The most trusted source for

cybersecurity training, certifications,

degrees, and research

Cybersecurity
Career Paths
Find your path. Develop new skills. Prove your knowledge.

65+
hands-on
courses 120+
extraordinary
SANS-certified
instructors

35+
certifications

SANS Focus Areas The SANS Promise

Cyber Defense Incident Response, Industrial Control
Essentials Threat Hunting, and
Digital Forensics
Systems You will be able to use the skills
Blue Team
Operations Security
Cloud Security
Team-Based Training
you’ve learned in our training
Penetration
Testing
Management,
Legal, and Audit Purple Team Training and programs immediately.
DevSecOps

00
Select training and certifications
in alignment with your career path
Contents
Training Roadmap 2
Cyber Defense Essentials 4
Blue Team Operations 6
Penetration Testing 8
Incident Response,
Threat Hunting,
and Digital Forensics 10
Security Management,
Legal, and Audit 12
DevSecOps 14
Industrial Control Systems 15
Team-Based Training 16
Purple Team Training 16
Cloud Security 16
NetWars 17
Test Drive
45+
SANS
Courses
SANS is dedicated to delivering and
validating hands-on skills because
we understand every member of the
cybersecurity team has a role to play in
establishing that critical line of defense
in this battle against ever-evolving
adversaries.
The SANS training catalog includes more than 65
courses and 35 GIAC certifications across 10 defined
focus areas, ensuring you can find and receive the
training that best fits your interests and career path.
No matter what skills training you’re looking for
or which certifications you are after, SANS has you
covered with curricula spanning baseline defensive
tactics and highly specialized expertise such
as malware analysis and exploit development.
We have the training and certifications that help
the full range of cybersecurity professionals build
and validate hands-on skills.
If you’re new to SANS or unsure of the subject area
or skill level to select for your next training course,
SANS offers free one-hour course previews via our
OnDemand platform.
Preview our courses at sans.org/demo
Learn the skills you need from the
best practitioners in the world
SANS course authors and instructors are renowned
cybersecurity experts who share their knowledge
by drawing on their own real-world experiences
and top-shelf curriculum. Gaining access to these
highly regarded experts is what keeps cybersecurity
professionals coming back to SANS training, time
and again.
Deepen your knowledge and validate your
skills with a GIAC certification
GIAC certifications are designed to ensure that
students can apply their knowledge and skills in a
real-world setting. More than 35 GIAC certifications
align with SANS courses, validating student mastery
for professional use in specialized focus areas and
job-specific roles.

Choose training in person or online

Cybersecurity professionals across regions,
industries, and focus areas come together in person
for live classroom instruction. SANS events provide
focused learning, networking sessions, and evening
skill-building workshops and labs.
SANS Online Training offers the same content,
instructors, and learning results as live courses.
More than 45 courses are available via four flexible
learning platforms and include live chat and email
assistance from SANS subject-matter experts.

Training Events Summits OnDemand Simulcast

At more than 200 training
events held annually,
choose to attend one of
our many offered courses
taught by SANS instructors
at a single location.
Private Courses
Train with your colleagues
at your organization’s
location and freely discuss
issues and objectives
specific to your
environment.
Take part in one- Learn anytime, anywhere Experience live
or two-day SANS with flexibility and streaming content
conferences, featuring convenience to take your direct from a SANS
expert presentations training on your terms. classroom, including
covering a single real-time interaction with
topic of interest to the moderators and peers.
cybersecurity community.
SelfStudy
Enjoy self-paced
learning with course
books and MP3s.

120+
extraordinary
SANS-certified
instructors
1
 Training Roadmap
Choose your path
SANS comprehensive course offerings enable
professionals to deepen their technical skills in
Focus Job Roles
key practice areas. The courses also address other
topics and audiences, such as security training for
software developers, industrial control engineers, You are experienced in security, preparing
and non-technical personnel in management, legal, for a specialized job role or focus
and audit. Monitoring & Detection Intrusion Detection, Monitoring Over Time
Scan Packets & Networks
Intrusion
SEC503 Intrusion Detection In-Depth | GCIA
Baseline Skills Detection
Monitoring & SEC511 Continuous Monitoring and Security Operations |
Operations GMON

New to Cyber Security Concepts, Terms, & Skills The detection of what is happening in your environment requires an
increasingly sophisticated set of skills and capabilities. Identifying
Cyber Security
SEC301 Introduction to Cyber Security | GISF security anomalies requires increased depth of understanding to
Fundamentals
deploy detection and monitoring tools and to interpret their output.

