The most trusted source for

cybersecurity training, certifications,

degrees, and research

Cybersecurity
Career Paths
Find your path. Develop new skills. Prove your knowledge.

65+
hands-on
courses 120+
extraordinary
SANS-certified
instructors

35+
certifications

SANS Focus Areas The SANS Promise

Cyber Defense Incident Response, Industrial Control
Essentials Threat Hunting, and
Digital Forensics
Systems You will be able to use the skills
Blue Team
Operations Security
Cloud Security
Team-Based Training
you’ve learned in our training
Penetration
Testing
Management,
Legal, and Audit Purple Team Training and programs immediately.
DevSecOps

00
Select training and certifications
in alignment with your career path

Contents SANS is dedicated to delivering and

Training Roadmap 2 validating hands-on skills because
Cyber Defense Essentials 4 we understand every member of the
Blue Team Operations 6 cybersecurity team has a role to play in
Penetration Testing 8 establishing that critical line of defense
Incident Response, in this battle against ever-evolving
Threat Hunting, adversaries.
and Digital Forensics 10 The SANS training catalog includes more than 65
Security Management, courses and 35 GIAC certifications across 10 defined
Legal, and Audit 12 focus areas, ensuring you can find and receive the
training that best fits your interests and career path.
DevSecOps 14
No matter what skills training you’re looking for
Industrial Control Systems 15 or which certifications you are after, SANS has you
Team-Based Training 16 covered with curricula spanning baseline defensive
tactics and highly specialized expertise such
Purple Team Training 16
as malware analysis and exploit development.
Cloud Security 16
We have the training and certifications that help
NetWars 17 the full range of cybersecurity professionals build
and validate hands-on skills.

Test Drive If you’re new to SANS or unsure of the subject area

45+ or skill level to select for your next training course,

SANS offers free one-hour course previews via our
SANS OnDemand platform.
Courses Preview our courses at sans.org/demo
Learn the skills you need from the Deepen your knowledge and validate your
best practitioners in the world skills with a GIAC certification
SANS course authors and instructors are renowned GIAC certifications are designed to ensure that
cybersecurity experts who share their knowledge students can apply their knowledge and skills in a
by drawing on their own real-world experiences real-world setting. More than 35 GIAC certifications
and top-shelf curriculum. Gaining access to these align with SANS courses, validating student mastery
highly regarded experts is what keeps cybersecurity for professional use in specialized focus areas and
professionals coming back to SANS training, time job-specific roles.
and again.

Choose training in person or online

Cybersecurity professionals across regions, SANS Online Training offers the same content,
industries, and focus areas come together in person instructors, and learning results as live courses.
for live classroom instruction. SANS events provide More than 45 courses are available via four flexible
focused learning, networking sessions, and evening learning platforms and include live chat and email
skill-building workshops and labs. assistance from SANS subject-matter experts.

Training Events Summits OnDemand Simulcast

At more than 200 training Take part in one- Learn anytime, anywhere Experience live
events held annually, or two-day SANS with flexibility and streaming content
choose to attend one of conferences, featuring convenience to take your direct from a SANS
our many offered courses expert presentations training on your terms. classroom, including
taught by SANS instructors covering a single real-time interaction with
at a single location. topic of interest to the moderators and peers.
cybersecurity community.
Private Courses SelfStudy
Train with your colleagues Enjoy self-paced
at your organization’s learning with course
location and freely discuss books and MP3s.
issues and objectives
specific to your
environment.

120+
extraordinary
SANS-certified
instructors
1
 Training Roadmap
Choose your path
SANS comprehensive course offerings enable
professionals to deepen their technical skills in
Focus Job Roles
key practice areas. The courses also address other
topics and audiences, such as security training for
software developers, industrial control engineers, You are experienced in security, preparing
and non-technical personnel in management, legal, for a specialized job role or focus
and audit. Monitoring & Detection Intrusion Detection, Monitoring Over Time
Scan Packets & Networks
Intrusion
SEC503 Intrusion Detection In-Depth | GCIA
Baseline Skills Detection
Monitoring & SEC511 Continuous Monitoring and Security Operations |
Operations GMON

New to Cyber Security Concepts, Terms, & Skills The detection of what is happening in your environment requires an
increasingly sophisticated set of skills and capabilities. Identifying
Cyber Security
SEC301 Introduction to Cyber Security | GISF security anomalies requires increased depth of understanding to
Fundamentals
deploy detection and monitoring tools and to interpret their output.

You are experienced in technology, but need Penetration Testing Vulnerability Analysis, Ethical Hacking
to learn hands-on, essential security skills Every Pen Tester Should Know
and techniques SEC560 Network Penetration Testing and Ethical Hacking |
Networks
GPEN
Core Techniques Prevent, Defend, Maintain
SEC542 Web App Penetration Testing and Ethical Hacking |
Every Security Professional Should Know Web Apps
GWAPT
Security
SEC401 Security Essentials Bootcamp Style | GSEC The professional who can find weakness is often a different breed
Essentials
than one focused exclusively on building defenses. A basic tenet of red
Hacker SEC504 Hacker Tools, Techniques, Exploits,
Techniques and Incident Handling | GCIH team/blue team deployments is that finding vulnerabilities requires
a different way of thinking, and different tools, but is essential for
All professionals entrusted with hands-on cybersecurity work should defense specialists to improve their defenses.
be trained to possess a common set of capabilities enabling them to
secure systems, practice defense-in-depth, understand how attacks
work, and manage incidents when they occur. To be secure, you should
set a high bar for the baseline set of skills in your security organization.
Incident Response & Threat Hunting Host & Network Forensics
Every Forensics and IR Professional Should Know
FOR500 Windows Forensic Analysis | GCFE
Endpoint
FOR508 Advanced Incident Response, Threat Hunting,
Forensics
and Digital Forensics | GCFA
Network FOR572 Advanced Network Forensics: Threat Hunting,
Forensics Analysis, and Incident Response | GNFA
Whether you’re seeking to maintain a trail of evidence on host or
network systems, or hunting for threats using similar techniques, larger
organizations need specialized professionals who can move beyond
first-response incident handling in order to analyze an attack and
Security Management Managing Technical Security Operations develop an appropriate remediation and recovery plan.
Every Security Manager Should Know
Leadership
MGT512 Security Leadership Essentials for Managers | GSLC
Essentials
Critical SEC566 Implementing and Auditing the Critical Security
Controls Controls – In-Depth | GCCC
With an increasing number of talented technologists, organizations
require effective leaders to manage their teams and processes. Those CISSP®
MGT414 SANS Training Program for CISSP® Certification | GISP
Training
managers will not necessarily perform hands-on work, but they must
know enough about the underlying technologies and frameworks to
help set strategy, develop appropriate policies, interact with skilled
practitioners, and measure outcomes.
 Development Paths

Crucial Skills, Specialized Roles

You are a candidate for advanced or specialized training

Cyber Defense Operations Harden Specific Defenses Industrial Controls
Specialized Defensive Area Every ICS Security Professionals Should Know
Blue Team SEC450 Blue Team Fundamentals: Security Operations and Analysis Essentials ICS410 ICS/SCADA Security Essentials | GICSP
OSINT SEC487 Open-Source Intelligence (OSINT) Gathering and Analysis ICS Defense &
ICS515 ICS Active Defense and Incident Response | GRID
Advanced Generalist SEC501 Advanced Security Essentials – Enterprise Defender | GCED Response

Cloud Security SEC545 Cloud Security Architecture and Operations ICS Security
ICS612 ICS Cyber Security In-Depth
In-Depth
Windows/Powershell SEC505 Securing Windows and PowerShell Automation | GCWN
NERC Protection
Linux/ Unix Defense SEC506 Securing Linux/Unix | GCUX
NERC Security ICS456 Essentials for NERC Critical
SIEM SEC555 SIEM with Tactical Analytics | GCDA Essentials Infrastructure Protection | GCIP
Other Advanced Defense Courses
Security Architecture SEC530 Defensible Security Architecture and Engineering | GDSA DevSecOps
SEC599 Defeating Advanced Adversaries – Purple Team Tactics Every Developer Should Know
Adversary Emulation
and Kill Chain Defenses | GDAT
DEV522 Defending Web Applications
Secure Web Apps
Security Essentials | GWEB
Specialized Penetration Testing Focused Techniques & Areas Secure DevOps SEC540 Cloud Security and DevOps Automation | GCSA
In-Depth Coverage
Vulnerability Assessment SEC460 Enterprise Threat and Vulnerability Assessment | GEVA
SEC660 Advanced Penetration Testing, Exploit Writing,
Networks and Ethical Hacking | GXPN
SEC760 Advanced Exploit Development for Penetration Testers
SEC642 Advanced Web App Testing, Ethical Hacking, and
Web Apps COURSE LISTING KEY:
Exploitation Techniques
Mobile SEC575 Mobile Device Security and Ethical Hacking | GMOB Topic Course Code GIAC Certification
Wireless SEC617 Wireless Penetration Testing and Ethical Hacking | GAWN
Python Coding SEC573 Automating Information Security with Python | GPYC Essentials ICS410 ICS/SCADA Security Essentials | GICSP

Course Title
Digital Forensics, Malware Analysis, & Threat Intel Specialized Investigative Skills
Malware Analysis
FOR610 Reverse-Engineering Malware: Malware Analysis
Malware Analysis
Tools and Techniques | GREM
Threat Intelligence

