SEC599: Defeating Advanced Adversaries - Purple Team Tactics & Kill Chain Defenses

SEC599
Offensive Operations
  • 6 Days (Instructor-Led)
  • 36 Hours (Self-Paced)
Course created by: Erik Van Buggenhout & Stephen Sims
  • GIAC Defending Advanced Threats (GDAT)
  • 36 CPEs

    Apply your credits to renew your certifications

  • In-Person, Virtual or Self-Paced

    Attend a live, instructor-led class at a location near you or remotely, or train on your time over 4 months

  • Intermediate Skill Level

    Course material is geared for cyber security professionals with hands-on experience

  • 25 Hands-On Labs

    Apply what you learn with hands-on exercises and labs

Learn advanced defensive techniques through hands-on labs and real-world scenarios to effectively prevent, detect, and respond to sophisticated cyber-attacks through a purple team strategy.

Course Overview

SEC599 is an intensive, hands-on course designed to equip security professionals with practical skills for defending against advanced cyber threats. Through more than 20 hands-on labs and a culminating full-day Defend-the-Flag exercise, students learn how to implement effective security controls across the entire attack chain. The course combines real-world attack analysis, adversary emulation, and defensive strategy implementation using industry-standard frameworks like MITRE ATT&CK and Cyber Kill Chain.

From building custom sandboxes to detecting lateral movement and preventing command and control communications, students gain practical experience with modern security tools and techniques. The course emphasizes both prevention and detection, ensuring professionals can both stop attacks and quickly identify when defenses have been breached. It also prepares students for the GDAT certification, validating their expertise in purple team tactics and advanced adversary defense.

What You’ll Learn

  • Leverage MITRE ATT&CK for threat-informed defense
  • Deploy custom security controls and sandboxing
  • Implement advanced Windows hardening and detection
  • Build logging and monitoring with Elastic and Sysmon
  • Design threat detection using intel and traffic analysis
  • Practice purple teaming with real-world attack scenarios

Business Takeaways

  • Faster threat detection and response
  • Stronger red and blue team collaboration
  • Defense based on real attacker behaviors
  • Better use of existing security tools
  • Clear metrics for measuring improvements

Course Syllabus

Explore the course syllabus below to view the full range of topics covered in SEC599: Defeating Advanced Adversaries - Purple Team Tactics & Kill Chain Defenses.

Section 1: Introduction and Attack Surface Management

Begin your journey with real-world attack analysis and hands-on experience compromising the SYNCTECHLABS virtual environment. Learn to leverage the Cyber Kill Chain and MITRE ATT&CK framework while understanding purple team methodologies and essential defensive tools.

Topics covered

  • Course objectives and lab environment setup
  • Analysis of current cyber-attack landscapes
  • Extended Kill Chain methodology
  • Purple team concepts and implementation
  • MITRE ATT&CK framework integration

Labs

  • One click is all it takes... Initial compromise simulation
  • Hardening our domain using SCT and STIG
  • Kibana, ATT&CK Navigator
  • Atomic TTP testing using Caldera
  • Attack Surface Mapping with BBOT

Section 2: Payload Delivery and Execution

Explore attacker techniques for payload delivery and execution, focusing on prevention and detection methods. Learn to implement controls against malicious executables and scripts, while gaining hands-on experience with YARA for payload description and SIGMA for use-case documentation.

Topics covered

  • Common delivery mechanism analysis
  • Payload delivery prevention strategies
  • Network and removable media controls
  • Mail security and web proxy implementation

Labs

  • Stopping NTLMv2 Sniffing and Relay Attacks in Windows
  • Blocking Typical Phishing Payload Execution
  • Restricting Binary/PowerShell Execution
  • Detection with Sysmon and SIGMA
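The Sysmon and SIGMA lab above pairs a log source with a rule format. As an added example (not SANS course material and not code from the Sigma project), the Python below evaluates a Sigma-style rule against Sysmon Event ID 1 (process creation) records with Sigma's core matching semantics: case-insensitive values, OR across a field's listed values, AND across the fields of a selection, the '|contains' and '|endswith' modifiers, and a condition expression over named selections. The rule, the 'ExampleAddIn' allow-list path in its filter, the CORP-style file paths and the four event records are all constructed for this demonstration.

```python
"""Sigma-style rule evaluation over Sysmon process-creation events.

Added example, not SANS course material. Implements Sigma's core matching
semantics: case-insensitive values, OR across a field's listed values, AND
across the fields of a selection, '|contains'/'|endswith' modifiers, and a
condition expression built from selection names with and/or/not.
"""
from typing import Any, Dict, List

# Hypothetical rule: interpreters spawned by Office, minus an (invented)
# sanctioned add-in helper path that would otherwise cause false positives.
RULE: Dict[str, Any] = {
    "title": "Office application spawning a command or script interpreter",
    "logsource": {"product": "windows", "category": "process_creation"},
    "detection": {
        "selection": {
            "ParentImage|endswith": ["\\winword.exe", "\\excel.exe", "\\outlook.exe"],
            "Image|endswith": ["\\cmd.exe", "\\powershell.exe", "\\pwsh.exe", "\\wscript.exe"],
        },
        "filter_addin": {"CommandLine|contains": "\\Program Files\\ExampleAddIn\\"},
        "condition": "selection and not filter_addin",
    },
    "level": "high",
}

OFFICE = "C:\\Program Files\\Microsoft Office\\root\\Office16\\"
SYS32 = "C:\\Windows\\System32\\"

# Constructed Sysmon Event ID 1 records, reduced to the fields the rule reads.
EVENTS: List[Dict[str, str]] = [
    {"RecordId": "1", "ParentImage": OFFICE + "WINWORD.EXE",
     "Image": SYS32 + "WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"RecordId": "2", "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": SYS32 + "WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -File C:\\scripts\\backup.ps1"},
    {"RecordId": "3", "ParentImage": OFFICE + "EXCEL.EXE", "Image": SYS32 + "cmd.exe",
     "CommandLine": "cmd.exe /c \"C:\\Program Files\\ExampleAddIn\\refresh.cmd\""},
    {"RecordId": "4", "ParentImage": OFFICE + "OUTLOOK.EXE", "Image": SYS32 + "wscript.exe",
     "CommandLine": "wscript.exe //e:jscript C:\\Users\\alice\\AppData\\Local\\Temp\\invoice.js"},
]


def field_matches(event: Dict[str, str], key: str, expected: Any) -> bool:
    """One 'Field|modifier' entry: true if any listed value matches (OR)."""
    field, _, modifier = key.partition("|")
    actual = str(event.get(field, "")).lower()
    for value in (expected if isinstance(expected, list) else [expected]):
        value = str(value).lower()
        if modifier == "contains" and value in actual:
            return True
        if modifier == "endswith" and actual.endswith(value):
            return True
        if modifier == "" and actual == value:
            return True
    return False


def selection_matches(event: Dict[str, str], selection: Dict[str, Any]) -> bool:
    """Every field of a selection must match (AND)."""
    return all(field_matches(event, k, v) for k, v in selection.items())


def eval_condition(condition: str, named: Dict[str, bool]) -> bool:
    """Evaluate 'a and not b', 'a or b and c', ... ('and' binds tighter than 'or')."""
    tokens = condition.split()
    pos = 0

    def term() -> bool:                     # 'not'* selection_name
        nonlocal pos
        tok, pos = tokens[pos], pos + 1
        return not term() if tok == "not" else named[tok]

    def conjunction() -> bool:              # term ('and' term)*
        nonlocal pos
        result = term()
        while pos < len(tokens) and tokens[pos] == "and":
            pos += 1
            result = term() and result      # right side always consumed
        return result

    result = conjunction()
    while pos < len(tokens) and tokens[pos] == "or":
        pos += 1
        result = conjunction() or result
    return result


def rule_matches(rule: Dict[str, Any], event: Dict[str, str]) -> bool:
    """Evaluate every named selection, then the rule's condition."""
    detection = rule["detection"]
    named = {name: selection_matches(event, sel)
             for name, sel in detection.items() if name != "condition"}
    return eval_condition(detection["condition"], named)


def detect(rule: Dict[str, Any], events: List[Dict[str, str]]) -> List[str]:
    """RecordIds of the events the rule fires on, in input order."""
    return [e["RecordId"] for e in events if rule_matches(rule, e)]
```

`detect(RULE, EVENTS)` returns the records for the Word-spawned encoded PowerShell and the Outlook-spawned script host; Explorer's PowerShell fails the parent check, and the Excel-spawned helper is suppressed by the filter selection. In production one converts rules with the Sigma project's tooling (pySigma, sigma-cli) into the SIEM's own query language rather than evaluating them in-process; the point here is to make the semantics behind a `condition` line concrete before writing one.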

Section 3: Exploitation, Persistence, and Command and Control

Learn to integrate security into the software development lifecycle while implementing effective exploit mitigation techniques. Focus on both compile-time and run-time protections, persistence detection strategies, and command and control channel identification.

Topics covered

  • Software development lifecycle security integration
  • Patch management strategies
  • Exploit mitigation techniques
  • Persistence strategy analysis

Labs

  • Exploit Mitigation Using Compile-Time Controls
  • Exploit Mitigation Using Exploit Guard
  • Catching Persistence Using Autoruns and Osquery
  • Detecting C2 Channels

Section 4: Lateral Movement

Focus on defending against lateral movement. Examine credential protection, Windows privilege escalation, and various attack strategies while implementing effective detection and deception techniques.

Topics covered

  • Active Directory and Entra ID security fundamentals
  • Principle of Least Privilege and UAC
  • Privilege escalation prevention
  • Credential theft protection
  • Attack path mapping using BloodHound

Labs

  • Mapping Attack Paths Using BloodHound
  • Implementing LAPS
  • Local Windows Privilege Escalation Techniques
  • Hardening Windows against Credential Compromise
  • Kerberos Attack Strategies
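BloodHound's value in the attack-path labs above is that it turns directory relationships into a graph question. The Python below is an added example (not SANS course material and not BloodHound code) that answers the two questions a defender asks of that graph on a constructed CORP.LOCAL data set: the shortest path from a compromised principal to Domain Admins, and which edges are choke points, meaning edges whose single removal cuts every modelled starting point off from the target. Edge kinds reuse BloodHound's names (MemberOf, AdminTo, HasSession, GenericAll); every principal, host and edge is made up.

```python
"""Attack-path mapping over BloodHound-style edges.

Added example, not SANS course material and not BloodHound's own code. The
principals and edges are constructed; the edge kinds follow BloodHound's
naming. BFS finds the shortest path from a compromised principal to Domain
Admins, and a choke-point check lists the edges whose removal cuts every
modelled starting point off from the target at once.
"""
from collections import deque
from typing import Dict, Iterable, List, Optional, Tuple

Edge = Tuple[str, str, str]          # (source, relationship, target)
TARGET = "DOMAIN ADMINS@CORP.LOCAL"  # hypothetical domain

# Constructed graph: a helpdesk group has local admin on a workstation where a
# domain admin has a session, the classic credential-harvesting path.
EDGES: List[Edge] = [
    ("ALICE@CORP.LOCAL", "MemberOf", "HELPDESK@CORP.LOCAL"),
    ("DAVE@CORP.LOCAL", "MemberOf", "HELPDESK@CORP.LOCAL"),
    ("HELPDESK@CORP.LOCAL", "AdminTo", "WS01.CORP.LOCAL"),
    ("WS01.CORP.LOCAL", "HasSession", "BOB@CORP.LOCAL"),
    ("BOB@CORP.LOCAL", "MemberOf", "DOMAIN ADMINS@CORP.LOCAL"),
    ("CAROL@CORP.LOCAL", "MemberOf", "FINANCE@CORP.LOCAL"),
    ("FINANCE@CORP.LOCAL", "GenericAll", "FIN-SVC@CORP.LOCAL"),
]


def build_graph(edges: Iterable[Edge]) -> Dict[str, List[Tuple[str, str]]]:
    """Adjacency list: node -> [(relationship, neighbour), ...]."""
    graph: Dict[str, List[Tuple[str, str]]] = {}
    for src, rel, dst in edges:
        graph.setdefault(src, []).append((rel, dst))
        graph.setdefault(dst, [])
    return graph


def shortest_path(edges: Iterable[Edge], start: str, target: str) -> Optional[List[Edge]]:
    """BFS over directed edges; the edge sequence to target, or None if unreachable."""
    graph = build_graph(edges)
    if start not in graph:
        return None
    parent: Dict[str, Edge] = {}     # node -> edge that first reached it
    queue = deque([start])
    seen = {start}
    while queue:
        node = queue.popleft()
        if node == target:
            path: List[Edge] = []
            while node != start:
                edge = parent[node]
                path.append(edge)
                node = edge[0]
            return path[::-1]
        for rel, nxt in graph[node]:
            if nxt not in seen:
                seen.add(nxt)
                parent[nxt] = (node, rel, nxt)
                queue.append(nxt)
    return None


def choke_points(edges: List[Edge], starts: Iterable[str], target: str) -> List[Edge]:
    """Edges whose single removal leaves every (currently connected) start with no path."""
    # Ignore starting points with no path to begin with, otherwise a disconnected
    # principal would make every edge look critical.
    live = [s for s in starts if shortest_path(edges, s, target) is not None]
    if not live:
        return []
    critical: List[Edge] = []
    for edge in edges:
        remaining = [e for e in edges if e != edge]
        if all(shortest_path(remaining, s, target) is None for s in live):
            critical.append(edge)
    return critical


def describe(path: List[Edge]) -> str:
    """Render a path the way an analyst would read it off the graph."""
    if not path:
        return ""
    return "".join(f"{src} -[{rel}]-> " for src, rel, _ in path) + path[-1][2]
```

For ALICE the path is MemberOf -> AdminTo -> HasSession -> MemberOf: helpdesk membership gives local admin on WS01, where BOB (a domain admin) has a session whose credentials can be harvested. With ALICE and DAVE as starting points the choke points are the AdminTo, HasSession and BOB's MemberOf edges: removing the helpdesk group's local admin rights, or keeping domain admin accounts off workstations as tiered administration enforces, breaks both paths at once, whereas removing one user's group membership fixes only that user's path. CAROL's path leads to a service account, not to Domain Admins, so she is reported as unreachable rather than as a reason to flag every edge.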

Section 5: Action on Objectives, Threat Hunting, and Incident Response

Address final attack stages including domain dominance prevention and data exfiltration detection. Learn to leverage threat intelligence effectively and perform incident response, with hands-on practice using advanced forensics tools.

Topics covered

  • Domain dominance prevention strategies
  • Data exfiltration detection methods
  • Threat intelligence implementation
  • Proactive threat hunting
  • Incident response procedures

Labs

  • Domain Dominance
  • Defending against Ransomware
  • Leveraging Threat Intelligence with MISP and Thor Lite
  • Hunting Your Environment Using Velociraptor
  • Finding Malware Using MemProcFS

Section 6: Capture-The-Flag Challenge

Apply your newly acquired skills in a comprehensive, team-based Capture-The-Flag competition. Your environment is under attack, and it is up to you to identify how the attackers got in and what they have been doing since they obtained access.

Topics covered

  • Practical exercises based on real-world cases
  • Analyze identified malware
  • Perform network analysis to identify intrusions
  • Examine memory captures to identify artefacts
  • Find potential attack paths in your environment

Things You Need To Know

Relevant Job Roles

Purple Teamer

Offensive Operations

In this fairly recent job position, you have a keen understanding of both how cybersecurity defenses ("Blue Team") work and how adversaries operate ("Red Team"). During your day-to-day activities, you will organize and automate emulation of adversary techniques, highlight possible new log sources and use cases that help increase the detection coverage of the SOC, and propose security controls to improve resilience against those techniques. You will also help coordinate effective communication between traditional defensive and offensive roles.


Course Schedule & Pricing

Looking for group purchase options? Contact us.

  • Virtual (OnDemand), instructed by Erik Van Buggenhout: self-paced, 4 months access. $8,780 USD
  • Canberra, ACT, AU & Virtual (live), instructed by Brian Almond: A$13,350 AUD
  • Riyadh, SA & Virtual (live), instructed by Michel Coene: $8,900 USD
  • Washington, DC, US & Virtual (live), instructed by Erik Van Buggenhout: $8,780 USD
  • Tallinn, EE, instructed by Erik Van Buggenhout: €8,230 EUR
  • Las Vegas, NV, US & Virtual (live), instructed by Brian Almond: $8,780 USD
  • Paris, FR, instructed by Michel Coene: €8,230 EUR
  • Amsterdam, NL & Virtual (live), instructed by Erik Van Buggenhout: €8,230 EUR

Prices exclude applicable local taxes. Showing 8 of 12 scheduled events.

Benefits of Learning with SANS

  • Get feedback from the world's best cybersecurity experts and instructors
  • Choose how you want to learn: online, on demand, or at our live in-person training events
  • Get access to our range of industry-leading courses and resources