You are experienced in technology, but need Penetration Testing Vulnerability Analysis, Ethical Hacking
to learn hands-on, essential security skills Every Pen Tester Should Know
and techniques SEC560 Network Penetration Testing and Ethical Hacking |
Networks
GPEN
Core Techniques Prevent, Defend, Maintain
SEC542 Web App Penetration Testing and Ethical Hacking |
Every Security Professional Should Know Web Apps
GWAPT
Security
SEC401 Security Essentials Bootcamp Style | GSEC The professional who can find weakness is often a different breed
Essentials
than one focused exclusively on building defenses. A basic tenet of red
Hacker SEC504 Hacker Tools, Techniques, Exploits,
Techniques and Incident Handling | GCIH team/blue team deployments is that finding vulnerabilities requires
a different way of thinking, and different tools, but is essential for
All professionals entrusted with hands-on cybersecurity work should defense specialists to improve their defenses.
be trained to possess a common set of capabilities enabling them to
secure systems, practice defense-in-depth, understand how attacks
work, and manage incidents when they occur. To be secure, you should
set a high bar for the baseline set of skills in your security organization.
Incident Response & Threat Hunting Host & Network Forensics
Every Forensics and IR Professional Should Know
FOR500 Windows Forensic Analysis | GCFE
Endpoint
FOR508 Advanced Incident Response, Threat Hunting,
Forensics
and Digital Forensics | GCFA
Network FOR572 Advanced Network Forensics: Threat Hunting,
Forensics Analysis, and Incident Response | GNFA
Whether you’re seeking to maintain a trail of evidence on host or
network systems, or hunting for threats using similar techniques, larger
organizations need specialized professionals who can move beyond
first-response incident handling in order to analyze an attack and
Security Management Managing Technical Security Operations develop an appropriate remediation and recovery plan.
Every Security Manager Should Know
Leadership
MGT512 Security Leadership Essentials for Managers | GSLC
Essentials
Critical SEC566 Implementing and Auditing the Critical Security
Controls Controls – In-Depth | GCCC
With an increasing number of talented technologists, organizations
require effective leaders to manage their teams and processes. Those CISSP®
MGT414 SANS Training Program for CISSP® Certification | GISP
Training
managers will not necessarily perform hands-on work, but they must
know enough about the underlying technologies and frameworks to
help set strategy, develop appropriate policies, interact with skilled
practitioners, and measure outcomes.
 Development Paths

Crucial Skills, Specialized Roles

You are a candidate for advanced or specialized training

Cyber Defense Operations Harden Specific Defenses Industrial Controls
Specialized Defensive Area Every ICS Security Professionals Should Know
Blue Team SEC450 Blue Team Fundamentals: Security Operations and Analysis Essentials ICS410 ICS/SCADA Security Essentials | GICSP
OSINT SEC487 Open-Source Intelligence (OSINT) Gathering and Analysis ICS Defense &
ICS515 ICS Active Defense and Incident Response | GRID
Advanced Generalist SEC501 Advanced Security Essentials – Enterprise Defender | GCED Response

Cloud Security SEC545 Cloud Security Architecture and Operations ICS Security
ICS612 ICS Cyber Security In-Depth
In-Depth
Windows/Powershell SEC505 Securing Windows and PowerShell Automation | GCWN
NERC Protection
Linux/ Unix Defense SEC506 Securing Linux/Unix | GCUX
NERC Security ICS456 Essentials for NERC Critical
SIEM SEC555 SIEM with Tactical Analytics | GCDA Essentials Infrastructure Protection | GCIP
Other Advanced Defense Courses
Security Architecture SEC530 Defensible Security Architecture and Engineering | GDSA DevSecOps
SEC599 Defeating Advanced Adversaries – Purple Team Tactics Every Developer Should Know
Adversary Emulation
and Kill Chain Defenses | GDAT
DEV522 Defending Web Applications
Secure Web Apps
Security Essentials | GWEB
Specialized Penetration Testing Focused Techniques & Areas Secure DevOps SEC540 Cloud Security and DevOps Automation | GCSA
In-Depth Coverage
Vulnerability Assessment SEC460 Enterprise Threat and Vulnerability Assessment | GEVA
SEC660 Advanced Penetration Testing, Exploit Writing,
Networks and Ethical Hacking | GXPN
SEC760 Advanced Exploit Development for Penetration Testers
SEC642 Advanced Web App Testing, Ethical Hacking, and
Web Apps COURSE LISTING KEY:
Exploitation Techniques
Mobile SEC575 Mobile Device Security and Ethical Hacking | GMOB Topic Course Code GIAC Certification
Wireless SEC617 Wireless Penetration Testing and Ethical Hacking | GAWN
Python Coding SEC573 Automating Information Security with Python | GPYC Essentials ICS410 ICS/SCADA Security Essentials | GICSP

Course Title
Digital Forensics, Malware Analysis, & Threat Intel Specialized Investigative Skills
Malware Analysis
FOR610 Reverse-Engineering Malware: Malware Analysis
Malware Analysis
Tools and Techniques | GREM
Threat Intelligence

60+
Cyber Threat Intelligence FOR578 Cyber Threat Intelligence | GCTI
Digital Forensics & Media Exploitation
Battlefield Forensics
FOR498 Battlefield Forensics & Data Acquisition
To learn more hands-on
& Data Acquisition about additional courses
Smartphones FOR585 Smartphone Forensic Analysis In-Depth | GASF SANS courses, go to:
Memory Forensics FOR526 Advanced Memory Forensics & Threat Detection sans.org/courses
Mac Forensics FOR518 Mac and iOS Forensic Analysis and Incident Response

See in-depth course

Advanced Management Advanced Leadership, Audit, Legal descriptions and the digital
version of this roadmap at:
Management Skills
sans.org/roadmap
Planning, Policy, Leadership MGT514 Security Strategic Planning, Policy, and Leadership | GSTRT
Managing Vulnerabilities MGT516 Managing Security Vulnerabilities: Enterprise and Cloud
MGT525 IT Project Management, Effective Communication, and
Project Management
PMP® Exam Prep | GCPM
Audit & Legal

Audit & Monitor

AUD507 Auditing and Monitoring Networks, The most trusted source for
Perimeters & Systems | GSNA cybersecurity training, certifications,
Law & Investigations LEG523 Law of Data Security and Investigations | GLEG degrees, and research
Cyber Defense Essentials

All professionals entrusted with hands-on

cybersecurity work should be trained to possess a
common set of skills to understand how attackers
operate, implement defense in depth, and respond to
incidents to mitigate risks and properly secure systems.
To be secure, you should set a high bar for the baseline set of skills in
your organization. SANS Cyber Defense Essentials courses will teach you to:

• Adopt techniques that focus • Use strategies and tools

on high-priority security
problems within your
organization
• Build a solid foundation of
core policies and practices to
enable you and your security
teams to practice proper
incident response
• Deploy a toolbox of strategies
and techniques to help defend
an enterprise from every angle
• Identify the latest attack vectors
and implement controls to
prevent and detect them
to detect attacks
• Develop effective security
metrics that provide a focused
playbook that IT can implement,
auditors can validate, and
executives can understand
• Implement a comprehensive
security program focused on
preventing, detecting, and
responding to attacks
• Build an internal security
roadmap that can scale
today and into the future

“This training has given me a great overview of Cyber Defense

everything security related ... showing you such a broad Job Roles:
• Security Analyst
amount of information that you will use to determine • Security Engineer
security issues you may not have considered before.” • Technical Manager
• Auditor
— Frank Perrilli, IESO

4
 Fundamentals, Essentials, Advanced

Featured Cyber Defense Essentials Training and Certifications

SEC301 Introduction to Cyber Security SEC501 Advanced Security Essentials –

GISF GIAC Information Security Fundamentals Enterprise Defender

This introductory course is the fastest way to get
up to speed in information security. The entry-level
course includes a broad spectrum of security topics
and real-life examples.
sans.org/SEC301
SEC401 Security Essentials Bootcamp Style
GSEC GIAC Security Essentials
Learn the language and underlying theory of computer
and information security, helping you understand how
security applies to your job. You’ll walk away having
gained the latest knowledge and essential skills
required for effective management of security systems
GCED GIAC Certified Enterprise Defender
A key theme of this course is that prevention is ideal,
but detection is a must. Security professionals must
know how to constantly advance security efforts
in order to prevent as many attacks as possible.
This prevention needs to occur both externally
and internally via portable network and server
environments.
sans.org/SEC501
Additional Courses and Certifications
SEC402 Cybersecurity Writing: Hack the Reader
MGT414 SANS Training Program for CISSP® Certification
GISP Certification

and processes. SEC440 Critical Security Controls: Planning,

Implementing, and Auditing
sans.org/SEC401
Review full course descriptions and demos at sans.org/courses

SEC504 Hacker Tools, Techniques,

Exploits, and Incident Handling
GCIH GIAC Certified Incident Handler
This course will prepare you to turn the tables on
computer attackers. The course addresses the latest
cutting-edge insidious attack vectors, the “oldie- • Cyber Defense NetWars
but-goodie” attacks that are still so prevalent, and Enhance your sans.org/netwars
training with:
everything in between. You will learn a time-tested, • Webcasts, blogs, research,
step-by-step process to respond to computer and other resources
cyber-defense.sans.org
incidents; how attackers undermine systems so you
can prepare, detect, and respond to them; and how to • The SANS Technology
Institute’s undergraduate
discover holes in your system before the bad guys do. and graduate cybersecurity
sans.org/SEC504 programs
sans.edu

5
Blue Team Operations

The term Blue Team comes from the world of military

exercises, during which the Red Team plays the role of
the adversary and the Blue Team acts as the friendly
forces defending itself from Red Team cyber-attacks.
In cybersecurity, the Blue Team’s focus is on defending the organization
from cyber-attacks. Blue Teams develop and implement multiple security
controls in a layered defense-in-depth strategy, verify their effectiveness,
and continuously monitor and improve defenses.
Blue Team Operations courses will teach you to:

• Deploy tools and techniques • Apply a proactive approach to

needed to defend your networks
with insight and awareness
• Implement a modern security
design that allows you to
protect your assets and
defend against threats
• Establish and maintain a
holistic and layered approach
to security
• Detect intrusions and
analyze network traffic
Network Security Monitoring
(NSM)/Continuous Diagnostics
and Mitigation (CDM)/Continuous
Security Monitoring (CSM)
• Use methods and processes
to enhance existing logging
solutions
• Apply technical security
principles and controls
for the cloud

Blue Team Operations

Job Roles:
“Using the techniques from this class, • Security Analyst
I will immediately be able to improve • Network and
our logging and detection capabilities.” Security Architect
• SOC Analyst
— Kendon Emmons, Dart Container • SOC Manager
• Intrusion Analyst
• Incident Investigator
6
 Architect, Monitor, Detect

Featured Blue Team Operations Training and Certifications

SEC450 Blue Team Fundamentals: Security SEC555 SIEM with Tactical Analytics
Operations and Analysis
This course provides an accelerated on-ramp for
new cyber defense team members and SOC managers.
The curriculum introduces students to a defender’s
common tools and packs in essential explanations of
those tools, processes, and data flow that every blue
team member needs to know.
sans.org/SEC450
SEC511 Continuous Monitoring
and Security Operations
GMON GIAC Continuous Monitoring Certification
GCDA GIAC Certified Detection Analyst
SEC555 guides students through the steps of tailoring
and deploying Security Information and Event
Management (SIEM) to full Security Operations Center
(SOC) integration. The underlying theme is to actively
apply continuous monitoring and analysis techniques
by utilizing modern cyber threat attacks. Labs involve
replaying captured attack data to provide real-world
results and visualizations.
sans.org/SEC555
Additional Courses and Certifications

The Defensible Security Architecture and Network SEC455 SIEM Design & Implementation

Security Monitoring taught in this course will best SEC487 Open-Source Intelligence (OSINT) Gathering and Analysis

position your organization or Security Operations
Center (SOC) to analyze threats and detect anomalies
that could indicate cybercriminal behavior.
sans.org/SEC5111
SEC503 Intrusion Detection In-Depth | GCIA Certification
SEC505 Securing Windows and PowerShell Automation
GCWN Certification
SEC506 Securing Linux/Unix | GCUX Certification
SEC524 Cloud Security and Risk Fundamentals

SEC530 Defensible Security Architecture SEC545 Cloud Security Architecture and Operations

and Engineering Review full course descriptions and demos at sans.org/courses

GDSA GIAC Defensible Security Architecture

This course will help you establish and maintain a
holistic and layered approach to security, balancing • Cyber Defense NetWars
Enhance your sans.org/netwars
detection, prevention, and response capabilities with training with:
implementation of appropriate network controls. • A SANS Summit – Blue Team,
Open-Source Intelligence
You’ll learn the fundamentals of engineering a sans.org/summit
defensible security architecture.
• Webcasts, blogs, research,
sans.org/SEC530 and other resources
cyber-defense.sans.org

• The SANS Technology

Institute’s undergraduate
and graduate cybersecurity
programs, including a
Graduate Certificate in
Cyber Defense Operations
sans.edu

7
Penetration Testing

Organizations rely on penetration tests to discover

and understand their system vulnerabilities so they
can work to fix known issues before bad guys attack.
As adversaries evolve and attacks become more sophisticated,
pen testers need to emulate current real-world attack techniques,
discover issues, and properly report those findings in order to
deliver significant value to the security team.
SANS Penetration Testing courses will teach you to:

• Emulate today’s most powerful • Conduct professional and

and common attacks safe testing according to a
carefully designed scope
• Discover vulnerabilities in and rules of engagement
target systems
• Help an organization
• Exploit vulnerabilities under with its goal of properly
controlled circumstances prioritizing resources
• Apply technical excellence to
determine and document risk
and potential business impact

“In one week, my instructor built a bridge from typical Penetration Testing
Job Roles:
vulnerability scanning to the true art of penetration • System/Network
testing. Thank you SANS for making myself and my Penetration Tester

company much more capable in information security.”

