
SEC450: Blue Team Fundamentals: Security Operations and Analysis

SEC450 | Cyber Defense
  • 6 Days (Instructor-Led)
  • 36 Hours (Self-Paced)
Course created by:
John Hubbard
  • GIAC Security Operations Certified (GSOC)
  • 36 CPEs

    Apply your credits to renew your certifications

  • In-Person, Virtual or Self-Paced

    Attend a live, instructor-led class at a location near you or remotely, or train on your time over 4 months

  • Beginner Level

    Course content applicable to people with limited or no cyber security experience

  • 20 Hands-On Labs

    Apply what you learn with hands-on exercises and labs

This course delivers essential training for Security Operations Center (SOC) analysts, equipping you with the skills to detect and stop cyberattacks and to safeguard your organization’s data and systems.

Course Overview

SEC450 is a blue team course ideal for those working in cyber defense operations or building and improving a SOC. It offers six days of training, hands-on labs, and a Capstone competition, covering the mission, mindset, and techniques needed for modern cyber defense. The course, paired with the GIAC GSOC certification, provides essential skills for detecting and halting advanced cyberattacks, making it the gold standard in security operations training.

What You’ll Learn

  • Maximize security telemetry, including endpoint, network, and cloud-based sensors
  • Identify and separate commodity attack alerts from high-risk, high-impact advanced attacks
  • Reduce false positives by applying key processes and techniques
  • Minimize burnout and personnel turnover
  • Identify opportunities for SOAR platform and script-based automation
  • The skills needed to pursue the GIAC GSOC certification

Business Takeaways

  • A turnkey training solution for SOC analysts, equipping them with the skills to understand key tools, data sources, and defensive priorities needed to combat high-impact cyberattacks
  • Strategic guidance for defining and aligning your security operations team's priorities
  • Practical methods for maximizing the value of security telemetry—from endpoints to networks to cloud-based sensors
  • Proven techniques to minimize false positives and enhance alert accuracy
  • Efficient triage workflows for rapid and reliable incident response
  • Strategies to boost the overall effectiveness, efficiency, and impact of your SOC

Course Syllabus

Explore the course syllabus below to view the full range of topics covered in SEC450: Blue Team Fundamentals: Security Operations and Analysis.

Section 1: Security Operations Teams, Tools, and Mission Overview

Section one introduces core SOC concepts, focusing on aligning SOC goals with organizational needs and threat landscapes. It covers analyst workflows, key tools like SIEMs and threat intelligence platforms, and how they integrate for effective detection and response. Labs include log analysis, query building, dashboard creation, and incident management.

Topics covered

  • SOC Foundations, Organization, and Functions
  • SOC Data Collection
  • SIEM Queries, Visualizations, and Dashboards
  • Threat Intelligence Platforms
  • Incident Management Systems and SOAR

Labs

  • Using a SIEM for Log Analysis
  • Advanced SIEM Log Searching
  • Crafting SIEM Visualizations and Dashboards for Threat Hunting
  • Using Threat Intelligence Platforms
  • Incident Management Systems

Section 2: Network Traffic Analysis

Day two focuses on building a deep understanding of your network for effective defense. We cover network architecture, visibility points, and traffic capture types, followed by an in-depth look at common services like DNS, HTTP, and TLS. The goal is to help analysts recognize normal data, spot anomalies, and identify attacker tactics using everyday services.

Topics covered

  • Network Architecture
  • Traffic Capture and Analysis
  • DNS Analysis and Attacks
  • HTTP(S) Analysis and Attacks
  • Analyzing Encrypted Traffic for Suspicious Activity

Labs

  • DNS Requests, Traffic, and Analysis
  • Analyzing Malicious DNS
  • Wireshark and HTTP/1.1 Analysis
  • HTTP/2 and HTTP/3 Traffic Analysis with Wireshark
  • Analyzing TLS Encrypted Traffic Without Decryption

Section 3: Endpoint Defense, Security Logging, and Malware Identification Overview

Section three covers common endpoint attacks and security controls, with a focus on key Linux and Windows log events. We also explore file structures, teaching students to identify malicious files and understand file signatures, hashes, and formats.

Topics covered

  • Common Endpoint Attack Tactics and Defense
  • Windows and Linux Logging
  • Interpreting Security-Critical Log Events
  • Identifying Potentially Malicious Files
  • Dissecting Commonly Weaponized File Types

Labs

  • Threat Hunting with a SIEM Using Windows Logs
  • Log Enrichment and Visualization
  • Dissecting Common Malware File Types

Section 4: Efficient Alert Triage and Email Analysis

This section focuses on mastering analysis techniques, avoiding biases, and sorting opportunistic from targeted attacks. It teaches alert triage methods, offensive and defensive mental models, and prioritizing alerts. The day also covers cyber defense OPSEC, phishing email investigation, email header analysis, and safe investigation of attachments and URLs.

