SEC511: Cybersecurity Engineering: Advanced Threat Detection and Monitoring™

SEC511 (Cyber Defense)
  • 6 Days (Instructor-Led)
  • 46 Hours (Self-Paced)
Course created by: Eric Conrad & Seth Misenar

Also listed as: SEC511: Continuous Monitoring and Security Operations
  • GIAC Continuous Monitoring Certification (GMON)
  • 46 CPEs

    Apply your credits to renew your certifications

  • In-Person, Virtual or Self-Paced

    Attend a live, instructor-led class at a location near you or remotely, or train on your time over 4 months

  • Intermediate Skill Level

    Course material is geared for cyber security professionals with hands-on experience

  • 18 Hands-On Lab(s)

    Apply what you learn with hands-on exercises and labs

Learn cutting-edge cybersecurity engineering and advanced threat detection skills for cloud, network, and endpoint environments in this comprehensive course.

Course Overview

SEC511 prepares defenders to secure hybrid enterprises using tools like Zero Trust, Artificial Intelligence and Machine Learning (AI/ML), Extended Detection and Response (XDR), and cloud technology. With 18+ hands-on labs and a capstone challenge, this course builds real-world skills in detection, response, and cybersecurity engineering across cloud, network, and endpoint environments.

What You’ll Learn

  • Assess current defenses and engineer modern, prioritized improvements
  • Apply frameworks like MITRE ATT&CK and Zero Trust for threat-informed defense
  • Hunt threats across networks, endpoints, and cloud using advanced tools and techniques
  • Build visibility across hybrid, decentralized infrastructure and encrypted traffic
  • Understand and use CNAPP, CSPM, CIEM, and CWPP for strong cloud security
  • Analyze and detect threats using NDR, EDR, Suricata, Zeek, Wireshark, and more
  • Secure identity, endpoints, and AI/LLM apps; enhance SOC with SOAR and automation

Business Takeaways

  • Develop strong protection and detection strategies for cloud, network, and endpoints
  • Engineer and refine threat detection and defense capabilities
  • Use threat-informed defense to optimize security countermeasures
  • Strengthen overall security operations and SOC performance
  • Detect and close protection gaps across hybrid environments
  • Secure GenAI and LLM apps to ensure safe, trustworthy use
  • Maximize existing infrastructure and rapidly detect intrusions

Course Syllabus

Explore the course syllabus below to view the full range of topics covered in SEC511: Cybersecurity Engineering: Advanced Threat Detection and Monitoring.

Section 1: Threat Informed Defense: Frameworks, Hunting, and Current State Assessment

This section covers modern cyber defense, shifting from reactive to proactive strategies. Students explore MITRE ATT&CK, Zero Trust, and GenAI risks, and tackle hands-on labs to detect and respond to evolving threats.

Topics covered

  • Adversary Tactics and Cyber Defense Principles
  • Introducing Security Onion 2.X
  • Frameworks/Mental Models
  • Threat Informed Defense and Hunting
  • GenAI/LLM Fundamentals

Labs

  • Detecting Traditional Attack Techniques
  • Detecting Modern Attack Techniques
  • Complex Intrusion Analysis: Apache ActiveMQ
  • NetWars Bootcamp: Immersive Cyber Challenges

Section 2: Cloud, Edge, and Network: Visibility and Protection

This section explores visibility and protection across cloud, edge, and network environments. Students learn about IDS/IPS, TLS/DNS encryption, cloud and edge security tools, and apply skills in hands-on labs and a NetWars Bootcamp.

Topics covered

  • Security Visibility
  • Encryption
  • Cloud Protection and Detection
  • Edge Security

Labs

  • Web Application Firewalls: ModSecurity
  • Decrypting TLS with Wireshark
  • Detecting Adversaries with Protocol Inspection
  • Intrusion Detection Honeypots
  • NetWars Bootcamp: Immersive Cyber Challenges

Section 3: Threat Hunting with Network Detection and Response (NDR)

This section focuses on Network Detection and Response (NDR) within Network Security Monitoring (NSM) and Security Information and Event Management (SIEM), teaching students to detect threats using diverse data sources and analytic techniques. Hands-on labs and a NetWars Bootcamp reinforce skills in threat hunting and traffic analysis.