• Application Penetration Tester
• Incident Handler
— Mike Dozier, Savannah River Nuclear Solutions • Vulnerability Researcher
• Exploit Developer

8
 Assess, Test, Exploit

Featured Penetration Testing Training and Certifications

SEC460 Enterprise Threat and Vulnerability SEC660 Advanced Penetration Testing,

Assessment Exploit Writing, and Ethical Hacking
GEVA GIAC Enterprise Vulnerability Assessor GXPN GIAC Advanced Penetration Tester
In this course, you will learn to use real industry- SEC660 is a logical progression for students who
standard security tools for vulnerability assessment, have completed SEC560 or for those with existing
management, and mitigation. SEC460 is the only penetration testing experience. The course goes
course that teaches a holistic vulnerability assessment far beyond simply scanning for low-hanging fruit
methodology while focusing on challenges faced in a and teaches you how to model the abilities of an
large enterprise. advanced attacker to find significant flaws in a target
sans.org/SEC460 environment and demonstrate the business risk
associated with these flaws.
SEC560 Network Penetration Testing sans.org/SEC660
and Ethical Hacking
GPEN GIAC Certified Penetration Tester
This course prepares you to conduct high-value
penetration testing projects step by step and end
to end. SEC560 starts with proper planning, scoping
and recon, then dives deep into scanning, target
exploitation, password attacks, and web app
manipulation, with over 30 detailed hands-on labs
throughout.
sans.org/SEC560

• Core NetWars, CyberCity

Additional Courses and Certifications Enhance your sans.org/netwars
training with:
SEC542 Web App Penetration Testing and Ethical Hacking • A SANS Summit –
GWAPT Certification Pen Test HackFest ,
Pen Test West
SEC564 Red Team Exercises and Adversary Emulation sans.org/summit
SEC573 Automating Information Security with Python
• Webcasts, blogs, research,
GPYC Certification
and other resources like the
SEC575 Mobile Device Security and Ethical Hacking Slingshot linux distribution
GMOB Certification pen-testing.sans.org
SEC580 Metasploit Kung Fu for Enterprise Pen Testing
• The SANS Technology Institute’s
SEC617 Wireless Penetration Testing and Ethical Hacking undergraduate and graduate
GAWN Certification cybersecurity programs
sans.edu
SEC642 Advanced Web App Penetration Testing,
Ethical Hacking, and Exploitation Techniques
SEC760 Advanced Exploit Development for Penetration Testers

Review full course descriptions and demos at sans.org/courses

9
Incident Response, Threat Hunting
and Digital Forensics

Organizations of all sizes need personnel who can

master incident response techniques to properly
identify compromised systems, provide effective
containment of the breach, and rapidly remediate
the incident.
Similarly, government and law enforcement agencies require skilled
personnel to perform media exploitation and recover key evidence
from adversary systems and devices. SANS Incident Response,
Threat Hunting and Digital Forensics will teach you to:

• Hunt for the adversary before • Understand the capabilities

and during an incident across
your enterprise
• Acquire in-depth digital forensics
knowledge of Microsoft Windows
and Apple OSX operating systems
• Examine portable smartphone
and mobile devices to look for
malware and digital forensic
artifacts
• Incorporate network forensics
into your investigations,
providing better findings and
getting the job done faster
• Leave no stone unturned by
incorporating memory forensics
into your investigations
of malware to derive threat
intelligence, respond to
information security incidents,
and fortify defenses
• Identify, extract, prioritize, and
leverage cyber threat intelligence
from advanced persistent threat
(APT) intrusions
• Recognize that a properly trained
incident responder could be the
only defense an organization has
during a compromise
• Properly identify, collect,
preserve, and respond to data
from a wide range of storage
devices and repositories,
ensuring that the integrity of the
evidence is beyond reproach

Digital Forensics,
IncidentIncident
Response, Threat
“This training is invaluable to a practitioner! Hunting and Digital Forensics
Response, & Threat Hunting
The tools and knowledge that you gain from Job Roles:
Job Roles:

it is just outstanding!” • Forensic Investigator/Analyst

Forensic Investigator/Analyst,
• Incident Responder
— James Tayler, Context Information Security • Threat Hunter
Incident Responder, Threat Hunter,
• Threat Intelligence Analyst
Threat Intelligence Analyst,Professional
• Law Enforcement Law
Enforcement Professional, Security
10
Analyst
 Hunt, Investigate, Respond

Featured Incident Response, Threat Hunting and Digital Forensics Training and Certifications

FOR500 Windows Forensic Analysis FOR572 Advanced Network Forensics: Threat

GCFE GIAC Certified Forensic Examiner Hunting, Analysis, and Incident Response

In this course, you’ll build in-depth and
comprehensive digital forensics knowledge of
Microsoft Windows operating systems by analyzing
and authenticating forensic data, tracking detailed
user activity, and organizing findings.
sans.org/FOR500
FOR508 Advanced Incident Response,
Threat Hunting, and Digital Forensics
GCFA GIAC Certified Forensic Analyst
This course teaches advanced skills to hunt, identify,
counter, and recover from a wide range of threats
within enterprise networks, including advanced
persistent threat (APT) nation-state adversaries,
organized crime syndicates, and hactivists. You’ll use
threat hunting to catch intrusions while they are in
progress, rather than after attackers have attained
their objectives.
sans.org/FOR508
GNFA GIAC Network Forensic Analyst
This course covers the tools, technology, and
processes required to integrate network data sources
into your investigations, with a focus on efficiency and
effectiveness. There are many use cases for network
data, including proactive threat hunting, reactive
forensic analysis, and continuous incident response.
Learn the techniques that can help close gaps in these
use cases and dive into the full spectrum of network
evidence, including high-level NetFlow analysis,
low-level pcap exploration, ancillary network log
examination, and more.
sans.org/FOR572

