Last Day to Save $200 on Cyber Security Training at SANS San Francisco Summer!

SANS Cyber Defence Course Instructors

Receive hands-on Cyber Defence training from SANS' highly respected Instructors - inspirational teachers and practicing technical experts.

SANS Cyber Defence Instructors are renowned experts in the field. They are professional Cyber Defence practitioners who hold high ranking posts in prestigious, global organisations.

SANS Instructors have one collective mission: to teach how to keep an organisation safe. They're involved in the daily cut-and-thrust of cyber defence, and bring this real-world experience into the classroom.

Along with possessing impeccable technical qualifications, SANS Cyber Defence Instructors understand how people learn, and know how to inspire.

Get GIAC Certified at a SANS Training Event, Online or at a Private Training session with one of our SANS Cyber Defence Instructors.

Cyber Defence Courses Instructors

Thomas Brandstetter

Prof. Thomas Brandstetter is a widely-recognized industrial cybersecurity expert, with 20 years of experience.

Thomas started his Infosec career as a security engineer and penetration tester at Siemens, working on everything ranging from single controllers to entire industrial control and energy automation solutions. Consequently, Thomas became the founder of the Siemens Hack-Proof Products program, their earliest secure product development initiative. This job also led to his role as the appointed lead Stuxnet incident handler for Siemens in 2010. After having worked in both offensive and preventive security, he went into response and founded the Siemens Product Cyber Emergency Readiness Team, which is still one of the most effective industrial vulnerability and incident response teams worldwide today.

Since 2013, he is the founder and managing director of Limes Security, a well-established European cyber security company specializing in top-class industrial security consulting and secure software development coaching.

Thomas has a passion for teaching security courses, as he is convinced that demand continues to outstrip available workforce by far. On the professional side, he is sharing his infosec experience as instructor at the prestigious SANS technology institute, where he has been teaching industrial control system security courses throughout Europe and the Middle East since 2015.

On the academic side, he is Professor for IT Security at University of Applied Sciences St. Poelten, Austria, where he teaches various security courses at bachelor and master security programs. He also was appointed as Honorary Professor for Cyber Security at the esteemed Cyber Technology Institute of DeMontfort University Leicester, UK.

When not in classroom, Thomas still likes to spend as many days as possible in projects, supporting industrial vendors and operators to ramp up their security posture, where he has helped to establish and improve numerous industrial security programs and PSIRTs for multinational corporations.

Thomas presented at top-level security conferences such as Blackhat USA, Blackhat Europe, BSI Conference and SANS ICS summits. Besides speaker engagements, Thomas likes to actively contribute to the security community. He helped to establish the ICS villages at DEFCON and BruCON as well as the hackerspace Segmentation Vault. He is conference chair of the industrial control system cyber security research (ICS-CSR) conference series, program committee member of the ARES as well as SANS ICS conferences and director of the program committee of the annual IT Security Community Exchange (ITSECX) conference series.

He is the inventor of several security-related patents, holds the renown GSEC, GICSP and GRID certifications from GIAC as well as a CISSP, an academic degree in IT security from the University of Applied Sciences Hagenberg, Austria and a Master's degree in business administration from the Universities of Augsburg and Pittsburgh.

View Upcoming Training for Thomas Brandstetter

Mark Bristow

Mark Bristow was born to work in information security as he found his first bug in an ICS system at the age of 10. As a teen, he had a passion for technology and spent a lot of time exploring the possibilities of his computer and the nascent internet. Once he realized he could make a career out of this passion, he jumped at the opportunity and earned a Computer Engineering degree from Penn State. 

Mark loves the ever-changing landscape of security and views it as a puzzle that must be solved. He especially loves the challenges in ICS security as defending the systems where cyber meets physical means there is no greater success than a safe and effective process.

Currently Mark is the Director for the Hunt and Incident Response Team (HIRT) at Department of Homeland Secuirty's Cybersecurity and Infrastructure Security Agency (CISA) where he leverages his expertise in incident response, industrial control systems, network monitoring and defense to support national security interests.  Before ICS-CERT was integrated into HIRT, Mark was the Chief of ICS-CERT incident response.  In Mark's sixteen-year security career he has also worked for CSRA and Securicon where he supported a variety of private and public sector clients.  

Mark has been on the front lines of headline grabbing incident response efforts such as the attack on the Ukrainian power grid, intrusions into US election infrastructure and Russian attempts to gain access to the U.S. power grid.  Mark is a frequent speaker on industrial control systems security issues worldwide.

Mark's experience has led him to the path of sharing his knowledge and helping others learn to protect critical infrastructure. He loves teaching not only to help others, but because he learns something from his students in every class. Mark shares his real-world experiences with students so they can relate the information to scenarios in the field.

When Mark isn't defending ICS systems, he enjoys spending time with his family, working toward his pilot's license and SCUBA diving as much as possible.

View Upcoming Training for Mark Bristow

Jason Christopher

Jason D. Christopher is the Chief Technology Officer for Axio. His responsibilities include providing technical leadership on security and resilience issues relevant to Axio, its partners, and clients, and the development of all Axio technology platforms for security metrics and benchmarking.

Prior to Axio, Jason led the research for cybersecurity metrics and information assurance at the Electric Power Research Institute. Previously, he was the technical lead for cybersecurity capability and risk management at the US Department of Energy, where he managed the Cybersecurity for Energy Delivery Systems Operations program, which included the Cybersecurity Capability Maturity Model and other collaborative efforts. Jason also served as the program lead for both Critical Infrastructure Protection Standards and Smart Grid Security at the Federal Energy Regulatory Commission.

Mr. Christopher has worked on a variety of infrastructure projects, particularly in the field of industrial control systems design and implementation. He has also researched and designed technology systems across multiple industries, including energy, water, transportation, and communications. He has been a representative on the Federal Smart Grid Task Force, the Critical Infrastructure Protection Committee (CIPC), and other technical committees.

Independent of his work at Axio, Jason is a member on the Institute of Electrical and Electronics Engineers (IEEE-USA) Energy Policy, Communications Policy, and Research & Development Policy Committees. Over the past decade, Jason has focused on the development of cybersecurity standards and practices for the nation's critical infrastructure.

Outside of the workplace, Jason focuses on Science, Technology, Engineering, and Mathematics (STEM) education issues. He has lectured at several universities across the country and developed cross-disciplinary courses focusing on resilience, sustainable energy, and community design.

Mr. Christopher holds a Bachelor of Science and Master of Engineering from the State University of New York at Binghamton, and Master's of Engineering degree in electrical engineering from Cornell University.

Here is a SANS Summit presentation by Jason Christopher:

View Upcoming Training for Jason Christopher

Tim Conway

Tim serves as the Technical Director - ICS and SCADA programs at SANS, and is responsible for developing, reviewing, and implementing technical components of the SANS ICS and SCADA product offerings. Additionally, performing contract and consulting work in the areas of ICS cyber security with a focus on energy environments.

A recognized leader in CIP operations, he formerly served as the Director of CIP Compliance and Operations Technology at Northern Indiana Public Service Company (NIPSCO), and was responsible for Operations Technology, NERC CIP Compliance, and the NERC training environments for the operations departments within NIPSCO Electric.

Recognizing the need for ICS focused cyber security training throughout critical infrastructure environments and an increased need for NERC CIP hands on training, Tim authored and instructs the ICS curriculums newest course ICS456 - Essentials for NERC Critical Infrastructure Protection.

Outside of SANS, Tim continues to perform contract and consulting work in the areas of ICS cyber security with a focus on the energy sector.

Before accepting the opportunity to join SANS, Tim enjoyed a 15-year career with NIPSCO where he held management and leadership positions as well as EMS Computer Systems Engineer responsibilities over the control system servers and the supporting network infrastructure. During his career, Tim has served as the Chair of the RFC CIPC, Chair of the NERC CIP Interpretation Drafting Team, Chair of the NERC CIPC GridEx Working Group, and Chair of the NBISE Smart Grid Cyber Security panel.

Here is What Students Say About Tim Conway:

"ICS456 is the best-in-class NERC CIP Training. The courseware provides the students valuable compliance approaches and software tools to take home for peer collaboration to build consent on entities CIP implementation gaps." - Jeff Manton, WAPA

"Tim Conway is able to convey information to the class very clearly and adds extra content pertinent to the discussion." - Anthony Napier, AES

 "ICS456 course prepares you for CIP, both technically and practically with a blend of experience and knowledge." - Art Conklin, UH

Here is a SANS Summit presentation by Tim Conway:

View Upcoming Training for Tim Conway

Jason Dely

Jason Dely is responsible for leading the critical infrastructure and industrial control systems (ICS) security practice for Cylance. Prior to joining Cylance, Jason held many roles at Rockwell Automation where he assisted clients with their research, design, integration, testing and response activities across a variety of application, security and infrastructure initiatives. During this time, Jason gained in-depth ICS product, protocol and operational experiences that are invaluable when it comes to evaluating and building defenses within critical infrastructure organizations. His security passion over the past 18 years of experience with ICS is founded upon balancing business requirements against people, process and technologies unique to each organization to ensure their operations are safe, reliable and secure.

