SEC504 vs SEC560 FAQ

Prospective students often ask about the difference between SEC504 and SEC560. Although both courses deal with computer attacks, there are significant differences between them. The purpose of this brief FAQ is to answer questions regarding the differences between the two courses.

What Is The Primary Focus Of Each Course?

While both classes cover common attack techniques in use today, they each have a very different goal.

SEC504: Hacker Tools, Techniques, Exploits, and Incident Handling is primarily focused on learning the attack techniques through the perspective of an Incident Handler, supporting the theme that "offense must inform defense".

SEC560: Network Penetration Testing and Ethical Hacking covers many of the same attacks with the primary goal of teaching students how to execute those attacks to perform high-quality network penetration tests.

How Are They Different?

Aside from the primary focus of each course, they both cover certain topics the other does not. SEC504 covers a slightly broader range of attacks; however, SEC560 covers certain attacks and techniques in much greater depth than SEC504.

| What you'll learn | SEC504 | SEC560 |
| --- | --- | --- |
| Incident Handling Process | Covered | Not Covered |
| Incident Reporting | Covered | Not Covered |
| Defensive Spotlights | Covered* | Not Covered |
| Forensic Imaging | Covered | Not Covered |
| Handling Evidence | Covered | Not Covered |
| Memory, Network, & Malware Analysis | Covered* | Not Covered |
| Wireless Attacks | Covered* | Not Covered |
| Web Application Attacks | Covered* | Not Covered |
| Physical Attacks | Covered | Not Covered |
| Pen Test Focused | Not Covered | Covered |
| Pen Test Process & Planning | Not Covered | Covered* |
| Pen Test Reporting | Not Covered | Covered |
| Building Pen Testing Infrastructure | Not Covered | Covered |
| Organizational Recon | Not Covered | Covered* |
| Infrastructure Recon | Not Covered | Covered* |
| User/Employee Recon | Not Covered | Covered* |
| Privilege Escalation | Not Covered | Covered* |
| Attacking Azure | Not Covered | Covered* |

* Includes hands-on lab

How Are They Similar?

There are several topics covered at a survey level in SEC504 that are covered in more detail, often including a lab, in SEC560.

| What you'll learn | SEC504 | SEC560 |
| --- | --- | --- |
| MITRE ATT&CK | Covered | Partially Covered |
| Recon & Enumeration | Partially Covered* | Covered* |
| Kerberoasting | Partially Covered | Covered* |
| Attacking Active Directory | Partially Covered | Covered* |
| Active Directory Persistence | Not Covered | Covered* |

* Includes hands-on lab

Is There Overlap?

There are a few topics that are covered in both classes; however, each addresses the topic in its own way. For instance, in SEC504, the Password Guessing section is followed up by a Defensive Spotlight using Elastic Stack to identify a password guessing attack.

| What you'll learn | SEC504 | SEC560 |
| --- | --- | --- |
| Intro to Hacking | Covered | Covered |
| Netcat | Covered* | Covered* |
| Password Guessing | Covered* | Covered* |
| Password Cracking | Covered* | Covered* |

* Includes hands-on lab

I've Already Taken SEC504. Should I Take SEC560 as a Follow-on?

SEC560 was designed as a perfect follow-on for people who have already taken SEC504 and are looking to get into more depth with tools used in professional penetration testing and ethical hacking. SEC560 is not recycled SEC504 material; it is an entirely different class with an entirely different set of slides and exercises.

I've Taken Neither SEC504 nor SEC560. Where Should I Start?

If you are more interested in incident handling, 504 is the course for you. If you need to develop your penetration testing skills, start with 560. Neither course is a prerequisite for the other.

Where Can I Get More Information About Each Course?

Click here to learn more about SANS SEC504: Hacker Tools, Techniques, Exploits, and Incident Handling

Click here to learn more about SANS SEC560: Network Penetration Testing and Ethical Hacking