Find the Right Path Using the European Cybersecurity Skills Framework (ECSF)
The European Cybersecurity Skills Framework (ECSF) is a practical tool to support the identification and articulation of tasks, competences, skills and knowledge associated with the roles of European cybersecurity professionals. The ECSF provides profiles of 12 typical cybersecurity professional roles. The main purpose of the ECSF is to create a common understanding between individuals, employers and providers of learning programmes across the EU.
For more information on this framework and how it can assist you in finding the right cybersecurity training for you or your organisation, speak to a SANS representative.
Organizational Benefits of the European Cybersecurity Skills Framework (ECSF)
In this video we discuss how to use the European Cybersecurity Skills Framework (ECSF) and how it can be applied to standardize the work roles within your security teams. Brian Correia - Director of Business Development of GIAC, Fabio Di Franco - Project Manager of ECSF/ENISA, and Richard Widh – CEO of Ancautus provide a mixture of a presentation, interview, and Q&A on useful ways to apply the ECSF framework to your organization, along with a case study where such frameworks have been beneficial in the real world.
ECSF Profiles
Chief Information Security Officer (CISO)
LDR512: Security Leadership Essentials for Managers
Security leaders need both technical knowledge and leadership skills to gain the respect of technical team members, understand what technical staff are actually doing, and appropriately plan and manage security projects and initiatives. This security managers training course will teach leaders about the key elements of any modern security program. Learn to quickly grasp critical cybersecurity issues and terminology, with a focus on security frameworks, security architecture, security engineering, computer/network security, vulnerability management, cryptography, data protection, security awareness, cloud security, application security, DevSecOps, generative AI (GenAI) security, and security operations. This is more than security training. You will learn how to lead security teams and manage programs by playing through twenty-three Cyber42 activities throughout the class, approximately 60-80 minutes daily.
Certification: GIAC Security Leadership (GSLC)
LDR514: Security Strategic Planning, Policy, and Leadership
The next generation of security leadership must bridge the gap between security staff and senior leadership by strategically planning how to build and run effective security programs. Yet, creating a security strategy, executing a plan that includes sound policy coupled with top-notch leadership is hard for IT and security professionals because we spend so much time responding and reacting. We almost never do strategic planning until we get promoted to a senior position, and then we are not equipped with the skills we need to run with the pack. This information security course will provide you with the tools to build a cybersecurity strategic plan, an entire IT security policy, and lead your teams in the execution of your plan and policy. By the end of class you will have prepared an executive presentation, read 3 business case studies, responded to issues faced by 4 fictional companies, analyzed 15 case scenarios, and responded to 15 Cyber42 events.
Certification: GIAC Strategic Planning, Policy, and Leadership (GSTRT)
LDR520: Cloud Security for Leaders
This cloud security strategy for leaders training course focuses on what managers, directors, and security leaders need to know about developing their plan/roadmap while managing cloud security implementation capabilities. To safeguard the organization's cloud environment and investments, a knowledgeable management team must engage in thorough planning and governance. We emphasize the essential knowledge needed to develop a cloud security roadmap and effectively implement cloud security capabilities. Making informed security decisions when adopting the cloud necessitates understanding the technology, processes, and people associated with the cloud environment. 12 Hands-on Cyber42 Exercises + Capstone.
LDR521: Security Culture for Leaders
This Security Culture for Leaders course will teach and enable today's cybersecurity leaders to build, manage, and measure a strong security culture. Cybersecurity leadership is no longer just about technology. It is ultimately about culture - not only what people think and feel about security but how they act, from the Board of Directors to every corner of the organization. As a result of this cyber security culture course, students will not only create an engaged and far more secure workforce, but also lead more effective and successful security initiatives. In addition, students will apply everything they learn through a series of 12 interactive team labs, numerous case studies and the Cyber42 leadership simulation capstone.
LDR551: Building and Leading Security Operations Centers
If you are a SOC manager or leader looking to unlock the power of proactive, intelligence-informed cyber defense, then LDR551 is the perfect course for you! In a world where IT environments and threat actors evolve faster than many teams can track, position your SOC to defend against highly motivated threat actors. Highly dynamic modern environments require a cyber defense capability that is forward-looking, fast-paced, and intelligence-driven. This SOC manager training course will guide you through these critical activities from start to finish and teach you how to design defenses with your organization's unique risk profile in mind. Walk away with the ability to align your SOC activities with organizational goals. 17 hands-on exercises + Cyber42 interactive leadership simulations.
