Korstiaan Stam

Korstiaan is an Incident Response specialist with over seven years working experience in digital forensics and incident response. He owns his own IR company called Invictus (undefeated) Incident Response and teaches a cybersecurity course part-time at the University of Applied Sciences in Amsterdam. Way before the cloud was cool, he was already researching it from a forensics perspective. He got a huge head start in the cloud that makes him a great SANS Instructor for FOR509: Enterprise Cloud Forensics and Incident Response.

More About Korstiaan
Headshot of Korstiaan Stam


Beginning with assembling personal computers at a small computer shop, Korstiaan quickly developed an interest in IT—specifically in investigating digital traces. “Once I heard about a professional program to develop these skills, I jumped on that opportunity and never looked back,” he says. He currently holds a master’s degree in Digital Investigation and Forensic Computing and a bachelor’s degree in IT Forensics. 

He started his career in cybersecurity monitoring as an analyst and developed his skills in that area to become a Splunk expert. “After building out the technical component of many SOC and CSIRT teams I joined PwC, where I worked in an international team responding to incidents all over the world.” Korstiaan went on to lead the IR team for PwC in the Netherlands and Europe. 

When, a few years ago, Business Email Compromise (BEC) attacks increased drastically, Korstiaan and his team at PwC took it upon themselves to battle this threat. “I developed a Splunk application that helps you investigate key evidence items from a BEC attack,” he says. “I also co-developed the Office365 extractor, a tool to acquire forensic evidence from an Office365 environment. This was the first tool that could do this, and it is still used all over the world, which is amazing.” It is one of the things he is most proud of in his career. “To be able to empower security teams all over the globe to investigate BEC attacks is definitely one of my greatest accomplishments.” 

“I love the field of DFIR, because it keeps challenging you and you need to keep developing your skillset,” he says. “It’s also a great area to be in as you’re actually solving important problems for your own organization or your client’s.” Korstiaan has gained a lot of knowledge and skills over the years which he is keen to share. It has always been his goal to become a SANS Instructor, “because instructors at SANS stand out in their field amongst peers based on their knowledge, but also their contributions to the field. SANS therefore is the best education money can buy, and I am thrilled to be a part of it.” 

Way before the cloud became a hot topic, Korstiaan was already researching it from a forensics perspective. “Because I took this approach I have an advantage, because I simple spent more time in the cloud than others. More so, because I have my own IR consultancy company, I spent a lot of time in the cloud investigating malicious behavior, so I don’t just know one cloud platform, but I have knowledge about all of them.” That equips him to help students with the challenge of every cloud working slightly or completely different. “If you understand the main concepts, you can then see that there’s also a similarity among all the clouds. That is why 

I start with the big picture in my classes and then zoom in on the details,” he says. Korstiaan also uses real-life examples from his work to discuss challenges he’s faced with students to relate with their day-to-day work. “To me, teaching not only means sharing my knowledge on a topic, but also applying real-life implications of that knowledge. I always try to combine the theory with the everyday practice so students can see why it’s important to understand certain concepts and how the newly founded knowledge can be applied.”

Get tot know Korstiaan:

Presentation at SANS DFIR Summit 2021:


Guest on the Mnemonic security podcast:


Co-developed the BEC guide:




Personal research:


Repository with tools & research: