Graduate Certificate Programs: Purple Team Operations

Graduate Certificate Programs: Purple Team Operations

Graduate Certificate Program in
Purple Team Operations

Designed for working information security professionals, the graduate certificate in Purple Team Operations is a highly technical 15-credit-hour program focused on merging the applied concepts, skills, and technologies used by blue teams (digital defenders) and red teams (digital attackers) - so you can effectively operate and lead at the intersection of those domains, in the current best practice known as purple operations or purple teams.

As the information security industry continues to evolve and mature, organizations are increasingly implementing a more collaborative alternative to the old-fashioned red team vs. blue team methodology. The SANS Technology Institute's Purple Team Operations graduate certificate is the first program of its kind designed to produce technically proficient leaders who are experienced in both domains and are prepared to lead purple teams and operations in increasingly sophisticated ways.

In this hands-on program, you'll begin with a foundational course, then progress through more advanced courses (both blue and red team electives). The capstone course synthesizes your purple team knowledge and skills, culminating with a Defend-the-Flag challenge. You'll emerge from the Purple Team Operations program with 5 industry-recognized GIAC certifications, earned as you progress through the program, in addition to a graduate certificate.

A 100% online option is available.

Applications are accepted monthly. Learn more.

Join Us for a Free Online Info Session

Overview of Graduate Programs
Thursday, August 12, 1:00 pm (ET)
Register here.

Cybersecurity Management Graduate Certificate
Featuring SANS Fellows David Hoelzer and Frank Kim
Thursday, August 26, 5:30 pm (ET)
Register here.

Learn How To

  • Implement a transformational security vulnerability assessment program using fundamental network security knowledge, skills, and tools.
  • Master essential defensive techniques and identify indications of an attack in order to detect, respond to, and mitigate incident on enterprise networks.
  • Understand and implement attacker techniques and utilize the full range of penetration techniques in order to breach a network, pivot within it, and disrupt, exploit, or exfiltrate data from it.
  • Integrate a broad range of blue team and red team tools, technologies, and mindsets to maximize the synergy of full spectrum purple security activities.

Curriculum | 15 credit hours

Click on each course title for a full description.

Required Courses | 9 credit hours:
ISE 6310: Enterprise Threat and Vulnerability Assessment | SEC 460, GEVA

SANS class: SEC 460 Enterprise Threat and Vulnerability
Assessment: GIAC GEVA
3 Credit Hours

ISE 6310 covers threat management, introduces the core components of comprehensive vulnerability assessment, and provides the hands-on instruction necessary to produce a vigorous defensive strategy. Through a detailed, practical analysis of threat intelligence, modeling, and automation, you will learn not only how to use the tools of the trade, but also how to implement a transformational security vulnerability assessment program to secure networks against even the most advanced intrusions.

ISE 6215: Advanced Security Essentials - Enterprise Defender | SEC 501, GCED

Content: SEC 501 Advanced Security Essentials - Enterprise Defender
Assessment: GIAC GCED
3 Credit Hours

ISE 6215 reinforces the theme that prevention is ideal, but detection is a must. In this advanced survey course, you'll learn how to ensure that your organization constantly improves its security posture to prevent as many attacks as possible. A key focus is on data protection, securing critical information no matter whether it resides on a server, in robust network architectures, or on a portable device. Despite an organization's best effort at preventing attacks and protecting its critical data, some attacks will still be successful. Therefore, you'll also learn how to detect attacks in a timely fashion through an in-depth understanding the traffic that flows on networks, scanning for indications of an attack. The course also includes instruction on performing penetration testing, vulnerability analysis, and forensics.

ISE 6250: (Certificate Program Capstone): Defeating Advanced Adversaries - Purple Team Tactics & Kill Chain Defenses | SEC 599, GDAT

Content: SEC 599 Defeating Advanced Adversaries - Purple Team Tactics & Kill Chain Defenses
Assessment: GIAC GDAT
3 Credit Hours

ISE 6250 leverages the purple team concept by bringing together red and blue teams for maximum effect. Recognizing that a prevent-only strategy is not sufficient, the course focuses on current attack strategies and how they can be effectively mitigated and detected using a Kill Chain structure. Throughout the course, the purple team principle is maintained, where attack techniques are first explained in-depth, after which effective security controls are introduced and implemented. The course culminates with a Defend-the-Flag challenge in which you will integrate blue team and red team strategies to keep your network secure against advanced adversaries.