Certification: GIAC Security Operations Manager (GSOM)
Cyber Incident Responder
SEC504: Hacker Tools, Techniques, and Incident Handling
SEC504 helps you develop the skills to conduct incident response investigations. You will learn how to apply a dynamic incident response process to evolving cyber threats, and how to develop threat intelligence to mount effective defense strategies for cloud and on-premises platforms. We'll examine the latest threats to organizations, from watering hole attacks to cloud application service MFA bypass, enabling you to get into the mindset of attackers and anticipate their moves. SEC504 gives you the information you need to understand how attackers scan, exploit, pivot, and establish persistence in cloud and conventional systems. To help you develop retention and long-term recall of the course material, 50 percent of class time is spent on hands-on exercises, using visual association tools to break down complex topics. This course prepares you to conduct cyber investigations and will boost your career by helping you develop these in-demand skills.
Certification: GIAC Certified Incident Handler (GCIH)
FOR508: Advanced Incident Response, Threat Hunting, and Digital Forensics
Threat hunting and incident response tactics and procedures have evolved rapidly over the past several years. Your team can no longer afford to use antiquated incident response and threat hunting techniques that fail to properly identify compromised systems. The key is to constantly look for attacks that get past security systems, and to catch intrusions in progress, rather than after attackers have completed their objectives and done worse damage to the organization. For the incident responder, this process is known as "threat hunting". FOR508 teaches advanced skills to hunt, identify, counter, and recover from a wide range of threats within enterprise networks, including APT nation-state adversaries, organized crime syndicates, and hacktivists.
Certification: GIAC Certified Forensic Analyst (GCFA)
FOR509: Enterprise Cloud Forensics and Incident Response
The world is changing and so is the data we need to conduct our investigations. Cloud platforms change how data is stored and accessed. They remove the examiner's ability to directly access systems and use classical data extraction methods. Unfortunately, many examiners are still trying to force old methods for on-premise examination onto cloud-hosted platforms. Rather than resisting change, examiners must learn to embrace the new opportunities presented to them in the form of new evidence sources. FOR509: Enterprise Cloud Forensics and Incident Response addresses today's need to bring examiners up to speed with the rapidly changing world of enterprise cloud environments by uncovering the new evidence sources that only exist in the Cloud.
Certification: GIAC Cloud Forensics Responder (GCFR)
FOR518: Mac and iOS Forensic Analysis and Incident Response
FOR518 is the first non-vendor-based Mac and iOS incident response and forensics course that focuses students on the raw data, in-depth detailed analysis, and how to get the most out of their Mac and iOS cases. The intense hands-on forensic analysis and incident response skills taught in the course will enable analysts to broaden their capabilities and gain the confidence and knowledge to comfortably analyze any Mac or iOS device. 23 Hands-On Labs.
Certification: GIAC iOS and macOS Examiner (GIME)
FOR528: Ransomware and Cyber Extortion
FOR528: Ransomware for Incident Responders provides the hands-on training required for those who may need to respond to ransomware incidents. The term "Ransomware" no longer refers to a simple encryptor that locks down resources. The advent of Human-Operated Ransomware (HumOR) along with the evolution of Ransomware-as-a-Service (RaaS) have created an entire ecosystem that thrives on hands-on-keyboard, well-planned attack campaigns. Our course uses deftly devised, real-world attacks and their subsequent forensic artifacts to provide you, the analyst, with all that you need to respond when the threat becomes a reality.
FOR572: Advanced Network Forensics: Threat Hunting, Analysis, and Incident Response
Whether you handle an intrusion incident, data theft case, employee misuse scenario, or are engaged in proactive adversary discovery, the network often provides an unparalleled view of the incident. SANS FOR572 covers the tools, technology, and processes required to integrate network evidence sources into your investigations to provide better findings, and to get the job done faster.
Certification: GIAC Network Forensic Analyst (GNFA)
FOR608: Enterprise-Class Incident Response & Threat Hunting
FOR608: Enterprise-Class Incident Response & Threat Hunting focuses on identifying and responding to incidents too large to focus on individual machines. By using example tools built to operate at enterprise-class scale, students learn the techniques to collect focused data for incident response and threat hunting, and dig into analysis methodologies to learn multiple approaches to understand attacker movement and activity across hosts of varying functions and operating systems by using an array of analysis techniques.
FOR710: Reverse-Engineering Malware: Advanced Code Analysis
Developing deep reverse-engineering skills requires consistent practice. FOR710: Reverse-Engineering Malware – Advanced Code Analysis prepares malware specialists to dissect sophisticated 32 and 64-bit Windows executables, such as those that dominate the headlines and preoccupy incident response teams across the globe. This course not only includes the necessary background and instructor-led walk-throughs, but also provides students with numerous opportunities to tackle real-world reverse engineering scenarios during class.
