
What is Purple Team? Updates to SEC599

  • Wednesday, June 20th, 2018 at 11:00 AM EDT (15:00:00 UTC)
  • Chris Gates, Erik Van Buggenhout and Stephen Sims
This webcast has been archived. You can view the webcast presentation and download the slides by logging into your SANS Portal Account or creating an Account.


After seeing so many blue teamers take a penetration testing course, authors Stephen Sims and Erik Van Buggenhout created SANS' first Purple Team course, SEC599: Defeating Advanced Adversaries - Purple Team Tactics and Kill Chain Defenses. But what is Purple Teaming? Does 1+1=3 here?

"In my experience, after years of teaching penetration testing classes for SANS, over half of the students in each class are not actually penetration testers. In fact, they most often worked in a defensive role and were coming to these courses to learn about the techniques used by attackers so that they could better defend their networks," says SANS Fellow Stephen Sims.

"Single, stand-alone solutions, tools, and techniques will only get us so far," comments course author and instructor Erik Van Buggenhout. "If we want to stop advanced adversaries effectively, we have to ensure we have an in-depth approach to defense where we can implement security controls that counter each and every one of their attacking moves."

The newly updated SEC599 course contains over 20 hands-on labs, culminating in a full-day Defend the Flag exercise. Get an in-depth understanding of purple team tactics and how to implement kill chain defenses in order to defeat the adversary. This webcast will review what Purple Teaming is, team exercises, and new updates to the course. We'll reserve time at the end for webcast attendees to ask SANS authors Stephen Sims and Erik Van Buggenhout questions about the APT cycle, Purple Team and the newly updated SEC599.

Speaker Bios

Chris Gates

Chris Gates (@carnal0wnage) has been breaking things professionally for over a decade via Network & Web Application Penetration Testing, Red Teaming & Adversarial Simulation. These days Chris splits his time being both a breaker and fixer. Chris is the author of Metta, a tool for adversarial simulation, co-author of WeirdAAL, a tool for AWS reconnaissance, and a contributor to other open source projects. Chris has spoken at the United States Military Academy, BlackHat, DefCon, Wild West Hacking Fest, Toorcon, Brucon, Troopers, SOURCE Boston, Derbycon, LasCon, HashDays, HackCon, Bsides ATL, YSTS, IT Defense, OWASP AppSec DC, and Devops Days. Chris is also a cofounder of NoVAHackers.

Erik Van Buggenhout

Erik Van Buggenhout is the lead author of SEC599 - Defeating Advanced Adversaries. In addition to SEC599, Erik teaches SEC560 - Network Penetration Testing & Ethical Hacking and SEC542 - Web Application Penetration Testing & Ethical Hacking. He has been involved with SANS since 2009, first as a Mentor, working his way to Community Instructor in 2012 and finally becoming a Certified Instructor in 2016.

Erik loves explaining deeply technical concepts by using war stories, adding a few funny anecdotes here and there. As a testament to his technical expertise, he has obtained the GSE, GCIA, GNFA, GPEN, GWAPT, GCIH, and GSEC certifications.

In addition to his work with SANS, Erik is the co-founder of Belgian cyber security firm NVISO, which focuses on high-end cyber security services, specializing in government, defense and the financial sector. Together with his team of 20+ technical experts, Erik delivers a wide array of technical security services, including penetration testing, security monitoring & incident response.

Stephen Sims

Stephen Sims is an industry expert with over 15 years of experience in information technology and security. Stephen currently works out of San Francisco as a consultant. He has spent many years performing security architecture, exploit development, reverse engineering, and penetration testing. Stephen has an MS in information assurance from Norwich University and is a course author and senior instructor for the SANS Institute. He is the author of SANS' only 700-level course, SEC760: Advanced Exploit Development for Penetration Testers, which concentrates on complex heap overflows, patch diffing, and client-side exploits. Stephen is also the lead author on SEC660: Advanced Penetration Testing, Exploits, and Ethical Hacking and co-author of SEC599: Defeating Advanced Adversaries - Purple Team Tactics & Kill Chain Defenses. He holds the GIAC Security Expert (GSE) certification as well as the CISSP, CISA, Immunity NOP, and many other certifications. In his spare time Stephen enjoys snowboarding and writing music.
