Our SANS Cyber Defense curriculum provides intensive, immersion training designed to help you and your staff master the practical steps necessary for defending systems and applications against the most dangerous threats. Our courses are full of important and immediately useful techniques that you can put to work as soon as you return to your office. The curriculum has been developed through a consensus process involving industry leading engineers, architects, administrators, developers, security managers, and information security professionals.

Blue Teamer - All Around Defender

This job, which may have varying titles depending on the organization, is often characterized by the breadth of tasks and knowledge required. The all-around defender and Blue Teamer is the person who may be a primary security contact for a small organization, and must deal with engineering and architecture, incident triage and response, security tool administration and more.
  • Linux is the operating system of millions of systems all around the world. No matter what area of cybersecurity you work in or the vertical you support, to do your job effectively you need to understand how Linux works and how to secure it. Skilled attackers certainly know how to use and operate in a Linux environment and love nothing more than to find your security tools running on improperly secured Linux boxes. SEC406 teaches the Linux essentials every security professional needs to know to run the many open-source tools that are crucial to doing your job.

  • SEC450 provides students with technical knowledge and key concepts essential for security operation center (SOC) analysts and new cyber defense team members. By providing a detailed explanation of the mission and mindset of a modern cyber defense operation, this course will jumpstart and empower those on their way to becoming the next generation of blue team members.

    Certification: GIAC Security Operations Certified (GSOC)

  • SEC503: Intrusion Detection In-Depth delivers the technical knowledge, insight, and hands-on training you need to defend your network with confidence. You will learn about the underlying theory of TCP/IP and the most used application protocols, such as HTTP, so that you can intelligently examine network traffic for signs of an intrusion.

    Certification: GIAC Certified Intrusion Analyst (GCIA)
    • Want to block Windows attacks, thwart the lateral movement of hackers inside your LAN, and prevent administrative credential theft? And you want to have fun learning PowerShell scripting at the same time? Then SEC505 is the course for you! In SEC505 you will learn how to use PowerShell to automate Windows security and harden PowerShell itself. No prior PowerShell scripting experience is required to take the course because you will learn PowerShell along the way. We will even write a PowerShell ransomware script together in a lab in order to implement better ransomware defenses. The course author, Jason Fossen, is a Faculty Fellow who has taught defensible PowerShell at SANS for more than a decade. Jason gives away his PowerShell security scripts for free at https://BlueTeamPowerShell.com .

      Certification: GIAC Certified Windows Security Administrator (GCWN)
    • This course assesses the current state of security architecture and continuous monitoring, and provides a new approach to security architecture that can be easily understood and defended. When students finish, they have a list of action items in hand for making their organization one of the most effective vehicles for frustrating adversaries. Students are able to assess deficiencies in their own organization's security architectures and affect meaningful changes that are continuously monitored for deviations from their expected security posture.

      Certification: 
      GIAC Continuous Monitoring Certification (GMON)

    • This course is designed to help students build and maintain a truly defensible security architecture, while taking them on a journey towards implementing Zero Trust principles, pillars and capabilities. There will be a heavy focus on leveraging current infrastructure and investment. Students will learn how to assess, re-configure and validate existing technologies to significantly improve their organizations' prevention, detection and response capabilities, augment visibility, reduce attack surface, and even anticipate attacks in innovative ways. The course will also delve into some of the latest technologies and their capabilities, strengths, and weaknesses. You will come away with recommendations and suggestions that will aid in building a robust security infrastructure, layer by layer, across hybrid environments, as you embark on a journey towards Zero Trust.

      Certification: GIAC Defensible Security Architecture (GDSA)

    • Many organizations have logging capabilities but lack the people and processes to analyze them. In addition, logging systems collect vast amounts of data from a variety of data sources which require an understanding of the sources for proper analysis. This class is designed to provide training, methods, and processes for enhancing existing logging solutions. This class will also provide the understanding of the when, what, and why behind the logs. This is a lab-heavy course that utilizes SOF-ELK, a SANS-sponsored free SIEM solution, to train hands-on experience and provide the mindset for large-scale data analysis.