LDR553: Cyber Incident Management
If you are worried about leading or supporting a major cyber incident, then this is the course for you. You cannot predict or pick when your organization will face a major cyber incident, but you can choose how prepared you are when it happens. While there are broad technical aspects to cyber incidents there is also a myriad of other activities that generally fall to executives, managers, legal, press, and human relations staff. These include communicating both internally and externally, considering the battle rhythm, and a look at methodologies for tracking information gathered and released to the public. This cyber incident management training course focuses on the challenges facing leaders and incident commanders as they work to bring enterprise networks back online and get business moving again.
Cyber Legal, Policy, & Compliance Officer
SEC566: Implementing and Auditing CIS Controls
High-profile cybersecurity attacks indicate that offensive attacks are outperforming defensive measures. Cybersecurity engineers, auditors, privacy, and compliance team members are asking how they can practically protect and defend their systems and data, and how they should implement a prioritized list of cybersecurity hygiene controls. In SANS SEC566, students will learn how an organization can defend its information by using a vetted cybersecurity control standard. Students will specifically learn how to implement, manage, and assess security control requirements defined by the Center for Internet Security's (CIS) Controls. Students will gain direct knowledge of the CIS Controls and the ecosystem of tools to implement CIS Controls across organizations' complex networks, including cloud assets. 17 Lab Exercises and a program management simulation.
Certification: GIAC Critical Controls Certification (GCCC)
LDR514: Security Strategic Planning, Policy, and Leadership
The next generation of security leadership must bridge the gap between security staff and senior leadership by strategically planning how to build and run effective security programs. Yet, creating a security strategy, executing a plan that includes sound policy coupled with top-notch leadership is hard for IT and security professionals because we spend so much time responding and reacting. We almost never do strategic planning until we get promoted to a senior position, and then we are not equipped with the skills we need to run with the pack. This information security course will provide you with the tools to build a cybersecurity strategic plan, an entire IT security policy, and lead your teams in the execution of your plan and policy. By the end of class you will have prepared an executive presentation, read 3 business case studies, responded to issues faced by 4 fictional companies, analyzed 15 case scenarios, and responded to 15 Cyber42 events.
Certification: GIAC Strategic Planning, Policy, and Leadership (GSTRT)
Cyber Threat Intelligence Specialist
SEC503: Network Monitoring and Threat Detection In-Depth
SEC503: Network Monitoring and Threat Detection In-Depth training delivers the technical knowledge, insight, and hands-on training you need to confidently defend your network, whether traditional or cloud-based. You will learn about the underlying theory of TCP/IP and the most used application protocols so that you can intelligently examine network traffic to identify emerging threats, perform large-scale correlation for threat hunting, and reconstruct network attacks. 37 Hands-on Labs + Capstone Challenge.
Certification: GIAC Certified Intrusion Analyst (GCIA)
SEC541: Cloud Security Threat Detection
While shifting to cloud infrastructure offers many benefits, it also exposes organizations to new and continuously evolving threats. Many organizations are unaware of the critical differences between on-premises and cloud environments, leading to challenges in understanding what to log and how to detect threats effectively. Unlike other, primarily theoretical courses, SEC541: Cloud Security Threat Detection provides hands-on-keyboard experience through 21 practical labs covering AWS, Azure, and Microsoft 365. This course empowers your team to master cloud-native logging, threat detection, and monitoring, solving hidden, low-hanging but high ROI issues. Equip your team with the skills necessary to enhance your organization's cloud security posture and stay ahead of potential breaches with SEC541.
Certification: GIAC Cloud Threat Detection (GCTD)
SEC599: Defeating Advanced Adversaries - Purple Team Tactics & Kill Chain Defenses
Defeating Advanced Adversaries - Purple Team Tactics & Kill Chain Defenses will arm you with the knowledge and expertise you need to overcome today's threats. Recognizing that a prevent-only strategy is not sufficient, we will introduce security controls aimed at stopping, detecting, and responding to your adversaries through a purple team strategy. 20+ Hands-on Labs & a unique APT Defender Capstone.
Certification: GIAC Defending Advanced Threats (GDAT)
FOR508: Advanced Incident Response, Threat Hunting, and Digital Forensics
Threat hunting and incident response tactics and procedures have evolved rapidly over the past several years. Your team can no longer afford to use antiquated incident response and threat hunting techniques that fail to properly identify compromised systems. The key is to constantly look for attacks that get past security systems, and to catch intrusions in progress, rather than after attackers have completed their objectives and done worse damage to the organization. For the incident responder, this process is known as "threat hunting". FOR508™ training teaches advanced skills to hunt, identify, counter, and recover from a wide range of threats within enterprise networks, including APT nation-state adversaries, organized crime syndicates, and hacktivists.
