries, NAC, and identity-based access
- Engineer network visibility using NGFWs, NDR/NSM, Zeek, Suricata, flow data, and cloud telemetry
- Design secure access strategies with ZTNA, SASE, TLS inspection, and encryption tradeoffs
- Protect applications, APIs, and data with WAAP, WAF, DSPM, DLP, and workload identity
- Defend against OAuth abuse, token theft, PRT abuse, MFA bypass, and cloud lateral movement
- Connect ITDR risk signals to Conditional Access enforcement with OCSF-normalized telemetry
Business Takeaways
- Identify security architecture gaps across networks, identity, and visibility pipelines
- Use existing infrastructure more effectively while moving toward Zero Trust outcomes
- Prioritize controls by business impact, adversary behavior, and implementation cost
- Prepare security architecture for AI-driven business workflows and AI-enabled adversaries
- Reduce attack surface with segmentation, ZTNA, least privilege, and context-aware access
- Strengthen identity defense against OAuth abuse, MFA fatigue, and credential theft
- Connect engineered security signals to enforcement through risk scoring and Conditional Access
Meet Your Author
Ismael Valenzuela
Senior InstructorIsmael is a Senior SANS Instructor and Arctic Wolf VP. Author of SEC530 and a prestigious GSE-certified expert, he blends decades of SOC, threat research, and community contributions to equip defenders with resilient, adversary-aware strategies.
Read more about Ismael ValenzuelaCourse Syllabus
Explore the course syllabus below to view the full range of topics covered in SEC530: Defensible Security Architecture and Engineering: Implementing Zero Trust for the Hybrid Enterprise.
Section 1A Journey Toward Zero Trust: Defensible Security Strategies for the AI Era
Section 1 establishes the architecture method used throughout SEC530. It introduces defensible security architecture, the DARIOM lifecycle, Time-Based Security, MITRE ATT&CK threat modeling, and the Zero Trust journey grounded in NSA ZIG. Hands-on work covers Layer 2 controls, flow data, OCSF normalization, & behavioral baselining for AI-era visibility.
Topics covered
- Defensible security architecture, DARIOM, and Time-Based Security
- Threat modeling with MITRE ATT&CK, ATT&CK Navigator, DeTT&CT, and MITRE ATLAS
- Zero Trust strategy, NIST SP 800-207, CISA ZTMM, and NSA ZIG pillars
- Physical, wireless, and Layer 2 security: VLANs, PVLANs, ARP spoofing, switch controls
- Flow data with NetFlow, IPFIX, sFlow, Suricata, OCSF normalization, baselining
Labs
- Practical Threat Modeling with MITRE ATT&CK
- Egress Analysis
- Layer 2 Attacks
- Architecting for Flow Data
Section 2Network Architecture: Edge, Segmentation, and Identity-Based Access Control
Section 2 focuses on the network architecture layer: hardened edge devices, router and switch security, IPv6, segmentation, NAC, and identity-based access control. Drawing on Volt Typhoon & Salt Typhoon threat models, students engineer Zero Trust enforcement points and connect traditional network engineering to SD-WAN, SSE, ZTNA, SASE, and microsegmentation.
Topics covered
- Router, switch, and SD-WAN hardening with AAA, TACACS+, RADIUS, and logging
- SNMP security, NTP/NTS, bogon filtering, blackholes, darknets, and edge visibility
- IPv6 security, rogue router advertisements, Neighbor Discovery attacks, and tunnels
- Macro- and micro-segmentation, OT/ICS segmentation, data diodes, and zone design
- NAC, 802.1X, OpenZiti, Software-Defined Perimeter, and identity-based segmentation
Labs
- Router Security
- IPv6
- Identity-Based Segmentation with OpenZiti
Section 3Network Detection, Secure Access, and Encrypted Traffic
Section 3 builds network-centric visibility & secure access architecture. It covers NGFW design, NDR/NSM placement, Security Onion, Zeek, Suricata, proxies, email security, ZTNA, SASE, mTLS, PKI, TLS inspection, and post-quantum encryption. The section emphasizes control placement, signal collection, & visibility as traffic encrypts across AI-era workflows.
