SANS 2013

Orlando, FL | Fri, Mar 8 - Fri, Mar 15, 2013

MGT535: Incident Response Team Management

Sat, March 9, 2013

Since I am fresh out of college this was a definite eye opener. This course was very valuable in that it gives a view of most tools available for auditing networks.

Ryan Awai, SANS Student

This course brings hands-on and very relevant information for everyone establishing or being part of an incident response team.

Geir Lossius, Sparebanken Vest

This course will take you to the next level of managing an incident response team. Given the frequency and complexity of today's attacks, incident response has become a critical function for organizations. Detecting and efficiently responding to incidents, especially those where critical resources are exposed to elevated risks, has become paramount, and to be effective, incident response efforts must have strong management processes to facilitate and guide them. Managing an incident response team requires special skills and knowledge. A background in information security management or security engineering is not sufficient for managing incidents. Furthermore, incident responders with strong technical skills do not necessarily become effective incident response managers. Special training is necessary.

This course was developed by an information security professional with over 26 years of experience, much of it in incident response. He was the founder of the first U.S. government incident response team. Students will learn by applying course content through hands-on skill-building exercises. These exercises range from writing and evaluating incident response procedures to table-top validation of procedures, incident response management role playing in hypothetical scenarios, and hands-on experience in tracking incident status in hypothetical scenarios.


  • Introduction to incident response
  • Establishing requirements
  • Setting up operations
  • Communications
  • Making operations work
  • Legal and regulatory issues
  • Training, education, and awareness


Additional Information

Students can bring any type of laptop with any type of word processing software and any type of calculator tool. There is no specific requirement for a particular operating system or office suite.

If you have additional questions about the laptop specifications, please contact laptop_prep@sans.org.

  • Information security engineers and managers
  • IT managers
  • Operations managers
  • Risk management professionals
  • IT/system administration/network administration professionals
  • IT auditors
  • Business continuity and disaster recovery staff

  • SEC504: Hacker Techniques, Exploits, and Incident Handling
  • MGT512: SANS Security Leadership Essentials for Managers with Knowledge Compression™
  • MGT519: IT Security Strategic Planning, Policies and Leadership
  • FOR408: Computer Forensic Investigations - Windows In-Depth

Author Statement

I've developed this course because of the critical importance of good management in incident response efforts. As management goes, so do these efforts. I've learned much about incident response management from having formed and managed incident response teams and from helping many organizations start or improve incident response efforts. I've taken the knowledge and skills I have gained and incorporated them into this course. - Eugene Schultz, Ph.D

Dr. Schultz passed away Oct 2, 2011. Though I do not have his level of experience, I was asked by the White House to handle national cyber response issues for Y2K and founded the incident response team that preceded the Internet Storm Center. More importantly, we have asked incident response managers from the community to help us keep this course up to date and relevant. The author royalties from this course will be sent to the Schultz family. - Stephen Northcutt, President, The SANS Technology Institute.