SEC450 Blue Team Fundamentals: Security Operations Analytics



GIAC Security Operations Certified (GSOC)

What You Will Learn

Is your organization looking for a quick and effective way to onboard new Security Analysts, Engineers, and Architects? Do your Security Operations Center (SOC) managers need additional technical perspective on how to improve analysis quality, reduce turnover, and run an efficient SOC?

SEC450 is an accelerated on-ramp for new cyber defense team members and SOC managers. This course introduces students to the tools common to a defender’s work environment, and packs in all the essential explanations of tools, processes, and data flow that every blue team member needs to know.

Students will learn the stages of security operations: how data is collected, where it is collected, and how threats are identified within that data. The class dives deep into tactics for triage and investigation of events that are identified as malicious, as well as how to avoid common mistakes and perform continual high-quality analysis. Students will learn the inner workings of the most popular protocols, and how to identify weaponized files as well as attacks within the hosts and data on their network.

The course employs practical, hands-on instruction using a simulated SOC environment with a real, fully-integrated toolset that includes:

  • Security Information and Event Management (SIEM)
  • An incident tracking and management system
  • A threat intelligence platform
  • Packet capture and analysis
  • Automation tools

While cyber defense can be a challenging and engaging career, many SOCs are negatively affected by turnover. To preemptively tackle this problem, this course also presents research-backed information on preventing burnout and how to keep engagement high through continuous growth, automation, and false positive reduction. Students will finish the course with a full-scope view of how collection and detection work, how SOC tools are used and fit together, and how to keep their SOC up and running over the long term.

Hands-On Training

It is our belief that hands-on training is a crucial component of classroom learning, so each day of this course will include multiple hands-on exercises. To achieve the most realistic scenario possible, the class virtual machine is loaded with all the tools typically used in a SOC. Students will be introduced to the concepts, interconnections, and workflow associated with each of those tools. Throughout the class we will utilize a SIEM, threat intelligence platform, incident management and ticketing system, automation and orchestration tools, full packet capture, and analysis software, as well as multiple command line, open-source intelligence, and analysis tools. All of these tools have been set up and integrated to work with each other in order to re-create the workplace environment as closely as possible, allowing students to gain experience that they can directly translate to their own setup when they get back to the office.

Some of the highlights of what students will learn include:

  • How SIEM, threat intelligence platforms, incident management systems, and automation should connect and work together to provide a painless workflow for analysts
  • Analysis of common alert types including HTTP(S), DNS, and email-based attacks
  • Identification of post-exploitation attacker activity
  • Mental models for understanding alerts and attack patterns that can help to effectively prioritize alerts
  • How to perform high-quality, bias-free alert analysis and investigation
  • How to identify the most high-risk alerts, and quick ways to verify them
  • How logs are collected throughout the environment and the importance of parsing, enrichment, and correlation capability of the SIEM
  • How to create and tune threat detection analytics to eliminate false positives

What You Will Receive

  • Custom distribution of the Linux Virtual Machine containing a pre-built simulated SOC environment
  • MP3 audio files of the complete course lecture
  • Introduction and walk-through videos of labs
  • Digital Download Package that includes the above and more

GIAC Security Operations Certified

“The GIAC Security Operations Certified (GSOC) is a comprehensive certification covering the conceptual and practical skills for working on a modern cyber defense team. It is a certification that helps defenders differentiate themselves as someone who not only understands security operations but can also continuously improve and lift up any team they are a part of. Holders of the GSOC can proudly demonstrate their dedication to gaining a deep understanding of the mental models, processes, tools, and data required to excel in a modern security operations role. I’m incredibly excited for the availability of the GSOC and view it as an important step towards standardization of security operations team training for the information security industry.” – John Hubbard, SANS SEC450 Course Author

The GSOC certification validates a practitioner’s ability to defend an enterprise using essential blue team incident response tools and techniques. GSOC-certified professionals are well-versed in the technical knowledge and key concepts needed to run a security operations center (SOC).

  • SOC monitoring and incident response using incident management systems, threat intelligence platforms, and SIEMs
  • Analysis and defense against the most common enterprise-targeted attacks
  • Designing, automating, and enriching security operations to increase efficiency


A basic understanding of TCP/IP and general operating system fundamentals is needed for this course. Being accustomed to the Linux command-line, network security monitoring, and SIEM solutions is a bonus. Some basic entry-level security concepts are assumed.

