Robert M. Lee

SANS fellow Robert M. Lee brings to the classroom one of the most valuable and respected of credentials: real-world experience. Robert is the CEO and founder of his own company, Dragos, Inc., that provides cyber security solutions for industrial control system networks. Consider the 2015 attack on the Ukraine power grid when for the first time in history a power grid went down due to an intentional cyberattack. Robert and a few others formed a specialized team to analyze the event and passed information to the impacted parties as well as the U.S. government and private sector. "I was the first in the industry to publicly confirm the attack and wrote the industry standard report on the attack exploring how it occurred, the lessons learned, and what must be done to protect other infrastructure sites," Robert says. He and his team also analyzed the malware from the 2016 cyber attack on Ukraine's Kiev substation and dubbed it CRASHOVERRIDE as the first ever malware tailored to specifically disrupt electric grid operations.

More About Robert M.


That experience is what forms his teaching philosophy. "I make it my teaching philosophy to constantly bring in new material into the classroom through my personal experiences and the successes and failures of those I've seen in the industry," says Robert. This augments the traditional classroom material students receive to ensure they get the most relevant and cutting-edge concepts in the industry. But Robert's real-world experience also keeps things interesting. "I enjoy telling and sharing in case studies and stories from the field, looping in bigger concepts into the technical material, and setting a humorous tone so that no matter the seriousness of the topic we all have fun together."

Robert got his start in information security making small control systems for humanitarian missions. He joined the United States Air Force and became a cyberspace warfare operations officer in the U.S. intelligence community. In that role, he created and led a mission examining nation-states targeting ICS, the first mission of its kind in the U.S. intelligence community. For Robert, that intermixing of defense, intrusion analysis, and threat intelligence provided the ultimate thrill.

Robert has worked offense, defense, and intelligence in various government teams. "My time on the offense helped me better appreciate defense and how sometimes we simply get it wrong: defense is not necessarily harder than offense and there are many opportunities we have to defend and make the world a better place," he says.

Robert joined SANS for myriad reasons. He had long been aware of the organization, and followed the career and workings of SANS fellow and DFIR curriculum lead Rob Lee. Also, ongoing encouragement to attend SANS conferences and consider teaching from a number of friends and colleagues such as Dave Shackelford convinced him to give it SANS a shot. His first pitch - a five-day class on identifying and responding to industrial control systems (ICS) attacks - was well-received, and as Robert says, "the rest is history." Today he teaches SANS ICS515: ICS Visibility, Detection, and Response, the industry's first and only incident response and threat hunting class for ICS and FOR578: Cyber Threat Intelligence, the industry standard course for threat intelligence training. "The SANS family is amazing, the students are world class, and teaching is what keeps me constantly refreshed and excited in the industry."

In fact, authoring ICS515 and FOR578 have been highlights in his career, Robert says. Industrial control system security as well as cyber threat intelligence are both exciting topics that receive a lot of hype and misconceptions. "I love destroying hype while giving the students the most blunt and actionable information possible," Robert explains, adding that his experiences "gives me a robust view into the problem space and the solutions needed at various levels. My experiences and hard work have afforded me the chance to significantly advance students' skill sets and the way they view the problem."

Central to helping students succeed in their day-to-day careers is ensuring that they understand the big picture, Robert says. That's more than just understanding what command to run on a specific tool or how to use that tool during an incident. Its' about know the larger context of a security strategy is, all its moving pieces, and how to use analysis to help fill knowledge gaps. "This ensures that students who take my classes are not only technically prepared but are also prepared to think differently about the hard challenges their organizations must face when facing the adversary," says Robert.

Robert has a master's degree in cybersecurity and computer forensics from Utica College as well as cyber and warfare training through the U.S. Air Force, and he's pursuing his doctorate in war studies from King's College London. Robert is a faculty member of the SANS Technology Institute, an NSA Center of Academic Excellence in Cyber Defense and multiple winner of the National Cyber League competition. He was named one of Forbes' 30 under 30 in Enterprise Technology in 2016, was awarded EnergySec's 2015 Cyber Security Professional of the Year and named one of Passcode's "Influencers."

Outside of teaching, Robert enjoys running his company Dragos and working with customers in the industrial community. "It allows me to constantly stay relevant, challenge and grow my skills, and directly help people." He also enjoys writing papers and blogs for the industry, and looks for opportunities to travel, snowboard, and play a Steam game or two whenever he can.

Qualifications Summary

Get to Know Robert M. Lee

Publications and Papers

Awards and Honors

  • 2016: Forbes' 30 under 30 in the area of Enterprise Technology
  • 2015: Energy Sector Cyber Security Professional of the Year, awarded by EnergySec
  • 2014: Colonel Sparky Baird Award, awarded by AFCEA
  • 2014: Air Force Association Gill Robb Wilson Award - Air Force Nominee
  • 2013: Air Force Association Gill Robb Wilson Award - Air Force Nominee
  • 2013: AF Information Dominance Award for Outstanding Cyberspace Operations CGO - 693 ISR Gp
  • 2013: Junior Officer (Operator Category) of the Year - Europe/Africa
  • 2013: Military Performer of the Year - Threat Operations Center
  • 2013: CGO of the Year - 693d ISR Gp
  • 2012: Distinguished Young AFCEAN Officer - Central Europe
  • 2012: Outstanding ISR Officer Contributor of the Year - 693rd ISR Group
  • 2011: AFCEA Intelligence Professional of the Year - 693 ISR Group

Robert M.'s Contributions