Graduate Certificate Programs: Incident Response

Graduate Certificate Programs: Incident Response

Graduate Certificate Program in
Incident Response

As digital crime and intrusions have increased, so has the need for professionals inside organizations who can identify and respond to incidents before they are discovered by clients or customers. Designed for working InfoSec and IT professionals, the graduate certificate in Incident Response is a highly technical 13-credit-hour program focused on developing your ability to manage both a computer and network-based forensics investigation as well as the appropriate incident responses.

In this hands-on program, you’ll begin with a foundational course, progress through three advanced graduate courses, and have the opportunity to test real-world techniques in DFIR NetWars Continuous, a graded, online range exercise.

Applications are accepted monthly. Learn more.

Join Us for a Free Online Info Session
Tuesday, April 21, 1 pm (ET)
Register here.

Learn How To

  • Explain the role of digital forensics and incident response in the field of information security, and recognize the benefits of applying these practices to both hosts and networks when investigating a cyber incident.
  • Analyze the structure of common attack techniques in order to evaluate an attacker's footprint, target the ensuing investigation and incident response, and anticipate and mitigate future activity.
  • Evaluate the effectiveness of available digital forensic tools and use them in a way that optimizes the efficiency and quality of digital forensic investigations.
  • Utilize multiple malware analysis approaches and tools to understand how malware programs interact with digital environments and how they were coded, in order to reverse the effects of the program on networks and systems.

Curriculum | 13 credit hours

Click on each course title for a full description.

Required Courses:
ISE 5201: Hacker Tools, Techniques, Exploits, & Incident Handling |   SEC 504, GCIH

Content: SANS SEC 504 Hacker Techniques, Exploits & Incident Handling
Assessment: GIAC GCIH Exam
3 Credit Hours

By adopting the viewpoint of a hacker, ISE 5201 provides an in-depth focus into the critical activity of incident handling. Students are taught how to manage intrusions by first looking at the techniques used by attackers to exploit a system. Students learn responses to those techniques, which can be adopted within the framework of the incident handling process to handle attacks in an organized way. The faculty instruction, lab exercises, and exam are coordinated to develop and test a student's ability to utilize the core capabilities required for incident handling.

ISE 6425: Advanced Digital Forensics, Incident Response, & Threat Hunting |   FOR 508, GCFA

Content: SANS FOR 508 Advanced Digital Forensics, Incident Response, and Threat Hunting
Assessment: GIAC GCFA Exam
3 Credit Hours

ISE 6425 teaches the necessary capabilities for forensic analysts and incident responders to identify and counter a wide range of threats within enterprise networks, including economic espionage, hacktivism, and financial crime syndicates. The course shows students how to work as digital forensic analysts and incident response team members to identify, contain, and remediate sophisticated threats-including nation-state sponsored Advanced Persistent Threats and financial crime syndicates. Students work in a hands-on lab developed from a real-world targeted attack on an enterprise network in order to learn how to identify what data might be stolen and by whom, how to contain a threat, and how to manage and counter an attack.

ISE 6440: Advanced Network Forensics and Analysis   |   FOR 572, GNFA

Content: SANS FOR 572 Advanced Network Forensics and Analysis
Assessment: GIAC GNFA Exam
3 Credit Hours

ISE 6440: Advanced Network Forensics and Analysis focuses on the most critical skills needed to mount efficient and effective post-incident response investigations. Moving beyond the host-focused experiences in ISE 6420 and ISE 6425, ISE 6440 covers the tools, technology, and processes required to integrate network evidence sources into investigations, covering high-level NetFlow analysis, low-level pcap exploration, and ancillary network log examination. Hands-on exercises in FOR 572 cover a wide range of open source and commercial tools, and real-world scenarios help the student learn the underlying techniques and practices to best evaluate the most common types of network-based attacks.

ISE 6460: Reverse-Engineering Malware |   FOR 610, GREM

Content: SANS FOR 610 Reverse-Engineering Malware: Malware Analysis Tools and Techniques
Assessment: GIAC GREM Exam
3 Credit Hours

ISE 6460 teaches students how to examine and reverse engineer malicious programs - spyware, bots, Trojans, etc. - that target or run on Microsoft Windows, within browser environments such as JavaScript or Flash files, or within malicious document files (including Word and PDF). The course builds a strong foundation for reverse-engineering malicious software using a variety of system and network monitoring utilities, a disassembler, a debugger and other tools. The malware analysis process taught in this class helps students understand how incident responders assess the severity and repercussions of a situation that involves malicious software and plan recovery steps. Students also experience how forensics investigators learn to understand key characteristics of malware discovered during the examination, including how to establish indicators of compromise (IOCs) for scoping and containing the incident.

ISE 6400: Certificate Program Capstone | DFIR NetWars Continuous

Content: DFIR NetWars Continuous
1 Credit Hour

DFIR NetWars Continuous is an incident simulator packed with a vast amount of forensic, malware analysis, threat hunting, and incident response challenges designed to help students gain proficiency without the risk associated when working real-life incidents.

  • "I firmly believe, had it not been for SANS, my career would not be what it is today. My SANS education has enabled me to compete on a completely new level and given me the chance to network with industry greats."

    Steven Romero
    Engineer, Chevron

  • "I have my master's in computer science, but I completed two graduate certificate programs with SANS so I could truly dive deep into technical areas of cybersecurity and learn from instructors who are leading the industry."

    Jeff Sass
    Senior Engineering Manager, Adobe

  • "I chose the SANS graduate program because the technical content and faculty are unparalleled, and the mix of live and online instruction fit into my work life."

    Joshua Lewis
    VP, Threat Intelligence & Incident Response, Umpqua Bank

The SANS Technology Institute Advantage

Live and Online Study Options

  • The graduate certificate program can be completed entirely online, through immersive weeklong live courses, or in combination. View course delivery options.

Flexibility for Working Professionals

  • Monthly admissions windows mean you can start on your schedule and earn the graduate certificate in roughly two years.

Credentials that Showcase Your Skills

  • Earn industry-recognized GIAC certifications that validate your skill set in critical, specialized areas of InfoSec.

World-class Faculty

Pathway to a Master's Degree

  • Credits earned in the certificate program may be applied directly toward the master's degree program should you later apply and be accepted.

Quick Links

Admissions Deadlines & Application Requirements
Tuition & Options for Funding


We're happy to help.
Email or call (301) 241-7665.