
DFIR Summit & Training 2025

  • Thu, Jul 24 - Thu, Jul 31, 2025
  • 9 Courses
  • 12 CPEs (Summit Only)
  • 1 Tournament
  • English
Salt Lake City, UT & Virtual (MT)
75 South West Temple, Salt Lake City, UT

Summit and Course Registration

from $6,995 USD
In person includes:
  • Course: Live Instructor Training with Hands-on Exercises
  • Course: DFIR NetWars Tournament with purchase of a course
  • Summit: Talks, Presentations and Workshops
  • Summit: DFIRBytes: Hands-On Simulation
  • Summit: Best Corporate Feud: A fast-paced, game show-style competition
  • Summit: Access to Summit Exhibit Hall
Live online includes:
  • Course: Virtual Live Instructor Training with Hands-on Exercises
  • Summit: Select Talks and Content
  • Summit: Interactive Chat on Slack

Summit Registration Only

from Free
$525 USD
*Prices exclude applicable local taxes
In person includes:
  • Free Lunch and Snacks
  • DFIRBytes: Hands-on Simulation
  • Best Corporate Feud — a fast-paced, game show-style competition
  • Access to Exhibit Hall
Free
Live online includes:
  • Interactive Chat on Slack
  • Talks and Sessions
Important Dates
Refund Deadline:
Hotel Group Discount Deadline:

Courses


FOR508: Advanced Incident Response, Threat Hunting, and Digital Forensics

Intermediate
FOR508 | Digital Forensics and Incident Response
  • GIAC Certified Forensic Analyst
  • 6 Days
  • 36 CPEs
  • Eric Zimmerman
  • Starts 26 Jul 2025 at 8:30 AM MT
  • $8,780 USD (Course)
  • $999 USD (Certification)
  • *Prices exclude applicable local taxes

Log in to register: In-Person, Virtual

FOR610: Reverse-Engineering Malware: Malware Analysis Tools and Techniques

Advanced
FOR610 | Digital Forensics and Incident Response
  • GIAC Reverse Engineering Malware
  • 6 Days
  • 36 CPEs
  • Evan Dygert
  • Starts 26 Jul 2025 at 8:30 AM MT
  • $8,780 USD (Course)
  • $999 USD (Certification)
  • *Prices exclude applicable local taxes

Log in to register: In-Person, Virtual

FOR500: Windows Forensic Analysis

Essentials
FOR500 | Digital Forensics and Incident Response
  • GIAC Certified Forensic Examiner
  • 6 Days
  • 36 CPEs
  • Mari DeGrazia
  • Starts 26 Jul 2025 at 8:30 AM MT
  • $8,780 USD (Course)
  • $999 USD (Certification)
  • *Prices exclude applicable local taxes

Log in to register: In-Person, Virtual

FOR572: Advanced Network Forensics: Threat Hunting, Analysis, and Incident Response

Advanced
FOR572 | Digital Forensics and Incident Response
  • GIAC Network Forensic Analyst
  • 6 Days
  • 36 CPEs
  • Philip Hagen
  • Starts 26 Jul 2025 at 8:30 AM MT
  • $8,780 USD (Course)
  • $999 USD (Certification)
  • *Prices exclude applicable local taxes

Log in to register: In-Person, Virtual

FOR509: Enterprise Cloud Forensics and Incident Response

Intermediate
FOR509 | Digital Forensics and Incident Response
  • GIAC Cloud Forensics Responder
  • 6 Days
  • 36 CPEs
  • Pierre Lidome
  • Starts 26 Jul 2025 at 8:30 AM MT
  • $8,780 USD (Course)
  • $999 USD (Certification)
  • *Prices exclude applicable local taxes

Log in to register: In-Person, Virtual

FOR608: Enterprise-Class Incident Response & Threat Hunting

Intermediate
FOR608 | Digital Forensics and Incident Response
  • GIAC Enterprise Incident Responder
  • 6 Days
  • 36 CPEs
  • Mike Pilkington
  • Starts 26 Jul 2025 at 8:30 AM MT
  • $8,780 USD (Course)
  • $999 USD (Certification)
  • *Prices exclude applicable local taxes

Log in to register: In-Person, Virtual

FOR528: Ransomware and Cyber Extortion

Intermediate
FOR528 | Digital Forensics and Incident Response
  • 4 Days
  • 24 CPEs
  • Ryan Chapman
  • Starts 26 Jul 2025 at 8:30 AM MT
  • $6,995 USD (Course)
  • *Prices exclude applicable local taxes

Log in to register: Virtual

FOR577: LINUX Incident Response and Threat Hunting

New | Intermediate
FOR577 | Digital Forensics and Incident Response
  • GIAC Linux Incident Responder
  • 6 Days
  • 36 CPEs
  • Tarot Wake
  • Starts 26 Jul 2025 at 8:30 AM MT
  • $8,780 USD (Course)
  • $999 USD (Certification)
  • *Prices exclude applicable local taxes