60+
Cyber Threat Intelligence FOR578 Cyber Threat Intelligence | GCTI
Digital Forensics & Media Exploitation
Battlefield Forensics
FOR498 Battlefield Forensics & Data Acquisition
To learn more hands-on
& Data Acquisition about additional courses
Smartphones FOR585 Smartphone Forensic Analysis In-Depth | GASF SANS courses, go to:
Memory Forensics FOR526 Advanced Memory Forensics & Threat Detection sans.org/courses
Mac Forensics FOR518 Mac and iOS Forensic Analysis and Incident Response

See in-depth course

Advanced Management Advanced Leadership, Audit, Legal descriptions and the digital
version of this roadmap at:
Management Skills
sans.org/roadmap
Planning, Policy, Leadership MGT514 Security Strategic Planning, Policy, and Leadership | GSTRT
Managing Vulnerabilities MGT516 Managing Security Vulnerabilities: Enterprise and Cloud
MGT525 IT Project Management, Effective Communication, and
Project Management
PMP® Exam Prep | GCPM
Audit & Legal

Audit & Monitor

AUD507 Auditing and Monitoring Networks, The most trusted source for
Perimeters & Systems | GSNA cybersecurity training, certifications,
Law & Investigations LEG523 Law of Data Security and Investigations | GLEG degrees, and research
Cyber Defense Essentials

All professionals entrusted with hands-on

cybersecurity work should be trained to possess a
common set of skills to understand how attackers
operate, implement defense in depth, and respond to
incidents to mitigate risks and properly secure systems.
To be secure, you should set a high bar for the baseline set of skills in
your organization. SANS Cyber Defense Essentials courses will teach you to:

• Adopt techniques that focus • Use strategies and tools

on high-priority security to detect attacks
problems within your • Develop effective security
organization metrics that provide a focused
• Build a solid foundation of playbook that IT can implement,
core policies and practices to auditors can validate, and
enable you and your security executives can understand
teams to practice proper • Implement a comprehensive
incident response security program focused on
• Deploy a toolbox of strategies preventing, detecting, and
and techniques to help defend responding to attacks
an enterprise from every angle • Build an internal security
• Identify the latest attack vectors roadmap that can scale
and implement controls to today and into the future
prevent and detect them

“This training has given me a great overview of Cyber Defense

everything security related ... showing you such a broad Job Roles:
• Security Analyst
amount of information that you will use to determine • Security Engineer
security issues you may not have considered before.” • Technical Manager
• Auditor
— Frank Perrilli, IESO

4
 Fundamentals, Essentials, Advanced

Featured Cyber Defense Essentials Training and Certifications

SEC301 Introduction to Cyber Security SEC501 Advanced Security Essentials –

GISF GIAC Information Security Fundamentals Enterprise Defender

This introductory course is the fastest way to get GCED GIAC Certified Enterprise Defender
up to speed in information security. The entry-level A key theme of this course is that prevention is ideal,
course includes a broad spectrum of security topics but detection is a must. Security professionals must
and real-life examples. know how to constantly advance security efforts
sans.org/SEC301 in order to prevent as many attacks as possible.
This prevention needs to occur both externally
SEC401 Security Essentials Bootcamp Style and internally via portable network and server
environments.
GSEC GIAC Security Essentials
sans.org/SEC501
Learn the language and underlying theory of computer
Additional Courses and Certifications
and information security, helping you understand how
security applies to your job. You’ll walk away having SEC402 Cybersecurity Writing: Hack the Reader
gained the latest knowledge and essential skills MGT414 SANS Training Program for CISSP® Certification
required for effective management of security systems GISP Certification

and processes. SEC440 Critical Security Controls: Planning,

Implementing, and Auditing
sans.org/SEC401
Review full course descriptions and demos at sans.org/courses

SEC504 Hacker Tools, Techniques,

Exploits, and Incident Handling
GCIH GIAC Certified Incident Handler
This course will prepare you to turn the tables on
computer attackers. The course addresses the latest
cutting-edge insidious attack vectors, the “oldie- • Cyber Defense NetWars
but-goodie” attacks that are still so prevalent, and Enhance your sans.org/netwars
training with:
everything in between. You will learn a time-tested, • Webcasts, blogs, research,
step-by-step process to respond to computer and other resources
cyber-defense.sans.org
incidents; how attackers undermine systems so you
can prepare, detect, and respond to them; and how to • The SANS Technology
Institute’s undergraduate
discover holes in your system before the bad guys do. and graduate cybersecurity
sans.org/SEC504 programs
sans.edu

5
Blue Team Operations

The term Blue Team comes from the world of military

exercises, during which the Red Team plays the role of
the adversary and the Blue Team acts as the friendly
forces defending itself from Red Team cyber-attacks.
In cybersecurity, the Blue Team’s focus is on defending the organization
from cyber-attacks. Blue Teams develop and implement multiple security
controls in a layered defense-in-depth strategy, verify their effectiveness,
and continuously monitor and improve defenses.
Blue Team Operations courses will teach you to:

