SEC504 vs SEC560 FAQ

What Is The Primary Focus Of Each Course?

While both classes cover common attack techniques in use today, they each have a very different goal.

SEC504: Hacker Tools, Techniques, Exploits, and Incident Handling is primarily focused on learning the attack techniques through the perspective of an Incident Handler supporting the theme that "offense must inform defense".

SEC560: Network Penetration Testing and Ethical Hacking covers many of the same attacks with the primary goal of teaching students how to execute those attacks to perform high quality network penetration tests.

How Are They Different?
How Are They Similar?
Is There Overlap?
I've Already Taken SEC504. Should I Take SEC560 as a Follow-on?
I've Taken Neither SEC504 nor SEC560. Where Should I Start?
Where Can I Get More Information About Each Course?

How Are They Different?

Aside from the primary focus of each course, they both cover certain topics the other does not. SEC504 covers a slightly broader range of attacks; however, SEC560 covers certain attack and techniques in much greater depth than SEC504.

What you'll learn	SEC504	SEC560
Incident Handling Process	Covered	Not Covered
Incident Reporting	Covered	Not Covered
Defensive Spotlights	Covered*	Not Covered
Forensic Imaging	Covered	Not Covered
Handling Evidence	Covered	Not Covered
Memory, Network, & Malware Analysis	Covered*	Not Covered
Wireless Attacks	Covered*	Not Covered
Web Application Attacks	Covered*	Not Covered
Physical Attacks	Covered	Not Covered
Pen Test Focused	Not Covered	Covered
Pen Test Process & Planning	Not Covered	Covered*
Pen Test Reporting	Not Covered	Covered
Building Pen Testing Infrastructure	Not Covered	Covered
Organizational Recon	Not Covered	Covered*
Infrastructure Recon	Not Covered	Covered*
User/Employee Recon	Not Covered	Covered*
Privilege Escalation	Not Covered	Covered*
Attacking Azure	Not Covered	Covered*

* includes hands-on lab

How Are They Similar?

There are several topics covered at a survey level in SEC504 that are covered in more detail, often including a lab, in SEC560.

What you'll learn	SEC504	SEC560
MITRE ATT&ACK	Covered	Partially Covered
Recon & Enumeration	Partially Covered*	Covered*
Kerberoasting	Partially Covered	Covered*
Attacking Active Directory	Partially Covered	Covered*
Active Directory Persistence	Not Covered	Covered*

* includes hands-on lab

Is There Overlap?

There are a few topics that are covered in both classes; however, each addresses the topic in its own way. For instance, in SEC504, the Password Guessing section is followed up by a Defensive Spotlight using Elastic Stack to identify a password guessing attack.

What you'll learn	SEC504	SEC560
Intro to Hacking	Covered	Covered
Netcat	Covered*	Covered*
Password Guessing	Covered*	Covered*
Password Cracking	Covered*	Covered*

*includes hands-on lab

I've Already Taken SEC504. Should I Take SEC560 as a Follow-on?

SEC560 was designed as a perfect follow-on for people who have already taken SEC504 and are looking to get into more depth with tools used in professional penetration testing and ethical hacking. SEC560 is not recycled SEC504 material; it is an entirely different class with an entirely different set of slides and exercises.

I've Taken Neither SEC504 nor SEC560. Where Should I Start?

If you are more interested in incident handling, 504 is the course for you. If you need to develop your penetration testing skills, start with 560. Neither course is a pre-requisite for the other.

Where Can I Get More Information About Each Course?

Click here to learn more about SANS SEC504: Hacker Tools, Techniques, Exploits, and Incident Handling

Click here to learn more about SANS SEC560: Network Penetration Testing and Ethical Hacking

Free Course Demos

SANS CISO Primer: 4 Cyber Trends

2024 Security Awareness Report

Security Policy Templates

Join the Community