Steve Armstrong-Godwin

Steve Armstrong-Godwin’s career began more than 25 years ago when he joined the UK Royal Air Force (RAF), bringing with him a love of IT and a desire to protect others. When the opportunity to move into information security presented itself, Steve jumped at the chance, eventually leading the RAF's penetration and TEMPEST testing teams and having some memorable work experiences along the way. “There’s nothing quite like securing wireless networks under attack while in a warzone with full body armour, loaded weapons, and hacking gear in 50+ degree centigrade heat,” he recalls. Steve is the author of the new LDR553: Cyber Incident Management course and can be found teaching SEC504: Hacker Tools, Techniques, and Incident Handling.

More About Steve

Upcoming Courses


After retiring from active RAF duty, Steve founded Logically Secure in 2006 to provide specialist security advice to government departments, defence contractors, the online video gaming industry, and music and film labels worldwide. Steve directed the development of the company’s own internally developed incident response platform, CyberCPR, while also coordinating the delivery of penetration testing and consultant services throughout the world.

In 2004, Steve started to teach for SANS, starting with Community instruction of SEC504.He saw this as a way of helping others, and giving back to the community as he loved “seeing that magical look on people’s faces when they get an earth shattering concept for the first time.”

Having supported them for over 7 years as a contractor, Steve sold his company in 2018 and took a full time position at Electronic Arts (EA Games) where he was the Director of Incident Response.There he led the more complex incidents relating to FIFA, Apex Legends, SIMS4, Need for Speed and the Battlefield franchises. He recalls the professional challenges as the Incident Commander during the publicly reported 2021 compromise and data leak. Working with various Law Enforcement departments they managed to identify the culprits and secure arrests. Finally, as a diligent investigator Steve worked as part of a multi-disciplined team including Game Studio and Platform security staff that identified Apex game lead sources and successfully shut them down.

In mid 2022 Steve left EA and moved into the Finance Sector as he sought new challenges and hands on understanding of technical risk management in a highly regulated industry.

As an instructor, Steve brings years of experience working in a variety of situations, and a good dose of fun, to the classroom. “I've dealt with incidents at scale and for always-on organizations. I have worked on various sized incidents ranging in size from small incidents with one of two systems to huge, advanced incursions with around 1500 systems compromised. I've also helped small organizations with limited tools and almost zero budget to improve visibility and response times,” he says. He loves teaching the technical aspects of IR on the SEC504 and the management aspects of dealing with major incidents in LDR553; the latter being built upon his many years in the field leading incident teams dealing with major and critical level breaches and attacks.

Steve can be found teaching LDR553:Cyber Incident Management and periodically SEC504: Hacker Tools, Techniques, Exploits, and Incident Handling.

A frequent speaker at Steelcon, and DefCon (Group DC441452), Steve holds GCIH, GPEN, GCFA, GCDA, GYPC and CISSP certifications. He has appeared on national television and radio discussing cyber security, is regularly quoted in the press. Steve is also is also a faculty member of the SANS Technology Institute, an NSA Center of Academic Excellence in Cyber Defense and multiple winner of the National Cyber League competition.

When he’s not working and teaching, you’ll find Steve playing Apex Legends or TitanFall2, tinkering with home automation or tending to his beehives.

Qualifications Summary


  • GCIH (GIAC Certified Incident Handler)
  • GCFA (GIAC Certified Forensic Analyst)
  • GCDA (GIAC Certified Detection Analyst)
  • GPEN (GIAC Penetration Tester)
  • GPYC (GIAC Python Coder)
  • Former CISSP (Certified Information Systems Security Professional)



CIMTK: Third-Party/Supply Chain Incident Management Plan



A small blog at