Topics covered
- NGFW architecture, application control, DNS security, sinkholing, and GenAI exfiltration
- Network visibility with NSM, NDR, Security Onion, Zeek, Suricata, and cloud telemetry
- Web and SMTP proxies, SWG, remote browser isolation, SPF, DKIM, DMARC, sandboxing
- Secure remote access with VPN, ZTNA, SASE, SSE, OpenZiti, and cloud-routed access
- Encryption architecture: mTLS, PKI, IPsec, ZTDNS, TLS inspection, and PQC readiness
Labs
- Architecting for NSM
- Network Security Monitoring
- Encryption Considerations
Section 4Data-Centric Security: Protecting Data, APIs, and Workloads
Section 4 shifts the architecture toward applications, APIs, data, and workloads. It covers WAAP, WAFs, API gateways, RASP, database security, data discovery, encryption, DLP, DSPM, MDM, and privileged access. The section connects data controls to Zero Trust enforcement and addresses AI data security and exfiltration challenges from generative AI.
Topics covered
- WAAP, WAF, API gateways, OWASP API Security Top 10, ModSecurity, and RASP
- Database security, data discovery, credential abuse, masking, and activity visibility
- Data encryption at rest and in use, confidential computing, HSM/KMS, and PQC awareness
- Data governance, Microsoft Purview, DSPM, CASB, DLP, and GenAI exfiltration controls
- Privileged access, PAWs, JIT, PIM/PAM, MDM, Kubernetes, SBOM, and runtime visibility
Labs
- Securing Web Applications
- Discovering Sensitive Data
- Secure Visualization
Section 5Zero Trust in Action: Identity, Deception, and Agentic Orchestration
Section 5 brings the architecture together through identity-centered design, telemetry, and enforcement. It covers NSA ZIG, OAuth and token abuse, Silk Typhoon-style identity attacks, ITDR, OCSF normalization, LangGraph agentic orchestration, and deception. Students learn to use AI responsibly while controlling agent identity and human-in-the-loop gates.
Topics covered
- Variable trust, NSA ZIG activity levels, and identity enforcement
- IAM, IdP federation, FIDO2, passkeys, OAuth 2.0, OIDC, and Entra ID controls
- Silk Typhoon, token theft, PRT abuse, MFA fatigue, AiTM phishing, ITDR, and UEBA
- Agentic AI security, NHI, OWASP LLM risks, MITRE ATLAS, LangGraph, and risk scoring
- Log architecture, Sysmon, Sigma, deception, honeytokens, and AI-resilient defense
Labs
- ITDR Part 1: Identity Attacks in the Cloud
- ITDR Part 2: Agentic AI Orchestration, Risk Scoring, and Conditional Access Response
- Sigma Generic Signatures
- Advanced Defense Strategies
Section 6Hands-On Secure the Flag Challenge
Section 6 is the capstone challenge. Apply SEC530 architecture and engineering techniques in an immersive Secure the Flag environment. Assess, design, harden, validate, and defend Tyrell Corporation systems using controls and thinking patterns built throughout the course, including Zero Trust, visibility, identity, and enforcement concepts.
Topics covered
- Defensible security architecture under pressure
- Architecture assessment, attack-path analysis, and weakness identification
- Tool- and script-based validation of the initial state
- Defensive design changes, validation evidence, and challenge strategy
- Practical application of Zero Trust, network, data, identity, and enforcement controls
Labs
- Capstone - Design, Detect, Defend
Things You Need To Know
Relevant Job Roles
Protection
SCyWF: Protection And DefenseThis role uses cybersecurity tools to protect information, systems and networks from cyber threats. Find the SANS courses that map to the Protection SCyWF Work Role.