Jason frequently speaks at industry events to share his knowledge of the technical operations and integration challenges one faces when securing ICS systems. Likewise, Jason is knowledgeable in the practical application of security standards, guidelines and publications; for example, ISA99, ISA/IEC 62443, NIST Cybersecurity Framework, NIST SP 800 Series, NERC CIP, CPwE, CIS CSC 20. 

With a comprehensive understanding of the industry's technical and operational security challenges, Jason has effectively spearheaded multiple engagements surrounding security assessment, implementation, research and response activities spanning Information Technology (IT) and Operational Technology (OT). In addition, Jason has provided turn-key security improvement solutions for many industries which include the assessment, design and integration of an entire SCADA platform and infrastructure (networks, firewalls, VPN, DMZ applications, jump hosts, virtual server environments, virtual desktop environments).

  • Performed assessment, testing and response activities across all critical infrastructure owners
  • Provided guidance on design and rollout of ISA/IEC 62443 and NIST CSF
  • Industry specific business and operational experience including, but not limited to, Water/Waste Water Utilities, Oil & Gas, Metals, Manufacturing, Mining and Chemical

Education, Certifications and Training 

  • Electronics Engineering Technologist, Niagara College 
  • Multiple ICS Product and Technology Certificates
  • Certified Information Systems Security Professional (CISSP)
  • Certified Information Security Manager (CISM)
  • SANS SEC566: Implementing and Auditing the Twenty Critical Security Controls
  • SANS SEC560: Network Penetration Testing and Ethical Hacking
  • SANS SEC660: Advanced Penetration Testing, Exploit Writing, and Ethical Hacking (GXPN Certifiied) 

View Upcoming Training for Jason Dely

Paul A. Henry

Paul Henry is a Senior Instructor with the SANS Institute and one of the world's foremost global information security and computer forensic experts with more than 30 years of experience covering all 10 domains of network security. Paul began his career in critical infrastructure / process control supporting power generation and currently manages security initiatives and incident response for Global 2000 enterprises and government organizations worldwide.

Paul is a principal at vNet Security, LLC and is keeping a finger on the pulse of network security as the security and forensic analyst at Lumension Security and as a retained security expert for multiple financial and healthcare firms.

Throughout his career, Paul has played a key strategic role in launching new network security initiatives to meet our ever-changing threat landscape. Paul also advises and consults on some of the world's most challenging and high-risk information security projects, including the National Banking System in Saudi Arabia, the Reserve Bank of Australia, the Department of Defense's Satellite Data Project (USA), and both government as well as telecommunications projects throughout Southeast Asia.

Paul is frequently cited by major and trade print publications as an expert in perimeter security, incident response / computer forensics and general security trends and serves as an expert commentator for network broadcast outlets, such as FOX, NBC, CNN, and CNBC. In addition, Paul regularly authors thought leadership articles on technical security issues, and his expertise and insight help shape the editorial direction of key security publications, such as the Information Security Management Handbook, where he is a consistent contributor. Paul serves as a featured and keynote speaker at seminars and conferences worldwide, delivering presentations on diverse topics including anti-forensics, network access control, cyber crime, DDoS attack risk mitigation, perimeter security, and incident response.

Listen to Paul discuss "Incident Response and Forensics in the Cloud" in this SANS webcast that every DFIR professional should listen to.

Here is What Students Say About Paul A. Henry:

"Paul is an excellent instructor, his experiences in the field of security makes this course even better." - Bhavesh Bhudia, Bloomberg, LP

"Paul is a fantastic instructor. I really liked his real-life stories and shared experiences." - Manuel Duron, VMWare

View Upcoming Training for Paul A. Henry

Billy Rios

Billy is an accomplished author and speaker. Billy is recognized as one of the world's most respected experts on emerging threats related to Industrial Control Systems (ICS), Critical Infrastructure (CI), and medical devices. He discovered thousands of security vulnerabilities in hardware and software supporting ICS and critical infrastructure. He has been publically credited by the Department of Homeland Security (DHS) over 50 times for his support to the DHS ICS Cyber Emergency Response Team (ICS-CERT).  

Billy is the Founder of WhiteScope LLC which is known as a leading provider of deep security research, world class advisory services, and innovative security solutions.  Prior to venturing into entrepreneurship, Billy served in a number of roles that demonstrated increasing responsibility and security expertise. 