Topics covered

  • Network Detection and Response (NDR)
  • Network Threat Hunting

Labs

  • Pcap Analysis and Carving with Zeek
  • Security Onion Service-Side Attack Analysis
  • Wireshark Merlin Analysis
  • Detecting TLS Certificate and User-Agent Anomalies
  • NetWars Bootcamp: Immersive Cyber Challenges

Section 4: Hybrid Enterprise Security: User and Endpoint Protection and Detection

This section covers endpoint and user security in hybrid environments, focusing on Endpoint Detection and Response (EDR), Endpoint Protection Platforms (EPPs), identity protection, modern authentication, and User and Entity Behavior Analysis (UEBA). Labs and NetWars Bootcamp build hands-on defense and monitoring skills.

Topics covered

  • Endpoint Detection and Response (EDR)
  • Endpoint Protection Platform (EPP)
  • Identity/User/Authentication Monitoring

Labs

  • Sysmon
  • CFO Compromise Investigation: Autoruns and Sysmon
  • Application Control with AppLocker
  • Merlin Sysmon Analysis
  • NetWars Bootcamp: Immersive Cyber Challenges

Section 5: GenAI Application Defense, Automation, Supply Chain Protection, and SOC

This section covers securing GenAI and Large Language Model (LLM) apps, software supply chains, and SOC automation using SOAR. Students gain hands-on skills in threat hunting, adversary emulation, and ransomware response via labs and NetWars.

Topics covered

  • Defending AI/LLM Applications
  • AI/Software Supply Chain
  • Service and Event Log Monitoring
  • Automation/SOAR/SOC

Labs

  • Ransomware Investigation
  • Windows Event Logs
  • DNS over HTTPS (DoH)
  • NetWars Bootcamp: Immersive Cyber Challenges

Section 6: Capstone: Design, Detect, Defend

The course concludes with a full-day, team-based NetWars competition, challenging students to apply and master modern cyber defense skills through hands-on, multi-level design, detection, and defense missions.

Topics covered

  • Modern Cyber Defense: Protection, Detection, and Monitoring
  • Applied NDR, NSM, and EDR
  • Network, Endpoint, and Cloud-Oriented Threat Hunting
  • Analyzing Malicious Traffic and Windows Event Logs
  • Packet and Log Analysis

Things You Need To Know

Relevant Job Roles

  • Systems Security Analyst (DCWF 461) (DoD 8140: Software Engineering)

    Ensures systems and software security from development to maintenance by analyzing and improving security across all lifecycle phases.

  • Security Architect & Engineer (Cyber Defense)

    Design, implement, and tune an effective combination of network-centric and data-centric controls to balance prevention, detection, and response. Security architects and engineers are capable of looking at an enterprise defense holistically and building security at every layer. They can balance business and technical requirements along with various security policies and procedures to implement defensible security architectures.

  • Cybersecurity Architecture (OPM 652) (NICE: Design and Development)

    Responsible for ensuring that security requirements are adequately addressed in all aspects of enterprise architecture, including reference models, segment and solution architectures, and the resulting systems that protect and support organizational mission and business processes.

  • Information Systems Security Developer (DCWF 631) (DoD 8140: Cybersecurity)

    Designs and evaluates information system security throughout the software lifecycle to ensure confidentiality, integrity, and availability.

  • Network Operations Specialist (DCWF 441) (DoD 8140: Cyber IT)

    Implements and maintains network services, including hardware and virtual systems, ensuring operational support for infrastructure platforms.

