SEC504: Hacker Tools, Techniques, and Incident Handling

As cyberthreats grow more sophisticated, it is critical to proactively identify and address vulnerabilities before adversaries exploit them. SANS Offensive Operations delivers expert-led training across the entire attack surface, covering everything from penetration testing and red teaming to exploit development and hardware hacking. Through hands-on labs and industry-recognized certifications, we equip professionals to master real-world offensive techniques and adversarial tactics.
Use real-world tactics, tools and methodologies to identify, exploit, and remediate security vulnerabilities.
Learn adversary emulation, stealth, and evasion techniques to test and improve an organization's security posture against persistent threats.
Bridge the gap between offense and defense to foster collaboration between red and blue teams and strengthen detection, response, and overall security resilience.
In one week, my instructor built a bridge from typical vulnerability scanning to the true art of penetration testing. Thank you, SANS, for making me and my company much more capable in information security.
NVISO co-founder and SANS Senior Instructor, leading cybersecurity education in advanced adversary tactics. Experienced in offensive security with extensive background in penetration testing and ethical hacking across Europe.
Christopher is a senior security analyst for Counter Hack and Operations Officer (S-3) for the Army National Guard's 91st Cyber Brigade. Through his work, he shares his unique insights into cyber security threats to prepare and inspire students.
Moses has built an impressive career as a Network Architect, DevOps Engineer, and Information Security professional. Today, he works in the Offensive Operations space as a Red Team Operator and serves as the course author for SEC588.
European director of advanced assessment at Neuvik, specializing in penetration testing, red teaming, and adversary emulation. Passionate open-source contributor with extensive experience in offensive security technologies.
Jeff McJunkin, Rogue Valley InfoSec founder, has led Fortune 100 pen tests and shaped Core NetWars. His key role in the SANS Holiday Hack Challenge and his hands-on security innovations continue to elevate the industry, advancing defenses worldwide.
Larry has revolutionized embedded device security with decades of hands-on offensive research, co-authoring SANS's flagship wireless and IoT penetration testing courses, and pioneering SBOM exploitation techniques for supply chain defense strategies.
In this role you will be challenged to look at problems and situations from the perspective of an adversary. The focus is on making the Blue Team better by testing and measuring the organization’s detection and response policies, procedures, and technologies. This role includes performing adversary emulation, a type of Red Team exercise in which the Red Team emulates how an adversary operates, following the same tactics, techniques, and procedures (TTPs), with a specific objective similar to those of realistic threats or adversaries. It can also include creating custom implants and C2 frameworks to evade detection.
In this fairly recent job position, you have a keen understanding of both how cybersecurity defenses (“Blue Team”) work and how adversaries operate (“Red Team”). During your day-to-day activities, you will organize and automate emulation of adversary techniques, highlight possible new log sources and use cases that help increase the detection coverage of the SOC, and propose security controls to improve resilience against those techniques. You will also work to help coordinate effective communication between traditional defensive and offensive roles.
Application penetration testers probe the security integrity of a company’s applications and defenses by evaluating the attack surface of all in-scope web-based services, client-side applications, server-side processes, and more. Mimicking a malicious attacker, app pen testers work to bypass security barriers in order to gain access to sensitive information or enter a company’s internal systems through techniques such as pivoting or lateral movement.
In this role, you will work to find 0-days (unknown vulnerabilities) in a wide range of applications and devices used by organizations and consumers. Find vulnerabilities before the adversaries do!
When analyzing Android apps, we can choose to use either a real device or an emulator; for a very long time, however, the only option for iOS was a real device. Luckily, this has changed: Corellium now offers iOS and Android virtualization, which allows us to analyze applications from either OS on a virtualized device.
Over the last five years, most organizations have seen their exploitable attack surface grow dramatically as new processes — such as cloud-native software development — become mainstream. These changes have led to an explosion of new systems used to build applications and new security tools needed to scan them for vulnerabilities. Outdated approaches to vulnerability management simply can’t keep up.
Part 4 of this series will continue where Part 3 left off with the introduction of functions. In this part we will learn how to create functions that accept pointers as arguments, how to validate pointer arguments, SAL annotations, structures, and linked lists.
A lot of the traditional techniques we use for incident response and digital forensics are too slow when dealing with the challenges of scale and time in a modern intrusion.
Identities are the foundational cornerstone of many environments. Identity is typically the front door for web, infrastructure portals, and VPN services. Most organizations should implement additional countermeasures to prevent attackers from breaking into the organization. The perimeter of many environments is, de facto, users’ identities. How you protect those identities is critical. Understanding how to attack identities is crucial for those who emulate attack groups.