Log in to register: In-Person, Virtual

FOR589: Cybercrime Investigations

Major Updates | Intermediate
FOR589 | Digital Forensics and Incident Response
FOR589: Cybercrime Intelligence
  • 5 Days
  • 30 CPEs
  • Kevin Ripa & Sean O'Connor
  • Starts 26 Jul 2025 at 8:30 AM MT
  • $8,260 USD (Course)
  • *Prices exclude applicable local taxes

Log in to register: In-Person, Virtual

Schedule

Summit Dates

Thursday 24th July & Friday 25th July

Training Dates

Saturday 26th July - Thursday 31st July


Welcome & Opening Remarks

Summit Day 1, 08:45AM - 09:00AM MDT
In-Person & Virtual

Keynote

More details to come

Summit Day 1, 09:00AM - 09:45AM MDT

Break

Summit Day 1, 09:45AM - 10:00AM MDT
In-Person & Virtual

A North Korean Cyber Operation: Exposing ARP-Based Covert C2s, WebSocket Malware, and Video Conference Software Abuse

This research uncovers a real-world covert remote-control system designed by a North Korean IT worker, who was caught operating within an unsuspecting organization.

Summit Day 1, 10:00AM - 10:35AM MDT
In-Person & Virtual

macOS Lockdown Mode: A DFIR Odyssey

With increasing cyber threats, Apple introduced a robust security feature known as "Lockdown Mode." This session delves into the intricacies of Lockdown Mode, exploring its purpose and evolution.

Summit Day 1, 10:00AM - 10:35AM MDT
Virtual

Playbook Power-Up: Applying Modular Design to Maintain IR Playbooks at Scale

With only 23% of surveyed security professionals stating their incident response (IR) playbooks are updated frequently enough to keep up with best practices, a new approach is needed to “power up” the way organizations maintain their playbooks.

Summit Day 1, 10:35AM - 11:10AM MDT
In-Person & Virtual

Backdoors & Breadcrumbs: How Threat Actors Persist In Your Microsoft 365

Threat actors don’t just break in, they find creative ways to remain persistent. In this session, we will explore persistence techniques used in real-life Microsoft 365 incidents and how to identify them in your environment.

Summit Day 1, 10:35AM - 11:10AM MDT
Virtual

Think Like an Examiner: Strengthening Your Forensic & Response Mindset

Cybersecurity professionals are often faced with complex, high-stakes investigations where quick decision-making and investigative accuracy are critical.

Summit Day 1, 11:10AM - 11:45AM MDT
In-Person & Virtual

From Identity Admins to Cloud Compromise: Detecting Modern Ransomware Attacks in the Financial Sector

Human-operated ransomware groups have increased their focus on cloud environments, targeting identity administrators and cloud misconfigurations to gain persistent access.

Summit Day 1, 11:10AM - 11:45AM MDT
Virtual

Investigating a Malicious Script in Microsoft Intune: A DFIR Case Study

The proliferation of cloud-based solutions has significantly transformed the landscape of enterprise security, with Microsoft Intune emerging as a pivotal tool for device and application management.

Summit Day 1, 11:45AM - 12:20PM MDT

DFIR Bytes

DFIR Bytes are digital forensics and incident response case simulations that provide a real-world investigative experience.

Summit Day 1, 11:45AM - 03:00PM MDT
In-Person

Lunch

Summit Day 1, 12:20PM - 01:30PM MDT
In-Person

MDR to IR Handoffs: Stick The Landing

Security leaders and teams rely on MDR providers to deliver 24/7 monitoring of security events, augment the expertise of internal SOC analysts, assist with or perform response actions, and offer assurance that adversaries are not present in the environment through threat hunting.

Summit Day 1, 01:30PM - 02:05PM MDT
In-Person & Virtual

Making Sense of the Chaos: When to Conduct Structured and Unstructured Threat Hunts

Making Sense of the Chaos explores two distinct threat hunting approaches: structured, hypothesis-driven hunts, and unstructured hunts, where data leads the way.

Summit Day 1, 02:05PM - 02:40PM MDT
In-Person & Virtual

Does Slicing Onions Make You Cry - Forensic Analysis of TAILs

Adversaries leverage the TAILs (The Amnesic Incognito Live System) operating system for conducting criminal activity.

Summit Day 1, 02:40PM - 03:15PM MDT
In-Person & Virtual

Break

Summit Day 1, 03:15PM - 03:25PM MDT
In-Person & Virtual

Ensuring Data Integrity in Incident Response: Tools and Techniques for Forensically Sound Log Extraction

Logs are foundational to nearly all DFIR engagements, yet reliably extracting logs from sources such as network appliances, SaaS applications, and cloud environments can be challenging.