Blue Elective Courses | 3 credit hours:

Students select one of the following.

ISE 5401: Intrusion Detection In-Depth | SEC 503, GCIA

Content: SANS SEC 503, Intrusion Detection In-Depth
Assessment: GIAC GCIA Exam
3 Credit Hours

ISE 5401 arms you with the core knowledge, tools, and techniques to prepare you to defend your networks. Hands-on exercises supplement the course book material, allowing you to transfer the knowledge in your head to your keyboard using the Packetrix VMware distribution. As the Packetrix name implies, the distribution contains many of the tricks of the trade to perform packet and traffic analysis. All exercises in the course can be approached in two ways. A basic approach, which assists you by giving hints for answering the questions; or, an advanced approach, which provides no hints, creating a more challenging experience.

ISE 6240: Continuous Monitoring and Security Operations | SEC 511, GMON

Content: SANS SEC 511 Continuous Monitoring and Security Operations
Assessment: GIAC GMON Exam
3 Credit Hours

ISE 6240 prepares you to take a proactive approach to security that is needed to enhance the capabilities of organizations to detect threats that will inevitably slip through their defenses. The Defensible Security Architecture, Network Security Monitoring (NSM)/Continuous Diagnostics and Mitigation (CDM)/Continuous Security Monitoring (CSM) taught in this course will help you best position your organization or Security Operations Center (SOC) to analyze threats and detect anomalies that could indicate cybercriminal behavior.

Red Elective Courses | 3 credit hours:

Students select one of the following.

ISE 6320: Network Penetration Testing and Ethical Hacking | SEC 560, GPEN

Content: SANS SEC 560 Network Penetration Testing and Ethical Hacking
Assessment: GIAC GPEN Exam
3 Credit Hours

ISE 6320 prepares you to conduct successful penetration testing and ethical hacking projects. The course starts with proper planning, scoping and recon, and then dives deep into scanning, target exploitation, password attacks, and wireless and web apps with detailed hands-on exercises and practical tips for doing the job safely and effectively. You will participate in an intensive, hands-on Capture the Flag exercise, conducting a penetration test against a sample target organization.

ISE 6360: Advanced Penetration Testing, Exploit Writing, and Ethical Hacking | SEC 660, GXPN

Content: SANS SEC 660 Advanced Penetration Testing, Exploits, and Ethical Hacking
Assessment: GIAC GXPN Exam
3 Credit Hours

This advanced course for students with penetration testing experience introduces you to the most prominent and powerful attack vectors, allowing you to perform these attacks in a variety of hands-on scenarios. The course goes far beyond simple scanning for low-hanging fruit and shows penetration testers how to model the abilities of an advanced attacker to find significant flaws in a target environment and demonstrate the business risk associated with these flaws.

  • "I firmly believe, had it not been for SANS, my career would not be what it is today. My SANS education has enabled me to compete on a completely new level and given me the chance to network with industry greats."

    Steven Romero
    Engineer, Chevron

  • "I have my master's in computer science, but I completed
    two graduate certificate programs with SANS so I could
    truly dive deep into technical areas of cybersecurity
    and learn from instructors who are leading the industry."

    Jeff Sass
    Senior Engineering Manager, Adobe

  • "Earning a graduate certificate from SANS is what really
    accelerated my career. The technical skills I learned in the
    program have given me the confidence to successfully lead
    my team and prepare them for new challenges."

    David Cox
    Manager, Cyber Threat Management, EY

The SANS Technology Institute Advantage

Online and In-Person Study Options

Flexibility for Working Professionals

  • Monthly admissions windows mean you can start on your schedule and earn the graduate certificate in roughly two years.

Credentials that Showcase Your Skills

  • Earn 5 industry-recognized GIAC certifications that validate your skill set in critical, specialized areas of InfoSec.

World-class Faculty

Pathway to a Master's Degree

  • Credits earned in the certificate program may be applied directly toward the master's degree program should you later apply and be accepted.

Success Stories

Video gaming was the start of what would lead to Jeff Sass's decades-long career at Adobe.

Discover why he chose to pursue 3 graduate certificates at — and how the experience helped him win a promotion to manager.

Read Jeff’s story and other profiles here.

Quick Links

Admissions Deadlines & Application Requirements
Tuition & Options for Funding


We're happy to help.
Email or call (301) 241-7665.