SANS offers multiple purple team courses that enable information security teams to collaborate and work together more effectively:

• SEC504: Hacker Tools, Techniques, and Incident Handling
• SEC599: Defeating Advanced Adversaries - Purple Team Tactics & Kill Chain Defenses
• SEC699: Purple Team Tactics - Adversary Emulation for Breach Prevention & Detection

A common theme you will hear in all these courses is that offense informs defense and defense informs offense. That means both Blue Teamers and Red Teamers will find these courses valuable. The purpose of this brief FAQ is to help you pick which purple team course is right for you!

• What is the focus of SEC504?
• What is the focus of SEC599?
• What is the focus of SEC699?
• How are the courses similar?
• How are the courses different?
• Are there prerequisites?
• I've taken SEC599, should I take SEC699?
• Additional Purple Team Resources

What is the focus of SEC504?

• Prepares you to respond to incidents for on-premises and cloud systems
• Better defense through offense: effectively respond to incidents by understanding real attacker tools and techniques
• Integrated with MITRE ATT&CK framework for consistency and validation of techniques
• Highlights the attacks and defenses needed with Defense Spotlight modules
• 50% of class time in hands-on labs that are forever available to students

What is the focus of SEC599?

• Introduce students to security controls aimed at preventing, detecting, and responding to the most common adversarial attacks
• Understand how recent high-profile attacks were delivered and how they could have been prevented
• Learn how to emulate those attacks
• Implement security controls throughout the different phases of the Cyber Kill Chain and the MITRE ATT&CK framework to prevent, detect, and respond to attacks

What is the focus of SEC699?

• Heavily focused on advanced adversary emulation for detection and response
• Educate advanced students on how adversarial techniques can be emulated and detected
• Advanced purple teaming techniques including bypassing preventive controls
• Developing detection rules for those advanced techniques and procedures

How are the courses similar?

All SANS courses are developed by industry leaders with multiple years of experience in offense and defense. The courses all map to industry leading frameworks like the Cyber Kill Chain and MITRE ATT&CK to cover a variety of tools, tactics, techniques, and procedures. All courses train students to operate in modern enterprise environments with extensive hands-on lab exercises. Day 6 of each course is a capstone where students compete to win the respective challenge coin!

How are the courses different?

• SEC504 is 70% attack and 30% incident handling. SEC504 is meant to propel students into various specializations in information security.
• SEC599 is 50% prevention, 30% detection, and 20% attack emulation. SEC599 is more advanced than SEC504 and focuses on implementing preventive controls against some of the most common adversary tactics, techniques, and procedures.
• SEC699 is 70% attack emulation and 30% detection. SEC699 is a 600-level advanced purple team course focused on understanding threat emulation and detecting attacks that cannot be prevented.

Are there prerequisites?

While none of the courses have required prerequisites, the most successful students take SEC504,  then SEC599 and then SEC699. However, if you have experience you may be able to skip those courses. Depending on your background and experience, you may want to consider the below courses as well:

• If you need a well-rounded deep dive into several areas such as architecture, penetration testing, malware analysis, and incident response, consider SEC501
• If you are more interested in incident handling, start with SEC504
• If you need to develop your penetration testing or red team skills, start with SEC560 or SEC565 respectively

• If you want to enhance your prevention and detection skills, start with SEC511 or SEC555

I've taken SEC599, should I take SEC699?

Yes! SEC699 was designed as the perfect progression for people who have already taken SEC599 and are looking to go more in-depth with the tools used in professional adversary emulation and detection. SEC699 does not recycle SEC599 material; it is a different course with an entirely different set of courseware and exercises.

I am looking for purple team resources...

Visit our SANS Purple Team page for a selection of valuable resources, including information about related GIAC certifications, informative webcasts on a variety of purple team topics, and educational blogs.