• Deploy tools and techniques • Apply a proactive approach to

needed to defend your networks Network Security Monitoring
with insight and awareness (NSM)/Continuous Diagnostics
and Mitigation (CDM)/Continuous
• Implement a modern security Security Monitoring (CSM)
design that allows you to
protect your assets and • Use methods and processes
defend against threats to enhance existing logging
solutions
• Establish and maintain a
holistic and layered approach • Apply technical security
to security principles and controls
for the cloud
• Detect intrusions and
analyze network traffic

Blue Team Operations

Job Roles:
“Using the techniques from this class, • Security Analyst
I will immediately be able to improve • Network and
our logging and detection capabilities.” Security Architect
• SOC Analyst
— Kendon Emmons, Dart Container • SOC Manager
• Intrusion Analyst
• Incident Investigator
6
 Architect, Monitor, Detect

Featured Blue Team Operations Training and Certifications

SEC450 Blue Team Fundamentals: Security SEC555 SIEM with Tactical Analytics
Operations and Analysis GCDA GIAC Certified Detection Analyst
This course provides an accelerated on-ramp for SEC555 guides students through the steps of tailoring
new cyber defense team members and SOC managers. and deploying Security Information and Event
The curriculum introduces students to a defender’s Management (SIEM) to full Security Operations Center
common tools and packs in essential explanations of (SOC) integration. The underlying theme is to actively
those tools, processes, and data flow that every blue apply continuous monitoring and analysis techniques
team member needs to know. by utilizing modern cyber threat attacks. Labs involve
sans.org/SEC450
replaying captured attack data to provide real-world
results and visualizations.
SEC511 Continuous Monitoring sans.org/SEC555
and Security Operations
GMON GIAC Continuous Monitoring Certification Additional Courses and Certifications

The Defensible Security Architecture and Network SEC455 SIEM Design & Implementation

Security Monitoring taught in this course will best SEC487 Open-Source Intelligence (OSINT) Gathering and Analysis

position your organization or Security Operations SEC503 Intrusion Detection In-Depth | GCIA Certification
Center (SOC) to analyze threats and detect anomalies SEC505 Securing Windows and PowerShell Automation
GCWN Certification
that could indicate cybercriminal behavior.
SEC506 Securing Linux/Unix | GCUX Certification
sans.org/SEC5111
SEC524 Cloud Security and Risk Fundamentals

SEC530 Defensible Security Architecture SEC545 Cloud Security Architecture and Operations

and Engineering Review full course descriptions and demos at sans.org/courses

GDSA GIAC Defensible Security Architecture

This course will help you establish and maintain a
holistic and layered approach to security, balancing • Cyber Defense NetWars
Enhance your sans.org/netwars
detection, prevention, and response capabilities with training with:
implementation of appropriate network controls. • A SANS Summit – Blue Team,
Open-Source Intelligence
You’ll learn the fundamentals of engineering a sans.org/summit
defensible security architecture.
• Webcasts, blogs, research,
sans.org/SEC530 and other resources
cyber-defense.sans.org

• The SANS Technology

Institute’s undergraduate
and graduate cybersecurity
programs, including a
Graduate Certificate in
Cyber Defense Operations
sans.edu

7
Penetration Testing

Organizations rely on penetration tests to discover

and understand their system vulnerabilities so they
can work to fix known issues before bad guys attack.
As adversaries evolve and attacks become more sophisticated,
pen testers need to emulate current real-world attack techniques,
discover issues, and properly report those findings in order to
deliver significant value to the security team.
SANS Penetration Testing courses will teach you to:

• Emulate today’s most powerful • Conduct professional and

and common attacks safe testing according to a
carefully designed scope
• Discover vulnerabilities in and rules of engagement
target systems
• Help an organization
• Exploit vulnerabilities under with its goal of properly
controlled circumstances prioritizing resources
• Apply technical excellence to
determine and document risk
and potential business impact

“In one week, my instructor built a bridge from typical Penetration Testing
Job Roles:
vulnerability scanning to the true art of penetration • System/Network
testing. Thank you SANS for making myself and my Penetration Tester

company much more capable in information security.”

• Application Penetration Tester
• Incident Handler
— Mike Dozier, Savannah River Nuclear Solutions • Vulnerability Researcher
• Exploit Developer

8
 Assess, Test, Exploit

Featured Penetration Testing Training and Certifications

SEC460 Enterprise Threat and Vulnerability SEC660 Advanced Penetration Testing,

Assessment Exploit Writing, and Ethical Hacking
GEVA GIAC Enterprise Vulnerability Assessor GXPN GIAC Advanced Penetration Tester
In this course, you will learn to use real industry- SEC660 is a logical progression for students who
standard security tools for vulnerability assessment, have completed SEC560 or for those with existing
management, and mitigation. SEC460 is the only penetration testing experience. The course goes
course that teaches a holistic vulnerability assessment far beyond simply scanning for low-hanging fruit
methodology while focusing on challenges faced in a and teaches you how to model the abilities of an
large enterprise. advanced attacker to find significant flaws in a target
sans.org/SEC460 environment and demonstrate the business risk
associated with these flaws.
SEC560 Network Penetration Testing sans.org/SEC660
and Ethical Hacking
GPEN GIAC Certified Penetration Tester
This course prepares you to conduct high-value
penetration testing projects step by step and end
to end. SEC560 starts with proper planning, scoping
and recon, then dives deep into scanning, target
exploitation, password attacks, and web app
manipulation, with over 30 detailed hands-on labs
throughout.
sans.org/SEC560

• Core NetWars, CyberCity

Additional Courses and Certifications Enhance your sans.org/netwars
training with:
SEC542 Web App Penetration Testing and Ethical Hacking • A SANS Summit –
GWAPT Certification Pen Test HackFest ,
Pen Test West
SEC564 Red Team Exercises and Adversary Emulation sans.org/summit
SEC573 Automating Information Security with Python
• Webcasts, blogs, research,
GPYC Certification
and other resources like the
SEC575 Mobile Device Security and Ethical Hacking Slingshot linux distribution
GMOB Certification pen-testing.sans.org
SEC580 Metasploit Kung Fu for Enterprise Pen Testing
• The SANS Technology Institute’s
SEC617 Wireless Penetration Testing and Ethical Hacking undergraduate and graduate
GAWN Certification cybersecurity programs
sans.edu
SEC642 Advanced Web App Penetration Testing,
Ethical Hacking, and Exploitation Techniques
SEC760 Advanced Exploit Development for Penetration Testers

Review full course descriptions and demos at sans.org/courses

9
Incident Response, Threat Hunting
and Digital Forensics

Organizations of all sizes need personnel who can

master incident response techniques to properly
identify compromised systems, provide effective
containment of the breach, and rapidly remediate
the incident.
Similarly, government and law enforcement agencies require skilled
personnel to perform media exploitation and recover key evidence
from adversary systems and devices. SANS Incident Response,
Threat Hunting and Digital Forensics will teach you to:

• Hunt for the adversary before • Understand the capabilities

and during an incident across of malware to derive threat
your enterprise intelligence, respond to
information security incidents,
• Acquire in-depth digital forensics and fortify defenses
knowledge of Microsoft Windows
and Apple OSX operating systems • Identify, extract, prioritize, and
leverage cyber threat intelligence
• Examine portable smartphone from advanced persistent threat
and mobile devices to look for (APT) intrusions
malware and digital forensic
artifacts • Recognize that a properly trained
incident responder could be the
• Incorporate network forensics only defense an organization has
into your investigations, during a compromise
providing better findings and
getting the job done faster • Properly identify, collect,
preserve, and respond to data
• Leave no stone unturned by from a wide range of storage
incorporating memory forensics devices and repositories,
into your investigations ensuring that the integrity of the
evidence is beyond reproach

Digital Forensics,
IncidentIncident
Response, Threat
“This training is invaluable to a practitioner! Hunting and Digital Forensics
Response, & Threat Hunting
The tools and knowledge that you gain from Job Roles:
Job Roles:

it is just outstanding!” • Forensic Investigator/Analyst

Forensic Investigator/Analyst,
• Incident Responder
— James Tayler, Context Information Security • Threat Hunter
Incident Responder, Threat Hunter,
• Threat Intelligence Analyst
Threat Intelligence Analyst,Professional
• Law Enforcement Law
Enforcement Professional, Security
10
Analyst
 Hunt, Investigate, Respond

Featured Incident Response, Threat Hunting and Digital Forensics Training and Certifications

FOR500 Windows Forensic Analysis FOR572 Advanced Network Forensics: Threat

GCFE GIAC Certified Forensic Examiner Hunting, Analysis, and Incident Response

In this course, you’ll build in-depth and GNFA GIAC Network Forensic Analyst
comprehensive digital forensics knowledge of This course covers the tools, technology, and
Microsoft Windows operating systems by analyzing processes required to integrate network data sources
and authenticating forensic data, tracking detailed into your investigations, with a focus on efficiency and
user activity, and organizing findings. effectiveness. There are many use cases for network
sans.org/FOR500 data, including proactive threat hunting, reactive
forensic analysis, and continuous incident response.
FOR508 Advanced Incident Response, Learn the techniques that can help close gaps in these
Threat Hunting, and Digital Forensics use cases and dive into the full spectrum of network
GCFA GIAC Certified Forensic Analyst evidence, including high-level NetFlow analysis,
low-level pcap exploration, ancillary network log
This course teaches advanced skills to hunt, identify, examination, and more.
counter, and recover from a wide range of threats sans.org/FOR572
within enterprise networks, including advanced
persistent threat (APT) nation-state adversaries,
organized crime syndicates, and hactivists. You’ll use
threat hunting to catch intrusions while they are in
progress, rather than after attackers have attained
their objectives.
sans.org/FOR508

