Ryan Nicholson

Ryan's passion for information technology started in 2001 when he found himself constantly trying to make his high school's computers and even calculators do things that they weren't exactly intended to do. They lacked games, so he learned how to create some. Yes, some may call this hacking. Ryan called it "fun", which led to attending college with intentions of becoming a software engineer. During school, Ryan obtained an internship with a very cybersecurity-minded organization -- the Defense Information Systems Agency (DISA). Ever since then, he’s been hooked on cybersecurity. Ryan is the author of SEC488: Cloud Security Essentials and co-author of SEC541: Cloud Security Attacker Techniques, Monitoring, and Threat Detection.

More About Ryan


Ryan found out during his first job out of college that, with great technology comes great responsibility. He started working as a system administrator (as most tech careers start) for the US Department of Defense and quickly took on a more security-focused role as the field office's Network Security Officer. It didn't stop there. After addressing the security and compliance needs of the small field office, Ryan took his knowledge on the road and became what most organizations dread - a cybersecurity lead auditor.

After a few years of helping transform the DoD to a better, safer place, Ryan moved on from government service to address the larger issue at hand - security awareness. This was addressed by creating and teaching cybersecurity-focused courses for the DoD's system administrators and analysts. Students loved Ryan's teaching style and this led to his interest in becoming a SANS instructor.  “The look on a student's face when the "lightbulb lights up" is magical. I feel that we, as a community, need to groom better defenders and teaching for SANS is the best way to help ensure that happens.” – Ryan Nicholson

Ryan then passed his courseware to other colleagues to "carry the torch" and moved on to another new area into which the industry is heading - cloud security. As the lead cybersecurity engineer for a major DoD cloud project, he constantly learned new and exciting methods to ensure that information systems in both off- and on-premise environments can be adequately defended. He continues to provide support to this government contractor, but has moved his "day job" to support SANS Institute full time as a senior technical advisor for Blue Team Operations. If you've taken the most current version of a Blue Team course (or the latest version of Cyber Defense NetWars), chances are Ryan has put his hands on it in some way to ensure the student is receiving an excellent and relevant training experience.

A particular point of pride for Ryan was when he was the Senior Cybersecurity Engineer for Tapestry Technology's Cloud Team.  He was solely responsible for all things cybersecurity in a rather large environment that supported several very important clients responsible for the US Department of Defense's sensitive information. Not only was that a huge undertaking, but additionally there was recent guidance to move DoD applications to the cloud which meant his team was a huge part of the transition to ensure adequate protection of this sensitive information. It was a massive responsibility requiring Ryan to become well-versed in all things cloud.

As a blue teamer for over 15 years, Ryan has held several positions that relate to the vast majority of potential students that come to the classroom - making him very relatable. From system administrators to engineers, architects, analysts, and management, he’s shared many of their struggles and provides takeaways from the classes he teaches and authors. That, combined with his eagerness to constantly learn and keep informed of the most recent industry issues and trends, ensures his delivery is never in danger of being stale or unrelatable.

Staying abreast of the current threats that face defenders is a challenge in and of itself. However, based upon his experience in the field, he feels the biggest challenge students often face is influencing change in their organizations. These changes are often required to avoid the never-ending "cat and mouse" game of discovering an issue and addressing it without addressing the underlying issues. When Ryan teaches, he not only ensures that students absorb as much of the material as possible, but also provides methods for influencing positive change, using "war stories" of how he handled massive issues in organizations and convinced senior leadership to move in a particular direction so that these issues are not repeated (or repeated less often) in the future.

Ryan’s philosophy as an instructor is to provide students with the tools and mindset required to be successful defenders, combating the ever-changing attack methodologies that threaten their current or future organization. His unique background across several previous job roles, as well as a passion to evolve and become a better defender himself, allows him to relate to several students and go deep on particular topics that resonate well with the audience.

Ever since Ryan was ten years old, he has been enthralled with creating and performing music. It takes him to a peaceful place where you will not find hackers, nation state adversaries, or malware. When he’s not working or teaching for SANS, or researching all things cybersecurity, you will often find him playing the guitar with a huge smile on his face.

Ryan holds a Masters in Cybersecurity and Information Assurance through WGU, has picked up a number of industry certifications, and is constantly trying to expand his technical and cybersecurity expertise. These certifications include GIAC's GDSA, GWAPT, GCIH, GSLC, and GSEC; Offensive Security's OSCP; ISC2's CISSP; EC Council's CEH and CHFI; and AWS' Certified Solutions Architect Associate. While at the Defense Information Systems Agency, Ryan was awarded several appreciation awards for his work leading various projects to support the warfighter.

Listen to Ryan discuss Lift and Shift cloud applications here: