
SANS Instructors

SANS Instructors are world-class technical experts and inspirational teachers. They are subject matter specialists who possess the charisma and presence necessary to bring training to life in the classroom.

SANS cyber security training has achieved its reputation for excellence in part because SANS Instructors are top cyber security experts and practitioners in their respective fields. This means they are able to integrate real-world, current scenarios into the training experience.

Whatever their specialism, be it Defence, Management, DFIR, ICS, Audit, Pen Testing, or Software Development, SANS Instructors are second to none.

Our Instructors are real-world cyber security experts who hold influential security roles in prominent organisations across the globe.

SANS' Instructors are involved daily in the technical cut-and-thrust of IT security. Our Instructors know about the latest threats because it's their job, more often than not, to face them down.




Across our roster of Instructors are experts who work with FTSE100 companies, Fortune 500 enterprises as well as major government and defence departments.

Commonly, they are red team leaders, information warfare officers, technical directors, CISOs, research fellows and senior consultants. They're fascinating, worldly and deeply experienced.

Collectively SANS Instructors hold more than 45 security patents and have written many highly regarded books on cyber security. When they're not working or training, most are heavily involved in blogging, writing, mentoring and sharing invaluable information within the cyber security community.

The Art of Teaching

Along with their highly technical and professional credentials, SANS Instructors are skilled teachers. They understand how to bring their subjects to life and, above all, they are great communicators.

Hands on Learning

SANS has been at the forefront of security training for over twenty-five years. Over that time we've learned a great deal about the business of teaching security skills. SANS believes that people learn better by doing as opposed to being lectured.

As a result, SANS Courses are very practical and hands-on. There are lab exercises, software-based exercises and practical explorations. The ability to show how theory can be applied - as opposed to simply explaining a concept - is a skill our Instructors possess.

Instructor Training Delivery

We know people have different requirements, which is why SANS offers a variety of ways to access training.

  1. Students who prefer to be taught by a SANS Instructor in person can attend a SANS Training Event. Training Events take place in cities across the world and feature networking opportunities and additional educational content.
  2. Alternatively students can elect to take SANS Online Training. Here students can work remotely and at their own pace. We provide high quality courseware such as books, videos and recordings of the SANS Instructor giving their direction. Students can access the content online.
  3. SANS Private Training is another alternative. Here, a SANS Instructor travels to an organisation and delivers training in their HQ or office. Such an approach is efficient if a company has a large team looking to receive training. For this training option, a minimum of 25 students is required.

All our training delivery options are subtly different yet the quality of instruction is consistent.

Cyber Defence Courses Instructor List


Chris Christianson

Chris Christianson is an Information Security Consultant based in Northern California, with 20 years of experience and many technical certifications including the GSEC, GCIH, GCIA, GREM, GPEN, GWAPT, GCCC, GISF, GCED, CISSP, CCSE, CCDP, CCNP, IAM, CEH, and IEM. He holds a Bachelor of Science in Management Information Systems from University of Atlanta. Before starting his own information security consulting services, he worked at Travis Credit Union for 21 years. His last role there was Assistant Vice President in the Information Technology department (December 2012 - January 2016). Chris has also been an expert speaker at conferences and a contributor to numerous industry articles.

Blog: www.ismellpackets.com



Dr. Eric Cole

Dr. Cole is an industry-recognized security expert with over 20 years of hands-on experience. Dr. Cole has experience in information technology with an emphasis on helping customers focus on the right areas of security by building out a dynamic defense. Dr. Cole has a master's degree in computer science from NYIT and a doctorate from Pace University with a concentration in information security. He served as CTO of McAfee and Chief Scientist for Lockheed Martin. Dr. Cole is the author of several books, including Advanced Persistent Threat, Hackers Beware, Hiding in Plain Sight, Network Security Bible 2nd Edition, and Insider Threat. He is the inventor of over 20 patents and is a researcher, writer, and speaker. He is also a member of the Commission on Cyber Security for the 44th President and several executive advisory boards. Dr. Cole is the founder and an executive leader at Secure Anchor Consulting, where he provides leading-edge cyber security consulting services and expert witness work, and leads research and development initiatives to advance the state of the art in information systems security. Dr. Cole was the lone inductee into the InfoSec European Hall of Fame in 2014. Dr. Cole is actively involved with the SANS Technology Institute (STI) and is a SANS faculty Fellow and course author who works with students, teaches, and develops and maintains courseware.



Eric Conrad


SANS Senior Instructor Eric Conrad is the lead author of SANS MGT414: SANS Training Program for CISSP® Certification, and coauthor of both SANS SEC511: Continuous Monitoring and Security Operations and SANS SEC542: Web App Penetration Testing and Ethical Hacking. He is also the lead author of the books CISSP Study Guide and Eleventh Hour CISSP: Study Guide.


Eric's career began in 1991 as a UNIX systems administrator for a small oceanographic communications company. He gained information security experience in a variety of industries, including research, education, power, Internet, and health care. He is now CTO of Backshore Communications, a company focusing on hunt teaming, intrusion detection, incident handling, and penetration testing. He is a graduate of the SANS Technology Institute with a master of science degree in information security engineering. In addition to the CISSP, he holds the prestigious GIAC Security Expert (GSE) certification as well as the GIAC GPEN, GCIH, GCIA, GCFA, GAWN, and GSEC certifications. Eric also blogs about information security at www.ericconrad.com.

Eric is fantastic and does an excellent job relating the material to real-life examples. - Robby Croft, Brown Foreman



Adrien de Beaupre

Adrien de Beaupre is a certified SANS instructor and works as an independent consultant in beautiful Ottawa, Ontario. His work experience includes technical instruction, vulnerability assessment, penetration testing, intrusion detection, incident response and forensic analysis. He is a member of the SANS Internet Storm Center (isc.sans.edu). He is actively involved with the information security community, and has been working with SANS since 2000. Adrien holds a variety of certifications including the GXPN, GPEN, GWAPT, GCIH, GCIA, GSEC, CISSP, OPST, and OPSA. When not geeking out he can be found with his family, or at the dojo.

Web: www.intru-shun.ca



Ted Demopoulos

Ted Demopoulos' first significant exposure to computers was in 1977 when he had unlimited access to his high school's PDP-11 and hacked at it incessantly. He consequently almost flunked out but learned he liked playing with computers a lot.

His business pursuits began in college and have been continuous ever since. His background includes over 25 years of experience in information security and business, including 20+ years as an independent consultant.

Ted helped start a successful information security company, was the CTO at a "textbook failure" of a software startup, and has advised several other businesses. Ted is a frequent speaker at conferences and other events, quoted often by the press, the recipient of a Department of Defense Award of Excellence, and the author of several books including the recent Infosec Rock Star: How to Accelerate Your Career Because Geek Will Only Get You So Far.

In his spare time, he is also a food and wine geek, enjoys flyfishing and playing with his children.



Russell Eubanks

Russell Eubanks is Vice President and Chief Information Security Officer for the Federal Reserve Bank of Atlanta. He is responsible for developing and executing the Information Security strategy for both the Retail Payments Office and the Atlanta Reserve Bank. Russell has developed information security programs from the ground up and actively seeks opportunities to measurably increase their overall security posture.

Russell is a Handler for the SANS Internet Storm Center, serves on the Editorial Panel for the Critical Security Controls, and maintains securityeverafter.com. He holds a bachelor's degree in computer science from the University of Tennessee at Chattanooga.



Kevin Fiscus

Kevin Fiscus is the founder of and lead consultant for Cyber Defense Advisors where he performs security and risk assessments, vulnerability and penetration testing, security program design, policy development, and security awareness with a focus on serving the needs of small and mid-sized organizations. Kevin has over 20 years of IT experience and has focused exclusively on information security for the past 12. Kevin currently holds the CISA, GPEN, GREM, GMOB, GCED, GCFA-Gold, GCIA-Gold, GCIH, GAWN, GPPA, GCWN, GCSC-Gold, GSEC, SCSA, RCSE, and SnortCP certifications and is proud to have earned the top information security certification in the industry, the GIAC Security Expert. Kevin has also achieved the distinctive title of SANS Cyber Guardian for both red team and blue team. Kevin has taught many of SANS's most popular classes including SEC401, SEC464, SEC503, SEC504, SEC542, SEC560, SEC561, SEC575, FOR508, and MGT414.

You can reach Kevin on Twitter @kevinbfiscus or on LinkedIn at http://www.linkedin.com/in/kevinbfiscus.

Kevin Fiscus is one of the best instructors I have seen! Great find SANS! - David Hoid, Employers Holdings



Jason Fossen

Jason Fossen is a principal security consultant at Enclave Consulting LLC, a published author, and a frequent public speaker on Microsoft security issues. He is the sole author of the SANS Institute's week-long Securing Windows course (SEC505), maintains the Windows day of Security Essentials (SEC401.5), and has been involved in numerous other SANS projects since 1998. He graduated from the University of Virginia, received his master's degree from the University of Texas at Austin, and holds a number of professional certifications. He currently lives in Dallas, Texas. Jason blogs about Windows Security Issues on the SANS Cyber Defense Blog.



Bryce Galbraith

"The world isn't run by weapons anymore, or energy, or money. It's run by little ones and zeroes, little bits of data. It's all just electrons." -- Cosmo, from "Sneakers"

As a contributing author of the internationally bestselling book Hacking Exposed: Network Security Secrets & Solutions, Bryce helped bring the secret world of hacking out of the darkness and into the public eye. Bryce has held security positions at global ISPs and Fortune 500 companies; he was a member of Foundstone's renowned penetration testing team and served as a senior instructor and co-author of Foundstone's Ultimate Hacking: Hands-On course series. Bryce is currently the owner of Layered Security, where he provides specialized vulnerability assessment and penetration testing services for clients. He teaches several of the SANS Institute's most popular courses and develops curriculum around current topics. He has taught the art of ethical hacking and countermeasures to thousands of IT professionals from a who's who of top companies, financial institutions, and government agencies around the globe. Bryce is an active member of several security-related organizations, holds several security certifications, and speaks at conferences around the world.

Bryce is an excellent instructor. His knowledge and delivery are exceptional. - Chris Shipp, DM Petroleum Operations Co.



Jess Garcia

Jess Garcia is the founder and technical lead of One eSecurity, a global Information Security company specialised in Incident Response and Digital Forensics.

With nearly 20 years in the field, and an active researcher in the area of innovation for Digital Forensics, Incident Response and Malware Analysis, Jess is today an internationally recognised Digital Forensics and Cybersecurity expert, having led the response and forensic investigation of some of the world's biggest incidents in recent times.

In his career Jess has worked on a myriad of highly sensitive projects with top global customers in sectors such as financial & insurance, corporate, media, health, communications, law firms or government, as well as in other Cybersecurity areas such as Security Architecture Design and Review, Penetration Tests, Vulnerability Assessments, etc.

A Principal SANS Instructor with almost 15 years of SANS instructing experience, Jess is also a regular invited speaker at Security and DFIR conferences worldwide.

Previously, Jess worked for 10 years as a systems, network and security engineer in the Spanish Space Agency, where he collaborated as a security advisor with the European Space Agency, NASA, and other international organisations.

Jess holds a Master of Science in Telecommunications Engineering + Computer Science from the Univ. Politecnica de Madrid.



Tim Garcia

Timothy Garcia is a seasoned security professional who loves the challenge and continuously changing landscape of defense. Tim started his career as an engineer in IT and, after working on a few security incidents related to Code Red and Nimda, he realized he had found his calling. Tim currently works as an Information Security Engineer for a Fortune 100 financial institution where he provides security consulting to project teams to ensure security of IT operations and compliance with policies and regulations. Tim also leads the team that is tasked with Firewall review, SIEM management and privileged access monitoring and policy compliance. Tim has worked as a Systems Engineer and DBA and has expertise in systems engineering, project management and information security principles and procedures/compliance. Tim previously worked for Intel and served in the United States Navy. Tim also works with the OnDemand team as an SME, is a mentor for the Vet Success program and provides consulting and content review for the Securing the Human project within SANS. Tim is a contributor to the Arizona Cyber Warfare Range and works with the local security community giving monthly talks, when not teaching for SANS, on information security tools and techniques.

Tim is as passionate about teaching security as he is performing it and receives the greatest joy when he sees the look in a student's eye when something they never quite understood finally makes sense.

Tim holds the CISSP, GSEC, GSLC, GISF, GMON, GAWN, GCCC, and GCED as well as the NSA-IAM certifications.  He has extensive knowledge of security procedures and legislation such as Sarbanes-Oxley, GLBA, CobiT, COSO, and ISO 1779.  

When Tim is not defending systems, he enjoys playing sports, snowboarding and most of all spending time with his wife and four children.



Jonathan Ham

Jonathan is an independent consultant who specializes in large-scale enterprise security issues, from policy and procedure, through staffing and training, to scalable prevention, detection, and response technology and techniques. With a keen understanding of ROI and TCO (and an emphasis on process over products), he has helped his clients achieve greater success for over 20 years, advising in both the public and private sectors, from small upstarts to the Fortune 500. He's been commissioned to teach NCIS investigators how to use Snort, performed packet analysis from a facility more than 2000 feet underground, and chartered and trained the CIRT for one of the largest U.S. Civilian Federal agencies.

He has variously held the CISSP, GSEC, GCIA, and GCIH certifications, and is a member of the GIAC Advisory Board.

A former combat medic, Jonathan still spends some of his time practicing a different kind of emergency response, volunteering and teaching for both the National Ski Patrol and the American Red Cross.



Paul A. Henry

Paul Henry is a Senior Instructor with the SANS Institute and one of the world's foremost global information security and computer forensic experts with more than 30 years of experience covering all 10 domains of network security. Paul began his career in critical infrastructure / process control supporting power generation and currently manages security initiatives and incident response for Global 2000 enterprises and government organizations worldwide.

Paul is a principal at vNet Security, LLC and is keeping a finger on the pulse of network security as the security and forensic analyst at Lumension Security and as a retained security expert for multiple financial and healthcare firms.

Throughout his career, Paul has played a key strategic role in launching new network security initiatives to meet our ever-changing threat landscape. Paul also advises and consults on some of the world's most challenging and high-risk information security projects, including the National Banking System in Saudi Arabia, the Reserve Bank of Australia, the Department of Defense's Satellite Data Project (USA), and both government as well as telecommunications projects throughout Southeast Asia.

Paul is frequently cited by major and trade print publications as an expert in perimeter security, incident response / computer forensics and general security trends and serves as an expert commentator for network broadcast outlets, such as FOX, NBC, CNN, and CNBC. In addition, Paul regularly authors thought leadership articles on technical security issues, and his expertise and insight help shape the editorial direction of key security publications, such as the Information Security Management Handbook, where he is a consistent contributor. Paul serves as a featured and keynote speaker at seminars and conferences worldwide, delivering presentations on diverse topics including anti-forensics, network access control, cyber crime, DDoS attack risk mitigation, perimeter security, and incident response.

Listen to Paul discuss "Incident Response and Forensics in the Cloud" in this SANS webcast that every DFIR professional should listen to.



David Hoelzer

David Hoelzer is the author of more than twenty days of SANS courseware. He is an expert in a variety of information security fields, having served in most major roles in the IT and security industries over the past twenty-five years. Recently, David was called upon to serve as an expert witness for the Consumer Financial Protection Bureau in a landmark case regarding information security governance within corporations in the financial sector and has previously served as an expert for the Federal Trade Commission for GLBA Privacy Rule litigation and other matters. David has been highly involved in governance at SANS Technology Institute, serving as a member of the Curriculum Committee, Long Range Planning Committee, GIAC Ethics Board, and as Dean of Faculty. As a SANS instructor, David has trained security professionals from organizations including NSA, DHHS, Fortune 500 security engineers and managers, various Department of Defense sites, national laboratories, and many colleges and universities. Outside of SANS, David is a research fellow in the Center for Cybermedia Research, a research fellow for the Identity Theft and Financial Fraud Research Operations Center (ITFF/ROC), an adjunct research associate of the UNLV Cybermedia Research Lab, a research fellow with the Internet Forensics Lab, and an adjunct lecturer in the UNLV School of Informatics. David has written and contributed to more than 15 peer reviewed books, publications, and journal articles. Currently, David serves as the principal examiner and director of research for Enclave Forensics, a New York/Las Vegas based incident response and forensics company. He also serves as the chief information security officer for Cyber-Defense, an open-source security software solution provider. In the past, David served as the director of the GIAC Certification program, bringing the GIAC Security Expert certification to life. 
David holds a BS in IT and an MS in Computer Science, having spent time either attending or consulting for Stony Brook University, Binghamton University, and American Intercontinental University.



David R. Miller

David has been a network engineer, consultant, security designer and architect, author, and technical instructor since the early 1980s and has specialized in IT security and compliance work in recent years. David is a certified instructor for The SANS Institute and has been an instructor with SANS since 2012. David is the lead instructor for the CISSP certification course, and his students consistently rate David's lectures as excellent. A recent survey showed that approximately 93% of the students attending his CISSP classes passed the very challenging 6-hour certification exam on their first attempt. David has lectured on information systems security, compliance, and network engineering to prestigious groups including The Smithsonian Institute, the U.S. Military Academy at West Point, the U.S. Army Advanced Battle Command, the U.S. Navy Seventh Fleet, the U.S. Department of the Interior, Cisco Systems, Inc., Oracle Corporation, Symantec Corporation, Hewlett-Packard Company, and JP Morgan Chase & Co. Global Financial Services, to name a few.

In addition to writing and lecturing, David routinely performs as an IT security and compliance consultant, performing gap analysis and remediation services largely focused in the Payment Card Industry Data Security Standard (PCI-DSS credit card data), and the Healthcare Information Portability and Accountability Act (HIPAA - patients' medical information) for medical practices. He is a Qualified Security Assessor of PCI and a Microsoft Subject Matter Expert on the Windows Active Directory enterprise network operating system platform. He performs as a security designer and architect working with Dell SecureWorks security consulting. 

David is an author, a lecturer, and technical editor of books, curriculum, certification exams and computer based training videos. He has had ten books published to date, with five of them focused on IT security, and the others targeting enterprise level network engineering, network architecture, and operating system administration.



Michael Murr

Michael has been a forensic analyst with Code-X Technologies for over five years, has conducted numerous investigations and computer forensic examinations, and has performed specialized research and development. Michael has taught SANS SEC504: Hacker Techniques, Exploits, and Incident Handling, SANS FOR508: Computer Forensics, Investigation, and Response, and SANS FOR610: Reverse-Engineering Malware; has led SANS Online Training courses and is a member of the GIAC Advisory Board. Currently, Michael is working on an open-source framework for developing digital forensics applications. Michael holds the GCIH, GCFA, and GREM certifications and has a degree in computer science from California State University at Channel Islands. Michael also blogs about digital forensics on his forensic computing blog.



Keith Palmgren

Keith Palmgren is a Cybersecurity professional with over 30 years of experience specializing in the IT Security field. He is a SANS Senior Instructor and the author of SANS SEC301: "Introduction to Information Security."

Keith also runs a successful security consulting practice, working with corporate leadership and security staff to help lower their organization's risk.  Keith divides his remaining time between freelance writing and his family.


Keith began his career in January 1985 with the U.S. Air Force working with cryptographic keys & codes management. He also worked in what was, at the time, the newly formed Air Force computer security department. Following the Air Force, Keith joined AT&T/Lucent as a Senior Security Architect working on engagements with the DoD and the National Security Agency.

Later, as Security Consulting Practice Manager for Sprint, Keith built and ran the second largest security consulting practice of its time. He was responsible for all Sprint security consulting worldwide and for leading dozens of security professionals on many consulting engagements across all business spectrums.

During his career, Keith has authored 22 training courses.  The American Council on Education certified seven of those courses as eligible for college credit.  

Keith currently holds eleven computer security certifications (CISSP, GSEC, GCIH, GCED, GISF, CEH, Security+, Network+, A+, CTT+).



Hal Pomeranz

"Sometimes there's a moment in a case where I find a crucial piece of evidence hidden away where not many investigators would think to look. And I think to myself, 'I'm glad I was the one to work on this case, because this finding was important.' That's how I know I'm in the right field." ~ Hal Pomeranz

Hal Pomeranz is an independent digital forensic investigator who has consulted on cases ranging from intellectual property theft, to employee sabotage, to organized cybercrime and malicious software infrastructures. He has worked with law enforcement agencies in the United States and Europe, and with global corporations.

While perfectly at home in the Windows and Mac forensics world, Hal is a recognized expert in the analysis of Linux and Unix systems, and has made key contributions in this domain. His EXT3 file recovery tools are used by investigators worldwide. His research on EXT4 file system forensics provided a basis for the development of open source forensic support for this file system. Hal has also contributed a popular tool for automating Linux memory acquisition and analysis. But Hal is fundamentally a practitioner, and that's what drives his research. His EXT3 file recovery tools were the direct result of an investigation, recovering data that led to multiple indictments and successful prosecutions.

Raised in the Open Source tradition, Hal shares his most productive tools and techniques with the community via his GitHub and blogging activity. And nobody can show you how to forensicate with Open Source tools like Hal!

Hal is a SANS faculty fellow and the creator and primary instructor for the Securing Linux/Unix (SEC506) course. In the SANS DFIR curriculum he teaches Advanced Digital Forensics, Incident Response, and Threat Hunting (FOR508), Advanced Network Forensics and Analysis (FOR572), Mac Forensics Analysis (FOR518), and Reverse-Engineering Malware: Malware Analysis Tools and Techniques (FOR610). Hal holds the GIAC certification for the following courses: GCUX, GCFA, GNFA, and GREM.
 

Hal is a regular contributor to the SANS Digital Forensics and Incident Response blog and co-author of the Command Line Kung Fu blog. He's a former board member for USENIX, BayLISA and BackBayLISA; former technical editor for Sys Admin Magazine; and a respected author and highly rated instructor at industry gatherings worldwide. Hal is an avid baseball fan, so in the summer you'll usually find him at his local minor league ballpark or catching up on major league games. He enjoys travel, theatre, and food (both cooking and eating), but his first priority is keeping up with the interests of his kids: Disney, gymnastics, Legos, and video games.

Get to Know Hal

  • Over 25 years of industry experience
  • Founder and Principal Consultant for Deer Run Associates
  • GIAC Certified Forensic Analyst (GCFA), Network Forensic Analyst (GNFA), Malware Analyst (GREM), and Unix Administrator (GCUX)
  • SANS Faculty Fellow and SANS' longest tenured instructor
  • Hal is a contributor to the SANS Digital Forensics and Incident Response blog

Learn more about Hal Pomeranz in this DFIR Hero interview on the SANS DFIR Blog.

Here's What Students Are Saying about SANS Certified Instructor Hal Pomeranz:

"Great intro to malware analysis. Hal Pomeranz, instructor, was extremely knowledgeable on the subject. Highly recommended." - Jonathon Hinson, Duke Energy

"Hal is one of the finest instructors I've ever had the pleasure to take a class from. He possesses the rare ability to bring information on cutting edge techniques to the classroom and present it in a way that makes his students comfortable with these techniques as if they were old hat." - Chris Calabrese, Medco Health Solutions, Inc.

Listen to Hal discuss Incident Response Event Log Analysis.



Dave Shackleford

Dave Shackleford is the owner and principal consultant of Voodoo Security and a SANS analyst, senior instructor, and course author. He has consulted with hundreds of organizations in the areas of security, regulatory compliance, and network architecture and engineering, and is a VMware vExpert with extensive experience designing and configuring secure virtualized infrastructures. He has previously worked as CSO for Configuresoft, CTO for the Center for Internet Security, and as a security architect, analyst, and manager for several Fortune 500 companies. Dave is the author of the Sybex book Virtualization Security: Protecting Virtualized Environments, as well as the coauthor of Hands-On Information Security from Course Technology. Recently Dave coauthored the first published course on virtualization security for the SANS Institute. Dave currently serves on the board of directors at the SANS Technology Institute and helps lead the Atlanta chapter of the Cloud Security Alliance. Dave earned his MBA from Georgia State University.

Dave knows his stuff and explains the material in an easy-to-understand way. - Jonathan O'Neal, Monster.com



Bryan Simon

Bryan Simon is an internationally recognized expert in cybersecurity and has been working in the information technology and security field since 1991. Over the course of his career, Bryan has held various technical and managerial positions in the education, environmental, accounting, and financial services sectors. Bryan speaks on a regular basis at international conferences and with the press on matters of cybersecurity. He has instructed individuals from organizations such as the FBI, NATO, and the UN in matters of cybersecurity, on three continents. Bryan has specialized expertise in defensive and offensive capabilities. He has received recognition for his work in I.T. Security, and was most recently profiled by McAfee (part of Intel Security) as an I.T. Hero. Bryan holds 13 GIAC Certifications including GSEC, GCWN, GCIH, GCFA, GPEN, GWAPT, GAWN, GISP, GCIA, GCED, GCUX, GISF, and GMON. Bryan's scholastic achievements have resulted in the honour of sitting as a current member of the Advisory Board for the SANS Institute, and his acceptance into the prestigious SANS Cyber Guardian program. Bryan is a SANS Certified Instructor for SEC401: Security Essentials Bootcamp Style, SEC501: Advanced Security Essentials - Enterprise Defender, SEC505: Securing Windows with Powershell and the Critical Security Controls, and SEC511: Continuous Monitoring and Security Operations.

"Excellent breakdown of difficult concepts - great use of humor." - Steve Kirchmyer

"Really like the example stories. They help illustrate the point of each lesson very effectively." - Kevin Westbur, I.D.A.

"As a former educator, I'm very impressed with Bryan." - Adam Austin, H-Bar Cyber Solutions

"Bryan is a tremendous instructor, one of the best I have had in over 30 years in the IT field. He is able to hold my attention throughout, and he brings real-world experience." - Alan J. Cutler, Westat

View Upcoming Training for Bryan Simon


Stephen Sims

Stephen Sims is an industry expert with over 15 years of experience in information technology and security. Stephen currently works out of San Francisco as a consultant performing reverse engineering, exploit development, threat modeling, and penetration testing. Stephen has an MS in information assurance from Norwich University and is a course author and a Faculty Fellow for the SANS Institute. He is the author of SANS' only 700-level course, SEC760: Advanced Exploit Development for Penetration Testers, which concentrates on complex heap overflows, patch diffing, and client-side exploits. Stephen is also the lead author on SEC660: Advanced Penetration Testing, Exploits, and Ethical Hacking. He holds the GIAC Security Expert (GSE) certification as well as the CISSP, CISA, Immunity NOP, and many other certifications. In his spare time Stephen enjoys snowboarding and writing music.

Looking at everything I have learned from Stephen, I definitely feel I have gained an edge when it comes to the augmentation of my pentest skills. He made the impossible understandable and I am grateful for that. - Alexander Cobblah, Booz Allen Hamilton

View Upcoming Training for Stephen Sims


James Tarala

James Tarala is a principal consultant with Enclave Security and is based out of Venice, Florida. He is a regular speaker and senior instructor with the SANS Institute as well as a courseware author and editor for many SANS auditing and security courses. As a consultant, he has spent the past few years architecting large enterprise IT security and infrastructure architectures, specifically working with many Microsoft-based directory services, e-mail, terminal services, and wireless technologies. He has also spent a large amount of time consulting with organizations to assist them in their security management, operational practices, and regulatory compliance issues, and he often performs independent security audits and assists internal audit groups in developing their internal audit programs. James completed his undergraduate studies at Philadelphia Biblical University and his graduate work at the University of Maryland. He holds numerous professional certifications.

View Upcoming Training for James Tarala


Dr. Johannes Ullrich

Johannes is currently responsible for the SANS Internet Storm Center (ISC) and the GIAC Gold program. In 2000, he founded DShield.org, which is now the data collection engine behind the ISC. His work with the ISC has been widely recognized, and in 2004, Network World named him one of the 50 most powerful people in the networking industry. Prior to working for SANS, Johannes worked as a lead support engineer for a web development company and as a research physicist. Johannes holds a PhD in physics from SUNY Albany and is based in Jacksonville, Florida. His daily podcast summarizes current security news in a concise format. Listen to Johannes discuss "HTML5: Risky Business or Hidden Security Tool Chest for Mobile Web App Authentication" in this SANS webcast.

View Upcoming Training for Dr. Johannes Ullrich


Ismael Valenzuela

Since he founded one of the first IT Security consultancies in Spain, Ismael Valenzuela has participated as a security professional in numerous projects across the globe over the past 17 years.

As a top cybersecurity expert with strong technical background and deep knowledge of penetration testing, security architectures, intrusion detection and computer forensics, Ismael has provided security consultancy, advice and guidance to large government and private organizations, including major EU Institutions and US Government Agencies. 

Prior to his current role as Principal Engineer at McAfee, where he leads research on threat hunting using machine-learning and expert-system driven investigations, Ismael led the delivery of SOC, IR & Forensics services for the Foundstone Services team within Intel globally. Previously, Ismael worked as Global IT Security Manager for iSOFT Group Ltd, one of the world's largest providers of healthcare IT solutions, managing their security operations in more than 40 countries.

He holds a bachelor's degree in computer science from the University of Malaga (Spain), is certified in business administration, and holds many professional certifications. These include the highly regarded GIAC Security Expert (GSE #132) in addition to GREM, GCFA, GCIA, GCIH, GPEN, GCUX, GCWN, GWAPT, GSNA, GMON, CISSP, ITIL, CISM, and IRCA 27001 Lead Auditor from Bureau Veritas UK.

View Upcoming Training for Ismael Valenzuela


Donald Williams

Donald retired from active duty in 2014 after over 20 years of service in the U.S. Army.  He has extensive experience in incident handling, intrusion analysis, and network auditing.  During his career in the Army, he served as the Defensive Cyber Operations Chief for the Army's Regional Computer Emergency Response Team in South West Asia (RCERT-SWA), directly overseeing the intrusion analysis and incident response teams for one of the Army's largest networks spanning over 10 countries.  Donald holds several GIAC certifications, including the GIAC Security Expert (GSE), GCIH, GCIA, and GSNA certifications, as well as numerous other industry certifications. 

View Upcoming Training for Donald Williams


To see more information about SANS Cyber Defence Instructors click here.

Management Courses Instructor List


Ted Demopoulos

Ted Demopoulos' first significant exposure to computers was in 1977 when he had unlimited access to his high school's PDP-11 and hacked at it incessantly. He consequently almost flunked out but learned he liked playing with computers a lot.

His business pursuits began in college and have been continuous ever since. His background includes over 25 years of experience in information security and business, including 20+ years as an independent consultant.

Ted helped start a successful information security company, was the CTO at a "textbook failure" of a software startup, and has advised several other businesses. Ted is a frequent speaker at conferences and other events, quoted often by the press, the recipient of a Department of Defense Award of Excellence, and the author of several books including the recent Infosec Rock Star: How to Accelerate Your Career Because Geek Will Only Get You So Far.

In his spare time, he is also a food and wine geek, enjoys flyfishing and playing with his children.

View Upcoming Training for Ted Demopoulos


G. Mark Hardy


G. Mark Hardy is founder and President of National Security Corporation. He has been providing cyber security expertise to government, military, and commercial clients for over 35 years, and is an internationally recognized expert and keynote who has spoken at over 250 events world-wide. He provides consulting services as a virtual CISO, expert witness testimony, and domain expertise in blockchain and cryptocurrency.

G. Mark serves on the Advisory Board of CyberWATCH, an Information Assurance/ Information Security Advanced Technology Education Center of the National Science Foundation.  Mr. Hardy is a retired U.S. Navy captain and was entrusted with nine command assignments, including responsibility for leadership training for 70,000 Sailors.  

A graduate of Northwestern University, he holds a BS in computer science, a BA in mathematics, a master's in business administration, and a master's in strategic studies, as well as the GSLC, CISSP, CISM and CISA certifications.

View Upcoming Training for G. Mark Hardy


David Hoelzer

David Hoelzer is the author of more than twenty days of SANS courseware. He is an expert in a variety of information security fields, having served in most major roles in the IT and security industries over the past twenty-five years. Recently, David was called upon to serve as an expert witness for the Consumer Financial Protection Bureau in a landmark case regarding information security governance within corporations in the financial sector and has previously served as an expert for the Federal Trade Commission for GLBA Privacy Rule litigation and other matters. David has been highly involved in governance at SANS Technology Institute, serving as a member of the Curriculum Committee, Long Range Planning Committee, GIAC Ethics Board, and as Dean of Faculty. As a SANS instructor, David has trained security professionals from organizations including NSA, DHHS, Fortune 500 security engineers and managers, various Department of Defense sites, national laboratories, and many colleges and universities. Outside of SANS, David is a research fellow in the Center for Cybermedia Research, a research fellow for the Identity Theft and Financial Fraud Research Operations Center (ITFF/ROC), an adjunct research associate of the UNLV Cybermedia Research Lab, a research fellow with the Internet Forensics Lab, and an adjunct lecturer in the UNLV School of Informatics. David has written and contributed to more than 15 peer reviewed books, publications, and journal articles. Currently, David serves as the principal examiner and director of research for Enclave Forensics, a New York/Las Vegas based incident response and forensics company. He also serves as the chief information security officer for Cyber-Defense, an open-source security software solution provider. In the past, David served as the director of the GIAC Certification program, bringing the GIAC Security Expert certification to life. 
David holds a BS in IT and an MS in Computer Science, having spent time either attending or consulting for Stony Brook University, Binghamton University, and American Intercontinental University.

View Upcoming Training for David Hoelzer


Frank Kim

Frank Kim is the founder of ThinkSec, a security consulting and CISO advisory firm. Previously, as CISO at the SANS Institute, Frank led the information risk function for the most trusted source of computer security training and certification in the world. With the SANS Institute, Frank continues to lead the management and software security curricula, helping to develop the next generation of security leaders.

Frank was also executive director of cybersecurity at Kaiser Permanente where he built an innovative security program to meet the unique needs of the nation's largest not-for-profit health plan and integrated health care provider with annual revenue of $60 billion, 10 million members, and 175,000 employees.

Frank holds degrees from the University of California at Berkeley and is the author and instructor of popular courses on strategic planning, leadership, application security, and DevOps.

"Frank provided great real world examples of attacks, course material, and quality. This is the best secure development course I have come across taught by a great instructor with top teaching skills and time management." - Andreas Hegna, Storebrand Livsforsikring AS

"Frank is a very engaging speaker and brings the examples in the class that can actually be used in real world scenarios." - Anthony Head, University of Richmond

View Upcoming Training for Frank Kim


David R. Miller

David has been a network engineer, consultant, security designer and architect, author, and technical instructor since the early 1980s and has specialized in IT security and compliance work in recent years. David is a certified instructor for The SANS Institute and has been an instructor with SANS since 2012. David is the lead instructor for the CISSP certification course, and his students consistently rate David's lectures as excellent. A recent survey showed that approximately 93% of the students attending his CISSP classes passed the very challenging 6-hour certification exam on their first attempt. David has lectured on information systems security, compliance, and network engineering to prestigious groups including The Smithsonian Institute, the U.S. Military Academy at West Point, the U.S. Army Advanced Battle Command, the U.S. Navy Seventh Fleet, the U.S. Department of the Interior, Cisco Systems, Inc., Oracle Corporation, Symantec Corporation, Hewlett-Packard Company, and JP Morgan Chase & Co. Global Financial Services, to name a few.

In addition to writing and lecturing, David routinely performs as an IT security and compliance consultant, performing gap analysis and remediation services largely focused in the Payment Card Industry Data Security Standard (PCI-DSS credit card data), and the Healthcare Information Portability and Accountability Act (HIPAA - patients' medical information) for medical practices. He is a Qualified Security Assessor of PCI and a Microsoft Subject Matter Expert on the Windows Active Directory enterprise network operating system platform. He performs as a security designer and architect working with Dell SecureWorks security consulting. 

David is an author, a lecturer, and technical editor of books, curriculum, certification exams and computer based training videos. He has had ten books published to date, with five of them focused on IT security, and the others targeting enterprise level network engineering, network architecture, and operating system administration.

View Upcoming Training for David R. Miller


Keith Palmgren

Keith Palmgren is a cybersecurity professional with over 30 years of experience specializing in the IT Security field. He is a SANS Senior Instructor and the author of SANS SEC301: "Introduction to Information Security."

Keith also runs a successful security consulting practice, working with corporate leadership and security staff to help lower their organization's risk.  Keith divides his remaining time between freelance writing and his family.


Keith began his career in January 1985 with the U.S. Air Force working with cryptographic keys & codes management. He also worked in what was, at the time, the newly formed Air Force computer security department. Following the Air Force, Keith joined AT&T/Lucent as a Senior Security Architect working on engagements with the DoD and the National Security Agency.

Later, as Security Consulting Practice Manager for Sprint, Keith built and ran the second largest security consulting practice of its time. He was responsible for all Sprint security consulting worldwide and for leading dozens of security professionals on many consulting engagements across all business spectrums.

During his career, Keith has authored 22 training courses.  The American Council on Education certified seven of those courses as eligible for college credit.  

Keith currently holds eleven computer security certifications (CISSP, GSEC, GCIH, GCED, GISF, CEH, Security+, Network+, A+, CTT+).

View Upcoming Training for Keith Palmgren


Clay Risenhoover

Clay is the president of Risenhoover Consulting, Inc., an IT management consulting firm based in Durant, Oklahoma. Founded in 2003, RCI provides IT audit and IT management consulting services to clients in multiple sectors. Clay's past experience includes positions in software development, technical training, LAN and WAN operations, and IT management in both the private and public sector. He has a master's degree in computer science and holds a number of technical and security certifications, including GPEN, GSNA, CISA, CISM, GWEB and CISSP.

View Upcoming Training for Clay Risenhoover


Lance Spitzner

Lance Spitzner has over 20 years of security experience in cyber threat research, awareness and training.  He invented the concept of honeynets, founded the Honeynet Project and published three security books.  Lance has worked and consulted in over 25 countries and helped over 350 organizations plan, maintain and measure their security awareness programs.  In addition, Lance is a  member of the Board of Directors for the National Cyber Security Alliance, frequent presenter, serial tweeter (@lspitzner) and works on numerous community security projects.  Before working in information security, Mr. Spitzner served as an armor officer in the Army's Rapid Deployment Force and earned his MBA from the University of Illinois.

View Upcoming Training for Lance Spitzner


To see more information about SANS Management Instructors click here.

DFIR Courses Instructor List


Steve Armstrong

Steve began working in the security arena in 1994 whilst serving in the UK Royal Air Force. He specialized in the technical aspects of IT security from 1997 onward, and before retiring from active duty, he led the RAF's penetration and TEMPEST testing teams. He founded Logically Secure in 2006 to provide specialist security advice to government departments, defense contractors, the online video gaming industry, and both music and film labels worldwide.

When not teaching for SANS, Steve provides penetration testing and incident response services for some of the biggest household names in gaming and music media. To relax, Steve enjoys playing Battlefield to loud music and developing collaborative DFIR tools.

Steve Armstrong's energy is contagious. Although the day was long, I felt alert and engaged at all times. - Amr Zakaa Khalife, Vodafone Egypt

View Upcoming Training for Steve Armstrong


George Bakos

George Bakos has been interested in computer security since the early 1980s when he discovered the joys of BBSs and corporate databases. These days he is Technical Fellow & Manager of Cyber Threat Assessment & Awareness at Northrop Grumman, a global leader in Cybersecurity, Aerospace & Defense. While at the Institute for Security Technology Studies, George was the developer of Tiny Honeypot and the IDABench intrusion analysis system and led the Dartmouth Distributed Honeynet System, fielding deception systems and studying the actions of attackers worldwide. He developed and taught the U.S. Army National Guard's CERT technical curriculum and ran the NGB's Information Operations Training and Development Center research lab for two years, fielding and supporting Computer Emergency Response Teams throughout the United States. A recognized authority in computer security, he has contributed to numerous books and open source software projects; has been interviewed on radio, television, and online publications; briefed the highest levels of government; and has been a member of the SANS Institute teaching faculty since 2001. Outside the lab, George enjoys the beauties of his home state, Vermont, through skiing, ice and rock climbing, and mountain biking.

George teaches you practical skills and provides real-world examples of IT security issues. - Mark Lian, Northrop Grumman

View Upcoming Training for George Bakos


Carlos Cajigas

Carlos Cajigas has his heart fully invested in his work. Following the terrorist attacks on September 11, 2001, Carlos was inspired to pursue a career in law enforcement in order to combine his passion for computers with his sense of duty to protect victims of cybercrime and make the world a safer place. Today, Carlos has expanded his pursuits to include being an instructor and blogger, enabling him to share his knowledge and experience with others interested in pursuing a career in digital forensics.

A native of San Juan, Puerto Rico, Carlos began his career with the West Palm Beach Police Department in Florida, first as a police officer and eventually as a digital forensics detective, examiner, and instructor specializing in computer crime investigations. During his law enforcement tenure, Carlos conducted examinations on hundreds of digital devices, from computers and mobile phones to GPS devices, and served as both a fact and expert witness in the State of Florida. In 2013, Carlos taught mobile forensic courses in Latin America for the U.S. State Department's Anti-Terrorism Assistance Program.   

Today, Carlos is a Senior Incident Response Consultant at DXC, where he is responsible for responding to computer and network security threats for clients located in North and South America. Carlos also teaches FOR500: Windows Forensic Analysis and FOR508: Advanced Digital Forensics, Incident Response, and Threat Hunting at the SANS Institute, where he brings his experience with law enforcement forensics and enterprise incident response to the classroom.

"My teaching philosophy is simple," Carlos says. "I strive to empower each student by developing their ability to conquer knowledge of a forensic technique, using demonstrations and the sharing of real-life applications and implications as to why a technique is important. I want my students to know which specific artifacts to analyze regardless of the tool chosen for the analysis."

Digital crime has increased dramatically in recent years, and hard drive sizes have expanded exponentially, greatly increasing the number of cases and devices that need to be analyzed.

"The days of imaging and processing extremely large hard drives for hours before beginning analysis is a thing of the past," says Carlos. "Taking into consideration limited resources and manpower, today's examiners must be as efficient as possible in what we do and how we do it."

To help students overcome these challenges, Carlos shares techniques in his classes on how to directly target specific files and folders that can yield the biggest amount of answers in the least amount of time. "That way you can have answers within minutes rather than within hours," he says. 

Carlos has been involved in hundreds of cases and helped obtain numerous convictions using many of the techniques he teaches in class. As an investigator, he gets great satisfaction knowing that he did his part in protecting victims. As a teacher, seeing students grasp his explanation of an artifact can be just as satisfying, knowing that he is preparing them for the challenges of the future.

Carlos holds bachelor's and master's degrees from Palm Beach Atlantic University in Florida, and has completed numerous training courses, including courses offered by Guidance Software (EnCase), National White Collar Crime Center (NW3C), Access Data (FTK), United States Secret Service, the International Association of Computer Investigative Specialists (IACIS), and SANS.

Carlos also holds numerous certifications in the digital forensics field, including EnCase Certified Examiner (EnCE), Certified Digital Forensic Examiner (CDFE) from Mile2, Access Data Certified Examiner (ACE), Certified Forensic Computer Examiner (CFCE) from IACIS, and the GIAC Certified Forensic Analyst (GCFA) and GIAC Certified Forensic Examiner (GCFE) from SANS. Carlos is a Florida Department of Law Enforcement (FDLE) certified instructor with experience teaching digital forensic classes. He is an active member of both the International Association of Computer Investigative Specialists (IACIS) and Miami Electronic Crimes Task Force (MECTF).

Carlos also maintains a computer forensics blog aimed at helping other digital forensic examiners use free open-source Linux-based tools to do their jobs. He hopes to develop and increase awareness in this area and believes that open-source tools can provide examiners with alternatives and/or supplement commercial software.

During his free time, Carlos throws his passion into his pursuit of designing and baking the best homemade pizza.

Qualifications Summary

  • More than 12 years of experience in digital forensics, both as a law enforcement officer and as an incident responder for IBM.
  • Instructor for FOR500: Windows Forensic Analysis at the SANS Institute

Get to Know Carlos Cajigas

Here is what students are saying about SANS Instructor Carlos Cajigas:

  • "The instructor has a great teaching style. He is able to balance course content with personal experience in an efficient manner (to not waste time in class). He explains complex concepts very well." - Luis Martinez, Westchester District Attorney's Office
  • "One of the best instructors I have had." - Patrick O'Leary, NCDOC  
  • "Carlos is a great instructor with a lot of energy to drive the point home." - Jason Hultman, Diplomat Pharmacy
  • "Great instructor, very experienced in teaching a wide audience." - Brian Plummer, CACI

View Upcoming Training for Carlos Cajigas


David Cowen

David Cowen is a Certified SANS Instructor and a Partner at G-C Partners, LLC, where his team of expert digital forensics investigators pushes the boundaries of what is possible on a daily basis. He has been working in digital forensics and incident response since 1999 and has performed investigations covering thousands of systems in the public and private sector. Those investigations have involved everything from revealing insider threats to serving as an expert witness in civil litigation and providing the evidence to put cyber criminals behind bars.  
 
David has authored three series of books on digital forensics: Hacking Exposed Computer Forensics (1st-3rd editions), Infosec Pro Guide to Computer Forensics, and the Anti Hacker Toolkit (Third Edition). His research into file system journaling forensics has created a new area of analysis that is changing the industry. Combined with Triforce products, David's research enables examiners to go back in time to find previously unknown artifacts and system interactions.
 
David speaks about digital forensics and file system journaling forensics at DFIR and Infosec conferences across the United States. He has taught digital forensics both as a SANS instructor and as a graduate instructor at Southern Methodist University.
 
David is a Certified Information Systems Security Professional (CISSP) and a GIAC Certified Forensic Examiner. He is the winner of the first SANS DFIR NetWars and a SANS Lethal Forensicator whose passion for digital forensics can be seen in everything he does. He started in 1996 as a penetration tester and has kept up his information security knowledge by acting as the Red Team captain for the National Collegiate Cyber Defense Competition for the last nine years.
 
David is the host of the Forensic Lunch, a popular DFIR podcast and live YouTube show, and the author of the award winning Hacking Exposed Computer Forensics Blog. The blog (www.hecfblog.com) contains some 448 articles on digital forensics.  David is a two-time Forensic 4cast award winner for both Digital Forensic Article of the Year and Digital Forensic Blog of the year. The Forensic 4cast award winners are nominated by their peers and voted on by the greater DFIR community.
 
When David is not researching, writing, testifying, or teaching about digital forensics he spends time with his family and working on mastering Texas BBQ.


"David Cowen rocks. He is funny. He is friendly and extremely knowledgeable."  -- Bob Akin, SAIC


"David was awesome, brilliant, and entertaining to learn from." -- Jonathan Reitnauer, Vanguard

"I have had the pleasure of teaching with David multiple times and working with him in the forensics field.  David's passion and knowledge has made him one of the leading minds and innovators in the digital forensics community.  I saw many students loving David's open approach to teaching and the fact you could tell he really cared that they learn and understand the material.  He is one of the finest instructors I have had the pleasure of working with.  He is one of the best I've seen."  --Rob Lee, SANS DFIR Lead


Listen to David Cowen's industry changing research, released on Windows USN Journal Analysis, for real-time tracking of a suspect's activity on a Windows system.

Learn more about David Cowen in this DFIR Hero interview on the SANS DFIR Blog.

View Upcoming Training for David Cowen


Mick Douglas

Even when his job title has indicated otherwise, Mick Douglas has been doing information security work for over 10 years. He received a bachelor's degree in communications from Ohio State University.  He is the managing partner for InfoSec Innovations.

He is always excited for the opportunity to share with others so they do not have to learn the hard way! By studying with Mick, security professionals of all abilities will gain useful tools and skills that should make their jobs easier. When he's not "geeking out" you'll likely find Mick indulging in one of his numerous hobbies: photography, scuba diving, or hanging around in the great outdoors.

"Mick does an excellent job of delivering the material. His interest in and passion for this class is obvious." - Matt Steinberg

"Priceless information! Best instructor ever." - Mat Rose, capgemini-gs

View Upcoming Training for Mick Douglas


Sarah Edwards

A self-described Mac nerd, Sarah Edwards is a forensic analyst, author, speaker, and both author and instructor of SANS FOR518: Mac Forensic Analysis.  She has been a devoted user of Apple devices for many years and has worked specifically in Mac forensics since 2004, carving out a niche for herself when this area of forensics was still new. Although Sarah appreciates digital forensics in all platforms, she has a passion for working within Apple environments and is well known for her work with cutting-edge Mac OS X and iOS, and for her forensic file system expertise.   

Sarah's dynamic classroom and presentation skills have been heralded by both her students and colleagues. She keeps students interested and engaged.  Sarah has more than 12 years of experience in digital forensics, and her passion for teaching is fueled by the ever-increasing presence of Mac devices in today's digital forensic investigations. Given the complexity of most cases and the high probability that an OS X or iOS will be a part of an investigation, deep knowledge of these Operating Systems is crucial to ensure that forensic analysts grasp all the information required in a case and not omit valuable data. 

"Apple devices will continue to grow in popularity, and digital forensic investigators and analysts must start paying more attention to them," Sarah explains. "Windows analysis is the base education in the field of digital forensics, and any additional skills you can acquire set you apart from the crowd, whether it is Mac, mobile, memory, or malware analysis."

Sarah has worked with federal law enforcement agencies on a variety of high-profile investigations in such areas as computer intrusions, criminal cases, counter-intelligence, counter-narcotics, and counter-terrorism.  Her research and analytical interests include Mac forensics, mobile device forensics, digital profiling, and malware reverse engineering.

A frequent presenter, Sarah has spoken at industry conferences including Shmoocon, Enfuse (formerly known as CEIC), DEF CON, BSides New Orleans, BSides Las Vegas, and the SANS DFIR Summit. She has a bachelor's degree in information technology from the Rochester Institute of Technology and a master's in information assurance from Capitol College. Beyond her deep interest in digital forensics and anything Mac, Sarah loves cooking, reading tech books, traveling anywhere, and "making things work".

Here's What Students Are Saying about SANS Certified Instructor Sarah Edwards:

  • "Sarah knows her stuff.  This course gets better each day.  Very useful information.  Well-formed course." - Anthony Cifaretto, Verizon
  • "Sarah gave another great day of presentations - her knowledge is impressive." - Ben Keck, Ciena
  • "Very comprehensive in-depth coverage of the course topic.  Excellent reference materials as a take-away." - Jennifer Barnes, Indiana State Police
  • "Sarah Edwards has spent the last several months putting the (FOR518) material together and I have to say that it is fantastic. The content is very detailed and provides excellent information. I have a fair amount of experience investigating Apple systems. In fact, Apple products appear to be the core (get it?) of what we do these days. As such I would not have expected to learn as much as I did but there were times this week when my jaw dropped at one of Sarah's revelations or one of Hal Pomeranz's demonstrations. I learned a great deal and am delighted at the fact that I was able to attend." - Lee Whitfield, 4:cast

SANS Instructor Endorsements:

"Sarah's expertise in authorship and instructing has led to the successful addition of the FOR518 Mac course to our lineup.  Sarah's classroom and presentation skills continuously pull in record scores.  She is absolutely the best at her trade." - Rob Lee, SANS Fellow and DFIR Curriculum Lead

"Sarah is clearly the Mac subject-matter expert who has designed a top-notch course. She handles student questions with the expertise and grace of the seasoned instructor she is." - Ovie Carroll, SANS Certified Instructor

"Sarah did an amazing job producing an incredibly detailed technical course on Mac Forensics. And then she shows up every time to teach and knocks it out of the park. Students can't help but respond to her total mastery of the material and enthusiasm for the subject matter." - Hal Pomeranz, SANS Fellow

Qualifications Summary:

  • More than 12 years of Mac forensics experience
  • More than 8 years' experience teaching in digital forensics
  • FOR518 Mac Forensics Analysis course and author statement

View Upcoming Training for Sarah Edwards


Kevin Fiscus

Kevin Fiscus is the founder of and lead consultant for Cyber Defense Advisors where he performs security and risk assessments, vulnerability and penetration testing, security program design, policy development, and security awareness with a focus on serving the needs of small and mid-sized organizations. Kevin has over 20 years of IT experience and has focused exclusively on information security for the past 12. Kevin currently holds the CISA, GPEN, GREM, GMOB, GCED, GCFA-Gold, GCIA-Gold, GCIH, GAWN, GPPA, GCWN, GCSC-Gold, GSEC, SCSA, RCSE, and SnortCP certifications and is proud to have earned the top information security certification in the industry, the GIAC Security Expert. Kevin has also achieved the distinctive title of SANS Cyber Guardian for both red team and blue team. Kevin has taught many of SANS's most popular classes including SEC401, SEC464, SEC503, SEC504, SEC542, SEC560, SEC561, SEC575, FOR508, and MGT414.

You can reach Kevin on Twitter @kevinbfiscus or on LinkedIn at http://www.linkedin.com/in/kevinbfiscus.

Kevin Fiscus is one of the best instructors I have seen! Great find SANS! - David Hoid, Employers Holdings

View Upcoming Training for Kevin Fiscus


Mathias Fuchs

"Renaissance man" may be the most fitting description of SANS instructor Mathias Fuchs, who is the Head of Cyberdefense at the Swiss firm InfoGuard AG as well as a volunteer paramedic and a pilot.

Mathias began his career teaching Linux administration and general IT security and quickly moved into penetration testing and red teaming. As his skills improved (and as breaking into customer systems got more repetitive and less demanding), Mathias sought new challenges that would expand his IT security acumen. So, he moved over to digital forensics and incident response, a field where the attacker unintentionally sets the pace and partly controls what an investigator needs to do - rather than that being dictated by the customer or the investigator.

"Any well-funded advanced persistent threat group makes sure that an investigator never runs out of new challenges," Mathias notes.

The exciting pace of the field continues to inspire Mathias. "As an investigator, you get to see the newest kinds of attacks and the best malware available," he explained, adding that he also is constantly expanding his knowledge base as he learns about each customer's business.

At InfoGuard, Mathias is focused on building the incident response practice. He uses his knowledge and experience to shape his team and proactively mediate pitfalls that are more difficult to change later. Taking on these challenges gives him perspective as a SANS instructor, as many students are still getting up to speed and are in the initial phases of preparing their organization to address potential threats.

Prior to InfoGuard, Mathias was a principal consultant at Mandiant, where he led large-scale cybersecurity investigations all over the world. Before that, Mathias served as a lead security architect at Deutsche Telekom subsidiary T-Systems while working in tandem as a security consultant for international clients in the telecommunications, automotive, pharmaceutical, and petroleum industries.

As an instructor for SANS FOR508: Advanced Digital Forensics, Incident Response, and Threat Hunting, Mathias draws both on his roots in teaching as well as his experience in the field to frame the subject matter with real-world examples. He believes in teaching by example, and tries to work labs as he would a real-life case. Students in the course need to dig into the smallest pieces of the puzzle but still focus on the big picture in an enterprise-wide investigation.

The starting point for each individual student is different, and Mathias loves leveraging all the knowledge available in class - both his own and that of his students.

"In the end, I want my students to be able to question their procedures and their security products to improve how they do incident response by making them more efficient and effective," he says.

To help students deal with bigger cases than they have ever dealt with before, Mathias shares his mistakes as well as his successes. "While there's no substitute for experience, I want my students to be very conscious of the typical risks when running big investigations," he explains. "Besides, I have a ton of cool stories to tell!"

In one particularly extensive case during his time at Mandiant, Mathias was investigating networks with 100,000+ endpoints. "I quickly figured out that the attacker had only been there for two weeks and we were able to completely record and track every single operation he did," says Mathias. The investigators eventually kicked the attacker out after four weeks when he got too aggressive, and the process provided weeks of valuable intelligence for future cases.

In another investigation, Mathias was able to access a crash dump of the RDP server process when it crashed during the attack. "Dissecting this crash dump gave me a lot of information about the attacker group and was key to further investigation, as it helped to quickly find 50 more machines the attacker accessed without installing any malware."

Mathias stays active even when he's not teaching or in the midst of an investigation, using his pilot's license to fly small airplanes over the Alps, hiking, mountain biking, snowboarding, and volunteering as a paramedic for his local ambulance service.

Qualifications Summary

Awards

  • Recipient of the Lethal Forensicator Coin

Certifications

  • GCFA - GIAC Certified Forensic Analyst
  • CISA - Certified Information Systems Auditor
  • ITIL v3 Foundation
  • ITIL v2 Foundation
  • PCI Qualified Security Assessor (QSA)

Student Quotes

  • "Mathias has very good teaching skills, gives examples from recent news, which is invaluable." - Barakat Rita, Gemalto
  • "He is experienced, cool, and delivers solid knowledge in the classroom." - Erich Lerch, BIT
  • "Mathias has great knowledge and provides relevant real-world examples." - Ian Jones, Lastline

View Upcoming Training for Mathias Fuchs


Bryce Galbraith

"The world isn't run by weapons anymore, or energy, or money. It's run by little ones and zeroes, little bits of data. It's all just electrons." -- Cosmo, from "Sneakers"

As a contributing author of the internationally bestselling book Hacking Exposed: Network Security Secrets & Solutions, Bryce helped bring the secret world of hacking out of the darkness and into the public eye. Bryce has held security positions at global ISPs and Fortune 500 companies; he was a member of Foundstone's renowned penetration testing team and served as a senior instructor and co-author of Foundstone's Ultimate Hacking: Hands-On course series. Bryce is currently the owner of Layered Security, where he provides specialized vulnerability assessment and penetration testing services for clients. He teaches several of the SANS Institute's most popular courses and develops curriculum around current topics. He has taught the art of ethical hacking and countermeasures to thousands of IT professionals from a who's who of top companies, financial institutions, and government agencies around the globe. Bryce is an active member of several security-related organizations, holds several security certifications, and speaks at conferences around the world.

Bryce is an excellent instructor. His knowledge and delivery are exceptional. - Chris Shipp, DM Petroleum Operations Co.

View Upcoming Training for Bryce Galbraith


Jess Garcia

Jess Garcia is the founder and technical lead of One eSecurity, a global Information Security company specialised in Incident Response and Digital Forensics.

With nearly 20 years in the field, and as an active researcher in the area of innovation for Digital Forensics, Incident Response and Malware Analysis, Jess is today an internationally recognised Digital Forensics and Cybersecurity expert, having led the response and forensic investigation of some of the world's biggest incidents in recent times.

In his career Jess has worked on a myriad of highly sensitive projects with top global customers in sectors such as financial & insurance, corporate, media, health, communications, law firms or government, as well as in other Cybersecurity areas such as Security Architecture Design and Review, Penetration Tests, Vulnerability Assessments, etc.

A Principal SANS Instructor with almost 15 years of SANS instructing experience, Jess is also a regular invited speaker at Security and DFIR conferences worldwide.

Previously, Jess worked for 10 years as a systems, network and security engineer in the Spanish Space Agency, where he collaborated as a security advisor with the European Space Agency, NASA, and other international organisations.

Jess holds a Masters of Science in Telecommunications Engineering + Computer Science from the Univ. Politecnica de Madrid.

View Upcoming Training for Jess Garcia


Philip Hagen

For Phil Hagen, a career in information security chose him even before the movies War Games and Sneakers spurred his broader interest in the field. Phil has been captivated since the early days, working on information security projects since the mid-1990s, but networking grabbed his attention even before that.

"Since installing a 2400bps modem into an Apple //e around 1988, every computer I've used has been able to communicate with others," he says. "Of course the systems themselves are becoming more and more varied, making network analysis a critical component of the investigative process today."

Phil began his studies at the U.S. Air Force Academy's Computer Science Department, where he focused on network security and was an inaugural member of the computer security extracurricular group. He served in the Air Force as a communications officer at Beale AFB and the Pentagon. In 2003, Phil moved over to a position with a government contractor, providing technical services for various IT and information security projects.

Today, Phil's career has spanned the full attack life cycle - tool development, deployment, operations, and the investigative aftermath - giving him rare and deep insight into the artifacts left behind. Phil has covered deep technical tasks, managed an entire computer forensic services portfolio, and handled executive responsibilities. He's supported systems that demanded 24x7x365 functionality, managed a team of 85 computer forensic professionals in the national security sector, and provided forensic consulting services for law enforcement, government, and commercial clients. All of that brings Phil to his role today as the DFIR strategist at Red Canary, where he supports the firm's managed threat detection service.

Phil is also a certified instructor for the SANS Institute, and is the course lead and author of FOR572: Advanced Network Forensics and Analysis. This six-day course provides a hands-on curriculum to learn the skills necessary to perform investigations of network-based incidents, where the hard drives or memory of compromised systems are often missing.

"In each class, I take care to explain the relevance of the concepts to cases I've worked and scenarios I've encountered in the past," says Phil. "In FOR572, our classwork and hands-on materials are all taken from real-world experiences and cases. Our week in class is jam-packed and we deliberately focus our attention on adversary behaviors that have been actively observed in the wild."

Phil also spends time developing and maintaining the SOF-ELK distribution, a virtual appliance that is preconfigured with the ELK stack (Elasticsearch, Logstash, and Kibana). "This takes a lot of time investment, but it's very rewarding to hear from the DFIR community at large when they've used SOF-ELK in their own environments and cases to boost efficiency and effectiveness," he says.

Phil has always been a mentor and teacher at heart, and his relationships with former colleagues and students constitute one of his biggest sources of professional pride. "In my previous job at a large defense contractor, I was responsible for managing the entire computer forensic division," says Phil. "The division consisted of many people in various critical roles, including an exceptional team of site managers that I relied heavily on. Years later, I still stay in touch with most of those managers and many other people from the overall team. They have all grown professionally and it's amazing to see what roles they've taken on. It's humbling to see so many people really pursue the trajectory they set for themselves so many years ago."

In one of his most exciting cases, Phil provided forensic examination and overall investigative support to a law enforcement case involving hundreds of millions of dollars of fraudulent transactions committed against victims around the world. The case lasted several years and involved more than a hundred pieces of media from 10 countries, as well as numerous operating systems, filesystems, and criminal actors. With the ultimate arrest of two subjects high up in the organizational "food chain", the investigative team was successful in completely decapitating the fraudulent scheme itself, due to comprehensively scoping the architecture they used.

When he's not cyber-sleuthing and mentoring students, Phil is an avid runner who has completed two half-marathons and dozens of 5k and 10k races. He tries to run every other day even when he's teaching in order to keep his thoughts clear and his brain geared up.  "I get 'rungry' (run hungry) when I skip a day," he says. Phil also enjoys craft beer because of the passion and creativity that today's craft brewers put into their product. Wherever he travels he searches out the local favorite to sample.

Here's What Students Are Saying about SANS Certified Instructor Philip Hagen:

  • "Philip's speaking style draws you in and he's very personable. Useful tools and nice tour of technology which I was not previously aware of." - Frank J. Quinn
  • "Even by SANS standards, Phil clearly 'goes the extra mile' in depth of information, especially on exercises." -  Dai Morgan, Visa Europe
  • "I really like how Phil incorporates real-life examples into the material. It really helps me visualize it!" -  Ryan Nelson, Motorola

SANS Instructor Endorsements:

"Phil Hagen and I have worked very closely together for many years.  His understanding of networks, underlying technology, and hacker techniques was critical to many operational successes.  Phil managed to begin leading several key operational components while at a defense and intelligence community contractor and was soon running the division with over 85 employees and contracts totaling tens of millions of dollars. Phil has never lost his technical edge and was a key asset while working directly with federal law enforcement tracking organized criminals using cyber as a way to commit financial and credit card attacks." -  Rob Lee, SANS Fellow and DFIR Curriculum Lead

"Phil is an incredibly gifted author, instructor, and member of the DFIR team!  He is well versed in networking protocols and principles, investigative methodology, and advanced analytical techniques.  Phil's teaching skills come from his deep experience in supporting military, government agencies, and Fortune 500 clients over the many years of work in information security. He is able to establish a great rapport with his students and delivers the high-quality classroom experience that SANS attendees have come to appreciate." -  Heather Mahalik, Senior Instructor and FOR585 Course Lead

View Upcoming Training for Philip Hagen


Nick Klein

Nick is the Director of Klein & Co. Computer Forensics, the leading independent computer forensic team from Sydney, Australia. He has over fifteen years of IT experience, specialising in forensic technology investigations and presenting expert evidence in legal and other proceedings. Nick and his team have been engaged as experts in hundreds of cases including commercial litigation and electronic discovery, criminal prosecution and defence, financial fraud, corruption, employee misconduct, theft of intellectual property, computer hacking and system intrusion.

He was previously a senior director in Deloitte Forensic and a team leader in the High Tech Crime Team of the Australian Federal Police, where he worked on international police investigations and intelligence operations including counter terrorism, online child abuse, computer hacking, and traditional crimes facilitated by new technologies.

Nick has presented expert evidence in civil and criminal matters in Australia and overseas, including providing expert testimony in the Bali bombing trials in Indonesia in 2003. He has appeared before Australian State and Commonwealth Parliamentary Committees and participated in Government working groups on cybercrime issues including the Fraud Taskforce of the Australian Banking Association and the Critical Infrastructure Protection forum of the Australian Commonwealth Government. Nick is a regular presenter at industry forums and a guest lecturer at several institutions including the School of Law at the University of New South Wales and the Centre for Transnational Crime Prevention, Faculty of Law at the University of Wollongong.


Listen to Nick discuss methods to reconstruct anti-forensics in a critical case all DFIR professionals should listen to.

 

View Upcoming Training for Nick Klein


Rob Lee


Rob Lee is an entrepreneur and consultant in the Boston area, specializing in information security, incident response, threat hunting, and digital forensics. Rob is currently the curriculum lead and author for digital forensic and incident response training at the SANS Institute in addition to owning his own firm. Rob has more than 18 years of experience in digital forensics, vulnerability and exploit discovery, intrusion detection/prevention, and incident response.

Rob graduated from the U.S. Air Force Academy and served in the U.S. Air Force as a founding member of the 609th Information Warfare Squadron, the first U.S. military operational unit focused on information operations. Later, he was a member of the Air Force Office of Special Investigations (AFOSI) where he led a team conducting computer crime investigations, incident response, and computer forensics. Prior to starting his own firm, he directly worked with a variety of government agencies, U.S. Department of Defense, and intelligence communities as the technical lead for a vulnerability discovery and an exploit development team, lead for a cyber forensics branch, and lead for a digital forensic and security software development team. Rob was also a director for MANDIANT, a company focused on investigating advanced adversaries, such as the APT, for five years prior to starting his own business.

Rob co-authored the book Know Your Enemy, 2nd Edition. Rob earned his MBA from Georgetown University in Washington DC. Rob is also a co-author of the MANDIANT threat intelligence report M-Trends: The Advanced Persistent Threat.

View Upcoming Training for Rob Lee


Robert M. Lee

SANS certified instructor Robert M. Lee brings to the classroom one of the most valuable and respected of credentials: real-world experience. Robert is the CEO and founder of his own company, Dragos, Inc., that provides cyber security solutions for industrial control system networks. Consider the 2015 attack on the Ukraine power grid when for the first time in history a power grid went down due to an intentional cyberattack. Robert and a few others formed a specialized team to analyze the event and passed information to the impacted parties as well as the U.S. government and private sector. "I was the first in the industry to publicly confirm the attack and wrote the industry standard report on the attack exploring how it occurred, the lessons learned, and what must be done to protect other infrastructure sites," Robert says. He and his team also analyzed the malware from the 2016 cyber attack on Ukraine's Kiev substation and dubbed it CRASHOVERRIDE as the first ever malware tailored to specifically disrupt electric grid operations.

That experience is what forms his teaching philosophy. "I make it my teaching philosophy to constantly bring in new material into the classroom through my personal experiences and the successes and failures of those I've seen in the industry," says Robert. This augments the traditional classroom material students receive to ensure they get the most relevant and cutting-edge concepts in the industry. But Robert's real-world experience also keeps things interesting. "I enjoy telling and sharing in case studies and stories from the field, looping in bigger concepts into the technical material, and setting a humorous tone so that no matter the seriousness of the topic we all have fun together."

Robert got his start in information security making small control systems for humanitarian missions. He joined the United States Air Force and became a cyberspace warfare operations officer in the U.S. intelligence community. In that role, he created and led a mission examining nation-states targeting ICS, the first mission of its kind in the U.S. intelligence community. For Robert, that intermixing of defense, intrusion analysis, and threat intelligence provided the ultimate thrill.

Robert has worked offense, defense, and intelligence in various government teams. "My time on the offense helped me better appreciate defense and how sometimes we simply get it wrong: defense is not necessarily harder than offense and there are many opportunities we have to defend and make the world a better place," he says.

Robert joined SANS for myriad reasons. He had long been aware of the organization, and followed the career and workings of SANS fellow and DFIR curriculum lead Rob Lee. Also, ongoing encouragement to attend SANS conferences and consider teaching from a number of friends and colleagues such as Dave Shackelford convinced him to give SANS a shot. His first pitch - a five-day class on identifying and responding to industrial control systems (ICS) attacks - was well-received, and as Robert says, "the rest is history." Today he teaches SANS ICS515: ICS Active Defense and Incident Response, the industry's first and only incident response and threat hunting class for ICS, and FOR578: Cyber Threat Intelligence, the industry standard course for threat intelligence training. "The SANS family is amazing, the students are world class, and teaching is what keeps me constantly refreshed and excited in the industry."

In fact, authoring ICS515 and FOR578 have been highlights in his career, Robert says. Industrial control system security as well as cyber threat intelligence are both exciting topics that receive a lot of hype and misconceptions. "I love destroying hype while giving the students the most blunt and actionable information possible," Robert explains, adding that his experiences "gives me a robust view into the problem space and the solutions needed at various levels. My experiences and hard work have afforded me the chance to significantly advance students' skill sets and the way they view the problem."

Central to helping students succeed in their day-to-day careers is ensuring that they understand the big picture, Robert says. That's more than just understanding what command to run on a specific tool or how to use that tool during an incident. It's about knowing what the larger context of a security strategy is, all its moving pieces, and how to use analysis to help fill knowledge gaps. "This ensures that students who take my classes are not only technically prepared but are also prepared to think differently about the hard challenges their organizations must face when facing the adversary," says Robert.

Robert has a master's degree in cybersecurity and computer forensics from Utica College as well as cyber and warfare training through the U.S. Air Force, and he's pursuing his doctorate in war studies from King's College London. He was named one of Forbes' 30 under 30 in Enterprise Technology in 2016, was awarded EnergySec's 2015 Cyber Security Professional of the Year and named one of Passcode's "Influencers."

Outside of teaching, Robert enjoys running his company Dragos and working with customers in the industrial community. "It allows me to constantly stay relevant, challenge and grow my skills, and directly help people." He also enjoys writing papers and blogs for the industry, and looks for opportunities to travel, snowboard, and play a Steam game or two whenever he can.

Qualifications Summary

Awards and Honors

  • 2016: Forbes' 30 under 30 in the area of Enterprise Technology
  • 2015: Energy Sector Cyber Security Professional of the Year, awarded by EnergySec
  • 2014: Colonel Sparky Baird Award, awarded by AFCEA
  • 2014: Air Force Association Gill Robb Wilson Award - Air Force Nominee
  • 2013: Air Force Association Gill Robb Wilson Award - Air Force Nominee
  • 2013: AF Information Dominance Award for Outstanding Cyberspace Operations CGO - 693 ISR Gp
  • 2013: Junior Officer (Operator Category) of the Year - Europe/Africa
  • 2013: Military Performer of the Year - Threat Operations Center
  • 2013: CGO of the Year - 693d ISR Gp
  • 2012: Distinguished Young AFCEAN Officer - Central Europe
  • 2012: Outstanding ISR Officer Contributor of the Year - 693rd ISR Group
  • 2011: AFCEA Intelligence Professional of the Year - 693 ISR Group

Student Quotes

  • "Real-world practical insight and the technical skills and tools to create meaningful change." - Billy Glen, Pacific Gas & Electric
  • "Great teaching style - humor - keeps the atmosphere light." - Tim Sanguinett, NCPA
  • "Good pace, kept things moving, stayed enthusiastic the entire day." - Michael Nowatkowsk, Army Cyber Institute

View Upcoming Training for Robert M. Lee


Heather Mahalik

To say that digital forensics is central to Heather Mahalik's life is quite the understatement. Heather has worked on high-stress and high-profile cases, investigating everything from child exploitation to Osama Bin Laden's media. She has helped law enforcement, eDiscovery firms, and the federal government extract and manually decode artifacts used in solving investigations around the world. All told she has more than 14 years of experience in digital forensics, including eight years focused on mobile forensics - there's hardly a device or platform she hasn't researched or examined or a commercial tool she hasn't used.

These days Heather is the Director of Forensic Engineering at ManTech CARD. At the SANS Institute she is a senior instructor and the course lead for FOR585: Advanced Smartphone Forensics. As if that isn't a full enough schedule, Heather also maintains www.smarterforensics.com, where she blogs and hosts work from the digital forensics community. She is the co-author of Practical Mobile Forensics (1st and 2nd editions), currently a best seller from Packt Publishing, and the technical editor for Learning Android Forensics from Packt Publishing.

Heather is passionate about digital forensics because she loves always having to learn something new. "This field moves so quickly. It is literally impossible to get bored," she says. "If you find yourself bored, branch into another realm of digital forensics. The possibilities are endless and so is the fun! I love digging for artifacts and solving the puzzle."

Heather particularly likes working on mobile and third-party applications, a focus of her work. "I love cracking and hacking into apps that are supposed to be secure," she explains.

She cites her role as a SANS instructor as one of the most fulfilling achievements of her career. Heather loves it when students reach out to tell her that, thanks to her course, they put a criminal away for many years. As she says: "Nothing compares to knowing that the effort you put into writing and maintaining a course makes the world a better and safer place. SANS gives me the opportunity to share that with others."

Heather's background in digital forensics and e-discovery covers smartphone, mobile device, and Windows forensics, including acquisition, analysis, advanced exploitation, vulnerability discovery, malware analysis, application reverse-engineering, and manual decoding, as well as instruction on mobile devices, smartphones, and computers covering Windows, Linux and Macintosh operating systems.

What's her favorite topic to teach from that impressive résumé? "Decrypting and decoding the unparsed data!" she says. "I spend almost 90 percent of my day job trying to crack into the tough stuff, and my experience naturally flows into the classroom."

Heather previously led the mobile device team for Basis Technology, where she focused on mobile device exploitation in support of the federal government. She also worked as a forensic examiner at Stroz Friedberg and the U.S. State Department Computer Investigations and Forensics Lab, where she handled a number of high-profile cases. She has also developed and implemented forensic training programs and standard operating procedures.

Outside of work, Heather puts her passions into being a mom, cooking, reading, riding her horse, and drinking fine wine and bourbon.

Here's what students are saying about SANS Senior Instructor Heather Mahalik:

  • "I have been working with phones since 2009, and Heather very casually showed me how much I don't know. Excellent!" - Harbin Combee, Metropolitan Police Department, Washington, DC
  • "I am learning so much, it's exciting. Heather is an excellent instructor. Very smart. Knows her stuff." - Tris Matthews, Goodhue County Sheriff's Office
  • "Heather is a great instructor. The only downside will be not being able to bring her back to my office so we can pick her brain every day!" - C. McCollom, Clark County Sheriff's Office
  • "Smartphone Forensics course is the only unbiased course in the world for mobile forensics, it is for those who really want to take their skill to the next level and go beyond what their vendor/tool gives them. Heather is an incredible instructor, regarding mobile forensics, she knows it." - David Bernal, SCTIUM

SANS Instructor Endorsements:

"Heather's cool demeanor and patience with her students shows across the board.  Her expertise shows in her passion for teaching and her interactions with her students.  Her work and connections in government space save lives and are critically important to our nation's security.  I feel very fortunate to have her as part of our DFIR instructor family." - Rob Lee, SANS Fellow and DFIR Curriculum Lead

"Heather is one of the most knowledgeable and engaging instructors I've ever had the chance to learn from, let alone work with.  Her ability to present complex topics at an understandable level without compromising the technical details is amazing.  In the classroom, she brings the concepts home with extensive real-world experience - you'll never wonder why a topic is getting coverage - it's because you also know the impact to prior casework. Whether you take one of Heather's classes live in person, live online, or via recording, you'll get a solid learning experience." - Phil Hagen, FOR572 author and Certified Instructor

View Upcoming Training for Heather Mahalik


Cindy Murphy

Cindy Murphy served in law enforcement for more than thirty years, including twenty-five years at the Madison, Wisconsin Police Department, where she worked as a detective and a certified digital forensics examiner. While at MPD, she had the opportunity to serve as a detective and as a certified digital forensics examiner for over seventeen years. During her time as an investigator, she saw firsthand the emergence of mobile devices as the primary source of evidence in investigations. This pushed her to grow into the mobile forensics expert she is today and enabled her to co-author the SANS FOR585 Advanced Smartphone Forensics course. Just recently, Cindy took a leave of absence from the Madison Police Department to launch Gillware Digital Forensics, where she is co-owner and serves as president and lead examiner. As a life-long police officer, Cindy knows the transition from the public to the private sector will present new challenges, but she's looking forward to broadening her professional experience even further, which will benefit both Cindy and her students.

Throughout her career, Cindy has always looked for opportunities to help in meaningful ways.  In one recent case, experts spent a year trying to unlock the phone of a 16-year-old girl who was killed in a tragic traffic accident. As the family prepared to spread the girl's ashes in a ceremony a year after her death, Cindy was given the victim's locked phone. She was able to unlock it, enabling the family to see their daughter's last photos. The family sent Cindy a thank you note that said: "We so appreciate this opportunity you've given us to hold onto a piece of our daughter's life we were sure was lost to us."

Digital devices have a huge impact in our world today, and Cindy believes mobile phones have become the diaries of people's lives. That's why mobile forensics is such a vital field. A thorough knowledge of these devices is thus crucial to investigations, since they can provide indispensable evidence that law enforcement can't afford to miss. Cindy knows the tools and programs that support digital forensics, has trained officers how to handle cell phone evidence, and knows how to take care of herself and others when working through tough cases like child pornography. Her extensive experience has given her both the real-world experience and the foundation in training that it takes to excel in the mobile forensics field and share her knowledge with others.

Cindy has been teaching digital forensics since 2002. In 2006, she helped develop the curriculum for a certificate program at Madison Area Technical College. Cindy has served as guest faculty for the National District Attorney's Association, testified as a computer forensics expert in state and federal court on numerous occasions, presented internationally on digital forensics topics, and written frequent articles and whitepapers. She has a master of science degree in forensic computing and cyber crime investigation from University College in Dublin. Cindy is also a military veteran, a mother, an activist in defense of First Amendment rights, a musician (banjo, cello, tenor guitar, mandolin, and ukulele), and a Brittany Spaniel enthusiast.

Here's What Students Are Saying about SANS Certified Instructor Cindy Murphy:

"Cindy Murphy is a force to be reckoned with! Very happy I signed up for this class." - Reza Z., DirectTV

"Cindy is Awesome! She fully understands what is happening in the field and how to do our job better." - John P., Shell Oil 

"Good, real-world experience. Clearly, Cindy has been there, done that." - Chris Mallow, University of Oklahoma

Instructor Endorsements:

"Cindy has told me multiple times that teaching others how to do this job was some of the most rewarding work that she can do.  Cindy truly believes that her material, instruction, and experience could make a difference in helping stop bad guys around the world.  She gets how important the role of our work is in developing additional investigators and responders in law enforcement, media exploitation, and information security fields." - Rob Lee, SANS Fellow & DFIR Curriculum Lead

"Cindy is one of the most dedicated people in the field of digital forensics.  She spends tireless hours making herself better at the trade and always gives back to the community through white papers, forensic instruction, conference speaking events, and now through SANS.  Cindy is able to take her law enforcement experience and spin it in a way that dazzles the students with her stories and real-life experience. Anyone can speak to slides ? Cindy can add value to the content and gives the material meaning." - Heather Mahalik, SANS Senior Instructor & FOR585 Advanced Smartphone Forensics Course Lead

View Upcoming Training for Cindy Murphy


Mike Pilkington

Curiosity wins the day! That is Mike Pilkington's teaching philosophy, because from his perspective, you have to be inspired and excited about solving difficult cases if you want to be great at forensics. As Mike says, "you have to be willing to search for the answers that others can't or won't find." Mike's infectious enthusiasm for digital forensics comes through in his work, in his classes, and in his day-to-day life. It's clear that his hobby and his job are one and the same.

Mike has been an instructor for the SANS Institute since 2008. He currently teaches Windows Forensics In-Depth (FOR500) and Advanced Digital Forensics and Incident Response (FOR508). In addition to teaching, Mike is a dedicated researcher and has published numerous articles for the SANS Forensics Blog.

After spending much of his career as an analyst and incident responder for Halliburton, Mike recently joined the team at Shell. His background working in a large corporate environment gives him a unique perspective among SANS instructors. Mike is also a researcher at heart and will spend hours unraveling the answer to a complicated case or a question from a student. He'll delve deeply into forensic conundrums to identify the best solutions, and then document that knowledge to share with the digital forensics community.

In his current role as a senior incident analyst at Shell, Mike regularly deals with malware and intrusion cases. His work ranges from evaluating and implementing both commercial and open-source forensic tools to consulting with internal groups to resolve intrusions. He has accumulated a broad range of technical expertise, having spent significant time performing software quality assurance, Windows systems administration, LAN and WAN network administration, firewall and IDS/IPS security administration, computer forensic analysis, and incident response. As a forensic analyst, he worked numerous human resource investigations, including cases involving intellectual property theft, inappropriate use of the Internet, employee hacking, IT administrator privilege abuse, and illegal downloading of copyrighted materials.

Mike holds a bachelor's degree in mechanical engineering from the University of Texas, as well as numerous IT security certifications, including the CISSP, EnCE, GCFE, GCFA, and GREM.

Qualifications Summary:

  • Deep background in corporate cybersecurity
  • SANS instructor since 2008
  • Professional qualifications: GCFA, GCFE, GREM, EnCE, CISSP

Get to Know Mike Pilkington:

  • Mike's DFIR blog is available at https://digital-forensics.sans.org/blog/author/mpilkington
  • Mike co-authored the SANS Forensics "Find Evil" poster
  • Mike created an example forensics report for SANS FOR500 students (available upon request)
  • In addition to regularly presenting six-day SANS forensics classes, Mike's additional speaking engagements include the SANS DFIR Summit, SANS conferences, MIRcon, ISSA, and HTCIA

Listen to Mike discuss Privileged Domain Account Protection: How to Limit Credentials Exposure in this SANS webcast.

Here's What Students Are Saying about SANS Certified Instructor Mike Pilkington:

"The level of detail and knowledge that Mike has is above excellent." - Oz Bogovac, JCI

"Once again, Mike's command-line knowledge really became valuable when we tried to stump him with questions. He knew everything!"  - Mike DeZenzo, EY

"The instructor helps by sharing his knowledge in a way it can be understood by the student." - Joseph Selph, IBM

"Very knowledgeable." William Martin, NYSP

Instructor Endorsements:

"Mike's perspective is unique and extremely valuable to our instructor team. He sees things differently as a result of directly fighting adversaries in his larger multinational corporate environment daily, and he isn't afraid to share his experiences with the class. Mike is also a researcher at heart, and his research has directly resulted in our material being updated, corrected, and expanded. It has made our courses at SANS the best and brimming full of information that make SANS truly on the "cutting edge" and not just words we use in marketing."  - Rob Lee, SANS Fellow

"Mike is accomplished, wicked smart, and very passionate about our field. He is that rare individual who doesn't just report a problem - he takes it upon himself to find a solution. As an example, Mike encountered a number of students during his early teaching engagements who were having difficulties grasping the fundamentals of report writing. He took it upon himself to create a sample report that could be shared among instructors. His SANS blog posts are some of my favorites, as he regularly takes it upon himself to look deeper into nagging forensic unknowns and document clever solutions."  - Chad Tilbury, SANS Senior Instructor

"I have watched Mike present and have been thoroughly impressed with his smooth delivery, his ability to competently deliver highly technical material in a way that makes it easy for students to understand, and his ability to handle questions. Mike's background in IT brings a highly valuable perspective to the forensic program and inspires students." -  Ovie Carroll, SANS Certified Instructor

View Upcoming Training for Mike Pilkington


Chris Pizor

Chris Pizor is a civilian employee working for the U.S. Air Force as the lead curriculum designer for cyber warfare operations training. Chris served on active duty in the USAF as a Network Intelligence Analyst before retiring in 2010. He was part of the initial cadre of the NSA Threat Operations Center and helped develop tactics to discover and eradicate intrusions into U.S. government systems.  Chris has worked in the intelligence community for more than 20 years, including 12 years focused on cybersecurity. Over the course of his active duty career, Chris received multiple individual and team awards.

Chris is passionate about security and helping others advance their security knowledge, and he is continuously researching and refining his own skills so he can prepare U.S. airmen and women and other professionals to defend their vital networks and critical infrastructure.

Chris earned a bachelor's degree in intelligence studies and information operations from the American Military University and a master of science in cybersecurity from University of Maryland University College. He holds the GSEC, GCIA, GCIH, GPEN, GXPN, GCFA, GISP, and CISSP certifications.

Chris is also a recipient of the "General John P. Jumper Award for Excellence in Warfighting Integration" for Air Force Space Command. The General Jumper award recognizes individuals for sustained superior performance and outstanding contributions to the integration of Air Force or DoD warfighting and/or operations support capabilities that shorten the kill chain and/or enhance the decision cycle.

When Chris isn't working, he enjoys spending time with his wife and two young children, woodworking, and spending time outdoors.

View Upcoming Training for Chris Pizor


Hal Pomeranz

"Sometimes there's a moment in a case where I find a crucial piece of evidence hidden away where not many investigators would think to look. And I think to myself, 'I'm glad I was the one to work on this case, because this finding was important.' That's how I know I'm in the right field." ~ Hal Pomeranz

Hal Pomeranz is an independent digital forensic investigator who has consulted on cases ranging from intellectual property theft, to employee sabotage, to organized cybercrime and malicious software infrastructures. He has worked with law enforcement agencies in the United States and Europe, and with global corporations.

While perfectly at home in the Windows and Mac forensics world, Hal is a recognized expert in the analysis of Linux and Unix systems, and has made key contributions in this domain. His EXT3 file recovery tools are used by investigators worldwide. His research on EXT4 file system forensics provided a basis for the development of open source forensic support for this file system. Hal has also contributed a popular tool for automating Linux memory acquisition and analysis. But Hal is fundamentally a practitioner, and that's what drives his research. His EXT3 file recovery tools were the direct result of an investigation, recovering data that led to multiple indictments and successful prosecutions.

Raised in the Open Source tradition, Hal shares his most productive tools and techniques with the community via his GitHub and blogging activity. And nobody can show you how to forensicate with Open Source tools like Hal!

Hal is a SANS faculty fellow and the creator and primary instructor for the Securing Linux/Unix (SEC506) course. In the SANS DFIR curriculum he teaches Advanced Digital Forensics, Incident Response, and Threat Hunting (FOR508), Advanced Network Forensics and Analysis (FOR572), Mac Forensics Analysis (FOR518), and Reverse-Engineering Malware: Malware Analysis Tools and Techniques (FOR610). Hal holds the GIAC certification for the following courses: GCUX, GCFA, GNFA, and GREM.
 

Hal is a regular contributor to the SANS Digital Forensics and Incident Response blog and co-author of the Command Line Kung Fu blog. He's a former board member for USENIX, BayLISA and BackBayLISA; former technical editor for Sys Admin Magazine; and a respected author and highly rated instructor at industry gatherings worldwide. Hal is an avid baseball fan, so in the summer you'll usually find him at his local minor league ballpark or catching up on major league games. He enjoys travel, theatre, and food (both cooking and eating), but his first priority is keeping up with the interests of his kids: Disney, gymnastics, Legos, and video games.

Get to Know Hal

  • Over 25 years of industry experience
  • Founder and Principal Consultant for Deer Run Associates
  • GIAC Certified Forensic Analyst (GCFA), Network Forensic Analyst (GNFA), Malware Analyst (GREM), and Unix Administrator (GCUX)
  • SANS Faculty Fellow and SANS' longest tenured instructor
  • Hal is a contributor to the SANS Digital Forensics and Incident Response blog

Learn more about Hal Pomeranz in this DFIR Hero interview on the SANS DFIR Blog.

Here's What Students Are Saying about SANS Certified Instructor Hal Pomeranz:

"Great intro to malware analysis. Hal Pomeranz, instructor, was extremely knowledgeable on the subject. Highly recommended." - Jonathon Hinson, Duke Energy

"Hal is one of the finest instructors I've ever had the pleasure the take a class from. He possesses the rare ability to bring information on cutting edge techniques to the classroom and present it in a way that makes his students comfortable with these techniques as if they were old hat." - Chris Calabrese, Medco Health Solutions, Inc.

Listen to Hal discuss Incident Response Event Log Analysis.

View Upcoming Training for Hal Pomeranz


Dave Shackleford

Dave Shackleford is the owner and principal consultant of Voodoo Security and a SANS analyst, senior instructor, and course author. He has consulted with hundreds of organizations in the areas of security, regulatory compliance, and network architecture and engineering, and is a VMware vExpert with extensive experience designing and configuring secure virtualized infrastructures. He has previously worked as CSO for Configuresoft, CTO for the Center for Internet Security, and as a security architect, analyst, and manager for several Fortune 500 companies. Dave is the author of the Sybex book Virtualization Security: Protecting Virtualized Environments, as well as the coauthor of Hands-On Information Security from Course Technology. Recently Dave coauthored the first published course on virtualization security for the SANS Institute. Dave currently serves on the board of directors at the SANS Technology Institute and helps lead the Atlanta chapter of the Cloud Security Alliance. Dave earned his MBA from Georgia State University.

"Dave knows his stuff and explains the material in an easy-to-understand way." - Jonathan O'Neal, Monster.com

View Upcoming Training for Dave Shackleford


John Strand

John Strand is the owner of Black Hills Information Security, a firm specializing in penetration testing, Active Defense and Hunt Teaming services. He is also the CTO of Offensive Countermeasures, a firm dedicated to tracking advanced attackers inside and outside your network.

John is an experienced speaker, having done presentations to the FBI, NASA, the NSA and at various industry conferences.  He is a senior instructor with the SANS Institute teaching:

  • SEC504 - Hacker Techniques, Exploits, and Incident Handling
  • SEC560 - Network Penetration Testing and Ethical Hacking
  • SEC580 - Metasploit Kung Fu for Enterprise Pen Testing
  • SEC550 - Offensive Countermeasures, Active Defense and Cyber Deception

And the lead course author of:

SANS 504: Hacker Techniques, Exploits, and Incident Handling

He also co-hosts Security Weekly, the world's largest information security podcast; co-authored Offensive Countermeasures: The Art of Active Defense; and writes loud rock music and makes various futile attempts at fly-fishing.

"Very informative! Mr. John Strand's experience shared through narrative brings course material to life."
 - Christopher Wilson, USAF

Below are some videos of John presenting:

Burn it all, the new security fundamentals

Sacred Cash Cow Tipping: Bypassing Firewalls and DLP

Pentest Trends report 2015

How not to suck at penetration testing

View Upcoming Training for John Strand


Chad Tilbury

"The real voyage of discovery consists not in seeing new sights, but in looking with new eyes." - Proust

This favorite quote of Chad Tilbury has proven to be a recurrent theme throughout his career. When Chad attended the U.S. Air Force Academy, his interest was piqued early on by the thrill and challenge of engaging adversaries in new domains. Chad grew up enthralled by spy novels, so battling real spies with counter-espionage techniques was particularly appealing. A career in computer crime investigations was the perfect fit.

Chad has nearly 20 years of experience working with government agencies, defense contractors, and Fortune 500 companies. And his case list looks like it's been pulled straight from those spy novels he grew up reading: murder, abduction, espionage, fraud, hacking, intellectual property theft, child exploitation, terrorism, and computer intrusions. 

He has served as a Special Agent with the Air Force Office of Special Investigations, where he investigated and conducted computer forensics for a variety of crimes and ushered counter-espionage techniques into the digital age. Chad has also led international forensic teams and was selected to provide computer forensic support to the United Nations Weapons Inspection Team.

In addition, Chad has worked as a computer security engineer and forensic lead for a major defense contractor and served as the vice president of worldwide Internet enforcement for the Motion Picture Association of America. In that role, he managed Internet anti-piracy operations for the seven major Hollywood studios in over 60 countries.

"With so many different skills and cultural perspectives on that team, I learned more about the dark underpinnings of the Internet than I ever could have imagined," says Chad.

Today, Chad brings his wealth of experience to his role as technical director at CrowdStrike, where he specializes in incident response, corporate espionage, and computer forensics. Here at SANS, Chad is a senior instructor and co-author for two six-day courses:  FOR500: Windows Forensics, which focuses on the core skills required to become a certified forensic practitioner, and FOR508: Advanced Digital Forensics, Incident Response, and Threat Hunting, which teaches sophisticated computer intrusion analysis and advanced threat hunting techniques.

Chad's experience brings immeasurable depth to his classes. He focuses not only on tools and techniques, but also on understanding how those artifacts can be used to prove or disprove questions students are asked to investigate in their daily jobs. As Chad says, "Forensics is both an art and a science, and I find that hearing about real-world applications provides new perspectives and can help unlock a student's ability to think unconventionally."  

Chad keeps his class goals simple: teach and lead discussions on the most important topics and make sure students have as much time as possible to work on the exercises. "I'm a big believer in hands-on learning," he says, "and we work hard to ensure the exercises in our classes are as realistic as possible. When students put all the pieces of a forensic investigation together themselves, it leads to those 'aha' moments that are so valuable."

The methodologies Chad teaches in his courses are the same ones he has used successfully on countless examinations. "Our exercises are months in the making, and provide realistic, real-world evidence samples on which to practice," says Chad. "I have had numerous students report going back to their teams, blowing them away with a new technique, and promptly becoming the trainer themselves."

One of Chad's most memorable experiences in the classroom brought that immediacy of techniques to a whole new level.

"I was teaching some of my latest research on browser artifacts, recently added to the FOR500 class.  Research showed that a specific browser database could be missing a day or more of information if not properly handled. There happened to be a law enforcement officer in class who was investigating a murder, and in his examination of the suspect's computer he had noted missing data during a critical 24-hour period. From our class discussion, the officer now had a tool and technique to recover the missing data in his case. Not surprisingly, he left class early!"

In addition to being a graduate of the U.S. Air Force Academy, Chad holds B.S. and M.S. degrees in computer science, as well as GCFA, GCIH, GREM, and ENCE certifications.

In his free time, Chad loves to travel and takes full advantage of the unique destinations his career takes him to. He spends much of his time at home mountain biking, skiing, snowboarding, and mountaineering. Chad recently took a ski mountaineering trip to Antarctica, about as far away from a Wi-Fi signal as you can get!

Student Quote

  • "Chad Tilbury is hands down the best instructor that I ever had in my 20 years of military service. Excellent job. Very relevant and up-to-date. An industry leader in this field." - Dannie Walters, U.S. Army
  • "Chad's real-world examples are a key part of the training. It really helps to have a knowledgeable instructor who currently works in the industry." - Roger Szulc, MDA
  • "I had the immense pleasure of learning from Chad during the SANS Computer Forensics and Investigation course. Chad's ability to break down complex, technically challenging topics and teach them in an understandable manner is second to none. He has helped countless numbers of people including myself gain the GCFA certificate and I wholeheartedly believe he is a true asset to any organization." - Ali Emirlioglu, Senior Security Operations Analyst at Datacom TSS

View Upcoming Training for Chad Tilbury


Alissa Torres

Alissa Torres is an explorer at heart. Uncovering the full story of an attacker's exploits requires digging into known and unknown forensic artifacts, and this excavation is exactly what intrigues her. With more than 15 years of experience in computer and network security spanning government, academic, and corporate environments, Alissa has the deep experience and technical savvy to take on even the most difficult computer forensics challenges that come her way. Her current role as an Incident Response Manager at Cargill provides daily challenges "in the trenches" and demands constant technical growth. Alissa is also founder of her own firm, Sibertor Forensics, and has taught internationally in more than 10 countries.

Memory forensics is a bleeding-edge field of Digital Forensics & Incident Response (DFIR), and Alissa is the lead author as well as an instructor of FOR526: Memory Forensics In-Depth and co-author of the SANS Memory Forensics Poster. She also teaches  FOR500: Windows Forensic Analysis; FOR508: Advanced Digital Forensics, Incident Response, and Threat Hunting; and SEC504: Hacker Tools, Techniques, Exploits and Incident Handling.

Alissa was introduced to digital forensics during her four years of service in the U.S. Marine Corps. She moved on to various technical roles at KEYW Corporation, Northrop Grumman Information Systems, and as part of Mandiant's computer incident response team (MCIRT). Alissa has worked as an instructor at the U.S. Cyber Challenge Camps and at the Defense Cyber Investigations Training Academy (DCITA), delivering incident response and network basics to security professionals entering the forensics community. She is passionate about sharing knowledge, presenting annually at regional and national industry conferences and encouraging women's participation in science, technology, engineering, and math through regional outreach programs.

As both an investigator and instructor, Alissa has a constant and infectious desire to always learn more and question everything, an ethos embodied in the SANS DFIR classes. "Our curriculum ensures students gain an understanding of why an artifact matters and how the tools interpret the data," Alissa explains. An inquisitive nature can be the determining factor in investigative success, as Alissa learned when she identified a critical error in one of her team's web proxy timeline procedures. This discovery allowed for the correction of contractual fraud investigations involving the U.S. government. Sharing personal success stories like this one gives students real-world applications for the material they are learning and inspires them to evaluate and optimize their own investigative processes, whether in incident response, digital forensic investigations, or internal offensive reconnaissance.

As attackers learn how forensic investigators work, they become increasingly sophisticated at leaving fewer traces behind. "We are in an arms race where the key difference is training," says Alissa. Toward that end, she encourages her students to ask more questions, grow the common body of knowledge, and make a difference in the digital forensics community. Her teaching style is best described as a type of "exposure therapy" that introduces concepts but then pushes students to get behind the keyboard and apply these concepts themselves.

Alissa's true passion is memory forensics, a rapidly evolving area of expertise for both attackers and defenders. As malware strives for a minimal footprint on the host, the battlefield exists in system memory. Alissa's students take the skills taught in FOR526 and move their investigations forward, in some cases even uncovering new details in their cases before the week-long class ends.

Alissa has a B.S. from the University of Virginia and an M.S. in information technology from the University of Maryland. She is a GIAC Certified Forensic Analyst (GCFA), and holds the GCFE, GCIH, GSEC, CISSP, and EnCE certifications. Alissa has served as a member of the GIAC Advisory Board since 2013 and was recognized by SC Magazine as one of its "2016 Women to Watch." Needless to say, she stays pretty busy. When not enmeshed in metadata and memory structures, Alissa catches every soccer game she can, cheering at her kids' games and scheming to attend matches of her favorite team, Everton. In what time she has left from constant cybersecurity vigilance, Alissa enjoys hiking in the Puerto Rican rain forest and scaling rocks at Big Sur.

Qualifications Summary

Certifications:

  • GIAC Security Essentials Certification (GSEC), June 2015
  • GIAC Certified Incident Handler (GCIH), June 2014
  • GIAC Reverse Engineering Malware (GREM), July 2013
  • GIAC Certified Forensic Examiner (GCFE), January 2013
  • Certified Forensic Computer Examiner (CFCE), December 2012
  • GIAC Certified Penetration Tester (GPEN), July 2012
  • GIAC Certified Forensic Analyst (GCFA), November 2011
  • Certified Information Systems Security Professional (CISSP), December 2010
  • EnCase Certified Examiner (EnCE), July 2010 - July 2019

This is what students are saying about SANS Certified Instructor and course author Alissa Torres:

"I love the energy of Alissa Torres' presentation style." - Scott S., US Govt.

"Alissa kept it interesting by pulling from her past experience and demonstrated great passion for the subject." - Matt Leach

"Alissa's teaching skills are remarkable - she is great." - Serge Tumba, GE Capital

"Fantastic- Energetic- Knowledgeable" - Dennis Mooney, Vanguard

"I highly recommend Alissa and SANS computer forensics courses. In April 2015 I attended the SANS Forensics 508: Advanced Digital Forensics and Incident Response (FOR508) course. I had high expectations for the course based on my team lead's recommendation. Alissa and the course exceeded my expectations. Alissa is an outstanding instructor, and SANS FOR508 was the best information security course I have attended. She mixed energy, knowledge, and experience to keep the content productive, relevant, and interesting. I look forward to attending more SANS courses instructed by Alissa." - Chad Rager,  Computer Forensic Engineer at ManTech

"This course is known throughout the industry as THE advanced IR and Threat Hunting course. This combined with Alissa's awesome teaching style makes it worth every penny! Alissa's subject matter expertise, enthusiasm, and insights are second to none! Her personalized attention to simulcast viewers was particularly nice because it felt like we were part of the class."  - Will Harmon, Trustwave

"Instructors like Alissa are why people keep coming back to SANS. Awesomeness and non-stop energy. She is one of my favorite instructors I've had from SANS, right up there with the likes of Ed Skoudis, John Strand, and Eric Cole. A brilliant presenter who keeps it fun, informative, and turns what other people could make sleep inducing, into non-stop engaging." - Eric Donaldson, Discover Financial Services

View Upcoming Training for Alissa Torres


Jake Williams

When a complex cyber attack put a private equity investment of more than $700 million on hold, the stakes couldn't have been higher. But that's exactly the kind of challenge that motivates Jake Williams, a computer science and information security expert, U.S. Army veteran, certified SANS instructor and co-author of FOR526: Memory Forensics In-Depth and FOR578: Cyber Threat Intelligence. To help mitigate the attack, Jake plied his information security expertise, discovered that not one but three different attackers had compromised the firm's network, and went about countering their moves.

Jake relishes the idea of meeting adversaries on the cyber battlefield. "I went into this field because I wanted a challenge," he says. "Infosec is like a game of chess to me. The attacker plays their moves and you play yours."

Jake started his information security career doing classified work with the U.S. government and was awarded the National Security Agency (NSA) Exceptional Civilian Service Award, which is given to fewer than 20 people annually. "I am immensely proud of the things I've accomplished," Jake says. "I'm positive the world is a safer place because of my work."

Today, Jake runs a successful Infosec consultancy. He's been involved in high-profile public sector cases including the malware analysis for the 2015 cyber attack on the Ukraine power grid. He's also tackled a variety of cases in the private sector. In one, Jake discovered attackers compromising a custom service the client had distributed to all its endpoints. Leveraging experience and insight with advanced persistent threats helped Jake "think like the attacker" and determine the attacker's likely hiding spots.

Jake's work has led to his invention of DropSmack, a proof-of-concept tool for highlighting the danger that cloud-based file sharing services pose to corporate networks, and the creation of ADD (Attention Deficit Disorder), a publicly-available memory anti-forensics toolkit.

Jake's work also led him to teaching. "I chose to be a SANS instructor because they are the very best in the business. Others talk about being the best, but SANS actually is the best," he says. "I love teaching people, but it goes beyond teaching for me. With many students, I'm making lasting professional relationships. Students come back again and again and have a lifelong learning relationship with SANS." 

Jake teaches a variety of classes (SEC503, SEC504, SEC660, SEC760, FOR508, FOR526, FOR578, FOR610) and prefers an active learning approach, using demos rather than slides to teach lessons. "It takes me back to my first exploits and I get the chance to relive that magical feeling all over again," he explains.

More importantly, Jake wants students to walk out of class being able to critically analyze a problem, discover a solution, and do something they couldn't do before. "I don't teach button-clicking steps; my goal is to ensure students understand how to take concepts from the class and apply them to their own cases and engagements."

Given his accomplishments, it should come as no surprise that Jake lives, sleeps, and breathes Infosec. When he's not teaching, he's consulting. He's a regular speaker at industry conferences including DC3, BSides (including BSides Las Vegas), DEFCON, Blackhat, Shmoocon, EnFuse, ISSA Summits, ISACA Summits, SANS Summits, and Distributech.  He has also presented security topics to a number of Fortune 100 executives.

Jake is also a two-time victor at the annual DC3 Digital Forensics Challenge. He drew on his passion for hands-on capture-the-flag events to design the critically acclaimed NetWars challenges for the SANS malware reversing and memory forensics courses.

Qualifications Summary:

GIAC Certifications:

  • GIAC Security Expert (GSE), March 2016
  • GIAC Security Essentials Certification (GSEC), June 2015
  • GIAC Exploit Researcher and Advanced Penetration Tester (GXPN), March 2015
  • GIAC Certified Forensic Analyst (GCFA), October 2013
  • GIAC Penetration Tester (GPEN), January 2013
  • GIAC Certified Incident Handler (GCIH), January 2013
  • GIAC Certified Intrusion Analyst (GCIA), December 2012
  • GIAC Certified Windows Security Administrator (GCWN), November 2012
  • GIAC Reverse Engineering Malware (GREM), October 2012
  • GIAC Certified Forensic Examiner (GCFE), September 2012
  • GIAC Systems and Network Auditor (GSNA), February 2012

Here's What Students Are Saying about SANS Certified Instructor Jake Williams:

  • "Jake's teaching style and practical experience totally make the course." - Andrew Nelson, Chevron
  • "Jake is awesome! The experience is massive!" - Late Adodo Placca, iProcess International
  • "Provides great balance between structured analytical approaches and technical analysis." -  Ladell Marshall, Goldman Sachs
  • "Jake goes off-book in a good way, sharing useful tools & information in addition to the already-included useful tools & info." - Robin Stuart, Salesforce

View Upcoming Training for Jake Williams


Lenny Zeltser

Aptly called the "Yoda" of malware analysis by his students, Lenny Zeltser keeps his eye on the big picture and focuses on the sum of events rather than individual occurrences. He lives by that philosophy and brings it to his job and classroom.  "Even those professional moments that seem insignificant by themselves can be an important piece of the progressive journey that, hopefully, takes us toward our career objectives and honors our ideals," says Lenny. "And you may not even see the value in those moments until you look back on the path."

A seasoned business and technology leader with extensive information security expertise, Lenny started his professional journey in a variety of technical infosec roles before serving as the national lead of the U.S. security consulting practice at a major cloud services provider. Later in his career he oversaw a portfolio of security services at a Fortune 500 technology company. Today, as VP of Products at Minerva Labs, Lenny designs and builds creative anti-malware products. Lenny is also a senior instructor at SANS and the primary author of FOR610: Reverse-Engineering Malware: Malware Analysis Tools and Techniques, a course he designed as an on-ramp into the malware analysis field. The course helps students expand and systematize their approaches to examining malicious software using a variety of techniques.

"My goal is to make this topic as accessible to people as possible," says Lenny. "There is indeed much one needs to know to understand the inner workings of malicious code, but the good news is that people can begin learning how to do this work by building on the technical skills they already have, whether they are grounded in system administration, network security, software development or other aspects of IT."

Like many of his students, Lenny's career path began in an IT role, which lends unique strengths to his information security expertise.

"My first job in IT was Unix system administration, then I moved onto Windows sysadmin, and then I spent a bit of time on software development," Lenny explains. "I found myself gravitating toward the information security aspects of these jobs. For me, Infosec exists at the intersection of many disciplines, and working in this field allows me to make use of the skills and interests I've acquired across various aspects of IT."

Along the way, Lenny earned the prestigious GIAC Security Expert professional designation, and he currently serves on the Board of Directors of SANS Technology Institute. Lenny holds a bachelor's degree in computer science from the University of Pennsylvania and a master's in business administration from MIT Sloan.

A co-author of four books on malware, network security, and digital forensics, Lenny also developed the Linux toolkit REMnux to make it easier to use a variety of freely available malware analysis tools, many of which run well on Linux but can be difficult to find and install. REMnux has grown to become a very popular toolkit and today is used by malware analysts throughout the world. The FOR610 course that Lenny teaches covers many of the tools installed on REMnux.

Lenny gives his students more than technical tools, however, and he says that the most important lesson he teaches his students is: "You can do it."

"It's easy to get discouraged when you run into professional challenges that you're not equipped to handle," Lenny explains. "But when you participate in SANS training, you encounter many new tools and concepts that you will be able to attach to the techniques you already know from prior experience in the field. Much of what you learn will occur after you finish the course and begin applying the concepts to your work outside the classroom. I strive to give students the confidence and the core skills they need to keep learning about and curtailing malware threats even after the class ends."

In his free time, Lenny indulges his love of food both as chef and consumer. "Eating a delicious meal in good company is always time well spent for me," he says. Lenny also loves to cook as a way to clear his mind, disconnect from the day-to-day challenges of business and IT, and connect with family and friends. Lenny subscribes to several food and cooking magazines and enjoys experimenting with new recipes, ingredients, and spices. "Not everything I cook turns into a great dish - sometimes experiments lead towards unfavorable results - so I keep reminding myself to think about this process as a journey, not as a destination."

Qualifications Summary

  • Senior instructor and member of the Board of Directors at SANS
  • VP of Products & Advisory Board Member at Minerva Labs
  • Recipient of the GIAC Security Expert (GSE) professional designation
  • Co-author of several books on information security, including: Malware: Fighting Malicious Code, Inside Network Perimeter Security: The Definitive Guide to Firewalls, VPNs, Routers, and Intrusion Detection Systems, and CyberForensics: Understanding Information Security Investigations
  • Developed and maintains the REMnux Linux Distribution, a toolkit of free malware analysis tools that makes it easier to start analyzing malware
  • Has worked in the information security industry for more than two decades

This is what students are saying about Senior Instructor Lenny Zeltser:

  • "Lenny presented a wealth of knowledge, tied it together smoothly, and I am leaving with exponentially more knowledge." - David Werden, NGIS
  • "Last week, myself and three of my associates attended SANS GREM training. Based on previous recommendations by prior students, we explicitly attended this session given Lenny was the instructor. As someone who has been responsible for development and delivery of training and education services, Lenny is the best instructor I have ever encountered in my professional life. His approachable demeanor, passion for the learning process, and empathy for his students was just as impressive as his mastery of the curriculum. This praise was unanimous among my three associates." - Colin Sheppard, Vice President of Cyber Security & Fraud, International at First Data Corporation
  • "Lenny is one of the reasons why it's fun to be in the information security community. His extraordinary intellect and talent for research and innovation is matched by his communication and teaching skills. He's a fantastic writer and a wonderful instructor who has mastered the ability to teach complex concepts in a very approachable manner. Lenny is also one of the nicest people you'll ever run into in our field or any other." - Eric Huber, Cyber Fraud Subject-Matter Expert
  • "Lenny Zeltser is another one of those people you read about in magazines and think 'Man, I wish I was that guy.' A true leader in information security and a great guy all around. Lenny once actually paid me a compliment when I was teaching for SANS, along the lines of being inspired at the time by me being one of the folks who happily stood up to teach in front of large crowds (we were both new to the game at the time). I found this humorous since I felt only awe at his own amount of knowledge. I still have the copy of Network Perimeter Security, which he personally sent me to get my opinion of it. I recall that I didn't end up providing my feedback since I felt beneath the ability to comment on it at the time!" - Ed Luck, Principal Consultant, Solutions at Dimension Data
  • "I was part of the group that attended and reviewed Lenny's try-out session as a SANS instructor, and was blown away by the energy, expertise, and focus he displayed. Where others have at times failed to properly handle interruptions, especially from people who were trying to lead them astray and/or force them to stumble, Lenny remained focused, put the interrupter nicely but firmly in his place, and postponed further discussion to the Q&A session at the end of the class. When audience members asked targeted questions, inquiring about their understanding of recent developments in information security, he was able to elaborate on each of the topics and help them improve their grasp on various hot topics. Lenny displays lots of dedication, is very intelligent, has a solid grasp of information security, and is capable of explaining complicated technical concepts in easily understandable terms." - Roland Grefer, Principal, Global Support Services Group

View Upcoming Training for Lenny Zeltser


Eric Zimmerman

When Eric Zimmerman was a Special Agent with the FBI, one of his responsibilities was managing on-scene triage. He identified several gaps in an existing process and started creating solutions to address them. What began as building and expanding a few live response tools took Eric down a path that eventually led to him writing more than 50 programs that are now used by nearly 8,800 law enforcement officers in over 80 countries.

Much of Eric's work involved designing and building software related to investigations of sexual abuse of children. In a single year, Eric's programs led to the rescue of hundreds of these children. As a result, in May 2012, Eric was given a National Center for Missing and Exploited Children's Award, which honors outstanding law enforcement professionals who have performed above and beyond the call of duty. Eric was also presented with the U.S. Attorney's Award for Excellence in Law Enforcement in 2013.