• DFIR NetWars:
Additional Courses and Certifications Enhance your sans.org/netwars
training with:
FOR498 Battlefield Forensics & Data Acquisition • A SANS Summit –
FOR518 Mac and iOS Forensic Analysis and Incident Response DFIR, Threat Hunting
and Incident Response,
FOR526 Advanced Memory Forensics & Threat Detection
Cyber Threat Intelligence
FOR578 Cyber Threat Intelligence | GCTI Certification sans.org/summit
FOR585 Smartphone Forensic Analysis In-Depth • Webcasts, blogs, research,
GASF Certification and other resources like SIFT
FOR610 Reverse-Engineering Malware: Malware Analysis Workstation and EZ Tools
Tools and Techniques | GREM Certification digital-forensics.sans.org

Review full course descriptions and demos at sans.org/courses • The SANS Technology Institute’s
undergraduate and graduate
cybersecurity programs,
including a Graduate Certificate
in Incident Response
sans.edu

11
Security Management,
Legal, and Audit

As the threat landscape continues to evolve,

cybersecurity has become more valuable to
organizations than ever before. Business leaders
now understand the importance of securing
high-value information assets and the significant
risk associated with a breach or attack.
As a result, organizations need cybersecurity leaders and managers
who can pair their technical knowledge with essential leadership skills
so they can effectively lead projects, teams, and initiatives in support
of business objectives.
The Security Management, Legal, and Audit focus area delivers applicable
and practical approaches to managing cyber risk. This series of hands-on,
interactive courses help current and aspiring cybersecurity leaders take
their management skills to the level of their technical knowledge.
SANS Security Management, Legal, and Audit courses will teach you to:

• Develop your management • Effectively engage and

and leadership skills communicate with key
business stakeholders
• Understand and analyze risk
• Measure the impact of
• Create effective your security program
cybersecurity policy
• Educate your workforce
• Build a vulnerability about the importance of
management program cybersecurity and ways to
• Develop strategic security plans help keep the organization
that incorporate business and protected from threats
organizational goals

Management, Legal, and Audit

Job Roles:
“This training applies to all aspects of my job, from • CISO
network management to project management.” • CIO
• Security Manager
— David Chaulk, Enbridge
• SOC Manager
• Auditor
• Lawyer
• Privacy Officer
12
 Examine, Assess, Lead

Featured Security Management, Legal, and Audit Training and Certifications

MGT512 Security Leadership Essentials for Managers MGT514 Security Strategic Planning,
Policy, and Leadership
GSLC GIAC Security Leadership Certification
GSTRT GIAC Strategic Planning,
In this course, managers are empowered with
Policy, and Leadership Certification
the technical knowledge and management skills
necessary to lead security teams. The entire security This course teaches cybersecurity leaders how to
stack is covered, including data, network, host, build and execute strategic plans that resonate with
application, and user controls in conjunction with other business executives, create effective information
key management topics that address the overall security policy, and develop management skills to
security lifecycle. better lead, inspire, and motivate teams.
sans.org/MGT512 sans.org/MGT514

LEG523 Law of Data Security and Investigations

GLEG GIAC Law of Data Security & Investigations
Certification
This course teaches the law of business, contracts,
fraud, crime, IT security, IT liability and IT policy – all
with a focus on electronically stored and transmitted
records. Investigators will learn how to prepare
credible, defensible reports, whether for cyber crimes,
forensics, incident response, human resources or
other investigations.
sans.org/LEG523

• SEC402: Cybersecurity Writing:

Additional Courses and Certifications Enhance your Hack the Reader
training with: sans.org/SEC402
MGT415 A Practical Introduction to
Cyber Security Risk Management • A SANS Summit –
MGT521 Driving Cybersecurity Change - Establishing Security Awareness
a Culture of Protect, Detect, and Respond sans.org/summit
MGT433 SANS Security Awareness: How to Build, Maintain, • The SANS Technology Institute’s
and Measure a Mature Awareness Program undergraduate and graduate
SSAP Practitioner cybersecurity programs, including
MGT516 Managing Security Vulnerabilities: Enterprise and Cloud a Master of Science in Information
Security Engineering degree
MGT525 IT Project Management, Effective Communication, sans.edu
and PMP® Exam Prep | GCPM Certification
SEC566 Implementing and Auditing the
Critical Security Controls – In-Depth | GCCC Certification

