Graduate Certificate Programs: Incident Response

Graduate Certificate Programs: Incident Response

Graduate Certificate Program in
Incident Response

As digital crime and intrusions have increased, so has the need for professionals inside organizations who can identify and respond to incidents before they are discovered by clients or customers. Designed for working InfoSec and IT professionals, the graduate certificate in Incident Response is a highly technical 13-credit-hour program focused on developing your ability to manage both a computer and network-based forensics investigation as well as the appropriate incident responses.

In this hands-on program, you’ll begin with a foundational course, progress through 3 advanced graduate courses — including a specialized elective of your choice — and test your technical skills in DFIR NetWars Continuous, a graded, online range exercise.

A 100% online option is available.

Applications are accepted monthly. Learn more.

Join Us for a Free Online Info Session

Overview of Graduate Programs
Tuesday, September 28, 11:00 am (ET)
Register here.

Cloud Security Graduate Certificate
Featuring SANS Fellow Frank Kim and SANS Instructor Ryan Nicholson
Thursday, September 30, 6:30 pm (ET)
Register here.

Learn How To

  • Explain the role of digital forensics and incident response in the field of information security, and recognize the benefits of applying these practices to both hosts and networks when investigating a cyber incident.
  • Analyze the structure of common attack techniques in order to evaluate an attacker's footprint, target the ensuing investigation and incident response, and anticipate and mitigate future activity.
  • Evaluate the effectiveness of available digital forensic tools and use them in a way that optimizes the efficiency and quality of digital forensic investigations.
  • Utilize multiple malware analysis approaches and tools to understand how malware programs interact with digital environments and how they were coded, in order to reverse the effects of the program on networks and systems.

Curriculum Updates

  • Foundational course ISE 6420 (Computer Forensic Investigations – Windows) prepares you to use deep-dive digital forensics to help solve Windows data breaches and intrusion cases and perform damage assessments
  • Elective course options give you the flexibility to choose an area of specialization within incident response

Curriculum | 13 credit hours

Click on each course title for a full description.

Core Courses | 10 credit hours:
ISE 6420: Computer Forensic Investigations — Windows | FOR 500, GCFE

SANS class: FOR 500: Windows Forensic Analysis
Assessment: GIAC GCFE
3 Credit Hours

ISE 6420 Computer Forensic Investigations - Windows focuses on the critical knowledge of the Windows Operating System that every digital forensic analyst needs to investigate computer incidents successfully. You’ll learn how computer forensic analysts focus on collecting and analyzing data from computer systems to track user-based activity that can be used in internal investigations or civil/criminal litigation. The course covers the methodology of in-depth computer forensic examinations, digital investigative analysis, and media exploitation, so you’ll emerge with complete qualifications to work as a computer forensic investigator helping to solve and fight crime.

ISE 6425: Adv. Computer Forensic Analysis & Incident Response | FOR 508, GCFA

Content: SANS FOR 508 Advanced Digital Forensics, Incident Response, and Threat Hunting
Assessment: GIAC GCFA Exam
3 Credit Hours

ISE 6425 teaches the necessary capabilities for forensic analysts and incident responders to identify and counter a wide range of threats within enterprise networks, including economic espionage, hacktivism, and financial crime syndicates. The course shows students how to work as digital forensic analysts and incident response team members to identify, contain, and remediate sophisticated threats-including nation-state sponsored Advanced Persistent Threats and financial crime syndicates. Students work in a hands-on lab developed from a real-world targeted attack on an enterprise network in order to learn how to identify what data might be stolen and by whom, how to contain a threat, and how to manage and counter an attack.

ISE 6440: Adv. Network Forensics & Analysis | FOR 572, GNFA

Content: SANS FOR 572 Advanced Network Forensics and Analysis
Assessment: GIAC GNFA Exam
3 Credit Hours

ISE 6440: Advanced Network Forensics and Analysis focuses on teaching you the most critical skills needed to mount efficient and effective post-incident response investigations. Moving beyond the host-focused experiences in ISE 6420 and ISE 6425, ISE 6440 explores the tools, technology, and processes required to integrate network evidence sources into investigations, covering high-level NetFlow analysis, low-level pcap exploration, and ancillary network log examination. Hands-on exercises in ISE 6440 encompass a wide range of open source and commercial tools, and real-world scenarios help you learn the underlying techniques and practices to best evaluate the most common types of network-based attacks.