Certification: GIAC Certified Forensic Analyst (GCFA)
FOR578: Cyber Threat Intelligence
Cyber threat intelligence represents a force multiplier for organizations looking to update their response and detection programs to deal with increasingly sophisticated advanced persistent threats. Malware is an adversary's tool but the real threat is the human one, and cyber threat intelligence focuses on countering those flexible and persistent human threats with empowered and trained human defenders. During a targeted attack, an organization needs a top-notch and cutting-edge threat hunting or incident response team armed with the threat intelligence necessary to understand how adversaries operate and to counter the threat. FOR578: Cyber Threat Intelligence will train you and your team in the tactical, operational, and strategic level cyber threat intelligence skills and tradecraft required to make security teams better, threat hunting more accurate, incident response more effective, and organizations more aware of the evolving threat landscape.
Certification: GIAC Cyber Threat Intelligence (GCTI)
FOR577: Linux Incident Response & Threat Hunting
FOR577 teaches the skills needed to identify, analyze, and respond to attacks on Linux platforms and how to use threat hunting techniques to find the stealthy attackers who can bypass existing controls. The course addresses today's incidents by teaching the hands-on incident response and threat hunting tactics and techniques that elite responders and hunters are successfully using to combat real-world breach cases. 23 hands-on labs.
Certification: GIAC Linux Incident Responder (GLIR)
FOR589: Cybercrime Intelligence
The cybercrime landscape is perpetually evolving, driven by technological advancements, increased investments by nation-states in offensive cyber operations, and a dynamic cybercrime ecosystem that continuously lowers the barriers for novice criminals to collaborate with more sophisticated actors. FOR589 offers a comprehensive exploration of the cybercrime underground, detailing a broad spectrum of tactics and techniques used by cybercriminals to target organizations. This course includes over twenty hands-on labs and a final capstone exercise, equipping analysts with the skills necessary to enhance their organization's defenses, proactively gather critical intelligence, trace cryptocurrency proceeds of crime, and generate actionable insights to protect their organization preemptively.
FOR608: Enterprise-Class Incident Response & Threat Hunting
FOR608: Enterprise-Class Incident Response & Threat Hunting focuses on identifying and responding to incidents too large to focus on individual machines. By using example tools built to operate at enterprise-class scale, students learn the techniques to collect focused data for incident response and threat hunting, and dig into analysis methodologies to learn multiple approaches to understand attacker movement and activity across hosts of varying functions and operating systems by using an array of analysis techniques.
Certification: GIAC Enterprise Incident Responder (GEIR)
Cybersecurity Architect
SEC530: Defensible Security Architecture and Engineering: Implementing Zero Trust for the Hybrid Enterprise
This course is designed to help students build and maintain a truly defensible security architecture, while taking them on a journey towards implementing Zero Trust principles, pillars and capabilities. There will be a heavy focus on leveraging current infrastructure and investment. Students will learn how to assess, re-configure and validate existing technologies to significantly improve their organizations' prevention, detection and response capabilities, augment visibility, reduce attack surface, and even anticipate attacks in innovative ways. The course will also delve into some of the latest technologies and their capabilities, strengths, and weaknesses. You will come away with recommendations and suggestions that will aid in building a robust security infrastructure, layer by layer, across hybrid environments, as you embark on a journey towards Zero Trust.
Certification: GIAC Defensible Security Architecture (GDSA)
SEC549: Cloud Security Architecture
The age of cloud computing has arrived as organizations have seen the advantages of migrating their applications from traditional on-premises networks. However, the rapid adoption of cloud has left architects scrambling to design on this new medium. A shift to the cloud requires cybersecurity professionals to reorient their security goals around a new threat model to enable business requirements while improving their organization's security posture. SEC549 is here to help enable this shift. The course takes an architectural lens to enterprise-scale, cloud infrastructure challenges. We address the security considerations architects need to address when tasked with business expansion into the cloud, from the centralization of workforce identity and network security controls, to the secure usage of shared cloud-hosted data, and the design of effective logging strategies.
Cybersecurity Educator
SEC275: Foundations: Computers, Technology, & Security
SANS Foundations is the most comprehensive, certified introductory cybersecurity course on the market. Developed by leading subject matter experts, SEC275 builds fundamental cybersecurity knowledge and skills, giving students with no prior technical or industry experience a level of proficiency that allows them to speak the same language as professionals. Learn foundational computer and security concepts, and develop programming skills, in an interactive learning environment, supported by world-renowned instructors, video lectures, hands-on labs and exercises. SANS Foundations transforms learning into real-world, practical skills, going far beyond what all other foundational cybersecurity courses offer.
Certification: GIAC Foundational Cybersecurity Technologies (GFACT)
SEC401: Security Essentials - Network, Endpoint, and Cloud
Whether you are new to information security or a seasoned practitioner with a specialized focus, SEC401 will provide the essential information security skills and techniques you need to protect and secure your critical information and technology assets, whether on-premise or in the cloud. SEC401 will also show you how to directly apply the concepts learned into a winning defensive strategy, all in the terms of the modern adversary. This is how we fight; this is how we win!