Today, Eric serves as a Senior Director at Kroll in the company's cybersecurity and investigations practice. At SANS, he teaches the FOR508: Advanced Digital Forensics, Incident Response and Threat Hunting course, and is a two-time winner of the SANS DFIR NetWars Tournament (2014, 2015). Eric is also the award-winning author of X-Ways Forensics Practitioner's Guide, and has created many world-class, open-source forensic tools.

Eric is a sought-after instructor and speaker who brings expertise in the cyber realm, complex law enforcement investigations, computer forensics, expert witness testimony, computer systems design, and application architecture to his work and classroom.  

"I enjoy teaching this material because of how much potential there is in it to move cases forward quickly," says Eric. "With the pace at which computer storage continues to grow, it will become more and more important for people to understand the most cost-effective artifacts and techniques so these can be leveraged to move through data more quickly."

Eric's teaching philosophy focuses on the long-term gains achieved by not only understanding the nuts and bolts of how to run a tool and consume output, but also getting a deeper understanding of how tools work "under the hood." Those "a-ha" moments are what have kept Eric coming back to the classroom since 2008. His focus on understanding the big picture of digital forensics prepares students to perform better analysis, do new research of their own, and identify the best tools or techniques to perform successful investigations - all skills that will have a lifelong impact.

And even though work brings him great rewards, Eric understands the value of work/life balance. In his spare time, he enjoys spending time with his family, hiking, going to amusement parks with his two sons, and even fitting in a bit of video gaming when possible.

Qualifications Summary: 

  • Former Federal Bureau of Investigation (FBI) Special Agent
  • Creates and maintains many free world-class, open-source forensic tools
  • Award-winning author of X-Ways Forensics Practitioner's Guide
  • Recipient of the National Center for Missing and Exploited Children's Award and the U.S. Attorney's Award for Excellence in Law Enforcement

Here's What Students Are Saying about Eric Zimmerman:

  • "It is easy to see how much passion Eric has for the topics he teaches" - Ken Saganowski, Kroll
  • "Deep knowledge - insightful. Gets questions answered thoroughly." - Daniel Lightfoot, PennyMac
  • "Good pace and content, he emphasis on important points." - Rueben Rubio, Lord Abbett
  • "Eric epitomizes what it means to be a subject matter expert in this field. He really knows this material inside and out. Thank you for the high quality training." - Daniel Huynh

View Upcoming Training for Eric Zimmerman


To see more information about SANS DFIR Instructors click here.

ICS Courses Instructor List


Eric Cornelius

Eric Cornelius is the Director of Critical Infrastructure and Industrial Control Systems (ICS) at Cylance, Inc. where he is responsible for thought leadership, architecture, and consulting implementations. Eric brings a wealth of ICS knowledge and his leadership keeps organizations safe, secure, and resilient against advanced attackers. 
 
Previously, Eric served as the Deputy Director and Chief Technical Analyst for the Control Systems Security Program at the US Department of Homeland Security. 
 
Eric earned a bachelor's degree from the New Mexico Institute of Mining and Technology where he was the recipient of many scholarships and awards including the National Science Foundation's Scholarship for Service. 
 
Eric went on to work at the Army Research Laboratory's Survivability/Lethality Analysis Directorate where he worked to secure field-deployable combat technologies. It was at ARL that Cornelius became interested in non-traditional computing systems, an interest which ultimately led him to the Idaho National Laboratory where he participated in deep-dive vulnerability assessments of a wide range of ICS systems. 
 
Eric is the co-author of "Recommended Practice: Creating Cyber Forensics Plans for Control Systems" as part of the DHS National Cyber Security Division, Control Systems Security Program, 2008 and is also a frequent speaker and instructor at ICS events across the globe.

View Upcoming Training for Eric Cornelius


Robert M. Lee

SANS certified instructor Robert M. Lee brings to the classroom one of the most valuable and respected of credentials: real-world experience. Robert is the CEO and founder of his own company, Dragos, Inc., which provides cyber security solutions for industrial control system networks. Consider the 2015 attack on the Ukraine power grid, when for the first time in history a power grid went down due to an intentional cyberattack. Robert and a few others formed a specialized team to analyze the event and passed information to the impacted parties as well as the U.S. government and private sector. "I was the first in the industry to publicly confirm the attack and wrote the industry standard report on the attack exploring how it occurred, the lessons learned, and what must be done to protect other infrastructure sites," Robert says. He and his team also analyzed the malware from the 2016 cyber attack on Ukraine's Kiev substation and dubbed it CRASHOVERRIDE, the first ever malware tailored specifically to disrupt electric grid operations.

That experience is what forms his teaching philosophy. "I make it my teaching philosophy to constantly bring in new material into the classroom through my personal experiences and the successes and failures of those I've seen in the industry," says Robert. This augments the traditional classroom material students receive to ensure they get the most relevant and cutting-edge concepts in the industry. But Robert's real-world experience also keeps things interesting. "I enjoy telling and sharing in case studies and stories from the field, looping in bigger concepts into the technical material, and setting a humorous tone so that no matter the seriousness of the topic we all have fun together."

Robert got his start in information security making small control systems for humanitarian missions. He joined the United States Air Force and became a cyberspace warfare operations officer in the U.S. intelligence community. In that role, he created and led a mission examining nation-states targeting ICS, the first mission of its kind in the U.S. intelligence community. For Robert, that intermixing of defense, intrusion analysis, and threat intelligence provided the ultimate thrill.

Robert has worked offense, defense, and intelligence in various government teams. "My time on the offense helped me better appreciate defense and how sometimes we simply get it wrong: defense is not necessarily harder than offense and there are many opportunities we have to defend and make the world a better place," he says.

Robert joined SANS for myriad reasons. He had long been aware of the organization, and followed the career and work of SANS fellow and DFIR curriculum lead Rob Lee. Ongoing encouragement from a number of friends and colleagues, such as Dave Shackleford, to attend SANS conferences and consider teaching also convinced him to give SANS a shot. His first pitch - a five-day class on identifying and responding to industrial control systems (ICS) attacks - was well-received, and as Robert says, "the rest is history." Today he teaches SANS ICS515: ICS Active Defense and Incident Response, the industry's first and only incident response and threat hunting class for ICS, and FOR578: Cyber Threat Intelligence, the industry standard course for threat intelligence training. "The SANS family is amazing, the students are world class, and teaching is what keeps me constantly refreshed and excited in the industry."

In fact, authoring ICS515 and FOR578 has been a highlight of his career, Robert says. Industrial control system security and cyber threat intelligence are both exciting topics that attract a lot of hype and misconceptions. "I love destroying hype while giving the students the most blunt and actionable information possible," Robert explains, adding that his experience "gives me a robust view into the problem space and the solutions needed at various levels. My experiences and hard work have afforded me the chance to significantly advance students' skill sets and the way they view the problem."

Central to helping students succeed in their day-to-day careers is ensuring that they understand the big picture, Robert says. That's more than just understanding what command to run on a specific tool or how to use that tool during an incident. It's about knowing what the larger context of a security strategy is, all its moving pieces, and how to use analysis to help fill knowledge gaps. "This ensures that students who take my classes are not only technically prepared but are also prepared to think differently about the hard challenges their organizations must face when facing the adversary," says Robert.

Robert has a master's degree in cybersecurity and computer forensics from Utica College as well as cyber and warfare training through the U.S. Air Force, and he's pursuing his doctorate in war studies from King's College London. He was named one of Forbes' 30 under 30 in Enterprise Technology in 2016, was awarded EnergySec's 2015 Cyber Security Professional of the Year and named one of Passcode's "Influencers."

Outside of teaching, Robert enjoys running his company Dragos and working with customers in the industrial community. "It allows me to constantly stay relevant, challenge and grow my skills, and directly help people." He also enjoys writing papers and blogs for the industry, and looks for opportunities to travel, snowboard, and play a Steam game or two whenever he can.

Awards and Honors

  • 2016: Forbes' 30 under 30 in the area of Enterprise Technology
  • 2015: Energy Sector Cyber Security Professional of the Year, awarded by EnergySec
  • 2014: Colonel Sparky Baird Award, awarded by AFCEA
  • 2014: Air Force Association Gill Robb Wilson Award - Air Force Nominee
  • 2013: Air Force Association Gill Robb Wilson Award - Air Force Nominee
  • 2013: AF Information Dominance Award for Outstanding Cyberspace Operations CGO - 693 ISR Gp
  • 2013: Junior Officer (Operator Category) of the Year - Europe/Africa
  • 2013: Military Performer of the Year - Threat Operations Center
  • 2013: CGO of the Year - 693d ISR Gp
  • 2012: Distinguished Young AFCEAN Officer - Central Europe
  • 2012: Outstanding ISR Officer Contributor of the Year - 693rd ISR Group
  • 2011: AFCEA Intelligence Professional of the Year - 693 ISR Group

Student Quotes

  • "Real-world practical insight and the technical skills and tools to create meaningful change." - Billy Glen, Pacific Gas & Electric
  • "Great teaching style - humor - keeps the atmosphere light." - Tim Sanguinett, NCPA
  • "Good pace, kept things moving, stayed enthusiastic the entire day." - Michael Nowatkowsk, Army Cyber Institute

View Upcoming Training for Robert M. Lee


Justin Searle

Justin Searle is a Managing Partner of UtiliSec, specializing in Smart Grid security architecture design and penetration testing. Justin led the Smart Grid Security Architecture group in the creation of NIST Interagency Report 7628 and played key roles in the Advanced Security Acceleration Project for the Smart Grid (ASAP-SG). He currently leads the testing group at the National Electric Sector Cybersecurity Organization Resources (NESCOR). Justin has taught courses in hacking techniques, forensics, networking, and intrusion detection for multiple universities, corporations, and security conferences. Mr. Searle is currently a Senior instructor for the SANS Institute. In addition to electric power industry conferences, Justin frequently presents at top international security conferences such as Black Hat, DEFCON, OWASP, Nullcon, and AusCERT. Justin co-leads prominent open source projects including the Samurai Web Testing Framework (SamuraiWTF), the Samurai Security Testing Framework for Utilities (SamuraiSTFU), Middler, Yokoso!, and Laudanum. Justin has an MBA in International Technology and is a CISSP and SANS GIAC certified Incident Handler (GCIH), Intrusion Analyst (GCIA), and Web Application Penetration Tester (GWAPT).

View Upcoming Training for Justin Searle


To see more information about SANS ICS Instructors click here.

IT Audit Courses Instructor List


Chris Christianson

Chris Christianson is an Information Security Consultant based in Northern California, with 20 years of experience and many technical certifications including the GSEC, GCIH, GCIA, GREM, GPEN, GWAPT, GCCC, GISF, GCED, CISSP, CCSE, CCDP, CCNP, IAM, CEH, and IEM. He holds a Bachelor of Science in Management Information Systems from University of Atlanta. Before starting his own information security consulting practice, he worked at Travis Credit Union for 21 years. His last role there was Assistant Vice President in the Information Technology department (December 2012 - January 2016). Chris has also been an expert speaker at conferences and a contributor to numerous industry articles.

Blog: www.ismellpackets.com

View Upcoming Training for Chris Christianson


Russell Eubanks

Russell Eubanks is Vice President and Chief Information Security Officer for the Federal Reserve Bank of Atlanta. He is responsible for developing and executing the Information Security strategy for both the Retail Payments Office and the Atlanta Reserve Bank. Russell has developed information security programs from the ground up and actively seeks opportunities to measurably increase their overall security posture.

Russell is a Handler for the SANS Internet Storm Center, serves on the Editorial Panel for the Critical Security Controls, and maintains securityeverafter.com. He holds a bachelor's degree in computer science from the University of Tennessee at Chattanooga.

View Upcoming Training for Russell Eubanks


David Hoelzer

David Hoelzer is the author of more than twenty days of SANS courseware. He is an expert in a variety of information security fields, having served in most major roles in the IT and security industries over the past twenty-five years. Recently, David was called upon to serve as an expert witness for the Consumer Financial Protection Bureau in a landmark case regarding information security governance within corporations in the financial sector and has previously served as an expert for the Federal Trade Commission for GLBA Privacy Rule litigation and other matters. David has been highly involved in governance at SANS Technology Institute, serving as a member of the Curriculum Committee, Long Range Planning Committee, GIAC Ethics Board, and as Dean of Faculty. As a SANS instructor, David has trained security professionals from organizations including NSA, DHHS, Fortune 500 security engineers and managers, various Department of Defense sites, national laboratories, and many colleges and universities. Outside of SANS, David is a research fellow in the Center for Cybermedia Research, a research fellow for the Identity Theft and Financial Fraud Research Operations Center (ITFF/ROC), an adjunct research associate of the UNLV Cybermedia Research Lab, a research fellow with the Internet Forensics Lab, and an adjunct lecturer in the UNLV School of Informatics. David has written and contributed to more than 15 peer reviewed books, publications, and journal articles. Currently, David serves as the principal examiner and director of research for Enclave Forensics, a New York/Las Vegas based incident response and forensics company. He also serves as the chief information security officer for Cyber-Defense, an open-source security software solution provider. In the past, David served as the director of the GIAC Certification program, bringing the GIAC Security Expert certification to life. 
David holds a BS in IT and an MS in Computer Science, having spent time either attending or consulting for Stony Brook University, Binghamton University, and American Intercontinental University.

View Upcoming Training for David Hoelzer


Clay Risenhoover

Clay is the president of Risenhoover Consulting, Inc., an IT management consulting firm based in Durant, Oklahoma. Founded in 2003, RCI provides IT audit and IT management consulting services to clients in multiple sectors. Clay's past experience includes positions in software development, technical training, LAN and WAN operations, and IT management in both the private and public sector. He has a master's degree in computer science and holds a number of technical and security certifications, including GPEN, GSNA, CISA, CISM, GWEB and CISSP.

View Upcoming Training for Clay Risenhoover


James Tarala

James Tarala is a principal consultant with Enclave Security and is based out of Venice, Florida. He is a regular speaker and senior instructor with the SANS Institute as well as a courseware author and editor for many SANS auditing and security courses. As a consultant, he has spent the past few years architecting large enterprise IT security and infrastructure architectures, specifically working with many Microsoft-based directory services, e-mail, terminal services, and wireless technologies. He has also spent a large amount of time consulting with organizations to assist them in their security management, operational practices, and regulatory compliance issues, and he often performs independent security audits and assists internal audit groups in developing their internal audit programs. James completed his undergraduate studies at Philadelphia Biblical University and his graduate work at the University of Maryland. He holds numerous professional certifications.

View Upcoming Training for James Tarala


To see more information about SANS IT Audit Instructors click here.

Pen Test Courses Instructor List


Steve Armstrong

Steve began working in the security arena in 1994 whilst serving in the UK Royal Air Force. He specialized in the technical aspects of IT security from 1997 onward, and before retiring from active duty, he led the RAF's penetration and TEMPEST testing teams. He founded Logically Secure in 2006 to provide specialist security advice to government departments, defense contractors, the online video gaming industry, and both music and film labels worldwide.

When not teaching for SANS, Steve provides penetration testing and incident response services for some of the biggest household names in gaming and music media. To relax, Steve enjoys playing Battlefield to loud music and developing collaborative DFIR tools.

"Steve Armstrong's energy is contagious. Although the day was long, I felt alert and engaged at all times." - Amr Zakaa Khalife, Vodafone Egypt

View Upcoming Training for Steve Armstrong


Mark Baggett

Mark Baggett is the owner of Indepth Defense, an independent consulting firm that offers incident response and penetration testing services. Mark has more than 28 years of commercial and government experience ranging from Software Developer to Chief Information Security Officer. Mark is a Senior Instructor for The SANS Institute and the author of the Python for Penetration Testers course (SEC573). Mark has a Master's Degree in Information Security Engineering and many industry certifications, including being the 15th person in the world to receive the prestigious GIAC Security Expert certification (GSE). Mark is very active in the information security community. Mark is the founding president of The Greater Augusta ISSA (Information Systems Security Association) chapter, which has been extremely successful in bringing networking and educational opportunities to Augusta Information Technology workers. Since January 2011, Mark has served as the Technical Advisor to the DoD for SANS, where he assists various government organizations in the development of information security capabilities.

Mark's teaching style is very relevant and sets an atmosphere where you are excited to learn. - Jeff Turner, Lexis Nexis Risk Solutions

View Upcoming Training for Mark Baggett


George Bakos

George Bakos has been interested in computer security since the early 1980s when he discovered the joys of BBSs and corporate databases. These days he is Technical Fellow & Manager of Cyber Threat Assessment & Awareness at Northrop Grumman, a global leader in Cybersecurity, Aerospace & Defense. While at the Institute for Security Technology Studies, George was the developer of Tiny Honeypot and the IDABench intrusion analysis system and led the Dartmouth Distributed Honeynet System, fielding deception systems and studying the actions of attackers worldwide. He developed and taught the U.S. Army National Guard's CERT technical curriculum and ran the NGB's Information Operations Training and Development Center research lab for two years, fielding and supporting Computer Emergency Response Teams throughout the United States. A recognized authority in computer security, he has contributed to numerous books and open source software projects; has been interviewed on radio, television, and online publications; briefed the highest levels of government; and has been a member of the SANS Institute teaching faculty since 2001. Outside the lab, George enjoys the beauties of his home state, Vermont, through skiing, ice and rock climbing, and mountain biking.

George teaches you practical skills and provides real-world examples of IT security issues. - Mark Lian, Northrop Grumman

View Upcoming Training for George Bakos


Chris Christianson

Chris Christianson is an Information Security Consultant based in Northern California, with 20 years of experience and many technical certifications including the GSEC, GCIH, GCIA, GREM, GPEN, GWAPT, GCCC, GISF, GCED, CISSP, CCSE, CCDP, CCNP, IAM, CEH, and IEM. He holds a Bachelor of Science in Management Information Systems from University of Atlanta. Before starting his own information security consulting services, he worked at Travis Credit Union for 21 years. His last role there was Assistant Vice President in the Information Technology department (December 2012 - January 2016). Chris has also been an expert speaker at conferences and a contributor to numerous industry articles.

Blog: www.ismellpackets.com

View Upcoming Training for Chris Christianson


Dr. Eric Cole

Dr. Cole is an industry-recognized security expert with over 20 years of hands-on experience. Dr. Cole has experience in information technology, with an emphasis on helping customers focus on the right areas of security by building out a dynamic defense. Dr. Cole has a master's degree in computer science from NYIT and a doctorate from Pace University with a concentration in information security. He served as CTO of McAfee and Chief Scientist for Lockheed Martin. Dr. Cole is the author of several books, including Advanced Persistent Threat, Hackers Beware, Hiding in Plain Sight, Network Security Bible 2nd Edition, and Insider Threat. He is the inventor of over 20 patents and is a researcher, writer, and speaker. He is also a member of the Commission on Cyber Security for the 44th President and several executive advisory boards. Dr. Cole is the founder and an executive leader at Secure Anchor Consulting, where he provides leading-edge cyber security consulting services and expert witness work, and leads research and development initiatives to advance the state of the art in information systems security. Dr. Cole was the lone inductee into the InfoSec European Hall of Fame in 2014. Dr. Cole is actively involved with the SANS Technology Institute (STI) and is a SANS faculty Fellow and course author who works with students, teaches, and develops and maintains courseware.

View Upcoming Training for Dr. Eric Cole


Pieter Danhieux

Pieter Danhieux is a certified instructor for the SANS Institute, teaching military, government, and private organizations offensive techniques on how to target and assess organizations, systems, and individuals for security weaknesses. He is also one of the founders of the security and hacking conference BruCON in Belgium.

Pieter has worked in the cyber security space since 2002. He was one of the youngest persons ever in Belgium to obtain the Certified Information Systems Security Professional (CISSP) certification. He then obtained the Certified Information Systems Auditor (CISA) and the GIAC Certified Forensics Analyst program (GCFA) and is currently one of the select few people worldwide to hold the GIAC Security Expert (GSE) certification.

Pieter is Co-founder and Chief Architect of the Secure Code Warrior platform (http://www.securecodewarrior.com), a gamified environment where developers and security testers can learn how to properly identify and fix security weaknesses in software. Until January 2015, he was part of the leadership at BAE Systems APAC in his role as Head of Delivery of the Applied Intelligence business unit. Before that, Pieter worked for seven years at Ernst & Young in Europe as one of their information security experts running a team of attack and penetration resources operating in the financial industry and telecommunication space.

SANS is by far the best hands-on training. Peter is very knowledgeable and knows how to transfer that to students. - Rob Brabers, Sincerus

View Upcoming Training for Pieter Danhieux


Adrien de Beaupre

Adrien de Beaupre is a certified SANS instructor and works as an independent consultant in beautiful Ottawa, Ontario. His work experience includes technical instruction, vulnerability assessment, penetration testing, intrusion detection, incident response and forensic analysis. He is a member of the SANS Internet Storm Center (isc.sans.edu). He is actively involved with the information security community, and has been working with SANS since 2000. Adrien holds a variety of certifications including the GXPN, GPEN, GWAPT, GCIH, GCIA, GSEC, CISSP, OPST, and OPSA. When not geeking out he can be found with his family, or at the dojo.

Web: www.intru-shun.ca

View Upcoming Training for Adrien de Beaupre


Ted Demopoulos

Ted Demopoulos' first significant exposure to computers was in 1977 when he had unlimited access to his high school's PDP-11 and hacked at it incessantly. He consequently almost flunked out but learned he liked playing with computers a lot.

His business pursuits began in college and have been continuous ever since. His background includes over 25 years of experience in information security and business, including 20+ years as an independent consultant.

Ted helped start a successful information security company, was the CTO at a "textbook failure" of a software startup, and has advised several other businesses. Ted is a frequent speaker at conferences and other events, quoted often by the press, the recipient of a Department of Defense Award of Excellence, and the author of several books including the recent Infosec Rock Star: How to Accelerate Your Career Because Geek Will Only Get You So Far.

In his spare time, he is also a food and wine geek, enjoys flyfishing and playing with his children.

View Upcoming Training for Ted Demopoulos


Mick Douglas

Even when his job title has indicated otherwise, Mick Douglas has been doing information security work for over 10 years. He received a bachelor's degree in communications from Ohio State University. He is the managing partner for InfoSec Innovations.

He is always excited for the opportunity to share with others so they do not have to learn the hard way! By studying with Mick, security professionals of all abilities will gain useful tools and skills that should make their jobs easier. When he's not "geeking out" you'll likely find Mick indulging in one of his numerous hobbies: photography, scuba diving, or hanging around in the great outdoors.

