SEC595: Applied Data Science and AI/Machine Learning for Cybersecurity Professionals
SEC595Cyber Defense, Artificial Intelligence
SANS Community Benefits
Connect, learn, and share with other cybersecurity professionals
Gain technical knowledge in network monitoring and threat detection. Learn to identify emerging threats, perform large-scale correlation for threat hunting, and reconstruct network attacks.
Featured Quote
The concepts learned in SEC503 helped me bridge a gap in knowledge of what we need to better protect our organization.
Course Overview
SEC503 is the threat detection training you need to gain the skills and hands-on experience to defend both traditional and cloud-based networks. It covers TCP/IP theory and key application protocols to help you analyze network traffic effectively. You'll learn how to detect threats, conduct large-scale threat hunting, and reconstruct attacks from network data. This in-depth network monitoring training course also supports preparation for the GCIA certification (GIAC Certified Intrusion Analyst), a respected credential for professionals responsible for network security monitoring and analysis.
What You’ll Learn
- Analyze traffic to detect threats and anomalies
- Detect zero-day threats using advanced techniques
- Configure and tune network security tools
- Perform network forensics to reconstruct events
- Understand and differentiate normal and abnormal traffic
- Develop threat models to enhance detection capabilities
- Practice hands-on skills through real-world scenarios
Business Takeaways
- Avoid your organization becoming another front-page headline
- Augment detection in traditional, hybrid, and cloud network environments
- Increase efficiency in threat modeling for network activities
- Decrease attacker dwell time
Meet Your Author
Andrew Laman
Senior InstructorAndy Laman is a Senior SANS Instructor and author of SEC503: Network Monitoring and Threat Detection In-Depth. Founder of A4 InfoSec and a veteran of enterprise security leadership, he holds the elite GIAC Security Expert (GSE #142) certification. Andy also serves on the GIAC Advisory Board and faculty of the SANS Technology Institute.
Read more about Andrew LamanCourse Syllabus
Explore the course syllabus below to view the full range of topics covered in SEC503: Network Monitoring and Threat Detection In-Depth.
Section 1Network Monitoring and Analysis: Part I
Section one dives into TCP/IP fundamentals to build a deep understanding of network traffic and threat detection. Students learn packet analysis using Wireshark and tcpdump, explore real-world traffic, and practice identifying attacker behaviors through hands-on exercises and a Bootcamp-style challenge.
Topics covered
- Concepts of TCP/IP
- Introduction to Wireshark
- Network Access/Link Layer: Layer 2
- IP Layer: Layer 3
- UNIX Command Line Processing
Labs
- TCP/IP
- Wireshark
- Network Access Link/Link Payer
- IP
- Fragmentation
Section 2Network Monitoring and Analysis: Part II
Section two wraps up "Packets as a Second Language" by diving into transport-layer protocols (TCP, UDP, ICMP) and advanced traffic analysis with Wireshark and tcpdump. Students filter large-scale data to spot threats, expand threat models, and practice real-world packet analysis through hands-on labs and Bootcamp-style exercises.
Topics covered
- Wireshark Display Filters and Writing BPF Filters
- TCP
- UDP
- ICMP
- QUIC
Labs
- Wireshark Display Filters
- Writing tcpdump Filters
- TCP
- UDP/ICMP
- QUIC
Section 3Signature-Based Threat Detection and Response
Section three shifts to application layer protocols and modern threat detection across cloud, hybrid, and traditional networks. Students learn to read/write Snort/Suricata rules, analyze protocols like DNS and HTTP(S), and their impact on signature-based detection systems.
Topics covered
- Network Architecture
- Signature-based Detection Systems
- HTTPs
- DNS
- Microsoft Protocols
Labs
- Running Snort and Suricata
- Writing Rules
- HTTP
- DNS
Section 4Building Zero-Day Threat Detection Systems
Section four focuses on advanced behavioral detection using Zeek/Corelight. Students explore network architecture, TLS interception, encrypted traffic analysis, and scripting for anomaly detection. The section includes hands-on Zeek labs, Scapy use for testing, and evasion technique analysis, all leading into a real-world Bootcamp scenario.
Topics covered
- Zeek
- Scapy
- IDS/IPS Evasion Theory
- Extract Payloads/Encryption
Labs
- Running Zeek and Zeek Output
- Zeek Signatures
- Zeek Scripting
- Evasion Techniques
- Packet Crafting
Section 5Large-Scale Threat Detection, Forensics, and Analytics
Section five emphasizes hands-on practice in large-scale analysis using NetFlow/IPFIX, traffic analytics, and AI/ML for anomaly detection. Students apply zero-day threat hunting techniques and perform network forensics through real-world incident reconstructions using tools and skills developed throughout the course.
Topics covered
- Using Network Flow Records
- Threat Hunting and Visualization
- Introduction to Network Forensic Analysis
Labs
- SiLK and NetFlow
- SiLK Statistics
- Basic Analytics
- Researching Anomalies
- Artificial Intelligence
Section 6Advanced Network Monitoring and Threat Detection Capstone
The course ends with a fun, hands-on capstone where students compete solo or in teams to analyze real-world data from a live-fire incident. Using tools and theory from the course, they answer questions in a timed "ride-along" challenge based on an investigation by professional analysts.
Things You Need To Know
Course Schedule and Pricing
Have Questions?Contact Us
Group and Private Pricing
Enroll your team as a group or arrange a private session for your organization. We’ll help you choose the format that fits your goals.
Location & instructorDate & TimeCourse priceRegistration Options
- Date & TimeOnDemand (Anytime)Self-Paced, 4 months accessCourse price$8,780 USD*Prices exclude applicable local taxesRegistration Options
- Date & TimeFetching schedule..Course price$8,780 USD*Prices exclude applicable local taxes
- Date & TimeFetching schedule..Course price€8,230 EUR*Prices exclude applicable local taxes
- Date & TimeFetching schedule..Course price$8,780 USD*Prices exclude applicable local taxesRegistration Options
- Date & TimeFetching schedule..Course price$8,780 USD*Prices exclude applicable local taxes
- Location & instructor
SANS Cyber Defence Australia 2026
Canberra, ACT, AU & Virtual (live)
Instructed byDate & TimeFetching schedule..Course priceA$13,350 AUD*Prices exclude applicable local taxes - Date & TimeFetching schedule..Course price$8,900 USD*Prices exclude applicable local taxes
- Date & TimeFetching schedule..Course price£7,160 GBP*Prices exclude applicable taxes | EUR price available during checkout
- Date & TimeFetching schedule..Course price$8,780 USD*Prices exclude applicable local taxes
- Date & TimeFetching schedule..Course price$8,780 USD*Prices exclude applicable local taxes
Showing 10 of 15
Learn Alongside Leading Cybersecurity Professionals From Around The World
- Slide 1 of 4From a heavy background in host forensics and limited knowledge in network analysis and forensics, SEC503 has filled in a lot of the gaps in knowledge I have had throughout my career.
- Slide 2 of 4I feel like I have been working with my eyes closed before this course.
- Slide 3 of 4This course is outstanding! It has changed my view on my network defense tools and the need to correlate data through multiple tools.
- Slide 4 of 4SEC503 completely changed how I look at networking and how I approach problems, and it significantly increased my understanding of intrusion detection.
Slide 1 of 0
(1/0)
Benefits of Learning with SANS
Get feedback from the world’s best cybersecurity experts and instructors
Choose how you want to learn - online, on demand, or at our live in-person training events
Get access to our range of industry-leading courses and resources