ISE 6400: Certificate Program Capstone | DFIR NetWars Continuous

Content: DFIR NetWars Continuous
1 Credit Hour

DFIR NetWars Continuous is an incident simulator packed with a vast amount of forensic, malware analysis, threat hunting, and incident response challenges designed to help you gain proficiency without the risk associated when working real-life incidents.

Elective Courses | 3 credit hours:

Students select one of the following.

ISE 5201: Hacking Techniques and Incident Response |   SEC 504, GCIH

SANS class: SANS SEC 504 Hacker Techniques, Exploits & Incident Handling
Assessment: GIAC GCIH Exam
3 Credit Hours

By adopting the viewpoint of a hacker, ISE 5201 provides an in-depth focus into the critical activity of incident handling. You’ll taught how to manage intrusions by first looking at the techniques used by attackers to exploit a system. You’ll learn responses to those techniques, which can be adopted within the framework of the incident handling process to handle attacks in an organized way. The faculty instruction, lab exercises, and exam are coordinated to develop and test your ability to utilize the core capabilities required for incident handling.

ISE 6445: Cyber Threat Intelligence | FOR 578, GCTI

SANS class: FOR 578 Cyber Threat Intelligence
Assessment: GIAC GCTI
3 Credit Hours

ISE 6445 will equip you, your security team, and your organization in the tactical, operational, and strategic level cyber threat intelligence skills and tradecraft required to better understand the evolving threat landscape and to accurately and effectively counter those threats. This course focuses on structured analysis in order to establish a solid foundation for any security skillset and to amplify existing skills.

ISE 6450: Advanced Smartphone Forensics | FOR 585, GASF

SANS class: FOR585: Advanced Smartphone Forensics
Assessment: GIAC GASF
3 Credit Hours

ISE 6450 focuses on the advanced skills of mobile forensics, device file system analysis, mobile application behavior, event artifact analysis and the identification and analysis of mobile device malware. You’ll learn how to detect, decode, decrypt, and correctly interpret evidence recovered from mobile devices. The course features a number of hands-on labs that allow you to analyze different datasets from smart devices and leverage the best forensic tools and custom scripts to learn how smartphone data hide and can be easily misinterpreted by forensic tools.

ISE 6460: Malware Analysis & Reverse Engineering | FOR 610, GREM

Content: SANS FOR 610 Reverse-Engineering Malware: Malware Analysis Tools and Techniques
Assessment: GIAC GREM Exam
3 Credit Hours

ISE 6460 teaches you how to examine and reverse engineer malicious programs — spyware, bots, Trojans, etc. — that target or run on Microsoft Windows, within browser environments such as JavaScript or Flash files, or within malicious document files (including Word and PDF). The course builds a strong foundation for reverse-engineering malicious software using a variety of system and network monitoring utilities, a disassembler, a debugger and other tools. The malware analysis process taught in this class helps students understand how incident responders assess the severity and repercussions of a situation that involves malicious software and plan recovery steps. You’ll also experience how forensics investigators learn to understand key characteristics of malware discovered during the examination, including how to establish indicators of compromise (IOCs) for scoping and containing the incident.

  • "I firmly believe, had it not been for SANS, my career would not be what it is today. My SANS education has enabled me to compete on a completely new level and given me the chance to network with industry greats."

    Steven Romero
    Engineer, Chevron

  • "I have my master's in computer science, but I completed two graduate certificate programs with SANS so I could truly dive deep into technical areas of cybersecurity and learn from instructors who are leading the industry."

    Jeff Sass
    Senior Engineering Manager, Adobe

  • "I chose the SANS graduate program because the technical content and faculty are unparalleled, and the mix of live and online instruction fit into my work life."

    Joshua Lewis
    VP, Threat Intelligence & Incident Response, Umpqua Bank

The SANS Technology Institute Advantage

Online and In-Person Study Options

Flexibility for Working Professionals

  • Monthly admissions windows mean you can start on your schedule and earn the graduate certificate in roughly two years.

Credentials that Showcase Your Skills

  • Earn industry-recognized GIAC certifications that validate your skill set in critical, specialized areas of InfoSec.

World-class Faculty

Pathway to a Master's Degree

  • Credits earned in the certificate program may be applied directly toward the master's degree program should you later apply and be accepted.

Success Stories

Video gaming was the start of what would lead to Jeff Sass's decades-long career at Adobe.

Discover why he chose to pursue 3 graduate certificates at — and how the experience helped him win a promotion to manager.

Read Jeff’s story and other profiles here.

Quick Links

Admissions Deadlines & Application Requirements
Tuition & Options for Funding


We're happy to help.
Email or call (301) 241-7665.