"Mick does an excellent job of delivering the material. His interest in and passion for this class is obvious." - Matt Steinberg

"Priceless information! Best instructor ever." - Mat Rose, capgemini-gs

View Upcoming Training for Mick Douglas


Kevin Fiscus

Kevin Fiscus is the founder of and lead consultant for Cyber Defense Advisors where he performs security and risk assessments, vulnerability and penetration testing, security program design, policy development, and security awareness with a focus on serving the needs of small and mid-sized organizations. Kevin has over 20 years of IT experience and has focused exclusively on information security for the past 12. Kevin currently holds the CISA, GPEN, GREM, GMOB, GCED, GCFA-Gold, GCIA-Gold, GCIH, GAWN, GPPA, GCWN, GCSC-Gold, GSEC, SCSA, RCSE, and SnortCP certifications and is proud to have earned the top information security certification in the industry, the GIAC Security Expert. Kevin has also achieved the distinctive title of SANS Cyber Guardian for both red team and blue team. Kevin has taught many of SANS's most popular classes including SEC401, SEC464, SEC503, SEC504, SEC542, SEC560, SEC561, SEC575, FOR508, and MGT414.

You can reach Kevin on Twitter @kevinbfiscus or on LinkedIn at http://www.linkedin.com/in/kevinbfiscus.

Kevin Fiscus is one of the best instructors I have seen! Great find SANS! - David Hoid, Employers Holdings

View Upcoming Training for Kevin Fiscus


Bryce Galbraith

"The world isn't run by weapons anymore, or energy, or money. It's run by little ones and zeroes, little bits of data. It's all just electrons." -- Cosmo, from "Sneakers"

As a contributing author of the internationally bestselling book Hacking Exposed: Network Security Secrets & Solutions, Bryce helped bring the secret world of hacking out of the darkness and into the public eye. Bryce has held security positions at global ISPs and Fortune 500 companies; he was a member of Foundstone's renowned penetration testing team and served as a senior instructor and co-author of Foundstone's Ultimate Hacking: Hands-On course series. Bryce is currently the owner of Layered Security, where he provides specialized vulnerability assessment and penetration testing services for clients. He teaches several of the SANS Institute's most popular courses and develops curriculum around current topics. He has taught the art of ethical hacking and countermeasures to thousands of IT professionals from a who's who of top companies, financial institutions, and government agencies around the globe. Bryce is an active member of several security-related organizations, holds several security certifications, and speaks at conferences around the world.

Bryce is an excellent instructor. His knowledge and delivery are exceptional. - Chris Shipp, DM Petroleum Operations Co.

View Upcoming Training for Bryce Galbraith


Tim Garcia

Timothy Garcia is a seasoned security professional who loves the challenge and continuously changing landscape of defense. Tim started his career as an engineer in IT, and after working on a few security incidents related to Code Red and Nimda, he realized he had found his calling. Tim currently works as an Information Security Engineer for a Fortune 100 financial institution, where he provides security consulting to project teams to ensure security of IT operations and compliance with policies and regulations. Tim also leads the team that is tasked with firewall review, SIEM management, and privileged access monitoring and policy compliance. Tim has worked as a Systems Engineer and DBA and has expertise in systems engineering, project management, and information security principles and procedures/compliance. Tim previously worked for Intel and served in the United States Navy. Tim also works with the OnDemand team as an SME, is a mentor for the Vet Success program, and provides consulting and content review for the Securing the Human project within SANS. Tim is a contributor to the Arizona Cyber Warfare Range and, when not teaching for SANS, works with the local security community giving monthly talks on information security tools and techniques.

Tim is as passionate about teaching security as he is performing it and receives the greatest joy when he sees the look in a student's eye when something they never quite understood finally makes sense.

Tim holds the CISSP, GSEC, GSLC, GISF, GMON, GAWN, GCCC, and GCED as well as the NSA-IAM certifications. He has extensive knowledge of security procedures and legislation such as Sarbanes-Oxley, GLBA, CobiT, COSO, and ISO 1779.

When Tim is not defending systems, he enjoys playing sports, snowboarding and most of all spending time with his wife and four children.

View Upcoming Training for Tim Garcia


Paul A. Henry

Paul Henry is a Senior Instructor with the SANS Institute and one of the world's foremost global information security and computer forensic experts with more than 30 years of experience covering all 10 domains of network security. Paul began his career in critical infrastructure / process control supporting power generation and currently manages security initiatives and incident response for Global 2000 enterprises and government organizations worldwide.

Paul is a principal at vNet Security, LLC and is keeping a finger on the pulse of network security as the security and forensic analyst at Lumension Security and as a retained security expert for multiple financial and healthcare firms.

Throughout his career, Paul has played a key strategic role in launching new network security initiatives to meet our ever-changing threat landscape. Paul also advises and consults on some of the world's most challenging and high-risk information security projects, including the National Banking System in Saudi Arabia, the Reserve Bank of Australia, the Department of Defense's Satellite Data Project (USA), and both government as well as telecommunications projects throughout Southeast Asia.

Paul is frequently cited by major and trade print publications as an expert in perimeter security, incident response / computer forensics and general security trends and serves as an expert commentator for network broadcast outlets, such as FOX, NBC, CNN, and CNBC. In addition, Paul regularly authors thought leadership articles on technical security issues, and his expertise and insight help shape the editorial direction of key security publications, such as the Information Security Management Handbook, where he is a consistent contributor. Paul serves as a featured and keynote speaker at seminars and conferences worldwide, delivering presentations on diverse topics including anti-forensics, network access control, cyber crime, DDoS attack risk mitigation, perimeter security, and incident response.

Listen to Paul discuss "Incident Response and Forensics in the Cloud" in this SANS webcast that every DFIR professional should listen to.

View Upcoming Training for Paul A. Henry


Moses Hernandez

Moses Hernandez is a seasoned security professional with over 15 years in the IT industry. He has held positions as a network engineer, network architect, security architect, platform engineer, site reliability engineer, and consulting sales engineer. He has a background in complex network systems, systems administration, forensics, penetration testing, and development. He has worked with some of the largest companies in the nation as well as fast-growing, bootstrap startups.

Moses has developed information security regimens safeguarding some of the most sensitive personal data in the nation. He creates custom security software to find and mitigate unknown threats, and works on continually evolving his penetration testing skills. He enjoys building software, networks, systems, and working with business-minded individuals.

Moses's current passions include offensive forensics, building secure systems, finance, economics, history, and music.

View Upcoming Training for Moses Hernandez


Micah Hoffman

Micah Hoffman has been working in the information technology field since 1998 supporting federal government, commercial, and internal customers in their searches to discover and quantify information security weaknesses within their organizations. He leverages years of hands-on, real-world penetration testing and incident response experience to provide excellent solutions to his customers. Micah holds GIAC's GMON, GAWN, GWAPT, and GPEN certifications as well as the CISSP and is a SANS Certified Instructor.

Micah is an active member in the NoVAHackers community, writes Recon-ng modules, and enjoys tackling issues with the Python scripting language. When not working, teaching, or learning, Micah can be found hiking or backpacking on the Appalachian Trail or the many park trails in Maryland. Catch him on Twitter @WebBreacher.

"Great instructor, well spoken, excitable about the subject." - Gharrett Worku, Paycom

"Micah's delivery was entertaining and engaging." - Paul Ryan, GDIT

"Instructor keeps students engaged. Provides assistance when needed, excellent attitude." - Nathan Peterson

"Good pace - good depth of knowledge." - Robert Smith, Intel Corp

View Upcoming Training for Micah Hoffman


James Lyne

James Lyne is Global Head of Security Research at the security firm Sophos. He is a self-professed 'massive geek' and has technical expertise spanning a variety of the security domains from forensics to offensive security. James has worked with many organisations on security strategy, handled a number of severe incidents and is a frequent industry advisor. He is a certified instructor at the SANS Institute and is often a headline presenter at industry conferences.

James firmly believes that one of the biggest challenges we face is in making security accessible and interesting to those outside the industry. As a result, he takes every opportunity to educate on security threats and best practice - always featuring live demonstrations and scenarios of how cyber criminals operate in the real world.

James has given multiple TED talks, including at the main TED event. He's also appeared on a long list of national TV programmes to educate the public, including CNN, NBC, BBC News, Bill Maher and John Oliver. As a spokesperson for the industry, he is passionate about talent development, regularly participating in initiatives to identify and develop new talent for the industry.

James Lyne made this course a tremendous experience. James made it his personal mission to make sure he carried everyone with him no matter what their skill level is. Outstanding! - S. Khan, EADS-NA

View Upcoming Training for James Lyne


Tim Medin


Tim Medin is the founder of Red Siege, a company focused on adversary emulation and penetration testing. Through the course of his career, Tim has performed penetration tests on a wide range of organizations and technologies. He gained information security experience in a variety of industries, including previous positions in control systems, higher education, financial services, and manufacturing. Tim is an experienced international speaker, having presented to organizations around the world. Tim is also the creator of Kerberoasting, a technique to extract Kerberos tickets in order to attack the passwords of enterprise service accounts offline. He is also a project lead of the Laudanum project.

"Tim is a great instructor, I really enjoyed the live demos and the style of his teaching. He really keeps you engaged." - Drew Davis, Rook Security

View Upcoming Training for Tim Medin


David R. Miller

David has been a network engineer, consultant, security designer and architect, author, and technical instructor since the early 1980s and has specialized in IT security and compliance work in recent years. David is a certified instructor for The SANS Institute and has been an instructor with SANS since 2012. David is the lead instructor for the CISSP certification course, and his students consistently rate David's lectures as excellent. A recent survey showed that approximately 93% of the students attending his CISSP classes passed the very challenging 6-hour certification exam on their first attempt. David has lectured on information systems security, compliance, and network engineering to prestigious groups including The Smithsonian Institute, the U.S. Military Academy at West Point, the U.S. Army Advanced Battle Command, the U.S. Navy Seventh Fleet, the U.S. Department of the Interior, Cisco Systems, Inc., Oracle Corporation, Symantec Corporation, Hewlett-Packard Company, and JP Morgan Chase & Co. Global Financial Services, to name a few.

In addition to writing and lecturing, David routinely works as an IT security and compliance consultant, performing gap analysis and remediation services largely focused on the Payment Card Industry Data Security Standard (PCI-DSS, credit card data) and the Healthcare Information Portability and Accountability Act (HIPAA, patients' medical information) for medical practices. He is a Qualified Security Assessor of PCI and a Microsoft Subject Matter Expert on the Windows Active Directory enterprise network operating system platform. He works as a security designer and architect with Dell SecureWorks security consulting.

David is an author, a lecturer, and technical editor of books, curriculum, certification exams and computer based training videos. He has had ten books published to date, with five of them focused on IT security, and the others targeting enterprise level network engineering, network architecture, and operating system administration.

View Upcoming Training for David R. Miller


Michael Murr

Michael has been a forensic analyst with Code-X Technologies for over five years, has conducted numerous investigations and computer forensic examinations, and has performed specialized research and development. Michael has taught SANS SEC504: Hacker Techniques, Exploits, and Incident Handling, SANS FOR508: Computer Forensics, Investigation, and Response, and SANS FOR610: Reverse-Engineering Malware; has led SANS Online Training courses and is a member of the GIAC Advisory Board. Currently, Michael is working on an open-source framework for developing digital forensics applications. Michael holds the GCIH, GCFA, and GREM certifications and has a degree in computer science from California State University at Channel Islands. Michael also blogs about digital forensics on his forensic computing blog.

View Upcoming Training for Michael Murr


Keith Palmgren

Keith Palmgren is a cybersecurity professional with over 30 years of experience specializing in the IT security field. He is a SANS Senior Instructor and the author of SANS SEC301: "Introduction to Information Security."

Keith also runs a successful security consulting practice, working with corporate leadership and security staff to help lower their organization's risk. Keith divides his remaining time between freelance writing and his family.


Keith began his career in January 1985 with the U.S. Air Force, working with cryptographic keys and codes management. He also worked in what was, at the time, the newly formed Air Force computer security department. Following the Air Force, Keith joined AT&T/Lucent as a Senior Security Architect working on engagements with the DoD and the National Security Agency.

Later, as Security Consulting Practice Manager for Sprint, Keith built and ran the second largest security consulting practice of its time. He was responsible for all Sprint security consulting worldwide and for leading dozens of security professionals on many consulting engagements across all business spectrums.

During his career, Keith has authored 22 training courses. The American Council on Education certified seven of those courses as eligible for college credit.

Keith currently holds eleven computer security certifications (CISSP, GSEC, GCIH, GCED, GISF, CEH, Security+, Network+, A+, CTT+).

View Upcoming Training for Keith Palmgren


Larry Pesce

Larry is a Senior Security Analyst with InGuardians after a long stint in security and disaster recovery in healthcare, performing penetration testing, wireless assessments, and hardware hacking. He also diverts a significant portion of his attention to co-hosting the PaulDotCom Security Weekly podcast and likes to tinker with all things electronic and wireless, much to the disappointment of his family, friends, warranties, and his second Leatherman Multi-tool. Larry also co-authored Linksys WRT54G Ultimate Hacking and Using Wireshark and Ethereal from Syngress. Larry is an Extra Class Amateur Radio operator (KB1TNF) and enjoys developing hardware and real-world challenges for the Mid-Atlantic Collegiate Cyber Defense Challenge. He is also a SANS certified instructor.

SEC617 was great and I am still impressed with the consistency from Day 1-6 of Pesce keeping a high level of energy and knowledge throughout. - Philip Mein, JCCC

View Upcoming Training for Larry Pesce


Chris Pizor

Chris Pizor is a civilian employee working for the U.S. Air Force as the lead curriculum designer for cyber warfare operations training. Chris served on active duty in the USAF as a Network Intelligence Analyst before retiring in 2010. He was part of the initial cadre of the NSA Threat Operations Center and helped develop tactics to discover and eradicate intrusions into U.S. government systems. Chris has worked in the intelligence community for more than 20 years, including 12 years focused on cybersecurity. Over the course of his active duty career, Chris received multiple individual and team awards.

Chris is passionate about security and helping others advance their security knowledge, and he is continuously researching and refining his own skills so he can prepare U.S. airmen and women and other professionals to defend their vital networks and critical infrastructure.

Chris earned a bachelor's degree in intelligence studies and information operations from the American Military University and a master of science in cybersecurity from University of Maryland University College. He holds the GSEC, GCIA, GCIH, GPEN, GXPN, GCFA, GISP, and CISSP certifications.

Chris is also a recipient of the "General John P. Jumper Award for Excellence in Warfighting Integration" for Air Force Space Command. The General Jumper award recognizes individuals for sustained superior performance and outstanding contributions to the integration of Air Force or DoD warfighting and/or operations support capabilities that shorten the kill chain and/or enhance the decision cycle.

When Chris isn't working, he enjoys spending time with his wife and two young children, woodworking, and spending time outdoors.

View Upcoming Training for Chris Pizor


Justin Searle

Justin Searle is a Managing Partner of UtiliSec, specializing in Smart Grid security architecture design and penetration testing. Justin led the Smart Grid Security Architecture group in the creation of NIST Interagency Report 7628 and played key roles in the Advanced Security Acceleration Project for the Smart Grid (ASAP-SG). He currently leads the testing group at the National Electric Sector Cybersecurity Organization Resources (NESCOR). Justin has taught courses in hacking techniques, forensics, networking, and intrusion detection for multiple universities, corporations, and security conferences. Mr. Searle is currently a Senior instructor for the SANS Institute. In addition to electric power industry conferences, Justin frequently presents at top international security conferences such as Black Hat, DEFCON, OWASP, Nullcon, and AusCERT. Justin co-leads prominent open source projects including the Samurai Web Testing Framework (SamuraiWTF), the Samurai Security Testing Framework for Utilities (SamuraiSTFU), Middler, Yokoso!, and Laudanum. Justin has an MBA in International Technology and is a CISSP and SANS GIAC certified Incident Handler (GCIH), Intrusion Analyst (GCIA), and Web Application Penetration Tester (GWAPT).

View Upcoming Training for Justin Searle


Dave Shackleford

Dave Shackleford is the owner and principal consultant of Voodoo Security and a SANS analyst, senior instructor, and course author. He has consulted with hundreds of organizations in the areas of security, regulatory compliance, and network architecture and engineering, and is a VMware vExpert with extensive experience designing and configuring secure virtualized infrastructures. He has previously worked as CSO for Configuresoft, CTO for the Center for Internet Security, and as a security architect, analyst, and manager for several Fortune 500 companies. Dave is the author of the Sybex book Virtualization Security: Protecting Virtualized Environments, as well as the coauthor of Hands-On Information Security from Course Technology. Recently Dave coauthored the first published course on virtualization security for the SANS Institute. Dave currently serves on the board of directors at the SANS Technology Institute and helps lead the Atlanta chapter of the Cloud Security Alliance. Dave earned his MBA from Georgia State University.

Dave knows his stuff and explains the material in an easy-to-understand way. - Jonathan O'Neal, Monster.com

View Upcoming Training for Dave Shackleford


Raul Siles

Raul Siles is founder and senior security analyst at DinoSec. For over a decade, he has applied his expertise performing advanced technical security services and innovating offensive and defensive solutions for large enterprises and organisations in various industries worldwide. He has been involved in security architecture design and reviews, penetration tests, incident handling, intrusion and forensic analysis, security assessments and vulnerability disclosure, web applications, mobile and wireless environments, and security research in new technologies. Throughout his career, starting with a strong technical background in networks, systems and applications in mission critical environments, he has worked as an information security expert, engineer, researcher and penetration tester at Hewlett Packard, as an independent consultant, and at his own companies, Taddong and DinoSec.

Raul is a certified instructor for the SANS Institute, regularly teaching penetration testing courses. He is an active speaker at international security conferences and events, such as RootedCON, Black Hat, OWASP, BruCON, etc. Mr. Siles is author of security training courses, blogs, books, articles, and tools, and actively contributes to community and open-source projects. He loves security challenges, and has been a member of international organisations, such as the Honeynet Project or the SANS Internet Storm Center. Raul is one of the few individuals worldwide who have earned the GIAC Security Expert (GSE) designation, as well as many other certifications. Raul holds a master's degree in computer science from UPM (Spain) and a postgraduate in security and e-commerce.

More information at http://www.raulsiles.com (@raulsiles) and http://www.dinosec.com (@dinosec).

Raul is a top bloke, absolute genius, would recommend the course based on his teaching skills alone!! - Nic Trujillo, VM

View Upcoming Training for Raul Siles


Bryan Simon

Bryan Simon is an internationally recognized expert in cybersecurity and has been working in the information technology and security field since 1991. Over the course of his career, Bryan has held various technical and managerial positions in the education, environmental, accounting, and financial services sectors. Bryan speaks on a regular basis at international conferences and with the press on matters of cybersecurity. He has instructed individuals from organizations such as the FBI, NATO, and the UN in matters of cybersecurity, on three continents. Bryan has specialized expertise in defensive and offensive capabilities. He has received recognition for his work in I.T. Security, and was most recently profiled by McAfee (part of Intel Security) as an I.T. Hero. Bryan holds 13 GIAC Certifications including GSEC, GCWN, GCIH, GCFA, GPEN, GWAPT, GAWN, GISP, GCIA, GCED, GCUX, GISF, and GMON. Bryan's scholastic achievements have resulted in the honour of sitting as a current member of the Advisory Board for the SANS Institute, and his acceptance into the prestigious SANS Cyber Guardian program. Bryan is a SANS Certified Instructor for SEC401: Security Essentials Bootcamp Style, SEC501: Advanced Security Essentials - Enterprise Defender, SEC505: Securing Windows with Powershell and the Critical Security Controls, and SEC511: Continuous Monitoring and Security Operations.

"Excellent breakdown of difficult concepts - great use of humor." - Steve Kirchmyer

"Really like the example stories. They help illustrate the point of each lesson very effectively." - Kevin Westbur, I.D.A.

"As a former educator, I'm very impressed with Bryan." - Adam Austin, H-Bar Cyber Solutions

"Bryan is a tremendous instructor, one of the best I have had in over 30 years in the IT field. He is able to hold my attention throughout, and he brings real-world experience." - Alan J. Cutler, Westat

View Upcoming Training for Bryan Simon


Stephen Sims

Stephen Sims is an industry expert with over 15 years of experience in information technology and security. Stephen currently works out of San Francisco as a consultant performing reverse engineering, exploit development, threat modeling, and penetration testing. Stephen has an MS in information assurance from Norwich University and is a course author and a Faculty Fellow for the SANS Institute. He is the author of SANS' only 700-level course, SEC760: Advanced Exploit Development for Penetration Testers, which concentrates on complex heap overflows, patch diffing, and client-side exploits. Stephen is also the lead author on SEC660: Advanced Penetration Testing, Exploits, and Ethical Hacking. He holds the GIAC Security Expert (GSE) certification as well as the CISSP, CISA, Immunity NOP, and many other certifications. In his spare time Stephen enjoys snowboarding and writing music.

Looking at everything I have learned from Stephen, I definitely feel I have gained an edge when it comes to the augmentation of my pentest skills. He made the impossible understandable and I am grateful for that. - Alexander Cobblah, Booz Allen Hamilton

View Upcoming Training for Stephen Sims


John Strand

John Strand is the owner of Black Hills Information Security, a firm specializing in penetration testing, Active Defense and Hunt Teaming services. He is also the CTO of Offensive Countermeasures, a firm dedicated to tracking advanced attackers inside and outside your network.

John is an experienced speaker, having done presentations to the FBI, NASA, the NSA and at various industry conferences.  He is a senior instructor with the SANS Institute teaching:

  • SEC504 - Hacker Techniques, Exploits, and Incident Handling
  • SEC560 - Network Penetration Testing and Ethical Hacking
  • SEC580 - Metasploit Kung Fu for Enterprise Pen Testing
  • SEC550 - Offensive Countermeasures, Active Defense and Cyber Deception

And the lead course author of:

SANS 504: Hacker Techniques, Exploits, and Incident Handling

He also co-hosts Security Weekly, the world's largest information security podcast; co-authored Offensive Countermeasures: The Art of Active Defense; and writes loud rock music and makes various futile attempts at fly-fishing.

"Very informative! Mr. John Strand's experience shared through narrative brings course material to life." - Christopher Wilson, USAF

Below are some videos of John presenting:

Burn it all, the new security fundamentals

Sacred Cash Cow Tipping: Bypassing Firewalls and DLP

Pentest Trends report 2015

How not to suck at penetration testing

View Upcoming Training for John Strand


Jonathan Thyer

Jonathan (Joff) Thyer is a senior security consultant, researcher, and penetration tester with Black Hills Information Security.   Joff has over 15 years of experience in the IT industry as an enterprise network architect, network security defender, and information security consultant.

Joff has experience with intrusion detection and prevention systems, vulnerability analysis, penetration testing, engineering network infrastructure defense (including Cisco ISE deployment), and software development.  Joff has taught Mastering Packet Analysis and mentored SEC503 Intrusion Detection in Depth and currently teaches SEC573: Python for Penetration Testers for the SANS Institute.

Joff is also a co-host on the Security Weekly podcast, which features the latest information security news, research, interviews, and technical information.

