Graduate Certificate Programs: Cyber Defense Operations

Designed for working InfoSec and IT professionals, the graduate certificate program in Cyber Defense Operations is a sequence of highly technical, hands-on courses that prepare you to defend and secure information assets and business systems.

Format Option: A 100% online option is available
Courses: 4
GIAC Certifications: 4
Credits: 12
Duration: 18-24 months
Total Program Cost: $22,000 USD


Strengthen Your Technical Knowledge and Skills

Gain practical skills you can immediately apply at your job or in a new infosec role.

  • Learn the latest cybersecurity tactics to protect your organization
  • Keep your skills current for career growth and advancement
  • Earn professional GIAC certifications as you complete the program
  • Train on your schedule, to balance work and school
  • Get personalized support from a student advisor 


The SANS.edu Advantage


GIAC Certifications

Earn 4 industry-recognized GIAC cybersecurity certifications.


100% Online Option Available

You have the option of completing the program through live or rewindable online courses.


World-class Faculty

Learn the latest skills and techniques from the world's top cybersecurity practitioners.


Pathway to a Master’s Degree

All credits earned in this program can transfer into our master’s degree program.


SANS.edu Academic Pricing

Get SANS.edu academic pricing on SANS courses and GIAC certifications.


Powerful Network

Make connections with some of the most talented students and teachers in the industry.

Join Us for an Online Info Session

Learn more about the SANS.edu cyber security master's degree and graduate certificate programs. Have questions? We’ll answer them. Wed, Dec 21 at 1:30 pm (ET). Register here.


        “I have a master's degree from another school, and I can tell you that SANS courses are more technical and taught by more experienced instructors. I joined the graduate certificate program in Cyber Defense Operations to advance my hands-on skills and fill the gap left by my previous program.” - Harvey Wargo, Senior Intrusion Analyst, Walmart

        Learn How To:

        • Utilize a broad range of current tools and technologies in the design and implementation of security solutions deployed across organizations.
        • Identify the information assets of an enterprise, classify them by value, and determine what management and technical controls can be used to monitor and audit them effectively.
        • Develop a program for analyzing the risk to the information assets in an enterprise and determining which technical and management controls can mitigate, remove, or transfer that risk.
        • Articulate important attacker techniques, analyze the traffic that flows on networks, identify indications of an attack, engage in penetration testing within their organization, and respond to incidents associated with these activities within their organization.

        Curriculum | 12 credit hours

        Through our highly technical Cyber Defense Operations courses, you will learn the essential operational techniques used to defend an enterprise and you'll have the opportunity to customize the curriculum toward your specific interests or job role.

        Required Core Courses | 6 credit hours

        • SANS Course: SEC511: Continuous Monitoring and Security Operations
          Certification: GIAC Continuous Monitoring Certification (GMON)

          3 Credit Hours

          ISE 6240 teaches a proactive approach to enterprise security that presumes attackers will penetrate your environment and therefore emphasizes timely incident detection. The Defensible Security Architecture, Network Security Monitoring, Continuous Diagnostics and Mitigation, and Continuous Security Monitoring taught in this course, aligned with the National Institute of Standards and Technology (NIST) guidelines described in NIST SP 800-137 for Continuous Monitoring (CM), are designed to enable you and your organization to analyze threats and detect anomalies that could indicate cybercriminal behavior.

        • SANS Course: SEC530: Defensible Security Architecture and Engineering: Implementing Zero Trust for the Hybrid Enterprise
          Certification: GIAC Defensible Security Architecture (GDSA)

          3 Credit Hours

          Effective security requires a balance between detection, prevention, and response capabilities. Defensible Security Architecture and Engineering is designed to help you establish and maintain a holistic and layered approach to security. You’ll explore the fundamentals of up-to-date defensible security architecture and how to engineer it, with a heavy focus on leveraging current infrastructure (and investment), including switches, routers, and firewalls. You’ll learn how to reconfigure these devices to significantly improve your organization’s prevention capabilities in the face of today's dynamic threat landscape. The course will also delve into the latest technologies and their capabilities, strengths, and weaknesses. Multiple hands-on labs will reinforce key points in the course and provide actionable skills you will be able to leverage immediately at work.

        Elective Courses | 6 credit hours

        Students select two of the following.

        • SANS Course: SEC450: Blue Team Fundamentals: Security Operations and Analysis
          Certification: GIAC Security Operations Certified (GSOC)

          3 Credit Hours

          ISE 4450 provides you with technical knowledge and key concepts essential for security operations center (SOC) analysts and new cyber defense team members. You will learn the stages of security operations: how data is collected, where it is collected, and how threats are identified within that data. The class dives deep into tactics for triage and investigation of events that are identified as malicious, as well as how to avoid common mistakes and perform continual high-quality analysis. You will learn the inner workings of the most popular protocols, and how to identify weaponized files as well as attacks within the hosts and data on your network.

          The course employs practical, hands-on instruction using a simulated SOC environment with a real, fully-integrated toolset that includes:

          • Security Information and Event Management (SIEM)
          • An incident tracking and management system
          • A threat intelligence platform
          • Packet capture and analysis
          • Automation tools

        • SANS Course: SEC501: Advanced Security Essentials - Enterprise Defender
          Certification: GIAC Certified Enterprise Defender (GCED)

          3 Credit Hours

          ISE 6215 reinforces the theme that prevention is ideal, but detection is a must. Students will learn how to ensure that their organizations constantly improve their security posture to prevent as many attacks as possible. A key focus is on data protection, securing critical information no matter whether it resides on a server, in robust network architectures, or on a portable device.

          Despite an organization's best effort at preventing attacks and protecting its critical data, some attacks will still be successful. Therefore, students will also learn how to detect attacks in a timely fashion through an in-depth understanding of the traffic that flows on networks, scanning for indications of an attack. The course also includes instruction on performing penetration testing, vulnerability analysis, and forensics.