Certification: GIAC Security Essentials (GSEC)
SEC403: Secrets to Successful Cybersecurity Presentation
SEC403 shows you how to put together an effective security briefing, secure the interest and engagement of your audience, and confidently deliver presentations to a variety of groups. You will learn effective techniques to secure management approval for new security projects and tools, as well as how to handle the toughest questions and adjust on-the-fly. Designed exclusively for cybersecurity professionals, this course covers best practices for common security presentations such as penetration testing reports, security assessment reports, incident updates, after-action reports, security awareness briefings, and more.
SEC504: Hacker Tools, Techniques, and Incident Handling
SEC504 helps you develop the skills to conduct incident response investigations. You will learn how to apply a dynamic incident response process to evolving cyber threats, and how to develop threat intelligence to mount effective defense strategies for cloud and on-premises platforms. We'll examine the latest threats to organizations, from watering hole attacks to cloud application service MFA bypass, enabling you to get into the mindset of attackers and anticipate their moves. SEC504 gives you the information you need to understand how attackers scan, exploit, pivot, and establish persistence in cloud and conventional systems. To help you develop retention and long-term recall of the course material, 50 percent of class time is spent on hands-on exercises, using visual association tools to break down complex topics. This course prepares you to conduct cyber investigations and will boost your career by helping you develop these in-demand skills.
Cybersecurity Implementor
SEC450: Blue Team Fundamentals: Security Operations and Analysis
SEC450 provides students with technical knowledge and key concepts essential for security operation center (SOC) analysts and new cyber defense team members. By providing a detailed explanation of the mission and mindset of a modern cyber defense operation, this course will jumpstart and empower those on their way to becoming the next generation of blue team members.
Certification: GIAC Security Operations Certified (GSOC)
SEC501: Advanced Security Essentials - Enterprise Defender
Become an Enterprise Defender! Enhance your knowledge and skills in the specific areas of network architecture defense, penetration testing, security operations, digital forensics and incident response, and malware analysis. SEC501: Advanced Security Essentials - Enterprise Defender is an essential course for members of security teams of all sizes. That includes smaller teams where you wear several (or all) hats and need a robust understanding of many facets of cybersecurity, and larger teams where your role is more focused, and gaining skills in additional areas adds to your flexibility and opportunities. This course concentrates on showing you how to examine the traffic that is flowing on your networks, look for indications of an attack, and perform penetration testing and vulnerability analysis against your enterprise to identify problems and issues before a compromise occurs. When a compromise does occur - and it will - you'll be able to eradicate it because you will have already scoped your adversary's activities by collecting digital artifacts of their actions and analyzing malware they have installed on your systems. That done, you can then undertake the recovery and remediation steps that would have been pointless if your adversary had persisted on your network.
Certification: GIAC Certified Enterprise Defender (GCED)
SEC504: Hacker Tools, Techniques, and Incident Handling
SEC504 helps you develop the skills to conduct incident response investigations. You will learn how to apply a dynamic incident response process to evolving cyber threats, and how to develop threat intelligence to mount effective defense strategies for cloud and on-premises platforms. We'll examine the latest threats to organizations, from watering hole attacks to cloud application service MFA bypass, enabling you to get into the mindset of attackers and anticipate their moves. SEC504 gives you the information you need to understand how attackers scan, exploit, pivot, and establish persistence in cloud and conventional systems. To help you develop retention and long-term recall of the course material, 50 percent of class time is spent on hands-on exercises, using visual association tools to break down complex topics. This course prepares you to conduct cyber investigations and will boost your career by helping you develop these in-demand skills.
Certification: GIAC Certified Incident Handler (GCIH)
SEC511: Cybersecurity Engineering: Advanced Threat Detection and Monitoring
This course assesses the current state of security architecture and continuous monitoring, and provides a new approach to security architecture that can be easily understood and defended. When students finish, they have a list of action items in hand for making their organization one of the most effective vehicles for frustrating adversaries. Students are able to assess deficiencies in their own organization's security architectures and effect meaningful changes that are continuously monitored for deviations from their expected security posture.
Certification: GIAC Continuous Monitoring Certification (GMON)
SEC522: Application Security: Securing Web Apps, APIs, and Microservices
Web Applications are increasingly distributed. What used to be a complex monolithic application hosted on premise has become a distributed set of services incorporating on-premise legacy applications along with interfaces to cloud-hosted and cloud-native components. Because of this coupled with a lack of security knowledge, web applications are exposing sensitive corporate data. Security professionals are asked to provide validated and scalable solutions to secure this content in line with best industry practices using modern web application frameworks. Attending this class will not only raise awareness about common security flaws in modern web applications, but it will also teach students how to recognize and mitigate these flaws early and efficiently.