      Certification: GIAC Certified Detection Analyst (GCDA)

    • Are you a Blue Teamer who has been asked to do more with less? Do you wish you could detect and respond at the same pace as your adversaries who are breaking into and moving within the network? SEC586: Security Automation with PowerShell teaches deep automation and defensive capabilities using PowerShell. Come join us and learn how to automate everything from regular hardening and auditing tasks to advanced defenses. This course will provide you with skills for near real-time detection and response and elevate your defenses to the next level.

    • If you are a SOC manager or leader looking to unlock the power of proactive, intelligence-informed cyber defense, then LDR551 is the perfect course for you! In a world where IT environments and threat actors evolve faster than many teams can track, position your SOC to defend against highly motivated threat actors. Highly dynamic modern environments require a cyber defense capability that is forward-looking, fast-paced, and intelligence-driven. This SOC manager training course will guide you through these critical activities from start to finish and teach you how to design defenses with your organization's unique risk profile in mind. Walk away with the ability to align your SOC activities with organizational goals. 17 hands-on exercises + Cyber42 interactive leadership simulations.

      Certification: GSOM

    •  SEC573 is an immersive, self-paced, hands-on, and lab-intensive course. After covering the essentials required for people who have never coded before, the course will present students with real-world forensics, defensive, and offensive challenges. You will develop a malware dropper for an offensive operation; learn to search your logs for the latest attacks; develop code to carve forensics artifacts from memory, hard drives, and packets; automate the interaction with an online website's API; and write a custom packet sniffer. Through fun and engaging labs, youll develop useful tools and build essential skills that will make you the most valuable member of your information security team.

      Certification:
       GIAC Python Coder (GPYC)

    • SEC673 is designed as the logical progression point for students who have completed SEC573: Automating Information Security with Python, or for those who already familiar with basic Python programming concepts. We jump immediately into advanced concepts. SEC673 looks at coding techniques used by popular open-source information security packages and how to apply them to your own Python cybersecurity projects. We'll learn from the best of them as we spend the week making information security for our project, named SPF100, as easy to develop and maintain as that of the most popular cybersecurity projects. Discover how to organize your code and use advanced programming concepts to make your code faster, more efficient, and easier to develop and maintain.

    Security Architect & Engineer

    Design, implement, and tune an effective combination of network-centric and data-centric controls to balance prevention, detection, and response. Security architects and engineers are capable of looking at an enterprise defense holistically and building security at every layer. They can balance business and technical requirements along with various security policies and procedures to implement defensible security architectures.
    • Linux is the operating system of millions of systems all around the world. No matter what area of cybersecurity you work in or the vertical you support, to do your job effectively you need to understand how Linux works and how to secure it. Skilled attackers certainly know how to use and operate in a Linux environment and love nothing more than to find your security tools running on improperly secured Linux boxes. SEC406 teaches the Linux essentials every security professional needs to know to run the many open-source tools that are crucial to doing your job.

    • SEC503: Intrusion Detection In-Depth delivers the technical knowledge, insight, and hands-on training you need to defend your network with confidence. You will learn about the underlying theory of TCP/IP and the most used application protocols, such as HTTP, so that you can intelligently examine network traffic for signs of an intrusion.

      Certification: 
      GIAC Certified Intrusion Analyst (GCIA)

    • Want to block Windows attacks, thwart the lateral movement of hackers inside your LAN, and prevent administrative credential theft? And you want to have fun learning PowerShell scripting at the same time? Then SEC505 is the course for you! In SEC505 you will learn how to use PowerShell to automate Windows security and harden PowerShell itself. No prior PowerShell scripting experience is required to take the course because you will learn PowerShell along the way. We will even write a PowerShell ransomware script together in a lab in order to implement better ransomware defenses. The course author, Jason Fossen, is a Faculty Fellow who has taught defensible PowerShell at SANS for more than a decade. Jason gives away his PowerShell security scripts for free at https://BlueTeamPowerShell.com .


