
SEC503: Network Monitoring and Threat Detection In-Depth

SEC503 | Cyber Defense
  • 6 Days (Instructor-Led)
  • 46 Hours (Self-Paced)
Course created by: Andrew Laman
  • GIAC Certified Intrusion Analyst (GCIA)
  • 46 CPEs

    Apply your credits to renew your certifications

  • In-Person, Virtual or Self-Paced

    Attend a live, instructor-led class at a location near you or remotely, or train on your time over 4 months

  • Intermediate Skill Level

    Course material is geared for cyber security professionals with hands-on experience

  • 37 Hands-On Labs

    Apply what you learn with hands-on exercises and labs

Gain technical knowledge in network monitoring and threat detection. Learn to identify emerging threats, perform large-scale correlation for threat hunting, and reconstruct network attacks.

Course Overview

SEC503 is the threat detection training you need to gain the skills and hands-on experience to defend both traditional and cloud-based networks. It covers TCP/IP theory and key application protocols to help you analyze network traffic effectively. You'll learn how to detect threats, conduct large-scale threat hunting, and reconstruct attacks from network data. This in-depth network monitoring training course also supports preparation for the GCIA certification (GIAC Certified Intrusion Analyst), a respected credential for professionals responsible for network security monitoring and analysis.

What You’ll Learn

  • Analyze traffic to detect threats and anomalies
  • Detect zero-day threats using advanced techniques
  • Configure and tune network security tools
  • Perform network forensics to reconstruct events
  • Understand and differentiate normal and abnormal traffic
  • Develop threat models to enhance detection capabilities
  • Practice hands-on skills through real-world scenarios

Business Takeaways

  • Avoid your organization becoming another front-page headline
  • Augment detection in traditional, hybrid, and cloud network environments
  • Increase efficiency in threat modeling for network activities
  • Decrease attacker dwell time

Course Syllabus

Explore the course syllabus below to view the full range of topics covered in SEC503: Network Monitoring and Threat Detection In-Depth.

Section 1: Network Monitoring and Analysis: Part I

Section one dives into TCP/IP fundamentals to build a deep understanding of network traffic and threat detection. Students learn packet analysis using Wireshark and tcpdump, explore real-world traffic, and practice identifying attacker behaviors through hands-on exercises and a Bootcamp-style challenge.

Topics covered

  • Concepts of TCP/IP
  • Introduction to Wireshark
  • Network Access/Link Layer: Layer 2
  • IP Layer: Layer 3
  • UNIX Command Line Processing

Labs

  • TCP/IP
  • Wireshark
  • Network Access/Link Layer
  • IP
  • Fragmentation

Section 2: Network Monitoring and Analysis: Part II

Section two wraps up "Packets as a Second Language" by diving into transport-layer protocols (TCP, UDP, ICMP) and advanced traffic analysis with Wireshark and tcpdump. Students filter large-scale data to spot threats, expand threat models, and practice real-world packet analysis through hands-on labs and Bootcamp-style exercises.

Topics covered

  • Wireshark Display Filters and Writing BPF Filters
  • TCP
  • UDP
  • ICMP
  • QUIC

Labs

  • Wireshark Display Filters
  • Writing tcpdump Filters
  • TCP
  • UDP/ICMP
  • QUIC

Section 3: Signature-Based Threat Detection and Response

Section three shifts to application layer protocols and modern threat detection across cloud, hybrid, and traditional networks. Students learn to read and write Snort/Suricata rules, analyze protocols such as DNS and HTTP(S), and understand how those protocols affect what signature-based detection systems can and cannot see.

Topics covered

  • Network Architecture
  • Signature-based Detection Systems
  • HTTP(S)
  • DNS
  • Microsoft Protocols

Labs

  • Running Snort and Suricata
  • Writing Rules
  • HTTP
  • DNS

Section 4: Building Zero-Day Threat Detection Systems

Section four focuses on advanced behavioral detection using Zeek/Corelight. Students explore network architecture, TLS interception, encrypted traffic analysis, and scripting for anomaly detection. The section includes hands-on Zeek labs, Scapy use for testing, and evasion technique analysis, all leading into a real-world Bootcamp scenario.

Topics covered

  • Zeek
  • Scapy
  • IDS/IPS Evasion Theory
  • Extract Payloads/Encryption

Labs

  • Running Zeek and Zeek Output
  • Zeek Signatures
  • Zeek Scripting
  • Evasion Techniques
  • Packet Crafting
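
Fragment overlap is the textbook case where the sensor's view and the target host's view of the same datagram diverge, which is the core of the evasion theory covered here and of the Section 1 fragmentation lab. The Python below is an added illustration written for this page, not SEC503 course material: it builds IPv4 fragments from constructed bytes, reassembles them under a "first fragment wins" and a "last fragment wins" policy, and shows that the same three fragments yield two different payloads, so a signature tuned to one view misses the other. The addresses, identification value and marker payloads are constructed for the demo, and the two policy names are generic labels rather than a claim about any particular operating system's behaviour.

```python
"""IPv4 fragment reassembly under two overlap policies (added example)."""
import struct

IPV4_MIN_HDR = 20


def parse_ipv4(pkt: bytes) -> dict:
    """Parse the fixed IPv4 header and return the fields reassembly needs."""
    if len(pkt) < IPV4_MIN_HDR:
        raise ValueError("short packet")
    (ver_ihl, _tos, total_len, ident, flags_frag,
     _ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:IPV4_MIN_HDR])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < IPV4_MIN_HDR or total_len > len(pkt):
        raise ValueError("malformed header")
    return {
        "key": (src, dst, ident, proto),      # fragments of one datagram share this
        "mf": bool(flags_frag & 0x2000),      # More Fragments flag
        "offset": (flags_frag & 0x1FFF) * 8,  # offset field counts 8-byte units
        "payload": pkt[ihl:total_len],
    }


def build_fragment(ident: int, offset: int, more: bool, payload: bytes) -> bytes:
    """Construct a minimal IPv4 fragment for the demo: checksum left zero and
    constructed 10.0.0.x addresses, so it is never meant to go on the wire."""
    if offset % 8:
        raise ValueError("fragment offset must be a multiple of 8")
    flags_frag = (0x2000 if more else 0) | (offset // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IPV4_MIN_HDR + len(payload),
                      ident, flags_frag, 64, 6, 0,
                      bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + payload


def reassemble(fragments, policy: str = "first") -> bytes:
    """Reassemble raw fragments in arrival order.

    policy="first": a byte already placed is kept when a later fragment overlaps it.
    policy="last":  a later fragment overwrites bytes placed earlier.
    """
    if policy not in ("first", "last"):
        raise ValueError("unknown policy")
    parts = [parse_ipv4(p) for p in fragments]
    if len({p["key"] for p in parts}) != 1:
        raise ValueError("fragments belong to different datagrams")
    buf, filled, total = bytearray(), bytearray(), None
    for p in parts:
        end = p["offset"] + len(p["payload"])
        if end > len(buf):
            buf.extend(bytes(end - len(buf)))
            filled.extend(bytes(end - len(filled)))
        for i, b in enumerate(p["payload"]):
            pos = p["offset"] + i
            if policy == "last" or not filled[pos]:
                buf[pos] = b
            filled[pos] = 1
        if not p["mf"]:
            total = end  # the fragment with MF=0 fixes the datagram length
    if total is None or not all(filled[:total]):
        raise ValueError("incomplete datagram")
    return bytes(buf[:total])


def evasion_demo() -> dict:
    """Three constructed fragments; the second overlaps the tail of the first."""
    ident = 0x1234
    frags = [
        build_fragment(ident, 0, True, b"AAAAAAAABBBBBBBB"),   # bytes 0-15
        build_fragment(ident, 8, True, b"XXXXXXXX"),           # bytes 8-15 again
        build_fragment(ident, 16, False, b"CCCCCCCC"),         # bytes 16-23, MF=0
    ]
    views = {pol: reassemble(frags, pol) for pol in ("first", "last")}
    # A content signature for the marker fires under only one of the two policies.
    views["marker_seen"] = {pol: b"XXXXXXXX" in v for pol, v in views.items()}
    return views


if __name__ == "__main__":
    for pol, view in evasion_demo().items():
        print(pol, view)
```

The practical consequence is that a sensor has to reassemble the way the host behind it does; this is why Snort's frag3 preprocessor and Suricata's defrag engine both let you set a reassembly policy per target host rather than assuming one global behaviour.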

Section 5: Large-Scale Threat Detection, Forensics, and Analytics

Section five emphasizes hands-on practice in large-scale analysis using NetFlow/IPFIX, traffic analytics, and AI/ML for anomaly detection. Students apply zero-day threat hunting techniques and perform network forensics through real-world incident reconstructions using tools and skills developed throughout the course.

Topics covered

  • Using Network Flow Records
  • Threat Hunting and Visualization
  • Introduction to Network Forensic Analysis

Labs

  • SiLK and NetFlow
  • SiLK Statistics
  • Basic Analytics
  • Researching Anomalies
  • Artificial Intelligence

Section 6: Advanced Network Monitoring and Threat Detection Capstone

The course ends with a fun, hands-on capstone where students compete solo or in teams to analyze real-world data from a live-fire incident. Using tools and theory from the course, they answer questions in a timed "ride-along" challenge based on an investigation by professional analysts.

Things You Need To Know

Relevant Job Roles

Security Architect & Engineer

Cyber Defense

Design, implement, and tune an effective combination of network-centric and data-centric controls to balance prevention, detection, and response. Security architects and engineers are capable of looking at an enterprise defense holistically and building security at every layer. They can balance business and technical requirements along with various security policies and procedures to implement defensible security architectures.

Information Systems Security Developer (DCWF 631)

DoD 8140: Cybersecurity

Designs and evaluates information system security throughout the software lifecycle to ensure confidentiality, integrity, and availability.

Network Operations Specialist (DCWF 441)

DoD 8140: Cyber IT

Implements and maintains network services, including hardware and virtual systems, ensuring operational support for infrastructure platforms.

Information Systems Security Manager (DCWF 722)

DoD 8140: Cybersecurity

Oversees program, system, or enclave cybersecurity, ensuring protection from cyber threats and compliance with organizational standards.

Intrusion Detection/SOC Analysts

Digital Forensics and Incident Response

Analyze network and endpoint data to swiftly detect threats, conduct forensic investigations, and proactively hunt adversaries across diverse platforms including cloud, mobile, and enterprise systems.

Systems Security Analysis (OPM 461)

NICE: Implementation and Operation

Responsible for developing and analyzing the integration, testing, operations, and maintenance of systems security. Prepares, performs, and manages the security aspects of implementing and operating a system.

Blue Teamer - All Around Defender

Cyber Defense

This job, which may have varying titles depending on the organization, is often characterized by the breadth of tasks and knowledge required. The all-around defender and Blue Teamer is the person who may be a primary security contact for a small organization, and must deal with engineering and architecture, incident triage and response, security tool administration and more.

SOC Manager

Cyber Defense

Security Operations Center (SOC) managers bridge the gap between business processes and the highly technical work that goes on in the SOC. They direct SOC operations and are responsible for hiring and training, creating and executing cybersecurity strategy, and leading the company’s response to major security threats.

Enterprise Architect (DCWF 651)

DoD 8140: Cyber IT

Develops business and IT process architectures, creating baseline and target architectures to meet mission or enterprise goals.

Cyber Defense Incident Responder (DCWF 531)

DoD 8140: Cybersecurity

Responds to and investigates network cyber incidents, performing analysis to mitigate threats and maintain cybersecurity in enclave environments.

Intrusion Detection / (SOC) Analyst

Cyber Defense

Security Operations Center (SOC) analysts work alongside security engineers and SOC managers to implement prevention, detection, monitoring, and active response. Working closely with incident response teams, a SOC analyst will address security issues when detected, quickly and effectively. With an eye for detail and anomalies, these analysts see things most others miss.

Defensive Cybersecurity (OPM 511)

NICE: Protection and Defense

Responsible for analyzing data collected from various cybersecurity defense tools to mitigate risks.

Cybersecurity Analyst / Engineer

Cyber Defense

As this is one of the highest-paid jobs in the field, the skills required to master the responsibilities involved are advanced. You must be highly competent in threat detection, threat analysis, and threat protection. This is a vital role in preserving the security and integrity of an organization’s data.

Cyber Defense Analyst (DCWF 511)

DoD 8140: Cybersecurity

Monitors cyber defense tools like IDS and logs to analyze network events, identifying and mitigating potential threats to security environments.

Course Schedule & Pricing

Looking for group purchase options? Contact us.

  • Virtual (OnDemand), instructed by Andrew Laman: self-paced, 4 months access; $8,780 USD
  • Washington, DC, US & Virtual (live), instructed by Andrew Laman: $8,780 USD
  • Melbourne, VIC, AU & Virtual (live), instructed by Benjamin Barnes: A$13,350 AUD
  • Melbourne, VIC, AU & Virtual (live): A$13,350 AUD
  • Virtual (live), instructed by Andrew Laman: €8,230 EUR
  • Las Vegas, NV, US & Virtual (live), instructed by Andrew Laman: $8,780 USD
  • Austin, TX, US & Virtual (live), instructed by Andrew Laman: $8,780 USD
  • Singapore, SG & Virtual (live), instructed by Andrew Laman: $8,900 USD

Prices exclude applicable local taxes. Showing 8 of 15 scheduled events.

Benefits of Learning with SANS

  • Get feedback from the world's best cybersecurity experts and instructors
  • Choose how you want to learn: online, on demand, or at our live in-person training events
  • Get access to our range of industry-leading courses and resources