Certification: GIAC Certified Web Application Defender (GWEB)
Cybersecurity Researcher
SEC497: Practical Open-Source Intelligence (OSINT)
SEC497 is based on two decades of experience with open-source intelligence (OSINT) research and investigations supporting law enforcement, intelligence operations, and a variety of private sector businesses ranging from small start-ups to Fortune 100 companies. The goal is to provide practical, real-world tools and techniques to help individuals perform OSINT research safely and effectively. One of the most dynamic aspects of working with professionals from different industries worldwide is getting to see their problems and working with them to help solve those problems. SEC497 draws on lessons learned over the years in OSINT to help others. The course not only covers critical OSINT tools and techniques, it also provides real-world examples of how they have been used to solve a problem or further an investigation. Hands-on labs based on actual scenarios provide students with the opportunity to practice the skills they learn and understand how those skills can help in their research. 29 Hands-on Labs + Capstone CTF.
Certification: GIAC Open Source Intelligence (GOSI)
SEC566: Implementing and Auditing CIS Controls
High-profile cybersecurity attacks indicate that offensive attacks are outperforming defensive measures. Cybersecurity engineers, auditors, privacy, and compliance team members are asking how they can practically protect and defend their systems and data, and how they should implement a prioritized list of cybersecurity hygiene controls. In SANS SEC566, students will learn how an organization can defend its information by using a vetted cybersecurity control standard. Students will specifically learn how to implement, manage, and assess security control requirements defined by the Center for Internet Security's (CIS) Controls. Students will gain direct knowledge of the CIS Controls and the ecosystem of tools to implement CIS Controls across organizations' complex networks, including cloud assets. 17 Lab Exercises and a program management simulation.
Certification: GIAC Critical Controls Certification (GCCC)
SEC587: Advanced Open-Source Intelligence (OSINT) Gathering and Analysis
With Open-Source Intelligence (OSINT) being the engine of most major investigations in this digital age, the need for a more advanced course was imminent. The data in almost every OSINT investigation is becoming more complex to collect, exploit, and analyze. As a result, OSINT practitioners all around the world need to perform OSINT at scale, and need means and methods to check and report on the reliability of their analysis so that their reports are sound and unbiased. In SEC587 you will learn how to perform advanced OSINT gathering and analysis, and how to work with Python and common data formats such as JSON. SEC587 also covers Dark Web and financial (cryptocurrency) topics, as well as disinformation and advanced image and video OSINT analysis. This is an advanced, fast-paced course that will give seasoned OSINT investigators new techniques and methodologies, and give entry-level OSINT analysts extra depth in finding, collecting, and analyzing data sources from all around the world.
LDR516: Building and Leading Vulnerability Management Programs
Vulnerability, patch, and configuration management are not new security topics. In fact, they are some of the oldest security functions. Yet, we still struggle to manage these capabilities effectively. The quantity of outstanding vulnerabilities for most large organizations is overwhelming, and all organizations struggle to keep up with the never-ending onslaught of new vulnerabilities in their infrastructure and applications. When you add in the cloud and the increasing speed with which all organizations must deliver systems, applications, and features to both their internal and external customers, security may seem unachievable. This course will show you the most effective ways to mature your vulnerability management program and move from identifying vulnerabilities to successfully treating them. 16 Cyber42 and lab exercises.
Cybersecurity Risk Manager
LDR419: Performing A Cybersecurity Risk Assessment
Recent laws are requiring organizations to perform a cybersecurity risk assessment for compliance and audit reasons. However, many organizations do this without a specific strategy, which leads to random defenses, ineffective programs, and financial loss. Understanding the business context for the assessment promotes accurately discerning business risk and protecting accordingly. Go beyond the theoretical and academic and truly understand how to perform risk assessments that matter: know what risks to look for in relation to your specific organizational context, how to uncover these risks effectively, and how to present results to leadership for actionable outcomes. LDR419 teaches students the practical, hands-on skills they need to perform such risk assessments.
LDR514: Security Strategic Planning, Policy, and Leadership
The next generation of security leadership must bridge the gap between security staff and senior leadership by strategically planning how to build and run effective security programs. Yet creating a security strategy and executing a plan that includes sound policy, coupled with top-notch leadership, is hard for IT and security professionals because we spend so much time responding and reacting. We almost never do strategic planning until we get promoted to a senior position, and then we are not equipped with the skills we need to run with the pack. This information security course will provide you with the tools to build a cybersecurity strategic plan and an entire IT security policy, and to lead your teams in the execution of your plan and policy. By the end of class you will have prepared an executive presentation, read 3 business case studies, responded to issues faced by 4 fictional companies, analyzed 9 case scenarios, and responded to 20 Cyber42 events.
