SEC504 vs SEC560 FAQ

by Ed Skoudis, SANS Faculty Fellow

The SANS Security 560: Network Penetration Testing and Ethical Hacking course addresses in-depth methods used by professional penetration testers, ethical hackers, and Red Teamers to find and exploit flaws in a target environment to help better understand and manage business risk. Additionally, SANS offers a course called SANS Security 504: Hacker Techniques, Exploits, and Incident Handling.

Although both courses deal with computer attacks, there are significant differences between them. The purpose of this brief FAQ is to answer questions regarding the differences between the two courses.

What is the Focus of SANS SEC560, and How Does it Differ from SANS SEC504?

SANS Security 560 deals with penetration testing and ethical hacking, in depth, covering numerous techniques for finding and exploiting flaws in a target environment using a consistent, high-quality testing regimen. SANS Security 504 focuses on incident handling, addressing practical methods for preparing for detecting and responding to computer attacks.

In short, 560 covers penetration testing and ethical hacking, while 504 addresses incident handling.

Aren't The Courses Pretty Much the Same?

Not at all. 560 is very different from 504. We cover a variety of different tools in each class. Even when both classes cover the same topic or tool, they cover it from a completely different perspective.

Take Metasploit and Password Attacks as Examples

In 504, we talk about how these attacks work, emphasizing how to defend against them, and addressing how incident handlers can detect and respond to their use. In 560, we go deeper, talking about how to use each and every tool, with detailed, hands-on exercises that cover some of the features that incident handlers don't really need to know about but pen testers will likely use quite often. Incident handlers and penetration testers both need hands-on experience. However, the idea is that incident handlers need to know what the attacks are from a broad perspective so that they can detect and respond to them in their environment. But, incident handlers don't need to know how to launch every one of the attacks we cover, just some of the most important ones. Penetration testers, on the other hand, need to be able to use every tool we analyze, not just recognize its use against their environments.

From a bottom-line perspective, 504 is more broad because incident handlers need to know about a lot of attack vectors that are typically not allowed for penetration testers by the rules of engagement. For example, incident handlers need to understand how to respond to bots and rootkits. But, the vast majority of penetration testers are prohibited from installing bots or rootkits on target machines.

In the end, 560 focuses more deeply on the attacks, because penetration testers need hands-on experience with each tool, while 504 is more broad and covers detection and incident handling, because incident handlers need to focus on recognizing each tool's use in their environments.

Does SEC560 Supersede 504 or Supplant it?

Not at all. SEC560 does not supersede SEC504. SEC504 is a vital course, which we will continue to update and offer, supporting people in their careers as incident handlers. In fact, many people take 504 and then go on to take 560. Others even take 560 first and then go to 504.

I've Already Taken SEC504. Should I Take SEC560 as a Follow-on?

560 was designed as a perfect follow-on for people who have already taken 504 and are looking to get into more depth with tools used in professional penetration testing and ethical hacking. 560 is not recycled 504 material; it is an entirely different class with an entirely different set of slides and exercises.

I've Taken Neither SEC504 nor SEC560. Where Should I Start?

If you are more interested in incident handling, 504 is the course for you. If you need to develop your penetration testing skills, start with 560. Neither course is a pre-requisite for the other.

Where Can I Get More Information About Each Course?

To learn more about SANS Security 504: Hacker Techniques, Exploits, and Incident Handling, go to:
the SEC504 course description here.

To learn more about SANS Security 560: Network Penetration Testing and Ethical Hacking, go to to:
the SEC560 course description here.

SANS SEC560 vs Other Ethical Hacking Courses

Ed Skoudis, SANS Institute Fellow, specifically developed SANS Security 560 to fill a void in really high-quality classes that provide people with hands-on, real-world network penetration testing and ethical hacking skills, organized around the work flow of professional pen testers.

This SANS course differs from other penetration testing and ethical hacking courses offered by other organizations in several important ways:

  • We get deep into the tools arsenal, with numerous hands-on exercises that show subtle, less-well-known, and undocumented features that are incredibly useful for professional penetration testers and ethical hackers.
  • The course discusses how the tools inter-relate with each other in an overall testing process. Rather than just throwing up a bunch of tools and playing with them, we analyze how to leverage information from one tool to get the most bang out of the next tool.
  • We focus on the work flow of professional penetration testers and ethical hackers, proceeding step-by-step discussing the most effective means for conducting projects.
  • The sessions address common pitfalls that arise in penetration tests and ethical hacking projects, providing real-world strategies and tactics for avoiding these problems to maximize the quality of test results.
  • We cover several time saving tactics based on years of in-the- trenches experience from real penetration testers and ethical hackers, actions that might take hours or days unless you know the little secrets we'll cover that will let you surmount a problem in minutes.
  • The course stresses the mind-set of successful penetration testers and ethical hackers, which involves balancing the often contravening forces of creative "outside-the-box" thinking, methodical trouble- shooting, carefully weighing risks, following a time-tested process, painstakingly documenting results, and creating a high quality final report that achieves management and technical buy-in.
  • We also analyze how penetration testing and ethical hacking should fit into a comprehensive enterprise information security program.