      Certification: GIAC Certified Windows Security Administrator (GCWN)

    • This course assesses the current state of security architecture and continuous monitoring, and provides a new approach to security architecture that can be easily understood and defended. When students finish, they have a list of action items in hand for making their organization one of the most effective vehicles for frustrating adversaries. Students are able to assess deficiencies in their own organization's security architectures and affect meaningful changes that are continuously monitored for deviations from their expected security posture.


      Certification:  
      GIAC Continuous Monitoring Certification (GMON)


    • This course is designed to help students build and maintain a truly defensible security architecture, while taking them on a journey towards implementing Zero Trust principles, pillars and capabilities. There will be a heavy focus on leveraging current infrastructure and investment. Students will learn how to assess, re-configure and validate existing technologies to significantly improve their organizations' prevention, detection and response capabilities, augment visibility, reduce attack surface, and even anticipate attacks in innovative ways. The course will also delve into some of the latest technologies and their capabilities, strengths, and weaknesses. You will come away with recommendations and suggestions that will aid in building a robust security infrastructure, layer by layer, across hybrid environments, as you embark on a journey towards Zero Trust.


      Certification: 
      GIAC Defensible Security Architecture (GDSA)

    Cybersecurity Analyst / Engineer

    As this is one of the highest-paid jobs in the field, the skills required to master the responsibilities involved are advanced. You must be highly competent in threat detection, threat analysis, and threat protection. This is a vital role in preserving the security and integrity of an organization’s data.
    • Whether you are new to information security or a seasoned practitioner with a specialized focus, SEC401 will provide the essential information security skills and techniques you need to protect and secure your critical information and technology assets, whether on-premise or in the cloud. SEC401 will also show you how to directly apply the concept learned into a winning defensive strategy, all in the terms of the modern adversary. This is how we fight; this is how we win!

      Certification: GIAC Security Essentials (GSEC)

    • Linux is the operating system of millions of systems all around the world. No matter what area of cybersecurity you work in or the vertical you support, to do your job effectively you need to understand how Linux works and how to secure it. Skilled attackers certainly know how to use and operate in a Linux environment and love nothing more than to find your security tools running on improperly secured Linux boxes. SEC406 teaches the Linux essentials every security professional needs to know to run the many open-source tools that are crucial to doing your job.

    • ICS410: ICS/SCADA Security Essentials provides a foundational set of standardized skills and knowledge for industrial cybersecurity professionals. The course is designed to ensure that the workforce involved in supporting and defending industrial control systems is trained to keep the operational environment safe, secure, and resilient against current and emerging cyber threats.


      Certification:
       Global Industrial Cyber Security Professional (GICSP)
    • SEC450 provides students with technical knowledge and key concepts essential for security operation center (SOC) analysts and new cyber defense team members. By providing a detailed explanation of the mission and mindset of a modern cyber defense operation, this course will jumpstart and empower those on their way to becoming the next generation of blue team members.


      Certification: GIAC Security Operations Certified (GSOC)
    • The ICS456: Essentials for NERC Critical Infrastructure Protection course empowers students with knowledge of the what and the how of the version 5/6/7 standards. The course addresses the role of the Federal Energy Regulatory Commission (FERC), North American Electric Reliability Corporation (NERC), and Regional Entities, provides multiple approaches for identifying and categorizing BES Cyber Systems, and helps asset owners determine the requirements applicable to specific implementations.

      Certification: 
      GIAC Critical Infrastructure Protection (GCIP)

    • SEC501: Advanced Security Essentials - Enterprise Defender is an essential course for members of security teams of all sizes. That includes smaller teams where you wear several (or all) hats and need a robust understanding of many facets of cybersecurity, and larger teams where your role is more focused, and gaining skills in additional areas adds to your flexibility and opportunities. This course concentrates on showing you how to examine the traffic that is flowing on your networks, look for indications of an attack, and perform penetration testing and vulnerability analysis against your enterprise to identify problems and issues before a compromise occurs.

      Certification: 
      GIAC Certified Enterprise Defender (GCED)

    • SEC503: Intrusion Detection In-Depth delivers the technical knowledge, insight, and hands-on training you need to defend your network with confidence. You will learn about the underlying theory of TCP/IP and the most used application protocols, such as HTTP, so that you can intelligently examine network traffic for signs of an intrusion.

