Save $350 on Hands-on Cyber Security Training at SANS Sonoma 2019! Ends 11/21.

SANS DFIR Course Instructors

Learn hands-on DFIR skills from qualified, experienced and globally respected Instructors.

SANS Digital Forensics course Instructors are the people you'd want on your side during and after a security incident.

They are battle-hardened experts who have earned their reputation on cyber security's frontline. Many hold high-ranking DFIR roles for global organisations, others run consultancy firms that are widely sought.

DFIR Instructors do not merely share facts, but share their hands on experience. Depending on the course taken and specialisation, they'll share the latest fraud methods, intrusion mechanisms, insider threats, phishing attacks and more.

Students who take training from an Instructor at a Training Event have the opportunity to earn a DFIR Forensicator Coin.

Individual Instructors specifically specialise in mobile, Windows, OSX, network, memory and malware forensics.

DFIR Courses Instructors


Thomas Brandstetter

A computer security expert with almost 20 years of hands-on experience, Prof. Thomas Brandstetter is already a veteran in his field of expertise, cyber security in the industrial sector. 

He is best known as the incident handler of Stuxnet for Siemens in 2010 as well as the founder of the Siemens Product Cyber Emergency Readiness Team, which is still one of the most effective industrial incident and vulnerability response teams worldwide today.

He currently divides his time on the one hand being managing director of Limes Security, a company specializing in top-notch industrial cyber security consulting and secure software development coaching, on the other as being Professor at the University of Applied Sciences St. Poelten, where he teaches various computer security courses at bachelor and master security degree programs. 

In addition, he is active instructor at the prestigious SANS technology institute, where he regularly teaches courses in the field of industrial control system security throughout Europe and the Middle East. He also was appointed recently as Honorary Professor of Cyber Security at the esteemed Faculty of Technology of DeMontfort University in Leicester, UK. 

Prof. Thomas Brandstetter presented numerous times at world-class security conferences such as Blackhat USA, Blackhat Europe and SANS ICS Summits. Besides those professional security conferences, Thomas also spoke at federal critical infrastructure conferences such as the BSI Summit or Meridian, or academic research-oriented conferences such as IFIP WG11.10, CIRED and ICS-CSR, as keynote or regular presenter.

Besides speaker engagements, he also likes to actively contribute to security community work or to act as advisor or chair for reputable conference boards. He helped to establish the ICS village at DEFCON and BruCON and he is conference chair of the industrial control system cyber security research (ICS-CSR) academic conference series, program committee member of the International Conference on Availability, Reliability and Security (ARES) as well as SANS Industrial Control System Security Summit and director of the program committee of the annual IT Security Community Exchange (ITSECX)conference. 

He holds the renown GSEC, GICSP and CISSP certifications, an academic degree in IT security from the University of Applied Sciences Hagenberg, Austria and a Master's degree in business administration from the Universities of Augsburg and Pittsburgh.

View Upcoming Training for Thomas Brandstetter


Mark Bristow

Mark Bristow was born to work in information security as he found his first bug in an ICS system at the age of 10. As a teen he had a passion for technology and spent a lot of time exploring the possibilities on his computer. Once he realized he could make a career out of this passion, he jumped at the opportunity and earned a Computer Engineering degree from Penn State.

Mark loves the ever-changing landscape of security and views it as a puzzle that must be solved. He especially loves the challenges in ICS security as defending the systems where cyber meets physical means there is no greater success than a safe and effective process.

Currently Mark is the Chief of ICS-CERT Incident Response at the Department of Homeland Security where he leverages his expertise in incident response, industrial control systems, network monitoring and defense to support national security interests. In Mark's twelve- year security career he has also worked for SRA and Securicon where he supported a variety of private and public sector clients.

Mark's experience has led him to the path of sharing his knowledge and helping others learn to protect critical infrastructure. He loves teaching not only to help others, but because he learns something from his students in every class. Mark shares his real-world experiences with students so they can relate the information to scenarios in the field.

When Mark isn't defending ICS systems, he enjoys spending time with his family and scuba diving as much as possible.

View Upcoming Training for Mark Bristow


Jason Christopher

Jason D. Christopher is the Chief Technology Officer for Axio. His responsibilities include providing technical leadership on security and resilience issues relevant to Axio, its partners, and clients, and the development of all Axio technology platforms for security metrics and benchmarking.

Prior to Axio, Jason led the research for cybersecurity metrics and information assurance at the Electric Power Research Institute. Previously, he was the technical lead for cybersecurity capability and risk management at the US Department of Energy, where he managed the Cybersecurity for Energy Delivery Systems Operations program, which included the Cybersecurity Capability Maturity Model and other collaborative efforts. Jason also served as the program lead for both Critical Infrastructure Protection Standards and Smart Grid Security at the Federal Energy Regulatory Commission.

Mr. Christopher has worked on a variety of infrastructure projects, particularly in the field of industrial control systems design and implementation. He has also researched and designed technology systems across multiple industries, including energy, water, transportation, and communications. He has been a representative on the Federal Smart Grid Task Force, the Critical Infrastructure Protection Committee (CIPC), and other technical committees.

