Security Laboratory

Security Laboratory

The New Pen Testing Course from SANS Institute

Stephen Northcutt and Ed Skoudis
Sometimes on the discussion list for the GIAC Advisory Board ( an honor reserved for students that score 90 or higher on their exams ) it gets pretty lively. We thought you might be interested in this discussion since the subject will probably come up again and again and again. It all started with the observation: "What I noticed was GPEN and GCIH [GPEN and GCIH are the names for the GIAC certifications for two courses taught at SANS] have the same course content and syllabus. Then why do we have 2 different course names with the same content?"

Ed Skoudis, the author of the SANS course on incident handling (Security 504), as well as the new SANS course on Network Penetration Testing and Ethical Hacking (SANS Security 560), wrote back and said, "The contents are totally different, and the skills to be tested are very different as well. I suspect that you saw a place holder for the GPEN, pending the completion of the new course. The new course is now complete, and we're updating details about the associated cert. But, the question comes up a lot... is this a mere recycling or regurgitation of SANS 504? Absolutely not. I prepared a little FAQ that compares the two courses." Here it is:

The SANS Institute is introducing a brand-new course titled SANS Security 560: Network Penetration Testing and Ethical Hacking. This new course addresses in-depth methods used by professional penetration testers and ethical hackers to find and exploit flaws in a target environment. Additionally, SANS offers a course called SANS Security 504: Hacker Techniques, Exploits, and Incident Handling. Although both courses deal with computer attacks, there are some important differences between them. The purpose of this brief FAQ is to answer questions regarding the differences between the two courses.

What is the focus of SANS Security 560, and how does it differ from SANS Security 504?
SANS Security 560 deals with penetration testing and ethical hacking, in depth, covering numerous techniques for finding and exploiting flaws in a target environment using a consistent, high-quality testing regimen. SANS Security 504 focuses on incident handling, addressing practical methods for preparing for, detecting, and responding to computer attacks. In short, 560 covers penetration testing and ethical hacking, while 504 addresses incident handling.

Aren't the courses pretty much the same?
Not at all. 560 is very different from 504. We cover a variety of different tools in each class. Even when both classes cover the same topic or tool, they cover it from a completely different perspective. Take Metasploit and password attacks as examples. In 504, we talk about how these attacks work, emphasizing how to defend against them, and addressing how incident handlers can respond to their use. In 560, we get a lot deeper, talking about how to use each and every tool, with detailed, hands-on exercises that cover some of the features that incident handlers don't really need to know about but pen testers will likely use quite often. The idea is that incident handlers need to know what the attacks are from a broad perspective so that they can detect and respond to them in their environment. But, incident handlers don't need to know how to launch every one of the attacks we cover. Penetration testers, on the other hand, need to be able to use every tool we analyze, not just recognize its use against their environments. Thus, SANS 560 has triple the amount of hands-on exercises as 504, which itself includes numerous useful exercises tailored for incident handlers.

From a bottom-line perspective, 504 is more broad because incident handlers need to know about a lot of attack vectors that are typically not allowed for penetration testers by the rules of engagement. For example, incident handlers need to understand how to respond to bots and rootkits. But, the vast majority of penetration testers are prohibited from installing bots or rootkits on target machines. In the end, 560 is deeper, because penetration testers need hands-on experience with each tool, while 504 is more broad, because incident handlers need to focus on recognizing each tool's use in their environments.

Does 560 supersede 504 or supplant it?
No. 560 does not supersede 504. 504 is still a vital course, which we will continue to update and offer, supporting people in their careers as incident handlers. 560 is for penetration testers and ethical hackers.

I've already taken 504. Should I take 560 as a follow-on?
560 was designed as a perfect follow-on for people who have already taken 504 and are looking to get into more depth with tools used in professional penetration testing and ethical hacking. 560 is not recycled 504 material; it is an entirely new class with an entirely new set of slides and exercises.

I've taken neither 504 nor 560. Where should I start?
If you are more interested in incident handling, 504 is the course for you. If you need to develop your penetration testing skills, start with 560. Neither course is a pre-requisite for the other.

Where can I get more information about each course?
To learn more about SANS Security 504: Hacker Techniques, Exploits, and Incident Handling, go to

To learn more about SANS Security 560: Network Penetration Testing and Ethical Hacking, go to

SANS Penetration Testing and the CEH
Several of the folks on the Advisory board wanted to know how 560 compares to CEH, as well as how 560 compares to 504[again]. These are important questions, and I specifically developed 560 (with a lot of input from some of the best penetration testers I know in the business) to fill a void in really high-quality classes that provide people with hands-on, real-world network penetration testing skills, organized around the work flow of professional pen testers.

To help you understand how it differentiates from CEH, I put together this list of bullet points:

This SANS course, Network Penetration Testing and Ethical Hacking, differs from other penetration testing and ethical hacking courses in several important ways:
    • We get deep into the tools arsenal, with numerous hands-on exercises that show subtle, less-well-known, and undocumented features that are incredibly useful for professional penetration testers and ethical hackers.
    • The course discusses how the tools inter-relate with each other in an overall testing process. Rather than just throwing up a bunch of tools and playing with them, we analyze how to leverage information from one tool to get the most bang out of the next tool.
    • We focus on the work flow of professional penetration testers and ethical hackers, proceeding step-by-step discussing the most effective means for conducting projects.
    • The sessions address common pitfalls that arise in penetration tests and ethical hacking projects, providing real-world strategies and tactics for avoiding these problems to maximize the quality of test results.
    • We cover several time saving tactics based on years of in-the-trenches experience from real penetration testers and ethical hackers, actions that might take hours or days unless you know the little secrets we'll cover that will let you surmount a problem in minutes.
    • The course stresses the mind-set of successful penetration testers and ethical hackers, which involves balancing the often contravening forces of creative "outside-the-box" thinking, methodical trouble- shooting, carefully weighing risks, following a time-tested process, painstakingly documenting results, and creating a high quality final report that achieves management and technical buy-in.
    • We also analyze how penetration testing and ethical hacking should fit into a comprehensive enterprise information security program.

This set of bullets is included in the 560 description at the website. At one point we contemplated creating a Penetration Testing Course for the CEH. But we ran into a quandary. When we were originally working on the course development, Ed called Mason, the lead for business development, on the phone and said, "Mase... I can make a course that will help people get one of the currently available pen test certs, scratching the surface of a whole bunch of tools, but not really getting into the meat of how pro pen testers really apply their craft. OR, I could make the best pen test course I know how, focusing on what people really need to know to be excellent pen testers. What should I do?" Mason responded, "Ed, make the best course you possibly can. Go for it." Ed immediately started brainstorming with a bunch of pen test folks that he knows and trusts immensely, like Jay Beale, Matt Carpenter, Tom Liston, Atlas, and many others, to develop a curriculum that addresses the stuff we look for in professional pen testers. All of us are really excited with the result and so is the community, the course has sold out for its first two offerings.

Who is going to teach the SANS Pen Testing Course and the Incident Handler and Hacker Techniques course?
Right now, as we ramp up the 560 course, Ed is focusing on teaching it. But, we have plenty of bench strength, we've got some other really good folks that have taught 504 (the Incident Handler and Hacker Techniques course) for the past few years continuing to teach it during that time (John Strand, Arrigo Triulzi, George Bakos, Jim Shewmaker, and many others). Then, after the new course (560) is established, I'll be switching back and forth between 504 and 560.

We hope this addresses your questions about the new course. If not, please let us know. We want you to have all the information you require so that you can choose the right course for you.