Picking up where Part 4 left off, we will cover linked list enumeration, where we will look at a real-world example of how knowing the underlying structure comes into play. After linked list enumeration, we can finally start to talk about some Windows internals, Windows APIs, and Windows-specific structures.
After enumerating a list of loaded modules, it's only fitting to get started with what normally comes next: parsing the exports of a DLL. Before we can do that, we will have to understand the anatomy of executable images. This means parsing PE headers. It would be great to have the following programs installed before Part 6: WinDbg and PE Explorer by Pavel. PS: don't forget your files from Part 5; you'll need them!
Join SEC568: Product Security Penetration Testing - Safeguarding Supply Chains and Managing Third-Party Risk course author Douglas McKee for an insightful webcast presentation as he walks through the workflow of product security assessment depicted in the Overall Product Security Assessment Process poster.
Join Jorge Orchilles and Dave Mayer for this informative webcast as they guide you through the essential skills needed for a successful transition from pentesting to red teaming.
We’re opening up our Offensive Operations CTF to anyone who wants to join! This special virtual run of our CTF will be open for one day only, February 28th from 10:00am EST to 4:00pm EST.
Recent news of vulnerabilities in hardware appliance firmware, such as that of Ivanti and Fortinet, highlights the difficulty of securing complex digital supply chains. Having an in-depth understanding of what you put on your network is vital to implementing a zero-trust approach and managing risk appropriately.
In Part 6 of the series we learned about the anatomy of executable images and parsing PE headers. We will continue with PE parsing and explore a few more interesting areas of a PE file.
In this engaging session, participants will have the opportunity to delve into the world of incident response alongside SANS Instructor Phill Moore. Drawing from his wealth of experience, Phill will not only address inquiries surrounding the intricacies of being an incident responder but will also enrich the discussion with insightful anecdotes and real-world scenarios.
This presentation explores the dynamic landscape of securing Microsoft Azure by addressing the relationship between reconnaissance and password guessing.
Public Cloud Environments can make things, well, rather public. While there are ways to prevent this, and the cloud providers have made strides, retroactive changes are not a thing. As such, we still find very poorly configured environments today.
Join this webcast to explore SANS and GIAC's latest industry-leading training and certifications to help cyber-practitioners, and the organizations they protect, keep pace with dynamic market conditions. Cut through the noise with this comprehensive showcase and discover the skills you and your teams will need to navigate the evolving landscape of cybersecurity.
Join us for the inaugural year of the SANS Emerging Technologies Track! Are you interested in learning more about new cutting-edge technology in the cybersecurity industry? This is the place for you! Learn from the best and brightest in the industry as selected organizations review their latest tools and solutions that will better equip you for your battle with the bad guys and assist you as your team works hard to keep networks safe from intrusions. This one-day track will feature a comprehensive collection of use cases, demos, and solutions for everyday cyber professionals looking to take their arsenal of tools and solutions to the next level. Don't miss this track on April 17, register now!
In its fifth year, SANS Cyber Solutions Fest aims to bring together an ensemble of security professionals, solution providers, gurus and experts ready to share knowledge about the latest developments and innovative technologies in the cybersecurity industry. Join the Attack Surface & Vulnerability Management Track to hear from chairperson Matt Bromiley and a host of leading cyber security experts as they walk through specific use cases and challenges with the goal of helping you understand why your attack surface is critical for identifying and mitigating potential vulnerabilities in your digital presence and protecting systems from adversaries. As part of this forum, we'll look at technologies and techniques to help you proactively fortify your defenses and profile your attack surface before the adversaries take advantage of it.
Forum Highlights:
Discover how industry-leading technologies and techniques can assist you with fortifying your existing attack surface and vulnerability management policies in the workplace.
Learn from industry leaders as they dive into cutting-edge use case studies and specific examples, while highlighting how the integration of technologies can provide unprecedented insights and advantages.
Interact with SANS chair Matt Bromiley, speakers and peers in the interactive Slack workspace by posting questions and discussing the forum topic.
Threads, stacks, and heaps! Part 8 will take a look at using Windows APIs to create threads, heaps, and using a debugger to view stacks. We will also talk about some of the myths around stack growth versus stack usage.
Our applications and APIs are the gateways to our most sensitive and valuable data. As such, application and API security has become more and more essential to protecting our organizations. On this webcast, SANS certified instructor David Hazar will review the results of our 2024 AppSec/DevSecOps survey, and provide insight into:
The best way to provide API security
Investment trends in automated testing technologies
Which tests are more important or more effective for APIs
Register for this webcast now, and you will automatically receive the companion white paper upon publication.
Transform your incident response skills; think like an attacker as you investigate cybersecurity incidents, develop threat intelligence, and apply defense strategies against real-world threats.