As the Director of Vulnerability Research and Threat Intelligence with Qualys, Billy led the development of product offerings for vulnerability research, threat intelligence, ICS/SCADA, and embedded security. Before Qualys, Billy led the Google front-line response for externally reported security issues and incidents.  Prior to Google, Billy was the Security Program Manager at Internet Explorer (Microsoft).  During his time at Microsoft, Billy led the company's response for several high-profile incidents, including the response for Operation Aurora. Before Microsoft, Billy worked as a penetration tester, an intrusion detection analyst, and served as an active duty Marine Corps Officer.

Billy currently holds an MBA from Texas A&M University-Commerce and a Master of Science in Information Systems from Hawaii Pacific University.  He was a contributing author for several publications including: Hacking, the Next Generation (O'Reilly), Inside Cyber Warfare (O'Reilly), and The Virtual Battle Field (IOS Press).

Here is What Students Say About Billy Rios:

"Billy is doing everything right! Bringing real life examples help with understanding the material." - Gina Mayfield, University of Delaware

View Upcoming Training for Billy Rios

Kai Thomsen

Kai has worked in a wide range of IT security roles for more than 15 years. Currently he is the lead Digital Forensics and Digital Response (DFIR) analyst at premium automaker AUDI AG. He has played a key role in establishing a modern cyber defense team at Audi to protect the enterprise, industrial control system (ICS), and connected car infrastructure.

Before Audi, Kai worked for more than 12 years in the steel industry at the engineering company SMS Group, where he designed and implemented defensible LANs for enterprise and ICS environments in-house as well as for customers' plants. The steel industry was also where Kai delved into Network Security Monitoring and DFIR, building security monitoring solutions for company and customer sites and performing incident response in Europe, Asia, and the United States.

Kai has spoken and taught at various security conferences, including S4 Europe, CS3STHLM, Troopers, ISF, and SIGS SCADA in Switzerland. In 2018, he chaired the SANS Automotive Cybersecurity Summit and the SANS ICS Europe Summit. Kai holds the GIAC Response and Industrial Defense (GRID) certification and has a master's degree in computer science and English and American literature from the University of Siegen.

In the little free time that is left between working in his DFIR job and as a SANS instructor, Kai loves to travel the world, especially mountain regions where climbing, hiking, and skiing look promising.

Kai holds an MA in Computer Science and English and American Literature.

View Upcoming Training for Kai Thomsen

Read what previous SANS Cyber Defence students say about their training experience on our Testimonials page.

See a range of our free cyber security Resources or read our FAQs.

Training Events Offering Cyber Defence Courses
Event Dates Register
SANS Paris July 2019 Jul 01 - Jul 06, 2019  
SANS Munich July 2019 Jul 01 - Jul 06, 2019  
SANS London July 2019 Jul 08 - Jul 13, 2019  
SANS Riyadh July 2019 Jul 28 - Aug 01, 2019  
SANS London August 2019 Aug 05 - Aug 10, 2019  
SANS Prague August 2019 Aug 12 - Aug 17, 2019  
SANS Amsterdam August 2019 Aug 19 - Aug 24, 2019  
SANS Copenhagen August 2019 Aug 26 - Aug 31, 2019  
SANS Munich September 2019 Sep 02 - Sep 07, 2019  
SANS Brussels September 2019 Sep 02 - Sep 07, 2019  
SANS Oslo September 2019 Sep 09 - Sep 14, 2019  
SANS Dubai September 2019 Sep 14 - Sep 19, 2019  
SANS Paris September 2019 Sep 16 - Sep 21, 2019  
SANS Bahrain September 2019 Sep 21 - Sep 26, 2019  
SANS London September 2019 Sep 23 - Sep 28, 2019  
SANS DFIR Europe 2019 Sep 30 - Oct 06, 2019  
SANS Cardiff September 2019 Sep 30 - Oct 05, 2019  
SANS Riyadh October 2019 Oct 05 - Oct 10, 2019  
SANS Doha October 2019 Oct 12 - Oct 17, 2019  
SANS London October 2019 Oct 14 - Oct 19, 2019  
SANS Cairo October 2019 Oct 19 - Oct 24, 2019  
SANS Amsterdam October 2019 Oct 28 - Nov 02, 2019  
SANS London November 2019 Nov 11 - Nov 16, 2019  
SANS Gulf Region 2019 Nov 16 - Nov 28, 2019  
SANS Munich November 2019 Nov 18 - Nov 23, 2019  
SANS SEC401 Madrid November 2019 (in Spanish) Nov 18 - Nov 23, 2019  
SANS Security Operations London 2019 Dec 02 - Dec 07, 2019  
SANS Frankfurt December 2019 Dec 09 - Dec 14, 2019  
Online Training: SANS OnDemand
Event Dates Register
OnDemand - Various Courses Anytime  
Private Training
Event Dates Register
Private Training Course of Your Choice Your Choice