Explore learning pathCybersecurity Research & Development
SCyWF: Cybersecurity Architecture, Research And DevelopmentThis role conducts conducts cybersecurity research and development. Find the SANS courses that map to the Cybersecurity Research & Development SCyWF Work Role.
Explore learning pathCybersecurity Architect
European Cybersecurity Skills FrameworkPlans and designs security-by-design solutions (infrastructures, systems, assets, software, hardware and services) and cybersecurity controls.
Explore learning pathSecurity Architect Training, Salary, and Career Path
Cyber DefenseDesign, implement, and tune an effective combination of network-centric and data-centric controls to balance prevention, detection, and response. Security architects and engineers are capable of looking at an enterprise defense holistically and building security at every layer. They can balance business and technical requirements along with various security policies and procedures to implement defensible security architectures.
Explore learning pathCybersecurity Architecture (OPM 652)
NICE: Design and DevelopmentResponsible for ensuring that security requirements are adequately addressed in all aspects of enterprise architecture, including reference models, segment and solution architectures, and the resulting systems that protect and support organizational mission and business processes.
Explore learning pathInfrastructure Design (IFDN)
Skills Framework for the Information AgePlanning and design of secure, scalable, and resilient infrastructure across on-premise, cloud, and hybrid environments. Design outputs meet both current and future business needs.
Explore learning pathCyber Defense Infrastructure Support Specialist (DCWF 521)
DoD 8140: CybersecurityDeploys, configures, maintains infrastructure software and hardware to support secure and effective IT operations across organizational systems.
Explore learning pathNetwork Operations Specialist (DCWF 441)
DoD 8140: Cyber ITImplements and maintains network services, including hardware and virtual systems, ensuring operational support for infrastructure platforms.
Explore learning pathCourse Schedule and Pricing
Have Questions?Contact Us
Group and Private Pricing
Enroll your team as a group or arrange a private session for your organization. We’ll help you choose the format that fits your goals.
Location & instructorDate & TimeCourse priceRegistration Options
- Date & TimeOnDemand (Anytime)Self-Paced, 4 months accessCourse price$8,780 USD*Prices exclude applicable local taxesRegistration Options
- Date & TimeFetching schedule..Course price$8,900 USD*Prices exclude applicable local taxes
- Date & TimeFetching schedule..Course price$8,780 USD*Prices exclude applicable local taxes
- Date & TimeFetching schedule..Course price$8,900 USD*Prices exclude applicable local taxesRegistration Options
- Date & TimeFetching schedule..Course price$8,780 USD*Prices exclude applicable local taxes
- Date & TimeFetching schedule..Course price€8,230 EUR*Prices exclude applicable local taxes
- Date & TimeFetching schedule..Course price$8,780 USD*Prices exclude applicable local taxes
- Date & TimeFetching schedule..Course price$8,900 USD*Prices exclude applicable local taxes
- Date & TimeFetching schedule..Course price€8,230 EUR*Prices exclude applicable local taxesRegistration Options
- Date & TimeFetching schedule..Course price$8,900 USD*Prices exclude applicable local taxes
Showing 10 of 20
Learn Alongside Leading Cybersecurity Professionals From Around The World
- Slide 1 of 4SEC530 is a great course for Blue Teams & Security Engineers. This is an evolution to the significance of good & practical defense approach in enterprises.
- Slide 2 of 4I just have to say, these labs are astonishingly well set up. They demonstrate exactly what's needed in very few steps. There's a lot of moving parts behind some of them but they are robust, and all in a small VM footprint. I've never seen any course lab environment executed so well.
- Slide 3 of 4This training showed how overall security posture of an organization can be improved. It helps connect the dots between different areas within security infrastructure.
- Slide 4 of 4SEC530 teaches you to defend and put mechanisms in place to secure the environment. The real life scenarios and examples were priceless.
Slide 1 of 0
(1/0)
Benefits of Learning with SANS
Get feedback from the world’s best cybersecurity experts and instructors
Choose how you want to learn - online, on demand, or at our live in-person training events
Get access to our range of industry-leading courses and resources