

Gain technical knowledge in network monitoring and threat detection. Learn to identify emerging threats, perform large-scale correlation for threat hunting, and reconstruct network attacks.
The concepts learned in SEC503 helped me bridge a gap in knowledge of what we need to better protect our organization.
SEC503 is the threat detection training you need to gain the skills and hands-on experience to defend both traditional and cloud-based networks. It covers TCP/IP theory and key application protocols to help you analyze network traffic effectively. You'll learn how to detect threats, conduct large-scale threat hunting, and reconstruct attacks from network data. This in-depth network monitoring training course also supports preparation for the GCIA certification (GIAC Certified Intrusion Analyst), a respected credential for professionals responsible for network security monitoring and analysis.


Andy Laman is a Senior SANS Instructor and author of SEC503: Network Monitoring and Threat Detection In-Depth. Founder of A4 InfoSec and a veteran of enterprise security leadership, he holds the elite GIAC Security Expert (GSE #142) certification. Andy also serves on the GIAC Advisory Board and faculty of the SANS Technology Institute.
Explore the course syllabus below to view the full range of topics covered in SEC503: Network Monitoring and Threat Detection In-Depth.
Section one dives into TCP/IP fundamentals to build a deep understanding of network traffic and threat detection. Students learn packet analysis using Wireshark and tcpdump, explore real-world traffic, and practice identifying attacker behaviors through hands-on exercises and a Bootcamp-style challenge.
Section two wraps up "Packets as a Second Language" by diving into transport-layer protocols (TCP, UDP, ICMP) and advanced traffic analysis with Wireshark and tcpdump. Students filter large-scale data to spot threats, expand threat models, and practice real-world packet analysis through hands-on labs and Bootcamp-style exercises.
Section three shifts to application-layer protocols and modern threat detection across cloud, hybrid, and traditional networks. Students learn to read and write Snort/Suricata rules, analyze protocols such as DNS and HTTP(S), and understand how those protocols affect signature-based detection systems.
Section four focuses on advanced behavioral detection using Zeek/Corelight. Students explore network architecture, TLS interception, encrypted traffic analysis, and scripting for anomaly detection. The section includes hands-on Zeek labs, Scapy use for testing, and evasion technique analysis, all leading into a real-world Bootcamp scenario.
Section five emphasizes hands-on practice in large-scale analysis using NetFlow/IPFIX, traffic analytics, and AI/ML for anomaly detection. Students apply zero-day threat hunting techniques and perform network forensics through real-world incident reconstructions using tools and skills developed throughout the course.
The course ends with a fun, hands-on capstone where students compete solo or in teams to analyze real-world data from a live-fire incident. Using tools and theory from the course, they answer questions in a timed "ride-along" challenge based on an investigation by professional analysts.
From a heavy background in host forensics and limited knowledge in network analysis and forensics, SEC503 has filled in a lot of the gaps in knowledge I have had throughout my career.
I feel like I have been working with my eyes closed before this course.
This course is outstanding! It has changed my view on my network defense tools and the need to correlate data through multiple tools.
SEC503 completely changed how I look at networking and how I approach problems, and it significantly increased my understanding of intrusion detection.
