SANS currently offers two purple team courses that enable red and blue teams to collaborate and work together more effectively -- SEC599: Defeating Advanced Adversaries - Purple Team Tactics & Kill Chain Defenses, and SEC699: Purple Team Tactics - Adversary Emulation for Breach Prevention & Detection.

Although the emphasis of both courses is on purple teaming, adversary emulation, and detection, there are several important differences security professionals should be aware of when evaluating which course is right for them. The purpose of this brief FAQ is to answer questions and guide you through the process of understanding the focus, differences, and similarities of the two courses.

What is the focus of SEC599?

  • The first step into purple teaming
  • Emulation and implementation of controls (prevention)
  • More focused on blue team/defense

What is the focus of SEC699?

  • Advanced purple teaming techniques
  • Mimic real-world threat actors to develop breach detection rules
  • Heavily focused on adversary emulation for data breach prevention
  • Utilizes Ansible for automated lab deployment

How are the courses similar?

Both courses draw on red and blue team tactics in equal measure, so that students from either side build a shared understanding of adversary behavior and can use that common language to improve the security posture of their organization.

Both courses cover a variety of purple teaming tools and techniques. For example:

  • Modern enterprise controls affecting credentials in memory
  • Network traffic interception and protocol

How are the courses different?

Although both courses emphasize purple teaming, they approach it from different perspectives, with distinct goals and objectives. The goal of SEC599 is to introduce students to the security controls used to stop, detect, and respond to adversaries. The goal of SEC699, on the other hand, is to teach students how adversarial techniques are emulated in practice and how that emulation is used to build and validate detections.

  • SEC599 is 20% emulation, 30% detection, and 50% prevention
  • SEC699 is 70% emulation and 30% detection, meant for a more experienced and advanced student

While there are no prerequisite courses for SEC599 or SEC699, students may want to confirm they have the underlying red and blue team knowledge that will help them succeed in either course. The following courses are good starting points:

Red Team Skills

  • If you are more interested in incident handling, start with SEC504
  • If you need to develop your penetration testing skills, start with SEC560 or SEC564

Blue Team Skills

  • If you want to enhance your prevention and detection skills, start with SEC511 or SEC555
  • If you are interested in security architecture, start with SEC530
  • If you need a well-rounded deep dive into several areas such as architecture, pen test, malware analysis, and incident response, consider SEC501

I've taken SEC599, should I take SEC699?

SEC699 was designed as the natural progression for students who have already taken SEC599 and want to go more in depth with the tools and techniques used in professional adversary emulation for breach prevention and detection. SEC699 does not recycle SEC599 material; it is a separate course with an entirely different set of slides and exercises, and a different balance of lecture to hands-on work:

  • SEC599 - 50% Lecture, 50% Hands-On Labs
  • SEC699 - 30% Lecture, 70% Hands-On Labs

Where can I get more information about each course?

I am looking for purple team resources...

Visit our purple team page for a selection of valuable resources, including information about related GIAC certifications, informative webcasts on a variety of purple team topics, and educational blogs.