Cybersecurity Master's Degree

SANS.edu is proud to be an NSA Center of Academic Excellence in Cyber Defense.

Designed for working professionals, the SANS.edu master's degree in cybersecurity develops both hands-on technical skills and the ability to lead.

Format Option: A 100% online option is available
Credits: 36
GIAC Certifications: 9
Duration: 3 – 5 years
Total Program Cost: $54,000 USD


Cybersecurity Master's Degree Designed for Working Professionals

Our Master of Science in Information Security Engineering (MSISE) program is designed to be completed while you work full time, applying the cyber security concepts and technical skills you learn in class on the job. To help you balance work, school, and life, we offer a variety of course delivery options — including a 100% online option — and personalized support from a student advisor from start to finish.

Next application deadline: August 1 to start in October or November 2024

  • Join a free online info session for insider tips on Crafting a Strong Cybersecurity Master's Degree Application on Thursday, June 27 at 12 pm (ET). Register here.

      The SANS.edu Advantage

      Prepare to lead in a career-focused master's in cybersecurity program that develops both hands-on technical expertise and leadership skills.

      GIAC Certifications

      Earn 9 industry-recognized GIAC cybersecurity certifications.


      World-class Faculty

      Learn the latest skills and techniques from the world's top cybersecurity practitioners.


      Powerful Network

      Make connections with some of the most talented students and teachers in the industry.


      Flexible Schedule

      Our programs are designed to fit into your busy life and work schedule.


      100% Online Option

      You have the option of completing the program through live or rewindable online courses.


      SANS.edu Academic Pricing

      Get SANS.edu academic pricing on SANS courses and GIAC certifications.

      InfoSec professional attends SANS.edu info session

      Join an Online Info Session for Graduate Cybersecurity Programs

      • Explore our 9 highly technical, job-specific graduate certificate programs for working professionals. Tue, June 18 at 12 pm (ET). Register here.
      • Get tips on crafting a strong application to our cybersecurity master’s degree program and information on the next steps in the admissions process. Thu, June 27, 12 pm (ET). Register here.
      • Learn more about our cybersecurity master's degree and graduate certificate programs for working professionals. Have questions? We'll answer them. Thu, July 10, 1 pm (ET). Register here.

      “I pursued the master's degree out of delight in studying the technical side of things, but time and again the focus of the program on communication, presentation, and leadership has been on point and much needed." - Tim Collyer, Director of Information Security, Motorola Solutions


      SANS.edu Named One of the Top 10 Innovators in Cybersecurity Education 

      The SANS Technology Institute has been recognized as a global leader in cybersecurity education by Help Net Security, joining the ranks of top institutions like Stanford, MIT, Carnegie Mellon and Oxford.


      Earn 9 GIAC Certifications

      As you complete the program, you’ll earn 9 industry-recognized GIAC certifications that validate the skills and knowledge you have gained.


      Gain Depth of Knowledge in Cybersecurity

      Build your professional reputation by contributing to our collection of peer-reviewed graduate student research papers, considered for publication in the SANS Reading Room and industry journals.

      “I receive compliments from senior leadership when I present — all directly related to feedback I received from my SANS faculty research advisors. When SANS.edu advertises that the program changes careers, this is a concrete example — it's the best graduate program on the planet.” - Jim Horwath, Director of Security Engineering, Guardian Life

      Master's Degree in Cybersecurity Curriculum | 36 credit hours

      The core of the cybersecurity master's degree curriculum is a carefully designed sequence of hands-on technical courses, management courses with leadership experiences, student-designed research, presentation opportunities, and a capstone.

      Our faculty has designed a system of 4 “blocks” to provide the optimal developmental pathway through the courses. In this structure, all course prerequisites are included in prior blocks. This is the curriculum order for this program.

      Block 1 | 9 credit hours

      The master’s curriculum begins with the development of baseline cybersecurity principles and skills for individual practitioners, including the technical and management foundational skills covered in the GSEC, GCIH, and GSTRT certification exams.