Topics covered

  • Alert Triage, Analysis, and Investigation
  • The Most Important Mental Models for Security Analysts
  • Incident Documentation, Closing and Investigation Quality
  • Analysis OPSEC for Defenders
  • Detecting Malicious Emails through Email Header Analysis

Labs

  • Alert Triage and Prioritization
  • Structured Analysis Challenge
  • High-Quality Incident Documentation
  • Analyzing Phishing Email Content and Headers

Section 5: Continuous Improvement, Analytics, and Automation

This section addresses common SOC challenges like repetitive tasks and burnout by focusing on process optimization, analysis design, and efficiency. It aims to improve team engagement by reducing monotonous tasks and allowing analysts to focus on meaningful work. We cover tool tuning, containment techniques, career development, and community involvement.

Topics covered

  • Reducing Burnout and Retention Issues in the SOC
  • False Positive Reduction
  • Alert Tuning Methodology
  • SOC Automation and Orchestration (with and without SOAR)
  • Methods for Quickly Containing Identified Intrusions

Labs

  • Alert Tuning and False Positive Reduction
  • SOC Automation - File Analysis
  • SOC Automation - Incident Containment

Section 6: Capstone: Defend the Flag

The course concludes with a day-long, team-based capture-the-flag competition. Using network data and logs from a simulated network attack, day six gives students a full day of hands-on experience applying what they have learned. Teams are challenged to detect and identify attacks, working through a series of questions to demonstrate mastery of the concepts and data covered.

Things You Need To Know

Relevant Job Roles

Intrusion Detection/SOC Analysts

Digital Forensics and Incident Response

Analyze network and endpoint data to swiftly detect threats, conduct forensic investigations, and proactively hunt adversaries across diverse platforms including cloud, mobile, and enterprise systems.


Blue Teamer - All Around Defender

Cyber Defense

This job, which may have varying titles depending on the organization, is often characterized by the breadth of tasks and knowledge required. The all-around defender and Blue Teamer is the person who may be a primary security contact for a small organization, and must deal with engineering and architecture, incident triage and response, security tool administration and more.


SOC Manager

Cyber Defense

Security Operations Center (SOC) managers bridge the gap between business processes and the highly technical work that goes on in the SOC. They direct SOC operations and are responsible for hiring and training, creating and executing cybersecurity strategy, and leading the company’s response to major security threats.


Infrastructure Support (OPM 521)

NICE: Protection and Defense

Responsible for testing, implementing, deploying, maintaining, and administering infrastructure hardware and software for cybersecurity.


Intrusion Detection / (SOC) Analyst

Cyber Defense

Security Operations Center (SOC) analysts work alongside security engineers and SOC managers to implement prevention, detection, monitoring, and active response. Working closely with incident response teams, a SOC analyst will address security issues when detected, quickly and effectively. With an eye for detail and anomalies, these analysts see things most others miss.


Defensive Cybersecurity (OPM 511)

NICE: Protection and Defense

Responsible for analyzing data collected from various cybersecurity defense tools to mitigate risks.


Cybersecurity Analyst / Engineer

Cyber Defense

As this is one of the highest-paid jobs in the field, the skills required to master the responsibilities involved are advanced. You must be highly competent in threat detection, threat analysis, and threat protection. This is a vital role in preserving the security and integrity of an organization’s data.


Course Schedule & Pricing

  • Virtual (OnDemand), instructed by John Hubbard. Self-paced, 4 months access. $8,780 USD*
  • Boston, MA, US & Virtual (live), instructed by John Hubbard. $8,780 USD*
  • London, GB & Virtual (live), instructed by David Mashburn. £7,160 GBP**
  • Sydney, NSW, AU & Virtual (live), instructed by David Mashburn. A$13,350 AUD*
  • Paris, FR, instructed by Cristian-Mihai VIDU. €8,230 EUR*
  • Las Vegas, NV, US & Virtual (live), instructed by Mark Jeanmougin. $8,780 USD*
  • Riyadh, SA & Virtual (live), instructed by Mark Jeanmougin. $8,900 USD*
  • Virtual (live), instructed by Cristian-Mihai VIDU. €8,230 EUR*

* Prices exclude applicable local taxes.
** Prices exclude applicable taxes; a EUR price is available during checkout.