Review full course descriptions and demos at sans.org/courses

13
DevSecOps
Develop, Automate, Deploy

Adoption of DevSecOps has radically changed the way organizations

design, build, deploy, secure and operate modern systems.
DevOps has enabled teams to update products and systems much faster and more frequently
than traditional methods by merging development and operations units and automating
processes that were historically manual. To ensure applications and products are secure,
organizations integrate automated cybersecurity tasks into the DevOps process. This practice,
known as DevSecOps, helps organizations build secure applications while supporting an agile
software development strategy. SANS DevSecOps courses will teach you to:

• Integrate security practices Featured DevSecOps Training and Certifications

and protocols into production
operations DEV522 Defending Web Applications Security Essentials
GWEB GIAC Certified Web Application Defender
• Apply defensive techniques
to prevent your application The quantity and importance of data entrusted to web applications
from being compromised is growing, and defenders need to learn how to secure it. This course
will provide you with a better understanding of web application
• Use DevOps practices to improve vulnerabilities so that you can strengthen defenses where traditional
the state of cybersecurity network defenses like firewalls fall short.
sans.org/DEV522
• Understand the DevSecOps
methodology and toolchain
SEC540 Cloud Security and DevOps Automation
• Leverage cloud services to GCSA GIAC Cloud Security Automation Certification
improve time to market and
automate deployments Master the tools needed to build and deliver secure software using
DevOps and cloud services, specifically Amazon Web Services (AWS).
• Proactively deploy defensive Explore how the principles, practices, and tools of DevOps and AWS
mechanisms against adversaries can improve the reliability, integrity, and security of applications.
and recognize common sans.org/SEC540
security vulnerabilities in
web applications
• A SANS Summit –
Enhance your Cloud & DevOps Security
training with: sans.org/summit

• Webcasts, blogs, research,

and other resources
software-security.sans.org
“Mind-blowing! If you are a traditional security
architect, tip-toeing around DevOps, attend • The SANS Technology
Institute’s undergraduate
SEC540. It takes you into into the depths of and graduate cybersecurity

DevSecOps and sets you up for the future!” programs

sans.edu
— Jatin Sachdeva, CISCO

14
Industrial Control
Protect Industry and Infrastructure

Systems

The current landscape presents a diverse and chaotic picture of

the threats facing industrial control system owners and operators.
Attacks that cause physical damage or impact physical processes are no longer limited
to theory or speculation. We’re now seeing incidents where malicious actors successfully
intrude, cause system damage, and impact operations using ICS-tailored malware. We need
to be prepared to defend our control systems against increasingly sophisticated adversaries.
SANS Industrial Control Systems Security courses will teach you to:

• Recognize ICS components, Featured Industrial Control Systems Training and Certifications
purposes, deployments,
significant drivers, and ICS410 ICS/SCADA Security Essentials
constraints GICSP Global Industrial Cyber Security Professional

• Identify ICS assets and their This course is designed to train the workforce involved in supporting
network topologies and how and defending industrial control systems on how to keep the operational
to monitor ICS hotspots for environment safe, secure, and resilient against current and emerging
abnormalities and threats threats.
sans.org/ICS410
• Understand approaches to
system and network defense ICS515 ICS Active Defense and Incident Response
architectures and techniques
GRID GIAC Response and Industrial Defense
• Perform ICS incident response This course will show you how to deconstruct ICS cyber-attacks, leverage
focusing on security operations an active defense to identify and counter threats in your ICS, and
and prioritizing the safety and maintain the safety and reliability of operations. You’ll better understand
reliability of operations your networked ICS environment, how to monitor it for threats and
• Implement effective cyber perform incident response against identified threats, and how you
and physical access controls can learn from interactions to enhance network security.
sans.org/ICS515

Additional Courses and Certifications

• Grid NetWars, ICS NetWars
ICS612 ICS Cybersecurity In-Depth Enhance your sans.org/netwars
training with:
ICS456 Essentials for NERC Critical Infrastructure Protection • A SANS Summit –
GCIP Certification ICS, Oil & Gas Cybersecurity
sans.org/summit
Review full course descriptions and demos at sans.org/courses
• Webcasts, blogs, forums,
research, and other resources
ics.sans.org
“The training starts with theory and
• The SANS Technology Institute’s
quickly progresses into full hands-on undergraduate and graduate
interaction with all components. cybersecurity programs,
including a Graduate Certificate
This experience is not easy to find.” in Industrial Control Systems
– Bassem Hemida, Deloitte sans.edu
15
Emerging Focus Areas

