SEC511: Cybersecurity Engineering: Advanced Threat Detection and Monitoring | SANS Institute
SEC511
Cyber Defense
6 Days (Instructor-Led)
46 Hours (Self-Paced)
Course authored by:
Eric Conrad & Seth Misenar
GIAC Continuous Monitoring Certification (GMON)
46 CPEs
Apply your credits to renew your certifications
In-Person, Virtual or Self-Paced
Attend a live, instructor-led class at a location near you or remotely, or train on your time over 4 months
Intermediate Skill Level
Course material is geared for cyber security professionals with hands-on experience
18 Hands-On Lab(s)
Apply what you learn with hands-on exercises and labs
Learn cutting-edge cybersecurity engineering and advanced threat detection skills for cloud, network, and endpoint environments in this comprehensive course.
Featured Quote
I would recommend this course. It hits many core aspects of secure design. Additionally, lack of cloud security architecture and strategy and insecure design have been highlighted as a top risk by organizations like Cloud Security Alliance and OWASP. Cloud security architecture topics need to have more attention and focus in general.
Course Overview
SEC511 prepares defenders to secure hybrid enterprises using tools like Zero Trust, Artificial Intelligence and Machine Learning (AI/ML), Extended Detection and Response (XDR), and cloud technology. With 18+ hands-on labs and a capstone challenge, this course builds real-world skills in detection, response, and cybersecurity engineering across cloud, network, and endpoint environments.
What You'll Learn
Assess current defenses and engineer modern, prioritized improvements
Apply frameworks like MITRE ATT&CK and Zero Trust for threat-informed defense
Hunt threats across networks, endpoints, and cloud using advanced tools and techniques
Build visibility across hybrid, decentralized infrastructure and encrypted traffic
Understand and use CNAPP, CSPM, CIEM, and CWPP for strong cloud security
Analyze and detect threats using NDR, EDR, Suricata, Zeek, Wireshark, and more
Secure identity, endpoints, and AI/LLM apps; enhance SOC with SOAR and automation
Business Takeaways
Develop strong protection and detection strategies for cloud, network, and endpoints
Engineer and refine threat detection and defense capabilities
Use threat-informed defense to optimize security countermeasures
Strengthen overall security operations and SOC performance
Detect and close protection gaps across hybrid environments
Secure GenAI and LLM apps to ensure safe, trustworthy use
Maximize existing infrastructure and rapidly detect intrusions
Meet Your Authors
Eric Conrad
Fellow
Eric Conrad, a SANS Faculty Fellow and course author, has 28 years of information security experience. Eric is the CTO of Backshore Communications and his specialties include Intrusion Detection, Threat Hunting, and Penetration Testing.
Seth Misenar
Fellow
Seth, SANS Faculty Fellow and author of SEC411, LDR414, and SEC511, combines cutting-edge consulting and education to equip defenders worldwide. Founder of Context Security and GSE #28, he brings clarity, humor, and purpose to cybersecurity training.
Course Syllabus
Explore the course syllabus below to view the full range of topics covered in SEC511: Cybersecurity Engineering: Advanced Threat Detection and Monitoring.
Syllabus Overview
Section 1
Threat Informed Defense: Frameworks, Hunting, and Current State Assessment
This section covers modern cyber defense, shifting from reactive to proactive strategies. Students explore MITRE ATT&CK, Zero Trust, and GenAI risks, and tackle hands-on labs to detect and respond to evolving threats.
Topics covered
Adversary Tactics and Cyber Defense Principles
Introducing Security Onion 2.X
Frameworks/Mental Models
Threat Informed Defense and Hunting
GenAI/LLM Fundamentals
Labs
Detecting Traditional Attack Techniques
Detecting Modern Attack Techniques
Complex Intrusion Analysis: Apache ActiveMQ
NetWars Bootcamp: Immersive Cyber Challenges
Section 2
Cloud, Edge, and Network: Visibility and Protection
This section explores visibility and protection across cloud, edge, and network environments. Students learn about IDS/IPS, TLS/DNS encryption, cloud and edge security tools, and apply skills in hands-on labs and a NetWars Bootcamp.
Topics covered
Security Visibility
Encryption
Cloud Protection and Detection
Edge Security
Labs
Web Application Firewalls: ModSecurity
Decrypting TLS with Wireshark
Detecting Adversaries with Protocol Inspection
Intrusion Detection Honeypots
NetWars Bootcamp: Immersive Cyber Challenges
Section 3
Threat Hunting with Network Detection and Response (NDR)
This section focuses on Network Detection and Response (NDR) within Network Security Monitoring (NSM) and Security Information and Event Management (SIEM), teaching students to detect threats using diverse data sources and analytic techniques. Hands-on labs and a NetWars Bootcamp reinforce skills in threat hunting and traffic analysis.
Topics covered
Network Detection and Response (NDR)
Network Threat Hunting
Labs
Pcap Analysis and Carving with Zeek
Security Onion Service-Side Attack Analysis
Wireshark Merlin Analysis
Detecting TLS Certificate and User-Agent Anomalies
NetWars Bootcamp: Immersive Cyber Challenges
Section 4
Hybrid Enterprise Security: User and Endpoint Protection and Detection
This section covers endpoint and user security in hybrid environments, focusing on Endpoint Detection and Response (EDR), Endpoint Protection Platforms (EPPs), identity protection, modern authentication, and User and Entity Behavior Analysis (UEBA). Labs and NetWars Bootcamp build hands-on defense and monitoring skills.