  • Information Systems Security Manager (DCWF 722) (DoD 8140: Cybersecurity)

    Oversees program, system, or enclave cybersecurity, ensuring protection from cyber threats and compliance with organizational standards.

  • Control Systems Security Specialist (DCWF 462) (DoD 8140: Cybersecurity)

    Oversees cybersecurity configuration and daily security operations of control systems, ensuring mission support and stakeholder coordination.

  • Intrusion Detection/SOC Analysts (Digital Forensics and Incident Response)

    Analyze network and endpoint data to swiftly detect threats, conduct forensic investigations, and proactively hunt adversaries across diverse platforms including cloud, mobile, and enterprise systems.

  • Blue Teamer - All Around Defender (Cyber Defense)

    This job, which may have varying titles depending on the organization, is often characterized by the breadth of tasks and knowledge required. The all-around defender and Blue Teamer is the person who may be the primary security contact for a small organization, and must deal with engineering and architecture, incident triage and response, security tool administration, and more.

  • SOC Manager (Cyber Defense)

    Security Operations Center (SOC) managers bridge the gap between business processes and the highly technical work that goes on in the SOC. They direct SOC operations and are responsible for hiring and training, creating and executing cybersecurity strategy, and leading the company's response to major security threats.

  • Enterprise Architect (DCWF 651) (DoD 8140: Cyber IT)

    Develops business and IT process architectures, creating baseline and target architectures to meet mission or enterprise goals.

  • Infrastructure Support (OPM 521) (NICE: Protection and Defense)

    Responsible for testing, implementing, deploying, maintaining, and administering infrastructure hardware and software for cybersecurity.

  • Cyber Defense Incident Responder (DCWF 531) (DoD 8140: Cybersecurity)

    Responds to and investigates network cyber incidents, performing analysis to mitigate threats and maintain cybersecurity in enclave environments.

  • Intrusion Detection / (SOC) Analyst (Cyber Defense)

    Security Operations Center (SOC) analysts work alongside security engineers and SOC managers to implement prevention, detection, monitoring, and active response. Working closely with incident response teams, a SOC analyst addresses security issues quickly and effectively when they are detected. With an eye for detail and anomalies, these analysts see things most others miss.

Course Schedule & Pricing

Looking for group purchase options? Contact Us.
Filter by: Location & instructor

  • Virtual (OnDemand), instructed by Seth Misenar

    Date & Time: OnDemand (Anytime), Self-Paced, 4 months access
    Course price: $8,780 USD (prices exclude applicable local taxes)

  • Amsterdam, NL & Virtual (live), instructed by Eric Conrad

    Date & Time: see event details
    Course price: €8,230 EUR (prices exclude applicable local taxes)

  • San Antonio, TX, US & Virtual (live), instructed by Tim Garcia

    Date & Time: see event details
    Course price: $8,780 USD (prices exclude applicable local taxes)

  • Doha, QA & Virtual (live), instructed by Tim Garcia

    Date & Time: see event details
    Course price: $8,900 USD (prices exclude applicable local taxes)

  • Las Vegas, NV, US & Virtual (live), instructed by Seth Misenar

    Date & Time: see event details
    Course price: $8,780 USD (prices exclude applicable local taxes)

  • Paris, FR, instructed by Tim Garcia

    Date & Time: see event details
    Course price: €8,230 EUR (prices exclude applicable local taxes)

  • Singapore, SG & Virtual (live), instructed by Seth Misenar

    Date & Time: see event details
    Course price: $8,900 USD (prices exclude applicable local taxes)

  • Riyadh, SA & Virtual (live), instructed by Tim Garcia

    Date & Time: see event details
    Course price: $8,900 USD (prices exclude applicable local taxes)

Showing 8 of 16

Benefits of Learning with SANS

  • Get feedback from the world's best cybersecurity experts and instructors
  • Choose how you want to learn: online, on demand, or at our live in-person training events
  • Get access to our range of industry-leading courses and resources