Summit Day 1, 03:25PM - 04:00PM MDT
In-Person & Virtual

Finding Relevant Alerts, Events and Logs

In modern cybersecurity, the ability to connect isolated security alerts into coherent, actionable attack chains is essential. However, traditional detection methods often struggle to contextualize vast amounts of security data, leaving slow and stealthy attacks undetected within a sea of noise and false positives.

Summit Day 1, 04:00PM - 04:35PM MDT
In-Person & Virtual

MacOS Endpoint Security Framework: Not Another MacOS Log Source

As many Mac DFIR professionals know, MacOS is constantly changing. New features are regularly being added to the platform that may provide a new source of information that an examiner can use during an investigation.

Summit Day 1, 04:35PM - 05:05PM MDT
In-Person & Virtual

Closing Remarks

Summit Day 1, 05:00PM - 05:10PM MDT
In-Person & Virtual

Summit Night In

Get ready for high-energy fun at the DFIR Summit! Join us on the evening of July 24 for Best Corporate Feud—a fast-paced, game show-style competition where teams go head-to-head guessing the most popular answers to fun survey questions. Whether you're on stage or in the audience, everyone gets in on the action!

Summit Day 1, 05:30PM - 07:30PM MDT
In-Person

Welcome & Opening Remarks

Summit Day 2, 09:00AM - 09:15AM MDT
In-Person

Keynote | TBA

More to come.

Summit Day 2, 09:15AM - 10:00AM MDT
In-Person & Virtual

Break & Release to Workshops

Summit Day 2, 10:00AM - 10:15AM MDT
In-Person

Workshop 1 | Not So Private Browsing!

Private browsing, often referred to as "Incognito Mode," is widely considered a way to maintain privacy during internet use. However, while this mode may obscure browsing activity from casual users and the device’s history logs, it does not guarantee complete anonymity.

Summit Day 2, 10:15AM - 12:45PM MDT
In-Person

Workshop 2 | Google Cloud Lateral Movement: Leveraging Default Service Accounts

This hands-on workshop uncovers the critical configurations of roles, permissions, and service accounts, with a special focus on the often-overlooked risks posed by default service accounts and their excessive permissions.

Summit Day 2, 10:15AM - 12:45PM MDT
In-Person

Lunch

Summit Day 2, 12:45PM - 01:45PM MDT
In-Person

Workshop 3 | Finding Answers Fast – Extracting Knowledge From the Noise

Today more than ever, we are faced with the daunting task of protecting our environment and stopping attacks. At the same time, the adversary is getting smarter and more effective by the day.

Summit Day 2, 01:45PM - 04:15PM MDT
In-Person

Break

Summit Day 2, 02:35PM - 02:50PM MDT
In-Person

Closing Remarks

Summit Day 2, 04:15PM - 04:30PM MDT
In-Person

SANS@Night: Skynet for Incident Response - What Problems Can AI Solve For Us?

Artificial intelligence is still one of the most popular buzzwords we use in cybersecurity. We see it added to everything, to the point that we use it to write emails that end up being read by other AI agents.

Training Event (Sunday), 05:30PM - 06:30PM MDT
In-Person

DFIR NetWars Tournament

Registration: All students who register for a 4–6 day course will be eligible to play NetWars for free. Registration for this event will be through your SANS Account Dashboard the week of the event.

Training Event (Tuesday), 06:30PM - 09:30PM MDT
In-Person

DFIR NetWars Tournament

Registration: All students who register for a 4–6 day course will be eligible to play NetWars for free. Registration for this event will be through your SANS Account Dashboard the week of the event.

Training Event (Wednesday), 06:30PM - 09:30PM MDT
In-Person

Salt Lake Marriott Downtown at City Creek

Hotel Special Rates and Reservations

A special discounted rate of $209.00 S/D plus applicable taxes will be honored based on space availability.

A limited number of Government Per Diem rooms at the prevailing rate are available with proper ID. 

These rates include Internet in your room and are only available through Tuesday, July 1, 2025.

Salt Lake City, Marriott

3 Reasons To Stay At The Event Venue

  • Ultimate Convenience

    Eliminate the hassle of daily commutes and wasted travel time. You’ll have everything you need—from your training to dining and amenities - all in one centralized, convenient location.

  • Seamless Networking Opportunities

    Stay where the action is! Maximize your chances to connect with fellow cybersecurity professionals and industry leaders - from impromptu conversations in the lobby to exclusive after-hours events.

  • All Day, All Event Access

    SANS live training events include bonus sessions exclusively at the venue. Staying on-site ensures you won’t miss these opportunities to grow your network and engage with peers beyond the conference agenda.
