
SEC541: Cloud Security Threat Detection

SEC541: Cloud Security
  • 5 Days (Instructor-Led)
  • 30 Hours (Self-Paced)
Course created by: Shaun McCullough & Ryan Nicholson
SEC541: Cloud Security Attacker Techniques, Monitoring, and Threat Detection
  • GIAC Cloud Threat Detection (GCTD)
  • 30 CPEs

    Apply your credits to renew your certifications

  • In-Person, Virtual or Self-Paced

    Attend a live, instructor-led class at a location near you or remotely, or train on your time over 4 months

  • Intermediate Skill Level

    Course material is geared for cyber security professionals with hands-on experience

  • 22 Hands-On Lab(s)

    Apply what you learn with hands-on exercises and labs

Acquire elite cloud threat detection capabilities to identify, analyze, and respond to sophisticated attacks in AWS and Azure environments.

Course Overview

SEC541: Cloud Security Threat Detection immerses students in hands-on labs that focus on detecting threats and investigating attacks across AWS, Azure, and Microsoft 365 environments. Its threat-driven curriculum equips security professionals with practical cloud threat detection techniques through analysis of real-world attacks.

Students will examine real-world case studies, then implement detection controls and investigate suspicious activities, learning cloud-native logging, API monitoring, and effective detection systems tailored to cloud environments. Students will also gain exposure to cloud threat hunting strategies that enhance proactive detection and reduce response times.

Participants will develop practical skills to detect, investigate, and respond to sophisticated cloud threats. Security professionals will gain expertise beyond theory, implementing cloud threat detection strategies that address the critical differences between on-premises and cloud security monitoring.

What You'll Learn

  • Analyze cloud API logs to detect unauthorized activity
  • Implement effective cloud-native security monitoring
  • Utilize Azure and AWS detection services effectively
  • Apply threat intelligence to cloud security
  • Build automation for incident response in the cloud

Business Takeaways

  • Reduce cloud breach detection time and impact
  • Implement cloud-specific security monitoring strategies
  • Establish an effective cloud detection engineering program
  • Enhance visibility across multi-cloud environments
  • Leverage native tooling to minimize security costs
  • Align detection capabilities to actual cloud threats
  • Accelerate incident response with automation

Course Syllabus

Explore the course syllabus below to view the full range of topics covered in SEC541: Cloud Security Threat Detection.

Section 1: Management Plane and Network Attacks

The course begins with an investigation of a real-world cloud attack, breaking down the tactics and demonstrating how to monitor cloud management APIs. Students will analyze API logs, implement network monitoring, and develop detection strategies for unauthorized activities in cloud environments.

Topics covered

  • Cloud attack analysis methodology
  • Cloud API logging configuration
  • JSON log parsing techniques
  • Network traffic analysis in cloud
  • Detection strategy implementation

Labs

  • Cloud environment deployment
  • CloudTrail log analysis with JQ
  • AWS unauthorized activity detection
  • Network traffic investigation
  • API-based detection implementation

Section 2: Compute and Application Attacks

Students focus on monitoring compute resources including virtual machines, containers, and serverless functions. Participants then analyze the Tesla Kubernetes attack, implement logging for compute environments, and develop detection strategies for abnormal behavior patterns in cloud workloads.

Topics covered

  • Virtual machine logging architecture
  • Container security monitoring
  • Serverless function activity analysis
  • Data exfiltration detection
  • CloudWatch agent customization

Labs

  • Environment setup for monitoring
  • Application logging with OpenCanary
  • CloudWatch agent customization
  • Detecting suspicious ECS behavior
  • Identifying data exfiltration attempts

Section 3: Security Services and Data Discovery

Students learn to implement and leverage cloud-native detection services, discovering the best ways to conduct resource inventory, identify sensitive data in unauthorized locations, and centralize security data for comprehensive threat monitoring across cloud environments.

Topics covered

  • Cloud resource inventory techniques
  • Metadata service monitoring
  • Sensitive data discovery methods
  • Vulnerability assessment integration
  • Data centralization strategies

Labs

  • Metadata services and GuardDuty setup
  • Cloud inventory implementation
  • Macie configuration for data discovery
  • Inspector deployment for vulnerabilities
  • Centralized logging with Graylog

Section 4: Microsoft Ecosystem

Students examine Microsoft 365 and Azure-specific detection capabilities. This section concentrates on techniques to investigate Exchange attacks, utilize Kusto Query Language for log analysis, and implement Microsoft Defender and Sentinel for comprehensive threat detection in Microsoft cloud environments.

Topics covered

  • Microsoft 365 attack analysis
  • Azure log analytics techniques
  • Kusto Query Language fundamentals
  • Microsoft Defender configuration
  • Sentinel implementation strategies

Labs

  • Microsoft 365 Exchange investigation
  • Introduction to Kusto Query Language
  • Log analysis using Azure CLI
  • Microsoft Defender deployment
  • Azure network traffic investigation

Section 5: Data Shipping, Automation and CloudWars

Students begin by automating incident response in cloud environments and finish the course with the CloudWars Challenge, a capstone exercise that tests their ability to detect and respond to cloud-based threats. Learners come away with strategies for implementing automated forensic workflows and with detection skills proven in that capstone.

Topics covered

  • Cloud incident response automation
  • Forensic workflow implementation
  • Detection engineering principles
  • Multi-cloud security integration
  • Threat hunting methodologies

Labs

  • Automated forensics workflow setup
  • Results analysis techniques
  • CloudWars Challenge participation
  • Detection capabilities demonstration

Things You Need To Know

Relevant Job Roles

  • Cloud Security Analyst (Cloud Security): Using cloud security solutions to respond to incidents and enable defenses.
  • Threat Detection & Response (Cloud Security): Monitor, test, detect, and investigate threats to cloud environments.
  • Incident Response (OPM 531) (NICE: Protection and Defense): Responsible for investigating, analyzing, and responding to network cybersecurity incidents.

Course Schedule & Pricing

Looking for group purchase options? Contact us.

  • Virtual (OnDemand), instructed by Shaun McCullough. OnDemand (anytime), self-paced, 4 months access. Course price: $8,260 USD*
  • Washington, DC, US & Virtual (live), instructed by Ryan Thompson. Course price: $8,260 USD*
  • Singapore, SG & Virtual (live), instructed by Ryan Thompson. Course price: $8,375 USD*
  • Copenhagen, DK, instructed by Ryan Nicholson. Course price: €7,715 EUR*
  • Virginia Beach, VA, US & Virtual (live), instructed by Shaun McCullough. Course price: $8,260 USD*
  • Virginia Beach, VA, US & Virtual (live), instructed by Shaun McCullough. Course price: $8,260 USD*
  • Paris, FR, instructed by Ryan Thompson. Course price: €7,715 EUR*
  • Las Vegas, NV, US & Virtual (live), instructed by Shaun McCullough. Course price: $8,260 USD*

*Prices exclude applicable local taxes. Showing 8 of 13 events.

Benefits of Learning with SANS


Get feedback from the world’s best cybersecurity experts and instructors


Choose how you want to learn - online, on demand, or at our live in-person training events


Get access to our range of industry-leading courses and resources