SEC595: Applied Data Science and AI/Machine Learning for Cybersecurity Professionals




Apply your credits to renew your certifications
Attend a live, instructor-led class at a location near you or remotely, or train on your time over 4 months
Apply what you learn with hands-on exercises and labs
Achieve a holistic approach to defensible security architecture and engineering. Master tactics from network segmentation to conditional access and privileged identity controls under Zero Trust.
I would highly recommend this for any business and organization […] to fully understand why this attitude of Zero Trust needs to be taken into consideration. This course covers areas that CISSP or Sec+ would not.
SEC530 teaches practical cyber defense, improving prevention, detection, and response by leveraging your existing infrastructure such as firewalls, SIEM, identity platforms, and cloud controls. You will learn to assess and reconfigure technologies to reduce attack surfaces, and to anticipate threats while showcasing practical Zero Trust-like implementations. Over 25 hands-on labs will reinforce your skills, offering vendor-neutral expertise and real-world application. Whether you're building out a SOC or strengthening enterprise defenses, SEC530 stands out among cyber security architect courses for its hands-on approach and hybrid enterprise focus. SEC530 is a course designed by all-around defenders for all-around defenders, emphasizing actionable skills and Zero Trust infrastructure enhancements for the hybrid enterprise.


Ismael is a Senior SANS Instructor and Arctic Wolf VP. Author of SEC530 and a prestigious GSE-certified expert, he blends decades of SOC, threat research, and community contributions to equip defenders with resilient, adversary-aware strategies.
Explore the course syllabus below to view the full range of topics covered in SEC530: Defensible Security Architecture and Engineering: Implementing Zero Trust for the Hybrid Enterprise.
This section covers defensible system design, Zero Trust principles, and practical threat modeling using MITRE ATT&CK. It emphasizes building a strong foundation, from physical to network security, using VLANs, NetFlow baselining, and Time-Based Security.
Section 2 details hardening hybrid infrastructure: routers and firewalls in on-prem and cloud deployments. It covers often-overlooked IPv6 security, addressing errors and solutions. It covers key Zero Trust concepts like macro, micro, and identity-based segmentation, including a new lab with OpenZiti. Finally, it covers web and SMTP proxy security.
This section focuses on optimizing network security tech (NGFW, IDS/IPS, Proxies, VPNs, ZTNA and SASE) with Zero Trust. It critiques over-reliance on built-in features, advocating for application-layer security to boost prevention and detection. It covers application proxies, remote access (VPNs, ZTNA and SASE), and the risks/benefits of TLS decryption.
This section covers data-centric security, a core Zero Trust strategy. It emphasizes identifying, classifying, and protecting critical data across on-prem and cloud environments. It also explores data governance, WAFs, DAM, WAAP, RASP, Microsoft Purview, MDM, and Entra ID, and advocates prioritizing security controls around vital data, not everything.
Section 5 shifts from "trust but verify" to "verify then trust." It leverages previous learning to implement adaptive trust models and effective identity management and federation, to defend against modern authentication attacks, and to use AI, Analytics and MITRE ATT&CK content engineering to maintain a defensible security architecture.
The course concludes with an immersive team-based "Design-and-Secure-the-Flag" competition, powered by SANS Cyber Ranges. Teams apply principles in a full-day, hands-on challenge. They assess, design, and secure systems, using learned skills to defend Tyrell Corporation from a replicant attack, demonstrating techniques learned throughout SEC530.
This role uses cybersecurity tools to protect information, systems and networks from cyber threats. Find the SANS courses that map to the Protection SCyWF Work Role.
This role conducts cybersecurity research and development. Find the SANS courses that map to the Cybersecurity Research & Development SCyWF Work Role.
Design, implement, and tune an effective combination of network-centric and data-centric controls to balance prevention, detection, and response. Security architects and engineers are capable of looking at an enterprise defense holistically and building security at every layer. They can balance business and technical requirements along with various security policies and procedures to implement defensible security architectures.
Responsible for ensuring that security requirements are adequately addressed in all aspects of enterprise architecture, including reference models, segment and solution architectures, and the resulting systems that protect and support organizational mission and business processes.
Implements and maintains network services, including hardware and virtual systems, ensuring operational support for infrastructure platforms.
This role uses monitoring and analysis tools to identify and analyze events and to detect incidents. Find the SANS courses that map to the Defense SCyWF Work Role.
Designs secure enterprise systems considering environmental constraints and translates them into enforceable security processes and protocols.
This job, which may have varying titles depending on the organization, is often characterized by the breadth of tasks and knowledge required. The all-around defender and Blue Teamer is the person who may be the primary security contact for a small organization, and must deal with engineering and architecture, incident triage and response, security tool administration and more.
Add a GIAC certification attempt and receive two free practice tests. View pricing in the info icons below.
When purchasing a live instructor-led class, add an additional 4 months of online access after your course. View pricing in the info icons below.
SEC530 is a great course for Blue Teams & Security Engineers. This is an evolution to the significance of a good & practical defense approach in enterprises.
I just have to say, these labs are astonishingly well set up. They demonstrate exactly what's needed in very few steps. There's a lot of moving parts behind some of them but they are robust, and all in a small VM footprint. I've never seen any course lab environment executed so well.
This training showed how overall security posture of an organization can be improved. It helps connect the dots between different areas within security infrastructure.
SEC530 teaches you to defend and put mechanisms in place to secure the environment. The real life scenarios and examples were priceless.
