Graduate Certificate Programs: Cyber Defense Operations

Graduate Certificate Programs: Cyber Defense Operations
students main image

Graduate Certificate Program in
Cyber Defense Operations

Designed for working InfoSec and IT professionals, the graduate certificate program in Cyber Defense Operations is a 12-credit-hour sequence of highly technical, hands-on courses focused on teaching the applied technologies used to defend and secure information assets and business systems at an organization.

Because traditional counter defenses are no longer effective in stopping malware, viruses, and other advanced attacks, it is a forgone conclusion that targeted organizations will be compromised. Therefore, proactive and layered defensive tactics are needed to stop the adversary.

In the Cyber Defense Operations graduate certificate program, you'll learn the essential operational techniques used to defend an enterprise and you'll have the opportunity to customize the curriculum toward your specific interests or job role.

A 100% online option is available.

Applications are accepted monthly. Learn more.

Join Us for a Free Online Info Session

Overview of Graduate Programs
Tuesday, September 28, 11:00 am (ET)
Register here.

Cloud Security Graduate Certificate
Featuring SANS Fellow Frank Kim and SANS Instructor Ryan Nicholson
Thursday, September 30, 6:30 pm (ET)
Register here.

Learn How To

  • Utilize a broad range of current tools and technologies in the design and implementation of security solutions deployed across organizations.
  • Identify the information assets of an enterprise, classify them by value, and determine what management and technical controls can be used to monitor and audit them effectively.
  • Develop a program for analyzing the risk to the information assets in an enterprise and determining which technical and management controls can mitigate, remove, or transfer that risk.
  • Articulate important attacker techniques, analyze the traffic that flows on networks, and identify indications of an attack, engage in penetration testing within their organization, and respond to incidents associated with these activities within their organization.

Curriculum | 12 credit hours

Click on each course title for a full description.

Core Courses | 6 credit hours:

NOTE: For students who are early in their career or new to working in a SOC environment, ISE 4450 (listed among the Elective Courses below) is recommended as a prerequisite to ISE 6240.

ISE 6240: Continuous Monitoring and Security Operations   |   SEC 511, GMON

Content: SANS SEC 511 Continuous Monitoring and Security Operations
Assessment: GIAC GMON Exam
3 Credit Hours

ISE 6240 teaches a proactive approach to security that is needed to enhance the capabilities of organizations to detect threats that will inevitably slip through their defenses. The Defensible Security Architecture, Network Security Monitoring (NSM)/Continuous Diagnostics and Mitigation (CDM)/Continuous Security Monitoring (CSM) taught in this course will help students best position their organization or Security Operations Center (SOC) to analyze threats and detect anomalies that could indicate cybercriminal behavior.

ISE 6255: Defensible Security Architecture and Engineering   |   SEC 530, GDSA

Content: SANS SEC 530 Defensible Security Architecture and Engineering
Assessment: GIAC GDSA Exam
3 Credit Hours

Effective security requires a balance between detection, prevention, and response capabilities. Defensible Security Architecture and Engineering is designed to help students establish and maintain a holistic and layered approach to security. Students will learn the fundamentals of up-to-date defensible security architecture and how to engineer it, with a heavy focus on leveraging current infrastructure (and investment), including switches, routers, and firewalls. Students will learn how to reconfigure these devices to significantly improve their organization's prevention capabilities in the face of today's dynamic threat landscape. The course will also delve into the latest technologies and their capabilities, strengths, and weaknesses. Multiple hands-on labs conducted daily will reinforce key points in the course and provide actionable skills that students will be able to leverage as soon as they return to work.

Elective Courses | 6 credit hours:

Students select two of the following courses.

ISE 4450: Security Operations and Analysis   |   SEC 450, GSOC

Content: SANS SEC 450: Blue Team Fundamentals: Security Operations and Analysis
Assessment: GIAC GSOC
3 Credit Hours

ISE 4450 provides you with technical knowledge and key concepts essential for security operation center (SOC) analysts and new cyber defense team members. You will learn the stages of security operations: how data is collected, where it is collected, and how threats are identified within that data. The class dives deep into tactics for triage and investigation of events that are identified as malicious, as well as how to avoid common mistakes and perform continual high-quality analysis. You will learn the inner workings of the most popular protocols, and how to identify weaponized files as well as attacks within the hosts and data on their network.

The course employs practical, hands-on instruction using a simulated SOC environment with a real, fully-integrated toolset that includes:

  • Security Information and Event Management (SIEM)
  • An incident tracking and management system
  • A threat intelligence platform
  • Packet capture and analysis
  • Automation tools
ISE 6215: Advanced Security Essentials   |   SEC 501, GCED

Content: SANS SEC 501 Advanced Security Essentials - Enterprise Defender
Assessment: GIAC GCED Exam
3 Credit Hours

Students will learn how to design and build a secure network that can both prevent attacks and recover after a compromise. They will also learn how to retrofit an existing network to achieve the level of protection that is required. While prevention is important to learn, students will also learn how to detect the indications that the attack is in progress and stop it before significant harm is caused. Packet analysis and intrusion detection are at the core of this study. In the third module, students will learn about the variety of tests that can be run against an organization and how to perform effective penetration testing. To round out the defensive posture, students will learn the practice of identifying, analyzing, and responding effectively to attacks, including the identification of malware and steps that can be taken to prevent data loss.

