SANS currently offers two purple team courses that enable red and blue teams to collaborate and work together more effectively -- SEC599: Defeating Advanced Adversaries - Purple Team Tactics & Kill Chain Defenses, and SEC699: Purple Team Tactics - Adversary Emulation for Breach Prevention & Detection.
Although the emphasis of both courses is on purple teaming, adversary emulation, and detection, there are several important differences security professionals should be aware of when evaluating which course is right for them. The purpose of this brief FAQ is to answer questions and guide you through the process of understanding the focus, differences, and similarities of the two courses.
What is the focus of SEC599?
- The first step into purple teaming
- Emulation and implementation of controls (prevention)
- More focused on blue team/defense
What is the focus of SEC699?
- Advanced purple teaming techniques
- Mimic real-world threat actors to develop breach detection rules
- Heavily focused on adversary emulation for data breach prevention
- Utilizes Ansible for automated lab deployment
How are the courses similar?
Both courses draw equally on red and blue team tactics to build a common adversary language shared by both sides and to improve the organization's security posture.
Both courses cover a variety of purple teaming tools and techniques. For example:
- Modern enterprise controls affecting credentials in memory
- Network traffic interception and protocol
How are the courses different?
Although both courses emphasize purple teaming, they cover it from completely different perspectives, with varying course goals and objectives. The goal of SEC599 is to introduce students to security controls aimed at stopping, detecting, and responding to adversaries. The goal of SEC699, on the other hand, is to educate students on how adversarial techniques can be emulated and detected.
- SEC599 is 20% emulation, 30% detection, and 50% prevention
- SEC699 is 70% emulation and 30% detection, meant for a more experienced and advanced student
While there are no prerequisite courses for SEC599 or SEC699, students may want to make sure they have the underlying knowledge that will give them the best chance of success in SEC599 and SEC699.
Red Team Skills
- If you are more interested in incident handling, start with SEC504
- If you need to develop your penetration testing skills, start with SEC560 or SEC564
Blue Team Skills
I've taken SEC599, should I take SEC699?
SEC699 was designed as the perfect follow-up/progression for people who have already taken SEC599 and are looking to go more in-depth with the tools used in professional adversary emulation for breach prevention and detection. SEC699 does not recycle SEC599 material; it is a different course with an entirely different set of slides and exercises.
- SEC599 - 50% Lecture, 50% Hands-On Labs
- SEC699 - 30% Lecture, 70% Hands-On Labs
Where can I get more information about each course?
I am looking for purple team resources...
Visit our purple team page for a selection of valuable resources, including information about related GIAC certifications, informative webcasts on a variety of purple team topics, and educational blogs.