by Ed Skoudis, SANS Faculty Fellow
The SANS Security 560: Network Penetration Testing and Ethical Hacking course addresses in-depth methods used by professional penetration testers, ethical hackers, and Red Teamers to find and exploit flaws in a target environment to help better understand and manage business risk. Additionally, SANS offers a course called SANS Security 504: Hacker Techniques, Exploits, and Incident Handling.
Although both courses deal with computer attacks, there are significant differences between them. The purpose of this brief FAQ is to answer questions regarding the differences between the two courses.
SANS Security 560 deals with penetration testing and ethical hacking, in depth, covering numerous techniques for finding and exploiting flaws in a target environment using a consistent, high-quality testing regimen. SANS Security 504 focuses on incident handling, addressing practical methods for preparing for, detecting, and responding to computer attacks.
In short, 560 covers penetration testing and ethical hacking, while 504 addresses incident handling.
Not at all. 560 is very different from 504. We cover a variety of different tools in each class. Even when both classes cover the same topic or tool, they cover it from a completely different perspective.
In 504, we talk about how these attacks work, emphasizing how to defend against them, and addressing how incident handlers can detect and respond to their use. In 560, we go deeper, talking about how to use each and every tool, with detailed, hands-on exercises that cover some of the features that incident handlers don't really need to know about but pen testers will likely use quite often. Incident handlers and penetration testers both need hands-on experience. However, the idea is that incident handlers need to know what the attacks are from a broad perspective so that they can detect and respond to them in their environment. But incident handlers don't need to know how to launch every one of the attacks we cover, just some of the most important ones. Penetration testers, on the other hand, need to be able to use every tool we analyze, not just recognize its use against their environments.
From a bottom-line perspective, 504 is broader because incident handlers need to know about a lot of attack vectors that are typically not allowed for penetration testers by the rules of engagement. For example, incident handlers need to understand how to respond to bots and rootkits. But the vast majority of penetration testers are prohibited from installing bots or rootkits on target machines.
In the end, 560 focuses more deeply on the attacks, because penetration testers need hands-on experience with each tool, while 504 is broader and covers detection and incident handling, because incident handlers need to focus on recognizing each tool's use in their environments.
Not at all. SEC560 does not supersede SEC504. SEC504 is a vital course, which we will continue to update and offer, supporting people in their careers as incident handlers. In fact, many people take 504 and then go on to take 560. Others even take 560 first and then go to 504.
560 was designed as a perfect follow-on for people who have already taken 504 and are looking to get into more depth with tools used in professional penetration testing and ethical hacking. 560 is not recycled 504 material; it is an entirely different class with an entirely different set of slides and exercises.
If you are more interested in incident handling, 504 is the course for you. If you need to develop your penetration testing skills, start with 560. Neither course is a prerequisite for the other.
To learn more about SANS Security 504: Hacker Techniques, Exploits, and Incident Handling, go to:
the SEC504 course description here.
To learn more about SANS Security 560: Network Penetration Testing and Ethical Hacking, go to:
the SEC560 course description here.
Ed Skoudis, SANS Institute Fellow, specifically developed SANS Security 560 to fill a void in really high-quality classes that provide people with hands-on, real-world network penetration testing and ethical hacking skills, organized around the workflow of professional pen testers.
This SANS course differs from other penetration testing and ethical hacking courses offered by other organizations in several important ways: