SANS.edu Suggested Course Sequence
We’re excited to launch this updated and enhanced curriculum beginning in 2025.
Block 1 (Junior Year)
Courses in this block must be taken in the specified order.
- BACS 3275: Security Foundations | SEC275 + GFACTSANS Course: SEC275: Foundations: Computers, Technology, & Security
 Certification: GIAC Foundational Cybersecurity Technologies (GFACT)
 - 6 Credit Hours 
 8 Week Course Term- BACS 3275 is purpose-built to provide students with the fundamental technical knowledge and skills that serve as the baseline for all professionals in cybersecurity, reinforcing key concepts with interactive labs. You'll establish a core understanding of technology component functions and apply that knowledge to security concepts such as reconstructing a crime from digital evidence or locating exploitable flaws in software and websites. The course ensures a solid mastery of computer, hardware, network, and cybersecurity fundamentals, including the study of operating systems, Windows security tools, Linux, programming with Python and C, advanced Google searches, reconnaissance, virtualization, and encryption. You'll explore the inner workings of packets and protocols that allow the internet to function and learn the role of a computer's central processing unit (CPU), how it executes code, its relationship with memory, and the fundamentals of how attackers disrupt intended behavior. 
 
- BACS 3401: Security Essentials | SEC401 + GSECSANS Course: SEC401: Security Essentials - Network, Endpoint, and Cloud
 Certification: GIAC Security Essentials (GSEC)
 - Prerequisites: BACS 3275 
 4 Credit Hours
 8 Week Course Term- BACS 3401 is a technically-oriented survey course in which you'll learn the most effective steps to prevent cyber attacks and detect adversaries. In classes and hands-on labs, you'll learn to develop effective security metrics that provide a focused playbook that IT can implement, auditors can validate, and executives can understand. You'll explore methods to analyze and assess the risk to your environment in order to drive the creation of a security roadmap that focuses on the right areas of security. And you'll learn practical tips and tricks to focus in on high-priority security problems and on the actions required to protect and secure an organization's critical information assets and business systems. 
- BACS 3504: Incident Handling and Hacker Exploits | SEC504 + GCIHSANS Course: SEC504: Hacker Tools, Techniques, and Incident Handling
 Certification: GIAC Certified Incident Handler Certification (GCIH)
 - Prerequisite: BACS 3401 
 4 Credit Hours
 8 Week Course Term- BACS 3504 is an in-depth focus into the critical activity of incident handling. Students are taught how to manage intrusions by first looking at the techniques used by attackers to exploit a system. Students learn responses to those techniques, which can be adopted within the framework of the incident handling process to handle attacks in an organized way. The faculty instruction, lab exercises, and exam are coordinated to develop and test a student’s ability to utilize the core capabilities required for incident handling today. 
- BACS 3402: Effective Cyber Writing and Speaking | SEC402 & SEC403- Prerequisite: BACS 3275 
 2 Credit Hours
 8 Week Course Term- This unique course, built exclusively for those in cybersecurity, will strengthen your writing and speaking skills. During the first half of the course, you will learn the five "golden elements" of effective reports, briefings, emails, and other cybersecurity writing as well as understand how to pick the best words, structure, look, and tone. The second half of the course gives you the skills to put together an effective security briefing, secure the interest and engagement of your audience, and confidently deliver presentations to a variety of groups. 
- BACS 3373: Introductory Python- 3 Credit Hours 
 8 Week Course Term- In this hands-on course, you'll actively write Python code, so you can see successful results and learn by doing. You'll learn how to install and maintain Python programs and modules, and utilize basic Python programming concepts such as functions, Integrated Development Environments (IDEs), modules, lists, and basic file input / output. - Popularity and Versatility: Python is the most popular programming language globally, with extensive usage in various domains such as web development, data science, artificial intelligence, automation, and scripting.
 - Understanding Tools: Reading and understanding code is crucial for security professionals to ensure the safety of their networks, as many security tools are distributed as Python source code.
 - Enhancing Tool Effectiveness: Learning to code allows professionals to create custom tools tailored to their organization's needs.
 - Facilitating Career Advancement: Coding skills are highly beneficial for technical professionals, leading to increased productivity, innovation, and potential promotions.
 
- BACS 3573: Automating Information Security with Python | SEC573 + GPYCSANS Course: SEC573: Automating Information Security with Python
 Certification: GIAC Python Coder (GPYC)
 - Prerequisite: BACS 3504 
 4 Credit Hours
 8 Week Course Term- Note: this course can be taken concurrently with an elective course in the program - This course teaches student in the pen testing specialization, and other students who want to use the Python programming language, how to enhance their overall effectiveness during information security engagements. Students will learn how to apply core programming concepts and techniques learned in other courses through the Python programming language. The course teaches skills and techniques that can enhance an information security professional in penetration tests, security operations, and special projects. Students will create simple Python-based tools to interact with network traffic, create custom executables, test and interact with databases and websites, and parse logs or sets of data. 
- BACS 3001: Portfolio Practicum: Experiential Learning Through Cyber Challenges (Foundational)- Prerequisites: BACS 3275 
 3 Credit Hours
 16 Week Course Term- *Note: This course can be taken concurrently with other courses in Block 1 of the program (except BACS 3275) - This practicum course provides hands-on experiential learning opportunities in cybersecurity through participation in national cyber challenges. You will engage with content that will enhance technical skills, critical thinking abilities, and problem-solving techniques essential for success in cybersecurity competitions. - In this course, you will prepare for and compete in a capture-the-flag competition that will provide experience in solving real-world cybersecurity challenges. By strategically incorporating your experience in a cyber challenge into your resume or portfolio, you will be better placed to effectively demonstrate your skills, knowledge, and passion for cybersecurity to prospective employers. 
Block 2 (Senior Year)
Courses in this block can be taken in any order.
- BACS 3500: Windows Forensic Analysis | FOR500 + GCFESANS Course: FOR500: Windows Forensic Analysis
 Certification: GIAC Certified Forensic Examiner (GCFE)
 - Prerequisites: BACS 3504 
 4 Credit Hours
 8 Week Course Term- This course focuses on the critical knowledge of the Windows Operating System that every digital forensic analyst needs to investigate computer incidents successfully. Students learn how computer forensic analysts focus on collecting and analyzing data from computer systems to track user-based activity that can be used in internal investigations or civil/criminal litigation. The course covers the methodology of in-depth computer forensic examinations, digital investigative analysis, and media exploitation so each student will have complete qualifications to work as a computer forensic investigator helping to solve and fight crime. 
- BACS 3503: Intrusion Detection In-Depth | SEC503 + GCIASANS Course: SEC503: Network Monitoring and Threat Detection In-Depth
 Certification: GIAC Certified Intrusion Analyst Certification (GCIA)
 - Prerequisite: BACS 3504 
 4 Credit Hours | 8 Week Course Term- BACS 4503 delivers the technical knowledge, insight, and hands-on training needed to defend networks with confidence. Students will learn about the underlying theory of TCP/IP and the most used application protocols, such as DNS and HTTP, so that they can intelligently examine network traffic for signs of an intrusion. Daily hands-on exercises suitable for all experience levels reinforce the course book material so that students can transfer knowledge to execution. 
- ACS 4___: Upper Division Specialization Elective | GIAC Certification- Choose any 3-credit course from the list of elective courses below. 
- ACS 4___: Upper Division Specialization Elective | GIAC Certification- Choose any 3-credit course from the list of elective courses below. 
- ACS 4___: Upper Division Specialization Elective | GIAC Certification- Choose any 3-credit course from the list of elective courses below. 
- BACS 4499 / BACS 4001: Field Experience Practicum- *Note: Practicum courses can be taken concurrently with other courses in Block 2 of the program - Choose one of the following options: - BACS 4499: Internet Storm Center Internship - Prerequisites: BACS 3504 and BACS 3573 
 Recommended preparation: BACS 3503
 4 Credit Hours | 16 Week Course Term- Much like the World Health Organization and its global disease monitoring network, the SANS Technology Institute, through its research wing in the Internet Storm Center (ISC), maintains and operates the world’s leading global cyber threat detection network. - The ISC depends on continuous input from a series of DShield sensors and web application honeypots. Of course, all that collected data accomplishes nothing if it is not processed, interpreted, analyzed and very quickly reported to the global information security community. This is the role of the ISC handlers, the frontline personnel of global threat detection, whose main task is to take all the input received into the ISC and turn it into "diaries" (https://isc.sans.edu/diaryarchive.html). - This virtual internship as an Apprentice Handler will provide a student with a continuous opportunity over the course of 16 weeks to observe emerging threats, to analyze and report upon those threats, and to gain experience under the mentorship of a Handler or Senior Handler. This hands-on, real-world experience will prepare the student for a first professional cybersecurity role in a way that few other programs can. That experience will include not only a deepening of practical understanding of real-world technical issues, but also the ability to effectively write and communicate about those issues. - BACS 4001 - External Internship in Cybersecurity - Prerequisites: BACS 3504 and BACS 3573 
 Recommended preparation: BACS 3503
 4 Credit Hours | 16 Week Course Term- BACS 4001 provides students with an opportunity to gain hands-on experience in the field of cybersecurity through an approved external internship. By working with an organization in a cybersecurity role, students will apply theoretical knowledge in real-world contexts, enhance technical skills, and build professional networks. The internship must involve a minimum of 80% cybersecurity-related tasks, with limited administrative duties, ensuring the experience aligns with the student’s career aspirations and academic goals. - Students will work under the supervision of a professional mentor, set personal goals for the internship, and complete reflective and evaluative assignments to document their progress and learning. This course supports career development by helping students gain practical, industry-relevant experience while earning academic credit. 
- BACS 3002: Portfolio Practicum: Experiential Learning Through Cyber Challenges (Advanced)- 3 Credit Hours 
 16 Week Course Term- *Note: Practicum courses can be taken concurrently with other courses in Block 2 of the program - This course builds on the foundational cyber challenge experience from Block 1. You will take on more complex CTF scenarios, develop additional skills, and be encouraged to take on leadership roles in team-based challenges. Reflecting on your CTF participation from BACS 3001, you will explore your cybersecurity strengths and weaknesses before participating in a second Capture the Flag (CTF) competition. - You will further develop and demonstrate skills that you can showcase to prospective employers, and will use your advanced CTF experience to enhance your professional portfolio. 
UPPER DIVISION SPECIALIZATION ELECTIVE OPTIONS (choose 3)
Cyber Defense
- ACS 4450: Blue Team Fundamentals: Security Operations and Analysis | SEC450 + GSOCSANS Course: SEC450: Blue Team Fundamentals: Security Operations and Analysis
 Certification: GIAC Security Operations Certified (GSOC)
 - Prerequisite: BACS 3504 
 3 Credit Hours
 8 Week Course Term- ACS 4450 provides students with technical knowledge and key concepts essential for security operation center (SOC) analysts and new cyber defense team members. By providing a detailed explanation of the mission and mindset of a modern cyber defense operation, this course will jumpstart and empower those on their way to becoming the next generation of blue team members. 
- ACS 4501: Advanced Security Essentials | SEC501 + GCEDSANS Course: SEC501: Advanced Security Essentials - Enterprise Defender
 Certification: GIAC Certified Enterprise Defender (GCED)
 - Prerequisite: BACS 3504 
 3 Credit Hours
 8 Week Course Term- ACS 4501 brings together all the elements of a modern cyber defense program. Students learn how to identify threats and build defensible networks to minimize the impact of an attack, use tools to detect adversaries, decode and analyze packets using various tools to identify anomalies, understand how adversaries compromise networks, perform penetration testing against their own organization to find vulnerabilities, apply the six-step incident response plan, use tools to remediate malware infections, and create a data classification program to make data loss protection systems effective. 
- ACS 4511: Cybersecurity Engineering: Advanced Threat Detection and Monitoring | SEC511 + GMONSANS Course: SEC511: Cybersecurity Engineering: Advanced Threat Detection and Monitoring
 Certification: GIAC Continuous Monitoring Certification (GMON)
 - Prerequisite: BACS 3504 
 3 Credit Hours
 8 Week Course Term- A new proactive approach to security is needed to enhance the capabilities of organizations to detect threats that will inevitably slip through their defenses. ACS 4511 teaches this new proactive approach and strengthens student’s skills to undertake that proactive approach. The Defensible Security Architecture, Network Security Monitoring (NSM)/Continuous Diagnostics and Mitigation (CDM)/Continuous Security Monitoring (CSM) taught in this course will help students best position their organization or Security Operations Center (SOC) to analyze threats and detect anomalies that could indicate cybercriminal behavior. 
Penetration Testing
- ACS 4542: Web App Penetration Testing & Ethical Hacking | SEC542 + GWAPTSANS Course: SEC542: Web App Penetration Testing and Ethical Hacking
 Certification: GIAC Web Application Penetration Tester (GWAPT)
 - Prerequisite: BACS 3504 
 3 Credit Hours
 8 Week Course Term- With in-depth, hands-on labs and high-quality course content, ACS 4542 helps students move beyond push-button scanning to professional, thorough, and high-value web application testing. This enables students to demonstrate the impact of inadequate security that plagues most organizations’ websites. The addition of a series of enrichment exercises that strengthen students’ ability to work in Python and understand how the networks and operating systems enable web attacks to succeed so as to become even more insightful penetration testers. 
- ACS 4560: Enterprise Penetration Testing | SEC560 + GPENSANS Course: SEC560: Enterprise Penetration Testing
 Certification: GIAC Penetration Tester Certification (GPEN)
 - Prerequisite: BACS 3504 
 3 Credit Hours
 8 Week Course Term- Every organization needs skilled information security personnel who can probe for vulnerabilities that attackers might exploit in networks, web-based applications, and computer systems, and mitigate them. ACS 4560 is specially designed to get you ready for that role. The course starts with proper planning, scoping and recon, then dives deep into scanning, target exploitation, password attacks, and web app manipulation, with over 30 detailed hands-on labs. After building your skills, you'll conduct an end-to-end pen test, applying knowledge, tools, and principles from throughout the course as you discover and exploit vulnerabilities in a realistic sample target organization. 
Security Management
- ACS 4566: Implementing and Auditing the Critical Security Controls In-Depth | SEC566 + GCCCSANS Course: SEC566: Implementing and Auditing CIS Controls
 Certification: GIAC Critical Controls Certification (GCCC)
 - Prerequisite: BACS 3504 
 3 Credit Hours
 8 Week Course Term- Cybersecurity attacks are increasing and evolving so rapidly that is more difficult than ever to prevent and defend against them. ACS 4566 will help you to ensure that your organization has an effective method in place to detect, thwart, and monitor external and internal threats to prevent security breaches. As threats evolve, an organization’s security should too. Standards based implementation takes a prioritized, risk-based approach to security and shows you how standardized controls are the best way to block known attacks and mitigate damage from successful attacks. 
Digital Forensics and Incident Response
- ACS 4498: Battlefield Forensics & Data Acquisition | FOR498 + GBFASANS Course: FOR498: Digital Acquisition and Rapid Triage
 Certification: GIAC Battlefield Forensics and Acquisition (GBFA)
 - Prerequisite: BACS 3504 
 3 Credit Hours
 8 Week Course Term- This course provides the necessary skills to identify the many and varied data storage mediums in use today and how to collect and preserve this data in a forensically sound manner despite how and where it may be stored. It covers digital acquisition from computers, portable devices, networks, and the cloud. It then teaches the student Battlefield Forensics, or the art and science of identifying and starting to extract actionable intelligence from a hard drive in 90 minutes or less. 
- ACS 4500: Windows Forensic Analysis | FOR500 + GCFESANS Course: FOR500: Windows Forensic Analysis
 Certification: GIAC Certified Forensic Examiner (GCFE)
 - Prerequisite: ACS 3504 
 3 Credit Hours
 Course Length: 13 weeks (Standard) or 8 weeks (Accelerated)- This course focuses on the critical knowledge of the Windows Operating System that every digital forensic analyst needs to investigate computer incidents successfully. Students learn how computer forensic analysts focus on collecting and analyzing data from computer systems to track user-based activity that can be used in internal investigations or civil/criminal litigation. The course covers the methodology of in-depth computer forensic examinations, digital investigative analysis, and media exploitation so each student will have complete qualifications to work as a computer forensic investigator helping to solve and fight crime. 
- ACS 4508: Advanced Digital Forensics & Incident Response | FOR508 + GCFASANS Course: FOR508: Advanced Incident Response, Threat Hunting, and Digital Forensics
 Certification: GIAC Certified Forensic Analyst (GCFA)
 - Prerequisite: BACS 3504 
 3 Credit Hours
 8 Week Course Term- ACS 4508 teaches the necessary capabilities for forensic analysts and incident responders to identify and counter a wide range of threats within enterprise networks. This course is constantly updated and addresses today’s incidents by providing hand-on forensics tactics and techniques that elite responders are successfully using in real-world breach cases. 
Cloud Security
- ACS 4502: Cloud Security Tactical Defense | SEC502 + GCLDSANS Course: SEC502: Cloud Security Tactical Defense
 Certification: GIAC Cloud Security Essentials Certification (GCLD)
 - Prerequisite: BACS 3504 
 3 Credit Hours
 8 Week Course Term- ACS 4502 covers Amazon Web Services, Azure, Google Cloud, and other cloud service providers (CSPs). Like foreign languages, cloud environments have similarities and differences, and this course will introduce you to the language of cloud security. Upon completion of this course, you will be able to advise and speak about a wide range of cybersecurity topics and successfully navigate the challenges and opportunities presented by cloud service providers. 
- ACS 4588: Cloud Penetration Testing | SEC588 + GCPNSANS Course: SEC588: Cloud Penetration Testing
 Certification: GIAC Cloud Penetration Tester (GCPN)
 - Prerequisite: BACS 3504 
 3 Credit Hours
 8 Week Course Term- ACS 4588 equips you with the latest in cloud-focused penetration testing techniques and teaches you how to assess cloud environments. The course dives into topics like cloud-based microservices, in-memory data stores, serverless functions, Kubernetes meshes, and containers, as well as identifying and testing in cloud-first and cloud-native applications. You will also learn specific tactics for penetration testing in Azure and Amazon Web Services, particularly important given that AWS and Microsoft account for more than half the market. 
- ACS 4510: Cloud Security Controls and Mitigations | SEC510 + GPCSSANS Course: SEC510: Cloud Security Controls and Mitigations
 Certification: GIAC Public Cloud Security (GPCS)
 - Prerequisite: BACS 3504 
 3 Credit Hours
 8 Week Course Term- Today's organizations depend on complex, multicloud environments which must support hundreds of different services across multiple clouds. These services are often insecure by default. Similar services in different Cloud Service Providers (CSPs) need to be protected using very different methods. Security teams need a deep understanding of AWS, Azure, and Google Cloud services to lock them down properly. Checking off compliance requirements is not enough to protect the confidentiality, integrity, and availability of your organization's data, nor will it prevent attackers from taking your critical systems down. With the right controls, organizations can reduce their attack surface and prevent security incidents from becoming breaches. Mistakes happen. Limit the impact of the inevitable. 
- ACS 4522: Defending Web Applications Security Essentials | SEC522 + GWEBSANS Course: SEC522: Application Security: Securing Web Applications, APIs, and Microservices
 Certification: GIAC Certified Web Application Defender (GWEB)
 - Prerequisite: BACS 3504 
 3 Credit Hours
 8 Week Course Term- This course covers the OWASP Top 10 and provides students with a better understanding of web application vulnerabilities, enabling them to properly defend organizational web assets. Mitigation strategies from an infrastructure, architecture, and coding perspective are discussed alongside real-world implementations that really work. The testing aspect of vulnerabilities is also covered so students can ensure their application is tested for the vulnerabilities discussed in class. 
- ACS 4540: Cloud Security and DevOps Automation | SEC540 + GCSASANS Course: SEC540: Cloud Native Security and DevSecOps Automation
 Certification: GIAC Cloud Security Automation (GCSA)
 - Prerequisite: BACS 3504 
 3 Credit Hours
 8 Week Course Term- This course provides security professionals with a methodology for securing modern Cloud and DevOps environments. Students learn how to implement over 20 DevSecOps Security Controls for building, testing, deploying, and monitoring cloud infrastructure and services. Immersive hands-on labs ensure students not only understand theory, but how to configure and implement each security control. By embracing the DevOps culture, students will walk away battle tested and ready to build an organization’s Cloud & DevOps Security program. 
Industrial Control Systems Security
- ACS 4410: Security Essentials for Industrial Control Systems | ICS410 + GICSPSANS Course: ICS410: ICS/SCADA Security Essentials
 Certification: Global Industrial Cyber Security Professional Certification (GICSP)
 - Prerequisite: BACS 3504 
 3 Credit Hours
 8 Week Course Term- ACS 4410 is designed to help traditional IT personnel fully understand the design principles underlying control systems and how to support those systems in a manner that ensures availability and integrity. In parallel, the course addresses the need for control system engineers and operators to better understand the important role they play in cybersecurity. Students will learn the language, the underlying theory, and the basic tools for industrial control system security in setting across a wide range of industry sectors and applications. 






















