SEC504 vs SEC560 FAQ

Prospective students often ask about the difference between SEC504 and SEC560. Although both courses deal with computer attacks, there are significant differences between them. The purpose of this brief FAQ is to answer questions regarding the differences between the two courses.

What Is The Primary Focus Of Each Course?

While both classes cover common attack techniques in use today, they each have a very different goal.

SEC504: Hacker Tools, Techniques, Exploits, and Incident Handling is primarily focused on learning the attack techniques through the perspective of an Incident Handler supporting the theme that "offense must inform defense".

SEC560: Network Penetration Testing and Ethical Hacking covers many of the same attacks with the primary goal of teaching students how to execute those attacks to perform high quality network penetration tests.

How Are They Different?
How Are They Similar?
Is There Overlap?
I've Already Taken SEC504. Should I Take SEC560 as a Follow-on?
I've Taken Neither SEC504 nor SEC560. Where Should I Start?
Where Can I Get More Information About Each Course?

How Are They Different?

Aside from the primary focus of each course, they both cover certain topics the other does not. SEC504 covers a slightly broader range of attacks; however, SEC560 covers certain attack and techniques in much greater depth than SEC504.
What you'll learn
SEC504
SEC560
Incident Handling Process

Covered

Not Covered

Incident Reporting

Covered

Not Covered

Defensive Spotlights

Covered*

Not Covered

Forensic Imaging

Covered

Not Covered

Handling Evidence

Covered

Not Covered

Memory, Network, & Malware Analysis

Covered*

Not Covered

Wireless Attacks

Covered*

Not Covered

Web Application Attacks

Covered*

Not Covered

Physical Attacks

Covered

Not Covered

Pen Test Focused

Not Covered

Covered

Pen Test Process & Planning

Not Covered

Covered*

Pen Test Reporting

Not Covered

Covered

Building Pen Testing Infrastructure

Not Covered

Covered

Organizational Recon

Not Covered

Covered*

Infrastructure Recon

Not Covered

Covered*

User/Employee ReconNot Covered

Covered*

Privilege Escalation

Not Covered

Covered*

Attacking Azure

Not Covered

Covered*

* includes hands-on lab

How Are They Similar?

There are several topics covered at a survey level in SEC504 that are covered in more detail, often including a lab, in SEC560.
What you'll learn
SEC504
SEC560
MITRE ATT&ACK

Covered

Partially Covered

Recon & Enumeration

Partially Covered*

Covered*

Kerberoasting

Partially Covered

Covered*

Attacking Active Directory

Partially Covered

Covered*

Active Directory Persistence

Not Covered

Covered*

* includes hands-on lab

Is There Overlap?

There are a few topics that are covered in both classes; however, each addresses the topic in its own way. For instance, in SEC504, the Password Guessing section is followed up by a Defensive Spotlight using Elastic Stack to identify a password guessing attack.

What you'll learn
SEC504
SEC560
Intro to Hacking

Covered

Covered

Netcat

Covered*

Covered*

Password Guessing

Covered*

Covered*

Password Cracking

Covered*

Covered*

*includes hands-on lab

I've Already Taken SEC504. Should I Take SEC560 as a Follow-on?

SEC560 was designed as a perfect follow-on for people who have already taken SEC504 and are looking to get into more depth with tools used in professional penetration testing and ethical hacking. SEC560 is not recycled SEC504 material; it is an entirely different class with an entirely different set of slides and exercises.

I've Taken Neither SEC504 nor SEC560. Where Should I Start?

If you are more interested in incident handling, 504 is the course for you. If you need to develop your penetration testing skills, start with 560. Neither course is a pre-requisite for the other.

Where Can I Get More Information About Each Course?

Click here to learn more about SANS SEC504: Hacker Tools, Techniques, Exploits, and Incident Handling

Click here to learn more about SANS SEC560: Network Penetration Testing and Ethical Hacking