      • SANS Course: SEC401: Security Essentials - Network, Endpoint, and Cloud
        Certification: GIAC Security Essentials (GSEC)

        3 Credit Hours

        ISE 5101 is the introductory, technically-oriented survey course in the information security engineering master's program. It establishes the foundations for designing, building, maintaining and assessing security functions at the end-user, network and enterprise levels of an organization. The faculty instruction, readings, lab exercises, and exam are coordinated to introduce and develop the core technical, management, and enterprise-level capabilities that will be developed throughout the information security engineering master's program.

      • SANS Course: SEC504: Hacker Tools, Techniques, and Incident Handling
        Certification: GIAC Certified Incident Handler Certification (GCIH)

        3 Credit Hours

        By adopting the viewpoint of a hacker, ISE 5201 provides an in-depth focus into the critical activity of incident handling. Students are taught how to manage intrusions by first looking at the techniques used by attackers to exploit a system. Students learn responses to those techniques, which can be adopted within the framework of the incident handling process to handle attacks in an organized way. The faculty instruction, lab exercises, and exam are coordinated to develop and test a student's ability to utilize the core capabilities required for incident handling.

      • SANS Course: LDR514: Security Strategic Planning, Policy, and Leadership
        Certification: GIAC Strategic Planning, Policy, and Leadership (GSTRT)

        3 Credit Hours

        ISE 5601 gives you tools to become a security business leader who can build and execute strategic plans that resonate with other business executives, create effective information security policy, and develop management and leadership skills to better lead, inspire, and motivate your teams. The course will help you to develop strategic plans, create effective information security policy, and develop management and leadership skills using case studies from Harvard Business School, case scenarios, team-based exercises, and discussions that put you in real-world situations.

      Block 2 | 9 credit hours

      You’ll move onto more intermediary skills in Block 2, applying and synthesizing your knowledge at the organizational level, including skills required for the GDSA, GCIA, and SSAP exams. The first half of the program concludes with a hands-on group project and the Core Comprehensive Exam, which ensures you have mastered foundational skills before moving onto more advanced coursework.

      • SANS Course: SEC530: Defensible Security Architecture and Engineering: Implementing Zero Trust for the Hybrid Enterprise
        Certification: GIAC Defensible Security Architect Certification (GDSA)

        3 Credit Hours

        Effective security requires a balance between detection, prevention, and response capabilities. Defensible Security Architecture and Engineering is designed to help you establish and maintain a holistic and layered approach to security. You’ll explore the fundamentals of up-to-date defensible security architecture and how to engineer it, with a heavy focus on leveraging current infrastructure (and investment), including switches, routers, and firewalls. You’ll learn how to reconfigure these devices to significantly improve your organization’s prevention capabilities in the face of today's dynamic threat landscape. The course will also delve into the latest technologies and their capabilities, strengths, and weaknesses. Multiple hands-on labs will reinforce key points in the course and provide actionable skills you will be able to leverage immediately at work.

      • SANS Course: LDR433: Managing Human Risk
        Certification: SANS Security Awareness Professional (SSAP)

        1 Credit Hours

        From phishing attacks and credential stuffing to lost devices or auto-complete in email, human risk has become the primary risk for most organizations. One of the most effective ways for an organization to manage its human risk is to build on their existing technical controls with a mature security awareness program. The program must go beyond just compliance and change organizational behaviors and ultimately, culture. In ISE 5300, you will learn the key concepts and skills to plan, maintain, and measure an effective security awareness program that makes an organization both more secure and compliant. Through a series of labs and exercises, you will develop your security awareness plan and also complete the SSAP exam.

      • SANS Course: SEC503: Network Monitoring and Threat Detection In-Depth
        Certification: GIAC Certified Intrusion Analyst Certification (GCIA)

        3 Credit Hours

        ISE 5401 delivers the technical knowledge, insight, and hands-on training you need to defend your network with confidence. You will learn about the underlying theory of TCP/IP and the most used application protocols, such as DNS and HTTP, so that you can intelligently examine network traffic for signs of an intrusion. You will get plenty of practice learning to master different open source tools like tcpdump, Wireshark, Snort, Bro, tshark, and SiLK. Daily hands-on exercises suitable for all experience levels reinforce the course book material so that you can transfer knowledge to execution.