Team-Based Training Purple Team Training and Certifications

This focus area is designed to help cybersecurity These courses help red and blue teams join forces so
professionals build team skills, leadership abilities, that they can effectively create a strong feedback loop
and communication techniques, along with technical and identify detection and prevention controls that
expertise, all while under fire in a series of increasingly can be implemented for immediate improvement.
complex scenarios.
SEC599 Defeating Advanced Adversaries —
Purple Team Tactics & Kill Chain Defenses
“TBT570 is 90% hands-on, which makes
it unique among course offerings. GDAT Defending Advanced Threats Certification

The cyber labs were realistic and SEC699 Purple Team Tactics — Adversary Emulation
for Breach Prevention & Detection
hearing from the red team each day
was valuable.” sans.org/purple-team

— Edward Tanner, Booz Allen Hamilton

TBT570 Team-Based Training - Blue Team and Red Cloud Security Training and Certifications
Team Dynamic Workshop
sans.org/TBT This rapidly developing focus area incorporates
hands-on labs and exercises to help cybersecurity
professionals apply their skills within real-world
cloud environments.

SEC540 Cloud Security and DevOps Automation

GCSA Cloud Security Automation Certification
SEC545 Cloud Security Architecture and Operations
MGT516 Managing Security Vulnerabilities:
Enterprise and Cloud
sans.org/cloud-security

Stay at the
Forefront of
Cybersecurity

The threat landscape is constantly evolving, with new attack methods

emerging daily. SANS’ commitment to helping you stay ahead of risks is
not limited to our training courses. Stay engaged with the cybersecurity
community and learn about emerging trends and cutting-edge concepts
through our webcasts, blogs, tools, research, and other resources at
sans.org/security-resources

16
 “Very impressed with SANS
NetWars. The material is
relevant and educational,
and the tournament-style
play is remarkably engaging.
I really like the scoring
system and scoreboard.”
— Adam Tice,
Lockheed Center for Cyber Security

SANS NetWars is a suite of hands-on, interactive

• Designed for all skill levels
learning scenarios that enable information security
• Earn 6 Continuing Professional
professionals to develop and master the real-world, Education credits (CPEs)
in-depth skills they need to excel in their field. and recognition on our
Participants learn in a cyber range while working through various real-time scoreboard
challenge levels, all hands-on, with a focus on mastering the skills • Top-scoring participants receive
information security professionals can use in their jobs every day. a SANS NetWars Challenge Coin

Core NetWars Tournament DFIR NetWars Tournament Grid NetWars

Industry-relevant and DFIR NetWars is an incident Themed for the electricity industry,
innovative, Core NetWars is the simulator challenge developed Grid NetWars enables Operational
ultimate cybersecurity range to help you gain proficiency by Technology security professionals
for powering up your skills in working real-world incidents to develop their skills by working
a fun, multi-disciplinary, and in a safe environment without to resolve unexplained system
collaborative environment. the associated risks. failures.

Cyber Defense ICS NetWars Tournament NetWars Continuous

NetWars Tournament ICS NetWars helps Operational Advance your cybersecurity skills
Cyber Defense NetWars was Technology security professionals on your schedule and at your pace
designed by cyber defenders develop and master the real- with a four-month subscription to
for cyber defenders. Defend the world, in-depth skills needed the latest version of Core NetWars
flag on your own or on a team to defend industrial control Continuous.
in this comprehensive, hands- systems in real time.
on Blue Team challenge.

sans.org/netwars | @SANSNetWars THE #NETWARS EXPERIENCE

00
 Create a SANS Account today to enjoy these
Free resources at www.sans.org/account

Newsletters
NewsBites @RISK: The Consensus Security Alert
Twice-weekly, high-level executive summary of the most A reliable weekly summary of (1) newly
important news relevant to cybersecurity professionals. discovered attack vectors, (2) vulnerabilities
OUCH! with active new exploits, (3) how recent
attacks worked, and (4) other valuable data.
The world’s leading monthly, free security awareness newsletter
designed for the common computer user.

WhatWorks Webcasts
Webcasts The SANS WhatWorks webcasts bring powerful
Ask the Experts Webcasts
customer experiences showing how end users
SANS experts bring current and timely information on relevant resolved specific IT Security issues.
topics in IT Security.
Analyst Webcasts
A follow-on to the SANS Analyst Program, Analyst Webcasts Tool Talks
provide key information from our whitepapers and surveys.
Tool Talks are designed to give you a solid
understanding of a problem and how a vendor’s
commercial tool can be used to solve or mitigate
Other Free Resources that problem.
(No portal account is necessary)
• Security Posters
• InfoSec Reading Room • Thought Leaders
• Top 25 Software Errors • 20 Coolest Careers
• 20 Critical Controls • Security Glossary
• Security Policies • SCORE (Security Consensus Operational
• Intrusion Detection FAQs Readiness Evaluation)
• Tip of the Day

Follow us on our social media channels to stay up-to-date on the latest cyber security
developments and announcements around SANS EMEA events and courses.