• DFIR NetWars:
Additional Courses and Certifications Enhance your sans.org/netwars
training with:
FOR498 Battlefield Forensics & Data Acquisition • A SANS Summit –
FOR518 Mac and iOS Forensic Analysis and Incident Response DFIR, Threat Hunting
and Incident Response,
FOR526 Advanced Memory Forensics & Threat Detection
Cyber Threat Intelligence
FOR578 Cyber Threat Intelligence | GCTI Certification sans.org/summit
FOR585 Smartphone Forensic Analysis In-Depth • Webcasts, blogs, research,
GASF Certification and other resources like SIFT
FOR610 Reverse-Engineering Malware: Malware Analysis Workstation and EZ Tools
Tools and Techniques | GREM Certification digital-forensics.sans.org

Review full course descriptions and demos at sans.org/courses • The SANS Technology Institute’s
undergraduate and graduate
cybersecurity programs,
including a Graduate Certificate
in Incident Response
sans.edu

11
Security Management,
Legal, and Audit

As the threat landscape continues to evolve,

cybersecurity has become more valuable to
organizations than ever before. Business leaders
now understand the importance of securing
high-value information assets and the significant
risk associated with a breach or attack.
As a result, organizations need cybersecurity leaders and managers
who can pair their technical knowledge with essential leadership skills
so they can effectively lead projects, teams, and initiatives in support
of business objectives.
The Security Management, Legal, and Audit focus area delivers applicable
and practical approaches to managing cyber risk. This series of hands-on,
interactive courses help current and aspiring cybersecurity leaders take
their management skills to the level of their technical knowledge.
SANS Security Management, Legal, and Audit courses will teach you to:

• Develop your management • Effectively engage and

and leadership skills communicate with key
business stakeholders
• Understand and analyze risk
• Measure the impact of
• Create effective your security program
cybersecurity policy
• Educate your workforce
• Build a vulnerability about the importance of
management program cybersecurity and ways to
• Develop strategic security plans help keep the organization
that incorporate business and protected from threats
organizational goals

Management, Legal, and Audit

Job Roles:
“This training applies to all aspects of my job, from • CISO
network management to project management.” • CIO
• Security Manager
— David Chaulk, Enbridge
• SOC Manager
• Auditor
• Lawyer
• Privacy Officer
12
 Examine, Assess, Lead

Featured Security Management, Legal, and Audit Training and Certifications

MGT512 Security Leadership Essentials for Managers
GSLC GIAC Security Leadership Certification
In this course, managers are empowered with
the technical knowledge and management skills
necessary to lead security teams. The entire security
stack is covered, including data, network, host,
application, and user controls in conjunction with
key management topics that address the overall
security lifecycle.
sans.org/MGT512
MGT514 Security Strategic Planning,
Policy, and Leadership
GSTRT GIAC Strategic Planning,
Policy, and Leadership Certification
This course teaches cybersecurity leaders how to
build and execute strategic plans that resonate with
other business executives, create effective information
security policy, and develop management skills to
better lead, inspire, and motivate teams.
sans.org/MGT514

LEG523 Law of Data Security and Investigations

GLEG GIAC Law of Data Security & Investigations
Certification
This course teaches the law of business, contracts,
fraud, crime, IT security, IT liability and IT policy – all
with a focus on electronically stored and transmitted
records. Investigators will learn how to prepare
credible, defensible reports, whether for cyber crimes,
forensics, incident response, human resources or
other investigations.
sans.org/LEG523

• SEC402: Cybersecurity Writing:

Additional Courses and Certifications Enhance your Hack the Reader
training with: sans.org/SEC402
MGT415 A Practical Introduction to
Cyber Security Risk Management • A SANS Summit –
MGT521 Driving Cybersecurity Change - Establishing Security Awareness
a Culture of Protect, Detect, and Respond sans.org/summit
MGT433 SANS Security Awareness: How to Build, Maintain, • The SANS Technology Institute’s
and Measure a Mature Awareness Program undergraduate and graduate
SSAP Practitioner cybersecurity programs, including
MGT516 Managing Security Vulnerabilities: Enterprise and Cloud a Master of Science in Information
Security Engineering degree
MGT525 IT Project Management, Effective Communication, sans.edu
and PMP® Exam Prep | GCPM Certification
SEC566 Implementing and Auditing the
Critical Security Controls – In-Depth | GCCC Certification

