Training
Featured CourseView All Courses

SEC595: Applied Data Science and AI/Machine Learning for Cybersecurity Professionals

SEC595Cyber Defense, Artificial Intelligence
SEC595: Applied Data Science and AI/Machine Learning for Cybersecurity Professionals
View course detailsRegister
Get a Free Hour of SANS Training

Experience SANS training through course previews.

Learn More
Learning Paths
FeaturedView all Focus Areas
NEW - AI Security Training
Can't find what you are looking for?

Let us help.

Contact us
Free Resources

SANS Community Benefits

Connect, learn, and share with other cybersecurity professionals

Customer Case Studies

Discover how organizations and individual cyber practitioners use SANS training and GIAC certifications

AI Risk & Readiness

Explore expert-driven guidance, training, and tools to help defend against AI-powered threats and adopt AI securely

Join the SANS Community

Become a member for instant access to our free resources.

Sign Up
For Organizations

Public Sector

Mission-focused cybersecurity training for government, defense, and education

Partnerships

Explore industry-specific programming and customized training solutions

Sponsorship Opportunities

Sponsor a SANS event or research paper

Interested in developing a training plan to fit your organization’s needs?

We're here to help.

Contact Us
Contact Sales
Contact Sales

Incident Response

Return To SAP HomepageJoin The SANS Community
SAP

Role Description 

Incident Response safeguards an organization’s SAP systems and data against cyberattacks and security incidents. This role acts as the first line of defense, minimizing the impact of incidents, restoring business continuity, and ensuring resilience through a structured, well-defined response process.

BLUF 

Incident responders need a progression of skills — from baseline security foundations, to digital forensics, malware analysis, and advanced threat hunting. These courses provide the full roadmap, ensuring responders can detect, analyze, contain, and recover from incidents at every stage of their career.

Development Roadmap with TKS Alignment

T1 – Novice (Foundations)

Course: SEC275 / SEC401. Aligned TKSs: 101 Security Foundations, K0663 Knowledge of SOC processes (introductory), T0310 Coordinate incident response activities (exposure-level)

  • Slide 1 of 2

    SEC275: Foundations: Computers, Technology, & Security

    Beginner
    SEC275Cyber Defense
    SEC406: Linux Security for InfoSec Professionals
    • GIAC Foundational Cybersecurity Technologies (GFACT)
    • 38 CPEs / 38 Hours (Self-Paced)
    • Labs: 90 Hands-On Labs

    View course detailsRegister
  • Slide 2 of 2

    SEC401: Security Essentials - Network, Endpoint, and Cloud

    Essentials
    SEC401Cyber Defense
    SEC401: Security Essentials - Network, Endpoint, and Cloud
    • GIAC Security Essentials (GSEC)
    • 6 Days (Instructor-Led)
    • 46 CPEs / 46 Hours (Self-Paced)
    • Labs: 20 Hands-On Labs

    View course detailsRegister

T2 – Practitioner (Applied Knowledge)

Course: SEC504. Aligned TKSs: K0299 Knowledge of CSIRT processes, K0663 Knowledge of SOC processes (applied), T0310 Coordinate incident response activities (practical), T1063 Recover from security incidents

SEC504: Hacker Tools, Techniques, and Incident Handling

MAJOR UPDATES
AI SKILLS
Essentials
SEC504Offensive Operations
SEC504: Hacker Tools, Techniques, and Incident Handling
  • GIAC Certified Incident Handler Certification (GCIH)
  • 6 Days (Instructor-Led)
  • 38 CPEs / 38 Hours (Self-Paced)
  • Labs: 44 Hands-On Labs

View course detailsRegister

T3 – Advanced (Specialized Knowledge)

Course: FOR500. Aligned TKSs: K0135 Knowledge of digital forensics, T1082 Analyze compromised systems, T0182 Perform Tier 1–2 malware analysis (supporting evidence collection & triage)

FOR500: Windows Forensic Analysis

UPDATED
Essentials
FOR500Digital Forensics and Incident Response
FOR500: Windows Forensic Analysis
  • GIAC Certified Forensic Examiner (GCFE)
  • 6 Days (Instructor-Led)
  • 36 CPEs / 36 Hours (Self-Paced)
  • Labs: 22 Hands-On Labs

View course detailsRegister

T4 – Expert (Business Integration & Deep Technical)

Course(s): FOR508, FOR509. Aligned TKSs: T1069 Perform threat hunting, T0182 Perform Tier 3 malware analysis, K0916 Knowledge of malware analysis principles, K1207 Knowledge of reverse engineering tools & techniques, S0351 Develop secure configurations

  • Slide 1 of 2

    FOR508: Advanced Incident Response, Threat Hunting, and Digital Forensics

    UPDATED
    Intermediate
    FOR508Digital Forensics and Incident Response
    FOR508: Advanced Incident Response, Threat Hunting, and Digital Forensics
    • GIAC Certified Forensic Analyst (GCFA)
    • 6 Days (Instructor-Led)
    • 36 CPEs / 36 Hours (Self-Paced)
    • Labs: 35 Hands-On Labs

    View course detailsRegister
  • Slide 2 of 2

    FOR509: Enterprise Cloud Forensics and Incident Response

    MAJOR UPDATES
    Intermediate
    FOR509Digital Forensics and Incident Response
    FOR509: Enterprise Cloud Forensics and Incident Response
    • GIAC Cloud Forensics Responder (GCFR)
    • 6 Days (Instructor-Led)
    • 36 CPEs / 36 Hours (Self-Paced)
    • Labs: 23 Hands-On Labs

    View course detailsRegister

T5 – Expert / Mentor

Course: FOR572. Aligned TKSs: K0851 Knowledge of reverse engineering principles & practices, S0651 Skill in performing malware analysis (expert-level), T0182 Perform Tier 3 malware analysis (mentor-level refinement), T1069 Perform threat hunting (strategic/mentorship focus)

FOR572: Advanced Network Forensics: Threat Hunting, Analysis, and Incident Response

Advanced
FOR572Digital Forensics and Incident Response
FOR572: Advanced Network Forensics: Threat Hunting, Analysis, and Incident Response
  • GIAC Network Forensic Analyst (GNFA)
  • 6 Days (Instructor-Led)
  • 36 CPEs / 36 Hours (Self-Paced)
  • Labs: 20 Hands-On Labs

View course detailsRegister