      Certification:
       GIAC Certified Intrusion Analyst (GCIA)

    • SEC504 helps you develop the skills to conduct incident response investigations. You will learn how to apply a dynamic incident response process to evolving cyber threats, and how to develop threat intelligence to mount effective defense strategies for cloud and on-premises platforms. We'll examine the latest threats to organizations, from watering hole attacks to cloud application service MFA bypass, enabling you to get into the mindset of attackers and anticipate their moves. SEC504 gives you the information you need to understand how attackers scan, exploit, pivot, and establish persistence in cloud and conventional systems. To help you develop retention and long-term recall of the course material, 50 percent of class time is spent on hands-on exercises, using visual association tools to break down complex topics. This course prepares you to conduct cyber investigations and will boost your career by helping you develop these in-demand skills.

    • The world is changing and so is the data we need to conduct our investigations. Cloud platforms change how data is stored and accessed. They remove the examiner's ability to directly access systems and use classical data extraction methods. Unfortunately, many examiners are still trying to force old methods for on-premise examination onto cloud-hosted platforms. Rather than resisting change, examiners must learn to embrace the new opportunities presented to them in the form of new evidence sources. FOR509: Enterprise Cloud Forensics and Incident Response addresses today's need to bring examiners up to speed with the rapidly changing world of enterprise cloud environments by uncovering the new evidence sources that only exist in the Cloud.

      Certification: 
      GIAC Cloud Forensics Responder (GCFR)

    • This course is designed to help students build and maintain a truly defensible security architecture, while taking them on a journey towards implementing Zero Trust principles, pillars and capabilities. There will be a heavy focus on leveraging current infrastructure and investment. Students will learn how to assess, re-configure and validate existing technologies to significantly improve their organizations' prevention, detection and response capabilities, augment visibility, reduce attack surface, and even anticipate attacks in innovative ways. The course will also delve into some of the latest technologies and their capabilities, strengths, and weaknesses. You will come away with recommendations and suggestions that will aid in building a robust security infrastructure, layer by layer, across hybrid environments, as you embark on a journey towards Zero Trust.

      Certification: 
      GIAC Defensible Security Architecture (GDSA)

    • Organizations are moving to the cloud to enable digital transformation and reap the benefits of cloud computing. However, security teams struggle to understand the DevOps toolchain and how to introduce security controls in their automated pipelines responsible for delivering changes to cloud-based systems. Without effective pipeline security controls, security teams lose visibility into the changes released into production environments. SEC540 provides security professionals with a methodology to secure modern Cloud and DevOps environments.

    • Many organizations have logging capabilities but lack the people and processes to analyze them. In addition, logging systems collect vast amounts of data from a variety of data sources which require an understanding of the sources for proper analysis. This class is designed to provide training, methods, and processes for enhancing existing logging solutions. This class will also provide the understanding of the when, what, and why behind the logs. This is a lab-heavy course that utilizes SOF-ELK, a SANS-sponsored free SIEM solution, to train hands-on experience and provide the mindset for large-scale data analysis.

      Certification:
       GIAC Certified Detection Analyst (GCDA)

    • Are you a Blue Teamer who has been asked to do more with less? Do you wish you could detect and respond at the same pace as your adversaries who are breaking into and moving within the network? SEC586:  Security Automation with PowerShell teaches deep automation and defensive capabilities using PowerShell. Come join us and learn how to automate everything from regular hardening and auditing tasks to advanced defenses. This course will provide you with skills for near real-time detection and response and elevate your defenses to the next level.

    • SEC573 is an immersive, self-paced, hands-on, and lab-intensive course. After covering the essentials required for people who have never coded before, the course will present students with real-world forensics, defensive, and offensive challenges. You will develop a malware dropper for an offensive operation; learn to search your logs for the latest attacks; develop code to carve forensics artifacts from memory, hard drives, and packets; automate the interaction with an online website's API; and write a custom packet sniffer. Through fun and engaging labs, youll develop useful tools and build essential skills that will make you the most valuable member of your information security team.