Review full course descriptions and demos at sans.org/courses

13
DevSecOps
Develop, Automate, Deploy

Adoption of DevSecOps has radically changed the way organizations

design, build, deploy, secure and operate modern systems.
DevOps has enabled teams to update products and systems much faster and more frequently
than traditional methods by merging development and operations units and automating
processes that were historically manual. To ensure applications and products are secure,
organizations integrate automated cybersecurity tasks into the DevOps process. This practice,
known as DevSecOps, helps organizations build secure applications while supporting an agile
software development strategy. SANS DevSecOps courses will teach you to:

• Integrate security practices Featured DevSecOps Training and Certifications

and protocols into production
operations
• Apply defensive techniques
to prevent your application
from being compromised
• Use DevOps practices to improve
the state of cybersecurity
• Understand the DevSecOps
methodology and toolchain
• Leverage cloud services to
improve time to market and
automate deployments
• Proactively deploy defensive
mechanisms against adversaries
and recognize common
security vulnerabilities in
web applications
DEV522 Defending Web Applications Security Essentials
GWEB GIAC Certified Web Application Defender
The quantity and importance of data entrusted to web applications
is growing, and defenders need to learn how to secure it. This course
will provide you with a better understanding of web application
vulnerabilities so that you can strengthen defenses where traditional
network defenses like firewalls fall short.
sans.org/DEV522
SEC540 Cloud Security and DevOps Automation
GCSA GIAC Cloud Security Automation Certification
Master the tools needed to build and deliver secure software using
DevOps and cloud services, specifically Amazon Web Services (AWS).
Explore how the principles, practices, and tools of DevOps and AWS
can improve the reliability, integrity, and security of applications.
sans.org/SEC540
• A SANS Summit –
Enhance your Cloud & DevOps Security
training with: sans.org/summit

• Webcasts, blogs, research,

and other resources
software-security.sans.org
“Mind-blowing! If you are a traditional security
architect, tip-toeing around DevOps, attend • The SANS Technology
Institute’s undergraduate
SEC540. It takes you into into the depths of and graduate cybersecurity

DevSecOps and sets you up for the future!” programs

sans.edu
— Jatin Sachdeva, CISCO

14
Industrial Control
Protect Industry and Infrastructure

Systems

The current landscape presents a diverse and chaotic picture of

the threats facing industrial control system owners and operators.
Attacks that cause physical damage or impact physical processes are no longer limited
to theory or speculation. We’re now seeing incidents where malicious actors successfully
intrude, cause system damage, and impact operations using ICS-tailored malware. We need
to be prepared to defend our control systems against increasingly sophisticated adversaries.
SANS Industrial Control Systems Security courses will teach you to:

• Recognize ICS components, Featured Industrial Control Systems Training and Certifications
purposes, deployments,
significant drivers, and ICS410 ICS/SCADA Security Essentials
constraints GICSP Global Industrial Cyber Security Professional

• Identify ICS assets and their
network topologies and how
to monitor ICS hotspots for
abnormalities and threats
• Understand approaches to
system and network defense
architectures and techniques
• Perform ICS incident response
focusing on security operations
and prioritizing the safety and
reliability of operations
• Implement effective cyber
and physical access controls
This course is designed to train the workforce involved in supporting
and defending industrial control systems on how to keep the operational
environment safe, secure, and resilient against current and emerging
threats.
sans.org/ICS410
ICS515 ICS Active Defense and Incident Response
GRID GIAC Response and Industrial Defense
This course will show you how to deconstruct ICS cyber-attacks, leverage
an active defense to identify and counter threats in your ICS, and
maintain the safety and reliability of operations. You’ll better understand
your networked ICS environment, how to monitor it for threats and
perform incident response against identified threats, and how you
can learn from interactions to enhance network security.
sans.org/ICS515

Additional Courses and Certifications

• Grid NetWars, ICS NetWars
ICS612 ICS Cybersecurity In-Depth Enhance your sans.org/netwars
training with:
ICS456 Essentials for NERC Critical Infrastructure Protection • A SANS Summit –
GCIP Certification ICS, Oil & Gas Cybersecurity
sans.org/summit
Review full course descriptions and demos at sans.org/courses
• Webcasts, blogs, forums,
research, and other resources
ics.sans.org
“The training starts with theory and
• The SANS Technology Institute’s
quickly progresses into full hands-on undergraduate and graduate
interaction with all components. cybersecurity programs,
including a Graduate Certificate
This experience is not easy to find.” in Industrial Control Systems
– Bassem Hemida, Deloitte sans.edu
15
Emerging Focus Areas

