Ryan Chapman

Ryan has worked in the Digital Forensics & Incident Response (DFIR) realm for over 10 years. He is the author of the new SANS course on ransomware FOR528: Ransomware for Incident Responders and he has also taught the SANS FOR610: Reverse Engineering Malware. During his career, Ryan has worked in Security Operations Center and Cyber Incident Response Team roles that handled incidents from inception through remediation. With Ryan, it's all about the blue team, including sifting through Packet Captures, researching domains and IPs, hunting through log aggregation utilities, analyzing malware, and performing host and network forensics.

More About Ryan


Prior to moving to security, Ryan worked as a technical trainer for over five years. His stint as a full-time trainer prepared him for the rigors of life-long learning. He loves training and often assists with training development.

One of Ryan’s primary interests in the security realm is the exciting world of reverse engineering. “Malware has become pervasive,” he says, “and I relish in the ability to dissect, understand, and protect against evolving threats." Ryan loves finding all the new tricks that malware authors use to circumvent security appliances.

Ryan’s current passion is researching ransomware in order to help as many people as possible learn to deter, detect, and respond to it. In preparing the upcoming forensics course for SANS, FOR528: Ransomware for Incident Responders, Ryan is drawing on his extensive expertise with ransomware incidents. The course will feature numerous lab and Capture-the-Flag exercises and provides tools that can be used to share and collaborate on hunting queries between entities and disparate systems.

"When it comes to ransomware, the primary blocker for students will most likely be realizing that early detection often requires hunting," Ryan explains. "Many DFIR students who take the FOR528 course may not have experience with hunting, so the concept is simply new to them. We are not relying on alerting systems. We are relying on our ability to seek out and hunt the adversary within our own networks."

Ryan's association with SANS began when he took a course in 2013, a path that eventually led to him becoming a course instructor and author.

"These days it’s difficult to have a conversation concerning DFIR without referencing SANS in some way, shape, or form,” he says. “The power of SANS isn’t just behind the courses, but rather behind the family as a whole. The course authors, instructors, and folks in all other departments have come together to create an ever-evolving beast of a training institute."

As a teacher Ryan wants his students to walk away with a full understanding of the content covered in class. "I don’t want to teach people how to push buttons to get bananas. I aim for every student to understand the ‘why’ behind the ‘how.’ I want to ensure that students leave the class knowing why we look for VirtualAlloc and VirtualProtect calls in packed malware samples. I want my students to know WHY these are important function calls," he says.

Ryan also wants students to realize their potential for mastering the topics covered in class. "Be it general malware or ransomware analysis, I strive to instill confidence in my students. We learn the foundations of advanced topics. But these things are doable outside of the classroom, even at their daily jobs. My classes aren’t magical adventures that end when the class ends. Rather, these are skills that can be translated to the daily lives of every student."

When teaching FOR610 Ryan often stays after class on the day they cover the stack in order to discuss the topic in more detail using additional samples. Ryan even provides students with a recording of himself going over this content. He also provides additional resources such as vetted and trusted YouTube videos and articles that cover the stack in slightly different ways. "I tell any student struggling with the concept that it’s all about the practice and recognition of how the stack works. Thus, I provide plenty of samples to ensure that if they put in the time, the concept will solidify for them."

Ryan also leads a hacker and security conference in Arizona called CactusCon. Outside of work, he enjoys watching anime with his daughter and playing retro games.

Qualifications Summary:

  • More than 10 years of experience in incident response, digital forensics investigations (host- and network-based forensics), and malware analysis
  • Seasoned speaker at technical conferences including DefCon, various BSides events, CactusCon, Splunk Conference, and more
  • Lead organizer for CactusCon, Arizona’s hacker/security conference
  • Author of several PluralSight.com training courses

Ryan's Workshops, Blog Posts, Podcasts and Livestreams:

Get to Know Ryan Chapman:

  • 1st Place in SOCX Professional SOC Team Work Championship 2021 (team)
  • 1st Place in Network Forensics Puzzle Contest at DefCon 23 and DefCon 22 (team)
  • Master’s of Information Assurance from a NSA-certified Regis University
  • GIAC Reverse Engineering Malware (GREM)
  • GIAC Defending Advanced Threats (GDAT)
  • GIAC Certified Incident Handler (GCIH)
  • Splunk Certified Admin and Power User
  • CompTIA Securtiy+ and Linux+
  • Certified Linux Server Professional (LPIC-1)
Learn more about Ryan at his website: https://incidentresponse.training/