Joff holds a B.Sc. in mathematics and M.Sc. in computer science. He holds the GPEN: GIAC Penetration Tester certification.

View Upcoming Training for Jonathan Thyer


Alissa Torres

Alissa Torres is an explorer at heart. Uncovering the full story of an attacker's exploits requires digging into known and unknown forensic artifacts, and this excavation is exactly what intrigues her. With more than 15 years of experience in computer and network security spanning government, academic, and corporate environments, Alissa has the deep experience and technical savvy to take on even the most difficult computer forensics challenges that come her way. Her current role as an Incident Response Manager at Cargill provides daily challenges "in the trenches" and demands constant technical growth. Alissa is also founder of her own firm, Sibertor Forensics, and has taught internationally in more than 10 countries.

Memory forensics is a bleeding-edge field of Digital Forensics & Incident Response (DFIR), and Alissa is the lead author as well as an instructor of FOR526: Memory Forensics In-Depth and co-author of the SANS Memory Forensics Poster. She also teaches  FOR500: Windows Forensic Analysis; FOR508: Advanced Digital Forensics, Incident Response, and Threat Hunting; and SEC504: Hacker Tools, Techniques, Exploits and Incident Handling.

Alissa was introduced to digital forensics during her four years of service in the U.S. Marine Corps. She moved on to various technical roles at KEYW Corporation, Northrop Grumman Information Systems, and as part of Mandiant's computer incident response team (MCIRT). Alissa has worked as an instructor at the U.S. Cyber Challenge Camps and at the Defense Cyber Investigations Training Academy (DCITA), delivering incident response and network basics to security professionals entering the forensics community. She is passionate about sharing knowledge, presenting annually at regional and national industry conferences and encouraging women's participation in science, technology, engineering, and math through regional outreach programs.

As both an investigator and instructor, Alissa has a constant and infectious desire to always learn more and question everything, an ethos embodied in the SANS DFIR classes. "Our curriculum ensures students gain an understanding of why an artifact matters and how the tools interpret the data," Alissa explains. An inquisitive nature can be the determining factor in investigative success, as Alissa learned when she identified a critical error in one of her team's web proxy timeline procedures. This discovery allowed for the correction of contractual fraud investigations involving the U.S. government. Sharing personal success stories like this one gives students real-world applications for the material they are learning and inspires them to evaluate and optimize their own investigative processes, whether in incident response, digital forensic investigations, or internal offensive reconnaissance.

As attackers learn how forensic investigators work, they become increasingly more sophisticated at leaving fewer traces behind. "We are in an arms race where the key difference is training," says Alissa. Toward that end, she encourages her students to ask more questions, grow the common body of knowledge, and make a difference in the digital forensics community. Her teaching style is best described as a type of "exposure therapy" that introduces concepts but then pushes students to get behind the keyboard and apply these concepts themselves.

Alissa's true passion is memory forensics, a rapidly evolving area of expertise for both attackers and defenders. As malware strives for a minimal footprint on the host, the battlefield exists in system memory. Alissa's students take the skills taught in FOR526 and move their investigations forward, in some cases even uncovering new details in their cases before the week-long class ends.

Alissa has a B.S. from the University of Virginia and an M.S. in information technology from the University of Maryland. She is a GIAC Certified Forensic Analyst (GCFA), and holds the GCFE, GCIH, GSEC, CISSP, and EnCE certifications. Alissa has served as a member of the GIAC Advisory Board since 2013 and was recognized by SC Magazine as one of its "2016 Women to Watch." Needless to say, she stays pretty busy. When not enmeshed in metadata and memory structures, Alissa catches every soccer game she can, cheering at her kids' games and scheming to attend matches of her favorite team, Everton. In what time she has left from constant cybersecurity vigilance, Alissa enjoys hiking in the Puerto Rican rain forest and scaling rocks at Big Sur.

Qualifications Summary

Certifications:

  • GIAC Security Essentials Certification (GSEC), June 2015
  • GIAC Certified Incident Handler (GCIH), June 2014
  • GIAC Reverse Engineering Malware (GREM), July 2013
  • GIAC Certified Forensic Examiner (GCFE), January 2013
  • Certified Forensic Computer Examiner (CFCE), December 2012
  • GIAC Certified Penetration Tester (GPEN), July 2012
  • GIAC Certified Forensic Analyst (GCFA), November 2011
  • Certified Information Systems Security Professional (CISSP), December 2010
  • EnCase Certified Examiner (EnCE), July 2010 - July 2019

This is what students are saying about SANS Certified Instructor and course author Alissa Torres:

"I love the energy of Alissa Torres' presentation style." - Scott S., US Govt.

"Alissa kept it interesting by pulling from her past experience and demonstrated great passion for the subject." - Matt Leach

"Alissa's teaching skills are remarkable - she is great." - Serge Tumba, GE Capital

"Fantastic- Energetic- Knowledgeable" - Dennis Mooney, Vanguard

"I highly recommend Alissa and SANS computer forensics courses. In April 2015 I attended the SANS Forensics 508: Advanced Digital Forensics and Incident Response (FOR508) course. I had high expectations for the course based on my team lead's recommendation. Alissa and the course exceeded my expectations. Alissa is an outstanding instructor, and SANS FOR508 was the best information security course I have attended. She mixed energy, knowledge, and experience to keep the content productive, relevant, and interesting. I look forward to attending more SANS courses instructed by Alissa." - Chad Rager,  Computer Forensic Engineer at ManTech

"This course is known throughout the industry as THE advanced IR and Threat Hunting course. This combined with Alissa's awesome teaching style makes it worth every penny! Alissa's subject matter expertise, enthusiasm, and insights are second to none! Her personalized attention to simulcast viewers was particularly nice because it felt like we were part of the class."  - Will Harmon, Trustwave

"Instructors like Alissa are why people keep coming back to SANS. Awesomeness and non-stop energy. She is one of my favorite instructors I've had from SANS, right up there with the likes of Ed Skoudis, John Strand, and Eric Cole. A brilliant presenter who keeps it fun, informative, and turns what other people could make sleep inducing, into non-stop engaging." - Eric Donaldson, Discover Financial Services

View Upcoming Training for Alissa Torres


Erik Van Buggenhout

Erik Van Buggenhout is the lead author of SEC599 - Defeating Advanced Adversaries. In addition to SEC599, Erik teaches SEC560 - Network Penetration Testing & Ethical Hacking and SEC542 - Web Application Penetration Testing & Ethical Hacking. He has been involved with SANS since 2009, first as a Mentor, working his way to Community Instructor in 2012 and finally becoming a Certified Instructor in 2016.

Erik loves explaining deeply technical concepts by using war stories, adding a few funny anecdotes here and there. As a testimony of his technical expertise, he has obtained the GSE, GCIA, GNFA, GPEN, GWAPT, GCIH, and GSEC certifications.

In addition to his work with SANS, Erik is the co-founder of Belgian cyber security firm NVISO, which focuses on high-end cyber security services, specializing in government, defense and the financial sector. Together with his team of 20+ technical experts, Erik delivers a wide array of technical security services, including penetration testing, security monitoring & incident response.

Prior to NVISO, Erik spent five years at a Big 4 firm, starting as a junior penetration tester and evolving into a subject matter expert for the EMEA region.

Erik is a self-confessed speed walker; if you see him rushing around at a conference, feel free to stop him and say "Hi!"

View Upcoming Training for Erik Van Buggenhout


Jake Williams

When a complex cyber attack put a private equity investment of more than $700 million on hold, the stakes couldn't have been higher. But that's exactly the kind of challenge that motivates Jake Williams, a computer science and information security expert, U.S. Army veteran, certified SANS instructor and co-author of FOR526: Memory Forensics In-Depth and FOR578: Cyber Threat Intelligence. To help mitigate the attack, Jake plied his information security expertise, discovered that not one but three different attackers had compromised the firm's network, and went about countering their moves.

Jake relishes the idea of meeting adversaries on the cyber battlefield. "I went into this field because I wanted a challenge," he says. "Infosec is like a game of chess to me. The attacker plays their moves and you play yours."

Jake started his information security career doing classified work with the U.S. government and was awarded the National Security Agency (NSA) Exceptional Civilian Service Award, which is given to fewer than 20 people annually. "I am immensely proud of the things I've accomplished," Jake says. "I'm positive the world is a safer place because of my work."

Today, Jake runs a successful Infosec consultancy. He's been involved in high-profile public sector cases including the malware analysis for the 2015 cyber attack on the Ukraine power grid. He's also tackled a variety of cases in the private sector. In one, Jake discovered attackers compromising a custom service the client had distributed to all its endpoints. Leveraging experience and insight with advanced persistent threats helped Jake "think like the attacker" and determine the attacker's likely hiding spots.

Jake's work has led to his invention of DropSmack, a proof-of-concept tool for highlighting the danger that cloud-based file sharing services pose to corporate networks, and the creation of ADD (Attention Deficit Disorder), a publicly-available memory anti-forensics toolkit.

Jake's work also led him to teaching. "I chose to be a SANS instructor because they are the very best in the business. Others talk about being the best, but SANS actually is the best," he says. "I love teaching people, but it goes beyond teaching for me. With many students, I'm making lasting professional relationships. Students come back again and again and have a lifelong learning relationship with SANS." 

Jake teaches a variety of classes (SEC503, SEC504, SEC660, SEC760, FOR508, FOR526, FOR578, FOR610) and prefers an active learning approach, using demos rather than slides to teach lessons. "It takes me back to my first exploits and I get the chance to relive that magical feeling all over again," he explains.

More importantly, Jake wants students to walk out of class being able to critically analyze a problem, discover a solution, and do something they couldn't do before. "I don't teach button-clicking steps, my goal is to ensure students understand how to take concepts from the class and apply them to their own cases and engagements."

Given his accomplishments, it should come as no surprise that Jake lives, sleeps, and breathes Infosec. When he's not teaching, he's consulting. He's a regular speaker at industry conferences including DC3, BSides (including BSides Las Vegas), DEFCON, Blackhat, Shmoocon, EnFuse, ISSA Summits, ISACA Summits, SANS Summits, and Distributech.  He has also presented security topics to a number of Fortune 100 executives.

Jake is also a two-time victor at the annual DC3 Digital Forensics Challenge. He drew on his passion for hands-on capture-the-flag events to design the critically acclaimed NetWars challenges for the SANS malware reversing and memory forensics courses.

Qualifications Summary:

GIAC Certifications:

  • GIAC Security Expert (GSE), March 2016
  • GIAC Security Essentials Certification (GSEC), June 2015
  • GIAC Exploit Researcher and Advanced Penetration Tester (GXPN), March 2015
  • GIAC Certified Forensic Analyst (GCFA), October 2013
  • GIAC Penetration Tester (GPEN), January 2013
  • GIAC Certified Incident Handler (GCIH), January 2013
  • GIAC Certified Intrusion Analyst (GCIA), December 2012
  • GIAC Certified Windows Security Administrator (GCWN), November 2012
  • GIAC Reverse Engineering Malware (GREM), October 2012
  • GIAC Certified Forensic Examiner (GCFE), September 2012
  • GIAC Systems and Network Auditor (GSNA), February 2012

Here's What Students Are Saying about SANS Certified Instructor Jake Williams:

  • "Jake's teaching style and practical experience totally make the course." - Andrew Nelson, Chevron
  • "Jake is awesome! The experience is massive!" - Late Adodo Placca, iProcess International
  • "Provides great balance between structured analytical approaches and technical analysis." -  Ladell Marshall, Goldman Sachs
  • "Jake goes off-book in a good way, sharing useful tools & information in addition to the already-included useful tools & info." - Robin Stuart, Salesforce

View Upcoming Training for Jake Williams


To see more information about SANS Pen Test Instructors click here.

Secure Software Development Courses Instructor List


Pieter Danhieux

Pieter Danhieux is a certified instructor for the SANS Institute, teaching military, government, and private organizations offensive techniques on how to target and assess organizations, systems, and individuals for security weaknesses. He is also one of the founders of the security and hacking conference BruCON in Belgium.

Pieter has worked in the cyber security space since 2002. He was one of the youngest persons ever in Belgium to obtain the Certified Information Systems Security Professional (CISSP) certification. He then obtained the Certified Information Systems Auditor (CISA) and the GIAC Certified Forensics Analyst program (GCFA) and is currently one of the select few people worldwide to hold the GIAC Security Expert (GSE) certification.

Pieter is Co-founder and Chief Architect of the Secure Code Warrior platform (http://www.securecodewarrior.com), a gamified environment where developers and security testers can learn how to properly identify and fix security weaknesses in software. Until January 2015, he was part of the leadership at BAE Systems APAC in his role as Head of Delivery of the Applied Intelligence business unit. Before that, Pieter worked for seven years at Ernst & Young in Europe as one of their information security experts running a team of attack and penetration resources operating in the financial industry and telecommunication space.

SANS is by far the best hands-on training. Peter is very knowledgeable and knows how to transfer that to students. - Rob Brabers, Sincerus

View Upcoming Training for Pieter Danhieux


Adrien de Beaupre

Adrien de Beaupre is a certified SANS instructor and works as an independent consultant in beautiful Ottawa, Ontario. His work experience includes technical instruction, vulnerability assessment, penetration testing, intrusion detection, incident response and forensic analysis. He is a member of the SANS Internet Storm Center (isc.sans.edu). He is actively involved with the information security community, and has been working with SANS since 2000. Adrien holds a variety of certifications including the GXPN, GPEN, GWAPT, GCIH, GCIA, GSEC, CISSP, OPST, and OPSA. When not geeking out he can be found with his family, or at the dojo.

Web: www.intru-shun.ca

View Upcoming Training for Adrien de Beaupre


David Hoelzer

David Hoelzer is the author of more than twenty days of SANS courseware. He is an expert in a variety of information security fields, having served in most major roles in the IT and security industries over the past twenty-five years. Recently, David was called upon to serve as an expert witness for the Consumer Financial Protection Bureau in a landmark case regarding information security governance within corporations in the financial sector and has previously served as an expert for the Federal Trade Commission for GLBA Privacy Rule litigation and other matters. David has been highly involved in governance at SANS Technology Institute, serving as a member of the Curriculum Committee, Long Range Planning Committee, GIAC Ethics Board, and as Dean of Faculty. As a SANS instructor, David has trained security professionals from organizations including NSA, DHHS, Fortune 500 security engineers and managers, various Department of Defense sites, national laboratories, and many colleges and universities. Outside of SANS, David is a research fellow in the Center for Cybermedia Research, a research fellow for the Identity Theft and Financial Fraud Research Operations Center (ITFF/ROC), an adjunct research associate of the UNLV Cybermedia Research Lab, a research fellow with the Internet Forensics Lab, and an adjunct lecturer in the UNLV School of Informatics. David has written and contributed to more than 15 peer reviewed books, publications, and journal articles. Currently, David serves as the principal examiner and director of research for Enclave Forensics, a New York/Las Vegas based incident response and forensics company. He also serves as the chief information security officer for Cyber-Defense, an open-source security software solution provider. In the past, David served as the director of the GIAC Certification program, bringing the GIAC Security Expert certification to life. 
David holds a BS in IT and an MS in Computer Science, having spent time either attending or consulting for Stony Brook University, Binghamton University, and American Intercontinental University.

View Upcoming Training for David Hoelzer


Micah Hoffman

Micah Hoffman has been working in the information technology field since 1998 supporting federal government, commercial, and internal customers in their searches to discover and quantify information security weaknesses within their organizations. He leverages years of hands-on, real-world penetration testing and incident response experience to provide excellent solutions to his customers. Micah holds GIAC's GMON, GAWN, GWAPT, and GPEN certifications as well as the CISSP and is a SANS Certified Instructor.

Micah is an active member in the NoVAHackers community, writes Recon-ng modules and enjoys tackling issues with the Python scripting language. When not working, teaching, or learning, Micah can be found hiking or backpacking on the Appalachian Trail or the many park trails in Maryland. Catch him on Twitter @WebBreacher.

"Great instructor, well spoken, excitable about the subject." - Gharrett Worku, Paycom

"Micah's delivery was entertaining and engaging." - Paul Ryan, GDIT

"Instructor keeps students engaged.  Provides assistance when needed, excellent attitude." - Nathan Peterson

"Good pace - good depth of knowledge." - Robert Smith, Intel Corp

View Upcoming Training for Micah Hoffman


Eric Johnson

Eric Johnson is a Principal Security Consultant at Cypress Data Defense where he leads secure software development lifecycle consulting, web and mobile application penetration testing, secure code review assessments, static source code analysis, security research, and security tools development. He also founded the Puma Scan static analysis open source project, which allows software engineers to run security-focused .NET static analysis rules during development and in continuous integration pipelines.

As a Certified Instructor with the SANS Institute, Eric authors application security courses on DevOps, cloud security, secure coding, and defending mobile apps. He serves on the advisory board for the SANS Securing the Human Developer awareness training program, delivers security training around the world, and has presented his security research at conferences including SANS, BlackHat, OWASP, BSides, JavaOne, UberConf, and ISSA.

Eric completed a bachelor of science degree in Computer Engineering and a master of science degree in Information Assurance at Iowa State University, and currently holds the CISSP, GWAPT, GSSP-.NET, and GSSP-Java certifications. He is located in West Des Moines, IA and outside the office enjoys spending time with his family, attending Iowa State athletic events, and playing golf.

View Upcoming Training for Eric Johnson


Frank Kim

Frank Kim is the founder of ThinkSec, a security consulting and CISO advisory firm. Previously, as CISO at the SANS Institute, Frank led the information risk function for the most trusted source of computer security training and certification in the world. With the SANS Institute, Frank continues to lead the management and software security curricula, helping to develop the next generation of security leaders.

Frank was also executive director of cybersecurity at Kaiser Permanente where he built an innovative security program to meet the unique needs of the nation's largest not-for-profit health plan and integrated health care provider with annual revenue of $60 billion, 10 million members, and 175,000 employees.

Frank holds degrees from the University of California at Berkeley and is the author and instructor of popular courses on strategic planning, leadership, application security, and DevOps.

"Frank provided great real world examples of attacks, course material, and quality. This is the best secure development course I have come across taught by a great instructor with top teaching skills and time management." - Andreas Hegna, Storebrand Livsforsikring AS

"Frank is a very engaging speaker and brings the examples in the class that can actually be used in real world scenarios." - Anthony Head, University of Richmond

View Upcoming Training for Frank Kim


Jason Lam


Jason is accountable for cyber security at a large global financial company. He has over 15 years of experience in the information security industry progressing from hands-on research work to securing large-scale enterprise environments. His recent SANS Institute courseware development includes Defending Web Application Security Essentials and Web Application Pen Testing Hands-On Immersion.

Jason started out as a programmer before moving on to an ISP as a network administrator. Handling security incidents for this ISP sparked his interest in information security. Over the years, Jason has performed and led intrusion detection, penetration testing, defense improvement programs and incident response in large enterprise environments. More recently, Jason has specialized in building large-scale security operations teams to handle the full cycle of threat identification, response and remediation, in parallel with his passion for directing enterprise web application security programs.

View Upcoming Training for Jason Lam


Justin Searle

Justin Searle is a Managing Partner of UtiliSec, specializing in Smart Grid security architecture design and penetration testing. Justin led the Smart Grid Security Architecture group in the creation of NIST Interagency Report 7628 and played key roles in the Advanced Security Acceleration Project for the Smart Grid (ASAP-SG). He currently leads the testing group at the National Electric Sector Cybersecurity Organization Resources (NESCOR). Justin has taught courses in hacking techniques, forensics, networking, and intrusion detection for multiple universities, corporations, and security conferences. Mr. Searle is currently a Senior instructor for the SANS Institute. In addition to electric power industry conferences, Justin frequently presents at top international security conferences such as Black Hat, DEFCON, OWASP, Nullcon, and AusCERT. Justin co-leads prominent open source projects including the Samurai Web Testing Framework (SamuraiWTF), the Samurai Security Testing Framework for Utilities (SamuraiSTFU), Middler, Yokoso!, and Laudanum. Justin has an MBA in International Technology and is a CISSP and SANS GIAC certified Incident Handler (GCIH), Intrusion Analyst (GCIA), and Web Application Penetration Tester (GWAPT).

View Upcoming Training for Justin Searle


Dave Shackleford

Dave Shackleford is the owner and principal consultant of Voodoo Security and a SANS analyst, senior instructor, and course author. He has consulted with hundreds of organizations in the areas of security, regulatory compliance, and network architecture and engineering, and is a VMware vExpert with extensive experience designing and configuring secure virtualized infrastructures. He has previously worked as CSO for Configuresoft, CTO for the Center for Internet Security, and as a security architect, analyst, and manager for several Fortune 500 companies. Dave is the author of the Sybex book Virtualization Security: Protecting Virtualized Environments, as well as the coauthor of Hands-On Information Security from Course Technology. Recently Dave coauthored the first published course on virtualization security for the SANS Institute. Dave currently serves on the board of directors at the SANS Technology Institute and helps lead the Atlanta chapter of the Cloud Security Alliance. Dave earned his MBA from Georgia State University.

Dave knows his stuff and explains the material in an easy-to-understand way. - Jonathan O'Neal, Monster.com

View Upcoming Training for Dave Shackleford


Raul Siles

Raul Siles is founder and senior security analyst at DinoSec. For over a decade, he has applied his expertise performing advanced technical security services and innovating offensive and defensive solutions for large enterprises and organisations in various industries worldwide. He has been involved in security architecture design and reviews, penetration tests, incident handling, intrusion and forensic analysis, security assessments and vulnerability disclosure, web applications, mobile and wireless environments, and security research in new technologies. Throughout his career, starting with a strong technical background in networks, systems and applications in mission critical environments, he has worked as an information security expert, engineer, researcher and penetration tester at Hewlett Packard, as an independent consultant, and at his own companies, Taddong and DinoSec.

Raul is a certified instructor for the SANS Institute, regularly teaching penetration testing courses. He is an active speaker at international security conferences and events, such as RootedCON, Black Hat, OWASP, BruCON, etc. Mr. Siles is author of security training courses, blogs, books, articles, and tools, and actively contributes to community and open-source projects. He loves security challenges, and has been a member of international organisations, such as the Honeynet Project or the SANS Internet Storm Center. Raul is one of the few individuals worldwide who have earned the GIAC Security Expert (GSE) designation, as well as many other certifications. Raul holds a master's degree in computer science from UPM (Spain) and a postgraduate in security and e-commerce.

More information at http://www.raulsiles.com (@raulsiles) and http://www.dinosec.com (@dinosec).

Raul is a top bloke, absolute genius, would recommend the course based on his teaching skills alone!! - Nic Trujillo, VM

View Upcoming Training for Raul Siles


To see more information about SANS Secure Software Development Instructors click here.