Mark Baggett

Mark Baggett’s first foray into information security was on the receiving end of hacking, and he was amazed by the experience. “The hackers made my computer do stuff that I didn't think was possible,” he says. “It was like magic and I had to know how the trick was done.” He immediately became obsessed with understanding all the tricks, how they worked, and how to prevent them from happening again.

Fast forward to today and Mark’s infosec career spans nearly 30 years with 15 of those years spent teaching for SANS. Mark is currently a faculty fellow for SANS and an independent consultant through his company Indepth Defense providing forensics, incident response, and penetration testing services. Mark served as the technical advisor to the DoD for SANS from 2011 until 2024, where he assisted various government organizations in the development of information security capabilities. Today he is the Chief Technology Officer for the Internet Storm Center.

More About Mark


Mark still finds information security as fun as the first day he discovered it, and feels that learning about information security should be fun too. “I really want the students to enjoy their classroom experience and look forward to learning skills that will make them more effective information security professionals,” he says. And Mark stays busy in the SANS classroom teaching and authoring SEC573 Automating Information Security with Python and SEC673 Advanced Information Security Automation with Python.

As an instructor, Mark’s enjoyment of information security is infectious and his favorite moments are when students solve complex problems they thought were beyond their capability at the beginning of the week. “When students learn how to code and how to apply it to their day jobs it changes their lives forever,” he says.

“It is my goal to meet the student where his or her current skill level is and move them forward,” says Mark, noting that his most successful students are those who are honest about where their skills are and willing to put in the work to improve. “I'll promise to give them the resources and assistance they need in a way that is both entertaining and judgement-free.”

Mark recalls a recent interaction with an SEC573 student that demonstrates the growth potential SANS courses provide. “A student came up to me in class and shared that he had taken 4 years of college courses and 4 months of military training, and he hated programming and really wasn't looking forward to sitting in SEC573 for a week with me,” recalls Mark. “But after only four days I had changed his mind about programming. It was fun! He was enjoying the challenges instead of dreading them and said he’d learned more about how to actually use his skills in real world scenarios in 4 days than in all those years of prior training.”

Mark sees information security as the evolution of information technology challenges, moving from making computers do what they’re supposed to do to getting computers to do what they aren’t supposed to do, something that requires constant learning. “Hacker techniques are constantly changing and in a few cases evolving. When I stop learning, I stop being effective,” says Mark.

One of Mark’s most challenging and fulfilling roles was working as the chief information security officer for a midsized media company. “I've always been committed to maintaining a high level of technical proficiency and expertise. Being able to use that in an executive position while leading a talented team, educating my peers on the board, setting strategy, and working to secure the organization was extremely challenging but very fulfilling.”

Mark earned a Master of Science in Information Security Engineering from the SANS Technology Institute, where he currently serves on the faculty. He is the 15th person in the world to receive the prestigious GIAC Security Expert certification (GSE). He also holds GPYC, GXPN, GPEN, GCIA, GCIH, GSEC, GWAPT, and GCPM certifications.

An active participant in the information security community, Mark is the founding president of The Greater Augusta Information Systems Security Association (ISSA) chapter which has been extremely successful in bringing networking and educational opportunities to Augusta information technology workers. He’s also co-founder of the BSidesAugusta Information Security Conference, and has written a number of articles on information security topics.



New tools for your threat hunting toolbox, August 2020

The Hackers Apprentice, May 2020

Check out SEC573! More Python3! More Pywars!, April 2020

SANS Introduction to Python Course, August 2019


TEDxAugusta | Pay no attention to the hacker behind the curtain

Security Weekly #471 - Mark Baggett, SANS

KringleCon - Escaping Python Shells


  • - A Python implementation of EAP authentication cracking.
  • Freq Server - A web server that integrates with SIEM systems and identifies hosts being used for command and control by identifying the domains being used for command and control. The tool uses character frequency analysis to identify random hostnames.
  • Domain Stats - A SIEM integration tool that monitors DNS hostnames used by your network to identify first contact with new domains and contact with new domains that have been established in the last 2 years, effective in identifying malicious actors.
  • API-ify - A web server that provides an API that allows network defenders to consume the output of any Linux-based command and integrate it into their ELK stack, Splunk or other SIEM tools.
  • Reassembler - A tool that allows network defenders to reassemble and view packets using the 5 widely used fragment reassembly policies commonly found in Intrusion Detection Systems.
  • SET-KBLED - A PowerShell script that will allow you to set the keyboard LED color to the color of your Clevo chipset-based keyboard.
  • SRUM-DUMP - A Windows GUI forensics tool that produces an XLSX spreadsheet with detailed information on all processes that have run in the last 30 days on Windows computers.
  • ESE Analyst - A command-line tool that dumps and analyzes databases used on Windows systems that store various forensics information. Plugins are used to dump different types of data.
  • Werejugo - A Windows forensics tool that analyzes the registry, event logs and wireless network configurations to identify physical locations where the laptop has been used.

Mark's Contributions