Certification: GIAC Strategic Planning, Policy, and Leadership (GSTRT)
LDR519: Cybersecurity Risk Management and Compliance
LDR519: Cybersecurity Risk Management and Compliance addresses a significant problem in the cybersecurity domain: the challenge of effectively managing and mitigating cybersecurity risks while ensuring regulatory compliance. This problem is increasingly relevant due to the complex and evolving nature of cyber threats, which can significantly impact organizational operations, data security, and overall business continuity. This comprehensive course delves into threat modeling, safeguard frameworks, and risk analytics to equip you with the skills needed to manage cybersecurity risks effectively. Learn to prioritize threats, select appropriate safeguards, and ensure regulatory compliance. Gain practical insights through multiple real-world case studies and SANS Cyber42 simulations that enhance your understanding of cybersecurity governance and program management. Join us to master the art of risk management and compliance, and secure your organization's digital future.
Digital Forensics Investigator
FOR498: Digital Acquisition and Rapid Triage
FOR498, a digital forensic acquisition training course, provides the necessary skills to identify the many and varied data storage mediums in use today, and to collect and preserve this data in a forensically sound manner regardless of how and where it may be stored. It covers digital acquisition from computers, portable devices, networks, and the cloud. It then teaches the student Battlefield Forensics: the art and science of identifying and starting to extract actionable intelligence from a hard drive in 90 minutes or less.
Certification: GIAC Battlefield Forensics and Acquisition (GBFA)
FOR500: Windows Forensic Analysis
FOR500 builds in-depth and comprehensive digital forensics knowledge of Microsoft Windows operating systems by analyzing and authenticating forensic data, tracking detailed user activity, and organizing findings. It teaches students to apply digital forensic methodologies to a variety of case types and situations, allowing them to apply the right methodology in the real world to achieve the best outcome.
Certification: GIAC Certified Forensic Examiner (GCFE)
FOR508: Advanced Incident Response, Threat Hunting, and Digital Forensics
Threat hunting and incident response tactics and procedures have evolved rapidly over the past several years. Your team can no longer afford to use antiquated incident response and threat hunting techniques that fail to properly identify compromised systems. The key is to constantly look for attacks that get past security systems, and to catch intrusions in progress, rather than after attackers have completed their objectives and done worse damage to the organization. For the incident responder, this process is known as "threat hunting". FOR508 teaches advanced skills to hunt, identify, counter, and recover from a wide range of threats within enterprise networks, including APT nation-state adversaries, organized crime syndicates, and hacktivists.
Certification: GIAC Certified Forensic Analyst (GCFA)
FOR528: Ransomware and Cyber Extortion
FOR528: Ransomware for Incident Responders provides the hands-on training required for those who may need to respond to ransomware incidents. The term "ransomware" no longer refers to a simple encryptor that locks down resources. The advent of Human-Operated Ransomware (HumOR), along with the evolution of Ransomware-as-a-Service (RaaS), has created an entire ecosystem that thrives on hands-on-keyboard, well-planned attack campaigns. Our course uses deftly devised, real-world attacks and their subsequent forensic artifacts to provide you, the analyst, with all that you need to respond when the threat becomes a reality.
FOR572: Advanced Network Forensics: Threat Hunting, Analysis, and Incident Response
Whether you handle an intrusion incident, data theft case, employee misuse scenario, or are engaged in proactive adversary discovery, the network often provides an unparalleled view of the incident. SANS FOR572 covers the tools, technology, and processes required to integrate network evidence sources into your investigations to provide better findings, and to get the job done faster.
Certification: GIAC Network Forensic Analyst (GNFA)
FOR578: Cyber Threat Intelligence
Cyber threat intelligence represents a force multiplier for organizations looking to update their response and detection programs to deal with increasingly sophisticated advanced persistent threats. Malware is an adversary's tool, but the real threat is the human one, and cyber threat intelligence focuses on countering those flexible and persistent human threats with empowered and trained human defenders. During a targeted attack, an organization needs a top-notch and cutting-edge threat hunting or incident response team armed with the threat intelligence necessary to understand how adversaries operate and to counter the threat. FOR578: Cyber Threat Intelligence will train you and your team in the tactical, operational, and strategic level cyber threat intelligence skills and tradecraft required to make security teams better, threat hunting more accurate, incident response more effective, and organizations more aware of the evolving threat landscape.