      Certification:
      GIAC Python Coder (GPYC)
    • SEC673 is designed as the logical progression point for students who have completed SEC573: Automating Information Security with Python, or for those who already familiar with basic Python programming concepts. We jump immediately into advanced concepts. SEC673 looks at coding techniques used by popular open-source information security packages and how to apply them to your own Python cybersecurity projects. We'll learn from the best of them as we spend the week making information security for our project, named SPF100, as easy to develop and maintain as that of the most popular cybersecurity projects. Discover how to organize your code and use advanced programming concepts to make your code faster, more efficient, and easier to develop and maintain.

    OSINT Investigator/Analyst

    These resourceful professionals gather requirements from their customers and then, using open sources and mostly resources on the internet, collect data relevant to their investigation. They may research domains and IP addresses, businesses, people, issues, financial transactions, and other targets in their work. Their goals are to gather, analyze, and report their objective findings to their clients so that the clients might gain insight on a topic or issue prior to acting.
    • SEC497 is based on two decades of experience with open-source intelligence (OSINT) research and investigations supporting law enforcement, intelligence operations, and a variety of private sector businesses ranging from small start-ups to Fortune 100 companies. The goal is to provide practical, real-world tools and techniques to help individuals perform OSINT research safely and effectively. One of the most dynamic aspects of working with professionals from different industries worldwide is getting to see their problems and working with them to help solve those problems. SEC497 draws on lessons learned over the years in OSINT to help others. The course not only covers critical OSINT tools and techniques, it also provides real-world examples of how they have been used to solve a problem or further an investigation.

    • In SEC587 you will learn how to perform advanced OSINT Gathering & Analysis as well as understand and use common programming languages such as JSON and Python. SEC587 also will go into Dark Web and Financial (Cryptocurrency) topics as well as disinformation, advanced image and video OSINT analysis. This is an advanced fast-paced course that will give seasoned OSINT investigators new techniques and methodologies and entry-level OSINT analysts that extra depth in finding, collecting and analyzing data sources from all around the world.

    • Cyber threat intelligence represents a force multiplier for organizations looking to update their response and detection programs to deal with increasingly sophisticated advanced persistent threats. Malware is an adversary's tool but the real threat is the human one, and cyber threat intelligence focuses on countering those flexible and persistent human threats with empowered and trained human defenders. During a targeted attack, an organization needs a top-notch and cutting-edge threat hunting or incident response team armed with the threat intelligence necessary to understand how adversaries operate and to counter the threat. FOR578: Cyber Threat Intelligence will train you and your team in the tactical, operational, and strategic level cyber threat intelligence skills and tradecraft required to make security teams better, threat hunting more accurate, incident response more effective, and organizations more aware of the evolving threat landscape.


      Certification: 
      GIAC Cyber Threat Intelligence (GCTI)

    Intrusion Detection / (SOC) Analyst

    Security Operations Center (SOC) analysts work alongside security engineers and SOC managers to implement prevention, detection, monitoring, and active response. Working closely with incident response teams, a SOC analyst will address security issues when detected, quickly and effectively. With an eye for detail and anomalies, these analysts see things most others miss.
    • Linux is the operating system of millions of systems all around the world. No matter what area of cybersecurity you work in or the vertical you support, to do your job effectively you need to understand how Linux works and how to secure it. Skilled attackers certainly know how to use and operate in a Linux environment and love nothing more than to find your security tools running on improperly secured Linux boxes. SEC406 teaches the Linux essentials every security professional needs to know to run the many open-source tools that are crucial to doing your job.

    • SEC450 provides students with technical knowledge and key concepts essential for security operation center (SOC) analysts and new cyber defense team members. By providing a detailed explanation of the mission and mindset of a modern cyber defense operation, this course will jumpstart and empower those on their way to becoming the next generation of blue team members.