Independent of his work at Axio, Jason is a member on the Institute of Electrical and Electronics Engineers (IEEE-USA) Energy Policy, Communications Policy, and Research & Development Policy Committees. Over the past decade, Jason has focused on the development of cybersecurity standards and practices for the nation's critical infrastructure.

Outside of the workplace, Jason focuses on Science, Technology, Engineering, and Mathematics (STEM) education issues. He has lectured at several universities across the country and developed cross-disciplinary courses focusing on resilience, sustainable energy, and community design.

Mr. Christopher holds a Bachelor of Science and Master of Engineering from the State University of New York at Binghamton, and Master's of Engineering degree in electrical engineering from Cornell University.

View Upcoming Training for Jason Christopher


Tim Conway

Tim serves as the Technical Director - ICS and SCADA programs at SANS, and is responsible for developing, reviewing, and implementing technical components of the SANS ICS and SCADA product offerings. Additionally, performing contract and consulting work in the areas of ICS cyber security with a focus on energy environments.

A recognized leader in CIP operations, he formerly served as the Director of CIP Compliance and Operations Technology at Northern Indiana Public Service Company (NIPSCO), and was responsible for Operations Technology, NERC CIP Compliance, and the NERC training environments for the operations departments within NIPSCO Electric.

Recognizing the need for ICS focused cyber security training throughout critical infrastructure environments and an increased need for NERC CIP hands on training, Tim authored and instructs the ICS curriculums newest course ICS456 - Essentials for NERC Critical Infrastructure Protection.

Outside of SANS, Tim continues to perform contract and consulting work in the areas of ICS cyber security with a focus on the energy sector.

Before accepting the opportunity to join SANS, Tim enjoyed a 15-year career with NIPSCO where he held management and leadership positions as well as EMS Computer Systems Engineer responsibilities over the control system servers and the supporting network infrastructure. During his career, Tim has served as the Chair of the RFC CIPC, Chair of the NERC CIP Interpretation Drafting Team, Chair of the NERC CIPC GridEx Working Group, and Chair of the NBISE Smart Grid Cyber Security panel.

Here is What Students Say About Tim Conway:

"ICS456 is the best-in-class NERC CIP Training. The courseware provides the students valuable compliance approaches and software tools to take home for peer collaboration to build consent on entities CIP implementation gaps." - Jeff Manton, WAPA

"Tim Conway is able to convey information to the class very clearly and adds extra content pertinent to the discussion." - Anthony Napier, AES

 "ICS456 course prepares you for CIP, both technically and practically with a blend of experience and knowledge." - Art Conklin, UH

View Upcoming Training for Tim Conway


Jason Dely

Jason Dely is an Industrial Control Systems (ICS) security consultant for Cylance Inc. with over 15 years of professional experience in ICS and Critical Infrastructure security initiatives and solutions spanning multiple industry verticals.  Jason is a leader and contributor in the management, consultation, assessment, planning, designing and implementation of a variety of ICS security and infrastructure projects across industries that include Water Utilities, Oil and Gas, Steel and Chemical.  Before joining Cylance, Jason worked for one of the world's largest ICS vendors where he contributed to clients his security knowledge and integration experiences across ICS and IT technologies.  Jason is frequently a speaker at various industry events and leverages his integration knowledge of securing ICS systems and their vulnerabilities to provide services and guidance to Cylance clients.  Dely is an Electronics Engineering Technologist and is a CISSP, CISM and SANS GIAC certified Exploit Researcher and Advanced Penetration Tester (GXPN).

View Upcoming Training for Jason Dely


Paul A. Henry

Paul Henry is a Senior Instructor with the SANS Institute and one of the world's foremost global information security and computer forensic experts with more than 30 years of experience covering all 10 domains of network security. Paul began his career in critical infrastructure / process control supporting power generation and currently manages security initiatives and incident response for Global 2000 enterprises and government organizations worldwide.

Paul is a principal at vNet Security, LLC and is keeping a finger on the pulse of network security as the security and forensic analyst at Lumension Security and as a retained security expert for multiple financial and healthcare firms.

Throughout his career, Paul has played a key strategic role in launching new network security initiatives to meet our ever-changing threat landscape. Paul also advises and consults on some of the world's most challenging and high-risk information security projects, including the National Banking System in Saudi Arabia, the Reserve Bank of Australia, the Department of Defense's Satellite Data Project (USA), and both government as well as telecommunications projects throughout Southeast Asia.

Paul is frequently cited by major and trade print publications as an expert in perimeter security, incident response / computer forensics and general security trends and serves as an expert commentator for network broadcast outlets, such as FOX, NBC, CNN, and CNBC. In addition, Paul regularly authors thought leadership articles on technical security issues, and his expertise and insight help shape the editorial direction of key security publications, such as the Information Security Management Handbook, where he is a consistent contributor. Paul serves as a featured and keynote speaker at seminars and conferences worldwide, delivering presentations on diverse topics including anti-forensics, network access control, cyber crime, DDoS attack risk mitigation, perimeter security, and incident response.

Listen to Paul discuss "Incident Response and Forensics in the Cloud" in this SANS webcast that every DFIR professional should listen to.