Team-Based Training Purple Team Training and Certifications

This focus area is designed to help cybersecurity
professionals build team skills, leadership abilities,
and communication techniques, along with technical
expertise, all while under fire in a series of increasingly
complex scenarios.
“TBT570 is 90% hands-on, which makes
it unique among course offerings.
These courses help red and blue teams join forces so
that they can effectively create a strong feedback loop
and identify detection and prevention controls that
can be implemented for immediate improvement.
SEC599 Defeating Advanced Adversaries —
Purple Team Tactics & Kill Chain Defenses
GDAT Defending Advanced Threats Certification

The cyber labs were realistic and SEC699 Purple Team Tactics — Adversary Emulation
for Breach Prevention & Detection
hearing from the red team each day
was valuable.” sans.org/purple-team

— Edward Tanner, Booz Allen Hamilton

TBT570 Team-Based Training - Blue Team and Red Cloud Security Training and Certifications
Team Dynamic Workshop
sans.org/TBT This rapidly developing focus area incorporates
hands-on labs and exercises to help cybersecurity
professionals apply their skills within real-world
cloud environments.

SEC540 Cloud Security and DevOps Automation

GCSA Cloud Security Automation Certification
SEC545 Cloud Security Architecture and Operations
MGT516 Managing Security Vulnerabilities:
Enterprise and Cloud
sans.org/cloud-security

Stay at the
Forefront of
Cybersecurity

The threat landscape is constantly evolving, with new attack methods

emerging daily. SANS’ commitment to helping you stay ahead of risks is
not limited to our training courses. Stay engaged with the cybersecurity
community and learn about emerging trends and cutting-edge concepts
through our webcasts, blogs, tools, research, and other resources at
sans.org/security-resources

16
 “Very impressed with SANS
NetWars. The material is
relevant and educational,
and the tournament-style
play is remarkably engaging.
I really like the scoring
system and scoreboard.”
— Adam Tice,
Lockheed Center for Cyber Security

SANS NetWars is a suite of hands-on, interactive

• Designed for all skill levels
learning scenarios that enable information security
• Earn 6 Continuing Professional
professionals to develop and master the real-world, Education credits (CPEs)
in-depth skills they need to excel in their field. and recognition on our
Participants learn in a cyber range while working through various real-time scoreboard
challenge levels, all hands-on, with a focus on mastering the skills • Top-scoring participants receive
information security professionals can use in their jobs every day. a SANS NetWars Challenge Coin

Core NetWars Tournament DFIR NetWars Tournament Grid NetWars

Industry-relevant and
innovative, Core NetWars is the
ultimate cybersecurity range
for powering up your skills in
a fun, multi-disciplinary, and
collaborative environment.
DFIR NetWars is an incident
simulator challenge developed
to help you gain proficiency by
working real-world incidents
in a safe environment without
the associated risks.
Themed for the electricity industry,
Grid NetWars enables Operational
Technology security professionals
to develop their skills by working
to resolve unexplained system
failures.

Cyber Defense ICS NetWars Tournament NetWars Continuous

NetWars Tournament
Cyber Defense NetWars was
designed by cyber defenders
for cyber defenders. Defend the
flag on your own or on a team
in this comprehensive, hands-
on Blue Team challenge.
ICS NetWars helps Operational
Technology security professionals
develop and master the real-
world, in-depth skills needed
to defend industrial control
systems in real time.
Advance your cybersecurity skills
on your schedule and at your pace
with a four-month subscription to
the latest version of Core NetWars
Continuous.

sans.org/netwars | @SANSNetWars THE #NETWARS EXPERIENCE

00
 Create a SANS Account today to enjoy these
Free resources at www.sans.org/account

Newsletters
NewsBites
Twice-weekly, high-level executive summary of the most
important news relevant to cybersecurity professionals.
OUCH!
The world’s leading monthly, free security awareness newsletter
designed for the common computer user.
@RISK: The Consensus Security Alert
A reliable weekly summary of (1) newly
discovered attack vectors, (2) vulnerabilities
with active new exploits, (3) how recent
attacks worked, and (4) other valuable data.

WhatWorks Webcasts
Webcasts The SANS WhatWorks webcasts bring powerful
Ask the Experts Webcasts
customer experiences showing how end users
SANS experts bring current and timely information on relevant resolved specific IT Security issues.
topics in IT Security.
Analyst Webcasts
A follow-on to the SANS Analyst Program, Analyst Webcasts Tool Talks
provide key information from our whitepapers and surveys.
Tool Talks are designed to give you a solid
understanding of a problem and how a vendor’s
commercial tool can be used to solve or mitigate
Other Free Resources that problem.
(No portal account is necessary)
• Security Posters
• InfoSec Reading Room • Thought Leaders
• Top 25 Software Errors • 20 Coolest Careers
• 20 Critical Controls • Security Glossary
• Security Policies • SCORE (Security Consensus Operational
• Intrusion Detection FAQs Readiness Evaluation)
• Tip of the Day

Follow us on our social media channels to stay up-to-date on the latest cyber security
developments and announcements around SANS EMEA events and courses.