      Certification: GIAC Security Operations Certified (GSOC)
    • SEC503: Intrusion Detection In-Depth delivers the technical knowledge, insight, and hands-on training you need to defend your network with confidence. You will learn about the underlying theory of TCP/IP and the most used application protocols, such as HTTP, so that you can intelligently examine network traffic for signs of an intrusion.


      Certification: GIAC Certified Intrusion Analyst (GCIA)

      • SEC504 helps you develop the skills to conduct incident response investigations. You will learn how to apply a dynamic incident response process to evolving cyber threats, and how to develop threat intelligence to mount effective defense strategies for cloud and on-premises platforms. We'll examine the latest threats to organizations, from watering hole attacks to cloud application service MFA bypass, enabling you to get into the mindset of attackers and anticipate their moves. SEC504 gives you the information you need to understand how attackers scan, exploit, pivot, and establish persistence in cloud and conventional systems. To help you develop retention and long-term recall of the course material, 50 percent of class time is spent on hands-on exercises, using visual association tools to break down complex topics. This course prepares you to conduct cyber investigations and will boost your career by helping you develop these in-demand skills.

        Certification: GIAC Certified Incident Handler (GCIH)

        • Threat hunting and Incident response tactics and procedures have evolved rapidly over the past several years. Your team can no longer afford to use antiquated incident response and threat hunting techniques that fail to properly identify compromised systems. The key is to constantly look for attacks that get past security systems, and to catch intrusions in progress, rather than after attackers have completed their objectives and done worse damage to the organization. For the incident responder, this process is known as " threat hunting ". FOR508 teaches advanced skills to hunt, identify, counter, and recover from a wide range of threats within enterprise networks, including APT nation-state adversaries, organized crime syndicates, and hactivists.

          Certification:
          GIAC Certified Forensic Analyst (GCFA)

        • This course assesses the current state of security architecture and continuous monitoring, and provides a new approach to security architecture that can be easily understood and defended. When students finish, they have a list of action items in hand for making their organization one of the most effective vehicles for frustrating adversaries. Students are able to assess deficiencies in their own organization's security architectures and affect meaningful changes that are continuously monitored for deviations from their expected security posture.


          Certification: GIAC Continuous Monitoring Certification (GMON)
        • Many organizations have logging capabilities but lack the people and processes to analyze them. In addition, logging systems collect vast amounts of data from a variety of data sources which require an understanding of the sources for proper analysis. This class is designed to provide training, methods, and processes for enhancing existing logging solutions. This class will also provide the understanding of the when, what, and why behind the logs. This is a lab-heavy course that utilizes SOF-ELK, a SANS-sponsored free SIEM solution, to train hands-on experience and provide the mindset for large-scale data analysis.


          Certification: 
          GIAC Certified Detection Analyst (GCDA)
        • Whether you handle an intrusion incident, data theft case, employee misuse scenario, or are engaged in proactive adversary discovery, the network often provides an unparalleled view of the incident. SANS FOR572 covers the tools, technology, and processes required to integrate network evidence sources into your investigations to provide better findings, and to get the job done faster.


          Certification: 
          GIAC Network Forensic Analyst (GNFA)

        • SEC573 is an immersive, self-paced, hands-on, and lab-intensive course. After covering the essentials required for people who have never coded before, the course will present students with real-world forensics, defensive, and offensive challenges. You will develop a malware dropper for an offensive operation; learn to search your logs for the latest attacks; develop code to carve forensics artifacts from memory, hard drives, and packets; automate the interaction with an online website's API; and write a custom packet sniffer. Through fun and engaging labs, youll develop useful tools and build essential skills that will make you the most valuable member of your information security team.

          Certification:
          GIAC Python Coder (GPYC)
        • SEC673 is designed as the logical progression point for students who have completed SEC573: Automating Information Security with Python, or for those who already familiar with basic Python programming concepts. We jump immediately into advanced concepts. SEC673 looks at coding techniques used by popular open-source information security packages and how to apply them to your own Python cybersecurity projects. We'll learn from the best of them as we spend the week making information security for our project, named SPF100, as easy to develop and maintain as that of the most popular cybersecurity projects. Discover how to organize your code and use advanced programming concepts to make your code faster, more efficient, and easier to develop and maintain.