Here is What Students Say About Paul A. Henry:

"Paul is an excellent instructor, his experiences in the field of security makes this course even better." - Bhavesh Bhudia, Bloomberg, LP

"Paul is a fantastic instructor. I really liked his real-life stories and shared experiences." - Manuel Duron, VMWare

View Upcoming Training for Paul A. Henry


Billy Rios

Billy is an accomplished author and speaker. Billy is recognized as one of the world's most respected experts on emerging threats related to Industrial Control Systems (ICS), Critical Infrastructure (CI), and medical devices. He discovered thousands of security vulnerabilities in hardware and software supporting ICS and critical infrastructure. He has been publically credited by the Department of Homeland Security (DHS) over 50 times for his support to the DHS ICS Cyber Emergency Response Team (ICS-CERT).  

Billy is the Founder of WhiteScope LLC which is known as a leading provider of deep security research, world class advisory services, and innovative security solutions.  Prior to venturing into entrepreneurship, Billy served in a number of roles that demonstrated increasing responsibility and security expertise. 

As the Director of Vulnerability Research and Threat Intelligence with Qualys, Billy led the development of product offerings for vulnerability research, threat intelligence, ICS/SCADA, and embedded security. Before Qualys, Billy led the Google front-line response for externally reported security issues and incidents.  Prior to Google, Billy was the Security Program Manager at Internet Explorer (Microsoft).  During his time at Microsoft, Billy led the company's response for several high-profile incidents, including the response for Operation Aurora. Before Microsoft, Billy worked as a penetration tester, an intrusion detection analyst, and served as an active duty Marine Corps Officer.

Billy currently holds an MBA from Texas A&M University-Commerce and a Master of Science in Information Systems from Hawaii Pacific University.  He was a contributing author for several publications including: Hacking, the Next Generation (O'Reilly), Inside Cyber Warfare (O'Reilly), and The Virtual Battle Field (IOS Press).

Here is What Students Say About Billy Rios:

"Billy is doing everything right! Bringing real life examples help with understanding the material." - Gina Mayfield, University of Delaware

View Upcoming Training for Billy Rios


Kai Thomsen

Kai has been working in various IT Security roles for more than 15 years. Currently he is the DFIR lead at the premium automaker AUDI AG. Kai also designs and runs Red Team exercises at Audi that integrate IT, business, and physical aspects.

Before Audi he worked for more than 12 years at the engineering company SMS Group where he designed and implemented defensible LANs as well as running DFIR in traditional IT and ICS environments.

Kai holds an MA in Computer Science and English and American Literature.

View Upcoming Training for Kai Thomsen


There are different options available for students looking to take SANS DFIR Training:

For a student perspective on our DFIR Training see our Testimonials. To learn about getting certified in security training, read our DFIR GIAC page or select a training event below to book an upcoming training course.

For any questions please see our FAQs or email emea@sans.org.


Training Events Offering DFIR Courses
Event Dates Register
SANS Paris November 2018 Nov 19 - Nov 24, 2018  
SANS Stockholm 2018 Nov 26 - Dec 01, 2018  
SANS Khobar 2018 Dec 01 - Dec 06, 2018  
SANS Dublin 2018 Dec 03 - Dec 08, 2018  
SANS Frankfurt 2018 Dec 10 - Dec 15, 2018  
SANS Amsterdam January 2019 Jan 14 - Jan 19, 2019  
SANS Threat Hunting London 2019 Jan 14 - Jan 19, 2019  
SANS London February 2019 Feb 11 - Feb 16, 2019  
SANS Zurich February 2019 Feb 18 - Feb 23, 2019  
SANS Riyadh February 2019 Feb 23 - Feb 28, 2019  
SANS Brussels February 2019 Feb 25 - Mar 02, 2019  
SANS London March 2019 Mar 11 - Mar 16, 2019  
SANS Munich March 2019 Mar 18 - Mar 23, 2019  
SANS Jeddah March 2019 Mar 23 - Mar 28, 2019  
SANS Madrid March 2019 Mar 25 - Mar 30, 2019  
SANS Cyber Security Middle East Summit Apr 04 - Apr 11, 2019  
SANS London April 2019 Apr 08 - Apr 13, 2019  
SANS Riyadh April 2019 Apr 13 - Apr 18, 2019  
SANS Muscat April 2019 Apr 27 - May 02, 2019  
SANS Stockholm May 2019 May 13 - May 18, 2019  
SANS Milan May 2019 May 13 - May 18, 2019  
SANS Dublin May 2019 May 13 - May 18, 2019  
SANS Amsterdam May 2019 May 20 - May 25, 2019  
SANS Krakow May 2019 May 27 - Jun 01, 2019  
SANS London June 2019 Jun 03 - Jun 08, 2019  
SANS Zurich June 2019 Jun 03 - Jun 08, 2019  
SANS Paris July 2019 Jul 01 - Jul 06, 2019  
Online Training: SANS OnDemand
Event Dates Register
OnDemand - Various Courses Anytime  
Private Training
Event Dates Register
Private Training Course of Your Choice Your Choice