ISE 5401: Intrusion Detection In-Depth    |   SEC 503, GCIA

Content: SANS SEC 503: Intrusion Detection In-Depth
Assessment: GIAC GCIA
3 Credit Hours

ISE 5401 delivers the technical knowledge, insight, and hands-on training you need to defend your network with confidence. You will learn about the underlying theory of TCP/IP and the most used application protocols, such as DNS and HTTP, so that you can intelligently examine network traffic for signs of an intrusion. You will get plenty of practice learning to master different open source tools like tcpdump, Wireshark, Snort, Bro, tshark, and SiLK. Daily hands-on exercises suitable for all experience levels reinforce the course book material so that you can transfer knowledge to execution.

ISE 6230: Securing Windows & PowerShell Automation | SEC 505, GCWN

Content: SANS SEC 505 Securing Windows and PowerShell Automation
Assessment: GIAC GCWN Exam
3 Credit Hours

ISE 6230 shows students how to secure servers, workstations and portable devices running Microsoft Windows. Windows is the most frequent target of hackers and advanced malware. While other courses focus on detection or remediation of a compromise after the fact, the aim of this course is to substantially reduce these compromises in the first place. For scalability and automation, this course includes many hands-on labs with Group Policy and PowerShell scripting. No prior scripting experience is required. Learning at least the basics of PowerShell is an essential skill for anyone who manages Windows servers or clients in an enterprise.

ISE 6245: SIEM with Technical Analytics | SEC 555, GCDA

Content: SANS SEC 555: SIEM with Tactical Analytics
Assessment: GCDA
3 Credit Hours

These days, it's easy for security operations to get lost in data saturation. Designed to demystify the Security Information and Event Management (SIEM) architecture and process, this lab heavy course is focused on achieving actionable intelligence from data. To provide hands-on experience, the course navigates students through the steps of tailoring and deploying a SIEM to full Security Operations Center (SOC) integration using SOF-ELK, a SANS sponsored free SIEM solution. Throughout the course, the text and labs will not only show how to manually extract actionable intelligence from log data, correlate the data and gather input into useable formats, and start investigating based on the aggregate data to detect sophisticated intrusions, but how to automate many of these processes.

ISE 6250: Defeating Advanced Adversaries - Purple Team Tactics & Kill Chain Defenses | SEC 599, GDAT

Content: SEC 599 Defeating Advanced Adversaries - Purple Team Tactics & Kill Chain Defenses
Assessment: GIAC GDAT
3 Credit Hours

ISE 6250 leverages the purple team concept by bringing together red and blue teams for maximum effect. Recognizing that a prevent-only strategy is not sufficient, the course focuses on current attack strategies and how they can be effectively mitigated and detected using a Kill Chain structure. Throughout the course, the purple team principle is maintained, where attack techniques are first explained in-depth, after which effective security controls are introduced and implemented. The course culminates with a Defend-the-Flag challenge in which you will integrate blue team and red team strategies to keep your network secure against advanced adversaries.

ISE 6350: Automating Information Security with Python | SEC 573, GPYC

Content: SANS SEC 573: Automating Information Security with Python
Assessment: GIAC GPYC
3 Credit Hours

The ISE 6350 course teaches students in the pen testing specialization, and other students who want to use the Python programming language, how to enhance their overall effectiveness during information security engagements. You will learn how to apply core programming concepts and techniques learned in other courses through the Python programming language. The course teaches skills and techniques that can enhance an information security professional in penetration tests, security operations, and special projects. You will create simple Python-based tools to interact with network traffic, create custom executables, test and interact with databases and websites, and parse logs or sets of data.

  • "I firmly believe, had it not been for SANS, my career would not be what it is today. My SANS education has enabled me to compete on a completely new level and given me the chance to network with industry greats."

    Steven Romero
    Engineer, Chevron

  • "I have my master's in computer science, but I completed two graduate certificate programs with SANS so I could truly dive deep into technical areas of cybersecurity and learn from instructors who are leading the industry."

    Jeff Sass
    Senior Engineering Manager, Adobe

  • "I have a master's degree from another school, and I can tell you that SANS courses are more technical and taught by more experienced instructors. I joined the graduate certificate program in Cyber Defense Operations to advance my hands-on skills and fill the gap left by my previous program."

    Harvey Wargo
    Senior Intrusion Analyst, Walmart

Who Should Enroll

The Cyber Defense Operations graduate certificate program is designed for information technology professionals with a year or more of experience working with network infrastructures, or for information security professionals who are or seek to specialize in implementing defense-in-depth strategies and auditing for their effectiveness.

The SANS Technology Institute Advantage

Online and In-Person Study Options

Flexibility for Working Professionals

  • Monthly admissions windows mean you can start on your schedule and earn the graduate certificate in roughly two years.

Credentials that Showcase Your Skills

  • Earn industry-recognized GIAC certifications that validate your skill set in critical, specialized areas of InfoSec.

World-class Faculty

Pathway to a Master's Degree

  • Credits earned in the certificate program may be applied directly toward the master's degree program should you later apply and be accepted.

Success Stories

Video gaming was the start of what would lead to Jeff Sass's decades-long career at Adobe.

Discover why he chose to pursue 3 graduate certificates at — and how the experience helped him win a promotion to manager.

Read Jeff’s story and other profiles here.

Quick Links

Admissions Deadlines & Application Requirements
Tuition & Options for Funding


We're happy to help.
Email or call (301) 241-7665.