        • SANS Course: SEC503: Network Monitoring and Threat Detection In-Depth
          Certification: GIAC Certified Intrusion Analyst (GCIA)

          3 Credit Hours

          ISE 5401 delivers the technical knowledge, insight, and hands-on training you need to defend your network with confidence. You will learn about the underlying theory of TCP/IP and the most used application protocols, such as DNS and HTTP, so that you can intelligently examine network traffic for signs of an intrusion. You will get plenty of practice learning to master different open source tools like tcpdump, Wireshark, Snort, Bro, tshark, and SiLK. Daily hands-on exercises suitable for all experience levels reinforce the course book material so that you can transfer knowledge to execution.

        • SANS Course: SEC505: Securing Windows and PowerShell Automation
          Certification: GIAC Certified Windows Security Administrator (GCWN)

          3 Credit Hours

          ISE 6230 shows students how to secure servers, workstations and portable devices running Microsoft Windows. Windows is the most frequent target of hackers and advanced malware. While other courses focus on detection or remediation of a compromise after the fact, the aim of this course is to substantially reduce these compromises in the first place. For scalability and automation, this course includes many hands-on labs with Group Policy and PowerShell scripting. No prior scripting experience is required. Learning at least the basics of PowerShell is an essential skill for anyone who manages Windows servers or clients in an enterprise. 

        • SANS Course: SEC555: SIEM with Tactical Analytics
          Certification: GIAC Certified Detection Analyst (GCDA)

          3 Credit Hours

          These days, it’s easy for security operations to get lost in data saturation. Designed to demystify the Security Information and Event Management (SIEM) architecture and process, this lab-heavy course is focused on achieving actionable intelligence from data. To provide hands-on experience, the course navigates students through the steps of tailoring and deploying a SIEM to full Security Operations Center (SOC) integration using SOF-ELK, a SANS-sponsored free SIEM solution. Throughout the course, the text and labs will show not only how to manually extract actionable intelligence from log data, correlate the data and gather input into useable formats, and start investigating based on the aggregate data to detect sophisticated intrusions, but also how to automate many of these processes.

        • SANS Course: SEC599: Defeating Advanced Adversaries - Purple Team Tactics & Kill Chain Defenses
          Certification: GIAC Defending Advanced Threats (GDAT)

          3 Credit Hours

          ISE 6250 leverages the purple team concept by bringing together red and blue teams for maximum effect. Recognizing that a prevent-only strategy is not sufficient, the course focuses on current attack strategies and how they can be effectively mitigated and detected using a Kill Chain structure. Throughout the course, the purple team principle will be maintained, where attack techniques are first explained in-depth, after which effective security controls are introduced and implemented.

        • SANS Course: SEC573: Automating Information Security with Python
          Certification: GIAC Python Coder (GPYC)

          3 Credit Hours

          The ISE 6350 course teaches students in the pen testing specialization, and other students who want to use the Python programming language, how to enhance their overall effectiveness during information security engagements. Students will learn how to apply core programming concepts and techniques learned in other courses through the Python programming language. The course teaches skills and techniques that can enhance an information security professional's work in penetration tests, security operations, and special projects. Students will create simple Python-based tools to interact with network traffic, create custom executables, test and interact with databases and websites, and parse logs or sets of data.


        Study with the best faculty in cyber security


        Take Your Next Step

        Need more information? We’re happy to answer your questions. Join us for an info session, email info@sans.edu or call 301.241.7665.

        Ready to apply? We look forward to learning about you and your career goals.


        “I firmly believe, had it not been for SANS, my career would not be what it is today. My SANS education has enabled me to compete on a completely new level and given me the chance to network with industry greats.” - Steven Romero, Engineer, Chevron

        Success Stories


        “You get a lot of personal attention to get through the program because of the student advisors. They are the foundation of the SANS.edu experience.” - Christopher Hurless, Systems Engineer, Northwestern University in Qatar

        SANS.edu Graduate Certificate Student Wins National Cyber League Championship

        Christopher Haller beat out more than 6,000 competitors to earn the #1 individual player ranking in the Spring 2022 National Cyber League competition. See why he chose to pursue a graduate certificate at SANS.edu — and learn about his career path from the US Navy to his current role as Director of Professional Services at Centripetal Networks.

        Course Delivery Options

        Complete any of our cybersecurity degree or certificate programs by taking courses that are 100% online or that start with weeklong in-person events held across the country and around the world. Or you can do a mix of both.

        Join us for a free online info session to learn more.



        Total program cost: $22,000 USD

        Tuition includes the cost of the course, textbooks, and certification tests that serve as mid-term or final exams for courses.

        Get the Credit You Deserve
        Students who have taken SANS training classes and have active GIAC certifications may be able to waive one course and GIAC certification into the program. See our waiver policy.

        Funding Options



        We're happy to help. Email info@sans.edu or call 301.241.7665.

        About the SANS Technology Institute

        Founded in 2005, the SANS Technology Institute (SANS.edu) is the independent, regionally-accredited, VA-approved subsidiary of SANS, the world's largest and most trusted provider of cybersecurity training, certification, and research. Offering graduate and undergraduate programs at the cutting edge of cybersecurity, SANS.edu is strengthening the cyber workforce through a career-focused curriculum built on proven SANS courses and industry-recognized GIAC certifications.

        The SANS Technology Institute is accredited by The Middle States Commission on Higher Education (1007 North Orange Street, 4th Floor, MB #166, Wilmington, DE 19801 - 267.284.5000), an institutional accrediting agency recognized by the U.S. Secretary of Education and the Council for Higher Education Accreditation.