Certification: GIAC Cyber Threat Intelligence (GCTI)
FOR608: Enterprise-Class Incident Response & Threat Hunting
FOR608: Enterprise-Class Incident Response & Threat Hunting focuses on identifying and responding to incidents too large to handle one machine at a time. Using example tools built to operate at enterprise scale, students learn techniques to collect focused data for incident response and threat hunting, and dig into analysis methodologies that offer multiple approaches to understanding attacker movement and activity across hosts of varying functions and operating systems.
Penetration Tester
SEC555: Detection Engineering and SIEM Analytics
Are you ready to outsmart today’s evolving cyber threats? Dive into the cutting-edge world of Detection Engineering and SIEM (Security Information and Event Management) - where technology meets security, to safeguard your critical assets. Learn how to create a detection lab, collect and enrich logs, build real-time alerts and methods to harness your data to protect from advanced attacks. Remember: Even if you can’t stop them, you have to see them coming.
Certification: GIAC Certified Detection Analyst (GCDA)
SEC560: Enterprise Penetration Testing
SEC560 prepares you to conduct successful penetration testing for a modern enterprise, including on-premises systems, Azure, and Azure AD. You will learn the methodology and techniques used by real-world penetration testers in large organizations to identify and exploit vulnerabilities at scale and show real business risk to your organization. The course material is complemented with more than 30 practical lab exercises, concluding with an intensive, hands-on Capture-the-Flag exercise in which you will conduct a penetration test against a sample target organization and demonstrate the knowledge you have mastered.
Certification: GIAC Penetration Tester (GPEN)
SEC542: Web App Penetration Testing and Ethical Hacking
SEC542 enables students to assess a web application's security posture and convincingly demonstrate the business impact should attackers exploit the discovered vulnerabilities. You will practice the art of exploiting web applications to find flaws in your enterprise's web apps. You'll learn about the attacker's tools and methods and, through detailed hands-on exercises, you will learn a best practice process for web application penetration testing, inject SQL into back-end databases to learn how attackers exfiltrate sensitive data, and utilize cross-site scripting attacks to dominate a target infrastructure.
Certification: GIAC Web Application Penetration Tester (GWAPT)
SEC573: Automating Information Security with Python
The challenges faced by security professionals are constantly evolving, so there is a huge demand for those who can understand a technology problem and quickly develop a solution. If you have to wait on a vendor to develop a tool to recover a forensic artifact, or to either patch or exploit that new vulnerability, then you will always be behind. It is no longer an option for employers serious about information security to operate without the ability to rapidly develop their own tools. This course will give you the skills to develop solutions so that your organization can operate at the speed of the adversary. SEC573 is an immersive, self-paced, hands-on, and lab-intensive course. After covering the essentials required for people who have never coded before, the course will present students with real-world forensics, defensive, and offensive challenges. You will develop a malware dropper for an offensive operation; learn to search your logs for the latest attacks; develop code to carve forensic artifacts from memory, hard drives, and packets; automate interaction with an online website's API; and write a custom packet sniffer. Through fun and engaging labs, you'll develop useful tools and build essential skills that will make you the most valuable member of your information security team. 128 Hands-on Labs + Capture-the-Flag Challenge.
Certification: GIAC Python Coder (GPYC)
SEC588: Cloud Penetration Testing
SEC588 will equip you with the latest cloud-focused penetration testing techniques and teach you how to assess cloud environments. The course dives into topics like cloud-based microservices, in-memory data stores, serverless functions, Kubernetes meshes, and containers. It also looks at how to identify and test cloud-first and cloud-native applications. You will also learn specific tactics for penetration testing in Azure and Amazon Web Services, particularly important given that AWS and Microsoft account for more than half the market. It is one thing to assess and secure a data center, but it takes a specialized skill set to evaluate and report on the risks to an organization if its cloud services are left insecure.
Certification: GIAC Cloud Penetration Tester (GCPN)
SEC660: Advanced Penetration Testing, Exploit Writing, and Ethical Hacking
SEC660 is designed as a logical progression point for students who have completed SEC560: Network Penetration Testing and Ethical Hacking, or for those with existing penetration testing experience. This course provides you with in-depth knowledge of the most prominent and powerful attack vectors and furnishes an environment to perform these attacks in numerous hands-on scenarios. The course goes far beyond simple scanning for low-hanging fruit and teaches you how to model the abilities of an advanced attacker to find significant flaws in a target environment and demonstrate the business risk associated with these flaws.
Certification: GIAC Exploit Researcher and Advanced Penetration Tester (GXPN)
SEC760: Advanced Exploit Development for Penetration Testers
You will learn the skills required to reverse-engineer applications to find vulnerabilities, perform remote user application and kernel debugging, analyze patches for one-day exploits, perform advanced fuzzing, and write complex exploits against targets such as the Windows kernel and the modern Linux heap, all while circumventing or working against cutting-edge exploit mitigations.