Topics covered
Endpoint Detection and Response (EDR)
Endpoint Protection Platform (EPP)
Identity/User/Authentication Monitoring
Labs
Sysmon
CFO Compromise Investigation: Autoruns and Sysmon
Application Control with AppLocker
Merlin Sysmon Analysis
NetWars Bootcamp: Immersive Cyber Challenges
Section 5
GenAI Application Defense, Automation, Supply Chain Protection, and SOC
This section covers securing GenAI and Large Language Model (LLM) apps, software supply chains, and SOC automation using SOAR. Students gain hands-on skills in threat hunting, adversary emulation, and ransomware response via labs and NetWars.
Topics covered
Defending AI/LLM Applications
AI/Software Supply Chain
Service and Event Log Monitoring
Automation/SOAR/SOC
Labs
Ransomware Investigation
Windows Event Logs
DNS over HTTPS (DoH)
NetWars Bootcamp: Immersive Cyber Challenges
Section 6
Capstone: Design, Detect, Defend
The course concludes with a full-day, team-based NetWars competition, challenging students to apply and master modern cyber defense skills through hands-on, multi-level design, detection, and defense missions.
Topics covered
Modern Cyber Defense: Protection, Detection, and Monitoring
Applied NDR, NSM, and EDR
Network, Endpoint, and Cloud-Oriented Threat Hunting
Analyzing Malicious Traffic and Windows Event Logs
Packet and Log Analysis
Things You Need To Know
Relevant Job Roles
Protection
SCyWF: Protection And Defense
This role uses cybersecurity tools to protect information, systems and networks from cyber threats. Find the SANS courses that map to the Protection SCyWF Work Role.
Security Architect Training, Salary, and Career Path
Cyber Defense
Design, implement, and tune an effective combination of network-centric and data-centric controls to balance prevention, detection, and response. Security architects and engineers are capable of looking at an enterprise defense holistically and building security at every layer. They can balance business and technical requirements along with various security policies and procedures to implement defensible security architectures.
Cybersecurity Architecture (OPM 652)
NICE: Design and Development
Responsible for ensuring that security requirements are adequately addressed in all aspects of enterprise architecture, including reference models, segment and solution architectures, and the resulting systems that protect and support organizational mission and business processes.
Information Systems Security Developer (DCWF 631)
DoD 8140: Cybersecurity
Designs and evaluates information system security throughout the software lifecycle to ensure confidentiality, integrity, and availability.
Cyber Defense Infrastructure Support Specialist (DCWF 521)
DoD 8140: Cybersecurity
Deploys, configures, maintains infrastructure software and hardware to support secure and effective IT operations across organizational systems.
Information Systems Security Manager (DCWF 722)
DoD 8140: Cybersecurity
Oversees program, system, or enclave cybersecurity, ensuring protection from cyber threats and compliance with organizational standards.
Defense
SCyWF: Protection And Defense
This role uses monitoring and analysis tools to identify and analyze events and to detect incidents. Find the SANS courses that map to the Defense SCyWF Work Role.
Control Systems Security Specialist (DCWF 462)
DoD 8140: Cybersecurity
Oversees cybersecurity configuration and daily security operations of control systems, ensuring mission support and stakeholder coordination.
Course Schedule and Pricing
GIAC Certification Attempt
Add a GIAC certification attempt and receive two free practice tests. View pricing in the info icons below.
OnDemand Course Access
When purchasing a live instructor-led class, add an additional 4 months of online access after your course. View pricing in the info icons below.
Group and Private Pricing
Enroll your team as a group or arrange a private session for your organization. We’ll help you choose the format that fits your goals.
Each entry lists: location and instructor; date and time (where shown); course price; registration options.
Virtual (OnDemand), instructed by Seth Misenar; OnDemand (Anytime), Self-Paced, 4 months access; $8,780 USD; Self-Paced
SANS Amsterdam April 2026, Amsterdam, NL & Virtual (live), instructed by Eric Conrad; €8,230 EUR; Virtual
SANS AI Cybersecurity Summit & Training 2026, Virtual (live), instructed by Seth Misenar; $8,780 USD; Virtual
SANS Munich June 2026, Munich, DE, instructed by Eric Conrad; €8,230 EUR; In-Person
SANSFIRE 2026, Washington, DC, US & Virtual (live), instructed by Eric Conrad; $8,780 USD; In-Person, Virtual
SANS Amsterdam August 2026, Amsterdam, NL, instructed by Eric Conrad; €8,230 EUR; In-Person
SANS Virginia Beach 2026, Virginia Beach, VA, US & Virtual (live), instructed by Seth Misenar; $8,780 USD; In-Person, Virtual
SANS Network Security 2026, Las Vegas, NV, US & Virtual (live), instructed by Tim Garcia; $8,780 USD; In-Person, Virtual
SANS Paris September 2026, Paris, FR, instructed by Eric Conrad; €8,230 EUR; In-Person
SANS October Singapore 2026, Singapore, SG & Virtual (live), instructed by Seth Misenar; S$11,390 SGD; In-Person, Virtual
*Prices exclude applicable local taxes
Learn Alongside Leading Cybersecurity Professionals From Around The World
The comprehensive training in SEC511 was directly relevant to my day-to-day responsibilities at work and has opened up numerous job opportunities for me in the cybersecurity sector.
SEC511's lab sessions provided critical practical experience that helped solidify the theoretical concepts.
I run SOCs and this course will and does provide a gut check against what we are doing today.
The labs and exercises were excellent and provided additional supplementary, hands-on learning that helped solidify the course content.
Benefits of Learning with SANS
Get feedback from the world’s best cybersecurity experts and instructors
Choose how you want to learn - online, on demand, or at our live in-person training events
Get access to our range of industry-leading courses and resources