Laptop Requirements

Important! Bring your own system configured according to these instructions!

A properly configured system is required to fully participate in this course. If you do not carefully read and follow these instructions, you will likely leave the class unsatisfied because you will not be able to participate in hands-on exercises that are essential to this course. Therefore, we strongly urge you to arrive with a system meeting all the requirements specified for the course.

Host Operating System: Latest version of Windows 10, macOS 10.15.x or later, or Linux that also can install and run VMware virtualization products described below. Note: Apple systems using the M1 processor cannot perform the necessary virtualization at this time and cannot be used for this course. You also must have 8 GB of RAM or higher for the VM to function properly in the class.

It is critical that your CPU and operating system support 64-bit so that our 64-bit guest virtual machine will run on your laptop.

In addition to having 64-bit capable hardware, AMD-V, Intel VT-x, or the equivalent must be enabled in BIOS/UEFI.

Download and install either VMware Workstation Pro 15.5.X+, VMware Player 15.5.X+ or Fusion 11.5+ on your system prior to the beginning of class. If you do not own a licensed copy of VMware Workstation or Fusion, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial at its website.


CPU: 64-bit 2.0+ GHz processor or higher-based system is mandatory for this class (Important – Please Read: a 64-bit system processor is mandatory)

BIOS/UEFI: VT-x, AMD-V, or the equivalent must be enabled in the BIOS/UEFI

RAM: 8 GB (gigabytes) of RAM or higher is mandatory for this class (Important – Please Read: 8 GB of RAM or higher is mandatory)

Disk: 25 gigabytes of free disk space


  • Wireless Ethernet 802.11 B/G/N/AC
  • USB-A ports or an adapter to use a USB-A thumb drive (version 3.0 compatibility highly recommended)


  • VMware Workstation, Workstation Player, or Fusion.
  • The Linux virtual machine will be provided in class via USB thumb drive.


Please verify before coming to class that you have the administrative permissions required to transfer a virtual machine from a USB drive to your hard disk and start it. Also verify that Windows Device Guard, DLP, or other host-based protections will not interfere with the USB transfer or VM startup. (This is a common issue with company-built PCs, so if you intend to bring a corporate laptop, please test this before the event.)

Your course media will now be delivered via download. The media files for class can be large, some in the 40 – 50 GB range. You need to allow plenty of time for the download to complete. Internet connections and speed vary greatly and are dependent on many different factors. Therefore, it is not possible to give an estimate of the length of time it will take to download your materials. Please start your course media downloads as you get the link. You will need your course media immediately on the first day of class. Waiting until the night before the class starts to begin your download has a high probability of failure.

SANS has begun providing printed materials in PDF form. Additionally, certain classes are using an electronic workbook in addition to the PDFs. The number of classes using eWorkbooks will grow quickly. In this new environment, we have found that a second monitor and/or a tablet device can be useful by keeping the class materials visible while the instructor is presenting or while you are working on lab exercises.

Author Statement

“As someone who has held every position from entry-level analyst to SOC manager at a 100,000-employee company, I thoroughly understand the struggle of starting your first position in cyber defense. While there is a seemingly infinite amount of information to learn, there are certain central concepts that, when explained systematically, can greatly shorten the time required to become a productive member of the team. This course was written to pass this knowledge on to you, giving you both the high- and low-level concepts required to propel your career in cyber defense. It’s packed with the concepts that I expected new employees to understand, as well as the thought process we tried to cultivate throughout analysts’ careers to ensure the success of the individual and the organization. I have also worked hard to distill the lessons I’ve learned through the years on staying excited and engaged in cyber defense work. While some believe SOC positions can feel like a grind, they do not need to be that way! This course goes beyond technical knowledge to also teach the concepts that, if implemented in your SOC, will keep you and your colleagues challenged, happy, and constantly growing in your day-to-day work, leading to a successful, life-long career on the blue team!”

John Hubbard

“John has a great presentation style and it really helps drive the lesson home when there are brief anecdotal stories that come with the information.” – Erick Sugimura, Mammoth Hospital