        SOC Manager

        Security Operations Center (SOC) managers bridge the gap between business processes and the highly technical work that goes on in the SOC. They direct SOC operations and are responsible for hiring and training, creating and executing cybersecurity strategy, and leading the company’s response to major security threats.
        • Linux is the operating system of millions of systems all around the world. No matter what area of cybersecurity you work in or the vertical you support, to do your job effectively you need to understand how Linux works and how to secure it. Skilled attackers certainly know how to use and operate in a Linux environment and love nothing more than to find your security tools running on improperly secured Linux boxes. SEC406 teaches the Linux essentials every security professional needs to know to run the many open-source tools that are crucial to doing your job.

        • SEC450 provides students with technical knowledge and key concepts essential for security operation center (SOC) analysts and new cyber defense team members. By providing a detailed explanation of the mission and mindset of a modern cyber defense operation, this course will jumpstart and empower those on their way to becoming the next generation of blue team members.

          Certification: GIAC Security Operations Certified (GSOC)
        • SEC503: Intrusion Detection In-Depth delivers the technical knowledge, insight, and hands-on training you need to defend your network with confidence. You will learn about the underlying theory of TCP/IP and the most used application protocols, such as HTTP, so that you can intelligently examine network traffic for signs of an intrusion.


          Certification: GIAC Certified Intrusion Analyst (GCIA)
        • This course assesses the current state of security architecture and continuous monitoring, and provides a new approach to security architecture that can be easily understood and defended. When students finish, they have a list of action items in hand for making their organization one of the most effective vehicles for frustrating adversaries. Students are able to assess deficiencies in their own organization's security architectures and affect meaningful changes that are continuously monitored for deviations from their expected security posture.


          Certification: GIAC Continuous Monitoring Certification (GMON)
        • SEC504 helps you develop the skills to conduct incident response investigations. You will learn how to apply a dynamic incident response process to evolving cyber threats, and how to develop threat intelligence to mount effective defense strategies for cloud and on-premises platforms. We'll examine the latest threats to organizations, from watering hole attacks to cloud application service MFA bypass, enabling you to get into the mindset of attackers and anticipate their moves. SEC504 gives you the information you need to understand how attackers scan, exploit, pivot, and establish persistence in cloud and conventional systems. To help you develop retention and long-term recall of the course material, 50 percent of class time is spent on hands-on exercises, using visual association tools to break down complex topics. This course prepares you to conduct cyber investigations and will boost your career by helping you develop these in-demand skills.

          Certification: GIAC Certified Incident Handler (GCIH)
        • Are you a Blue Teamer who has been asked to do more with less? Do you wish you could detect and respond at the same pace as your adversaries who are breaking into and moving within the network? SEC586:  Security Automation with PowerShell teaches deep automation and defensive capabilities using PowerShell. Come join us and learn how to automate everything from regular hardening and auditing tasks to advanced defenses. This course will provide you with skills for near real-time detection and response and elevate your defenses to the next level.

        • If you are a SOC manager or leader looking to unlock the power of proactive, intelligence-informed cyber defense, then LDR551 is the perfect course for you! In a world where IT environments and threat actors evolve faster than many teams can track, position your SOC to defend against highly motivated threat actors. Highly dynamic modern environments require a cyber defense capability that is forward-looking, fast-paced, and intelligence-driven. This SOC manager training course will guide you through these critical activities from start to finish and teach you how to design defenses with your organization's unique risk profile in mind. Walk away with the ability to align your SOC activities with organizational goals. 17 hands-on exercises + Cyber42 interactive leadership simulations.

          Certification: GSOM

        SANS.EDU_Social_Cards_470x382_CDO.jpg

        SANS.edu Graduate Certificate in Cyber Defense Operations

        Gain hands-on knowledge in the applied technologies and operational techniques needed to defend and secure information assets and business systems.

        • Designed for working InfoSec and IT professionals
        • Highly technical 12-credit-hour program
        • Includes 4 industry-recognized GIAC certifications