      • Assessment: Written report
        1 Credit Hour

        In ISE 5701, you and a small group of students will learn and be assessed on your ability to come together as a team, evaluate a situation, develop a response, and prepare recommendations for decision to a C-Level audience within forty-five (45) days. You will be put into a small group with other students and presented with an information security topic prompt. Your group will prepare a plan for researching and reporting on the assignment. Once the plan is prepared, the group will execute the plan, adjusting as necessary, to develop a report of the research completed and recommended actions.

      • 1 Credit Hour

        The Core Comprehensive Exam tests your mastery of the core technical skills required by top security consultants and individual practitioners. Through a series of exercises, you’ll demonstrate your ability to integrate the knowledge, skills, and techniques acquired in ISE 5101, ISE 5201, and ISE 5401 to address common challenges faced by technical leaders in the cybersecurity field.

      Block 3 | 9 credit hours

      In Block 3, you’ll dive into more specialized cybersecurity topics by taking your final management course (GCPM) and 2 elective classes. You can choose to do an optional Special Focus Area and may choose to take up to 2 additional electives.
      • SANS Course: LDR525: Managing Cybersecurity Initiatives & Effective Communication
        Certification: GIAC Certified Project Manager (GCPM)

        3 Credit Hours

        In ISE 5800 you will learn how to improve your project planning methodology and project task scheduling to get the most out of your critical IT resources. The course utilizes project case studies that highlight information technology services as deliverables. ISE 5800 follows the basic project management structure from the PMP® Guide 5th edition and also provides specific techniques for success with information assurance initiatives. All aspects of IT project management are covered — from initiating and planning projects through managing cost, time, and quality while your project is active, to completing, closing, and documenting as your project finishes.

      • 3 Credit Hours

        In Block 3, you’ll choose 3 different technical courses from those listed in the “Elective Courses and Special Focus Areas” section below. You can take a generalist approach and select any 3 electives or choose electives within one of our optional Special Focus Areas.

      • 3 Credit Hours

        In Block 3, you’ll choose 3 different technical courses from those listed in the “Elective Courses and Special Focus Areas” section below. You can take a generalist approach and select any 3 electives or choose electives within one of our optional Special Focus Areas.

      Block 4 | 9 credit hours

      Block 4 is a year of culminating practicums where you will integrate all foundational and specialized skills learned in the program. You’ll finish your electives, hone your skills in NetWars Continuous, demonstrate executive-level communication in a hands-on group project, and contribute to the cybersecurity community through a unique capstone research project of your own design.

      • 1 Credit Hour

        This course will prepare you to conduct graduate-level research exploring a current applied cyber security problem. You will learn how to select an appropriate research question, design an experiment, and analyze the experiment's outcome to answer the research question. Students will develop a proposal for the research paper to be written in ISE 5901: Advanced Technical Research & Communication Practicum and learn how to complete the research paper requirements for the practicum.

      • 3 Credit Hours

        In Block 3, you’ll choose 3 different technical courses from those listed in the “Elective Courses and Special Focus Areas” section below. You can take a generalist approach and select any 3 electives or choose electives within one of our optional Special Focus Areas.

      • 1 Credit Hour

        NetWars Continuous is an online training program that guides you through hands-on lessons to locate vulnerabilities, exploit diverse machines, and analyze systems. NetWars provides a forum to test and perfect cyber security skills in a manner that is legal and ethical. You will face challenges derived from real-world environments and actual attacks that businesses, governments, and military organizations must deal with every day.

      • Assessment: Oral Presentation, Writing Exercise
        1 Credit Hour

        In ISE 6101, you and a small group of students will learn and be assessed on your ability to come together as a team, evaluate a situation, demonstrate leadership, develop a response, and prepare and present recommendations for a decision to a C-Level audience within 24-hours. This course builds on what you have learned in other courses and allows you to apply that knowledge. You will be put into a small group with other students and presented with an information security topic prompt. Working as a group, you will analyze the situation, develop a technical response, and establish recommendations for an organizational response to the situation presented. After your team develops a recommended response, the group will provide written and oral reports of recommendations for action to a mixed technical/non-technical audience of executives for decision.

      • 3 Credit Hours

        ISE 5901 is an advanced graduate-level research and presentation course in which you will identify, investigate and analyze a problem. You will write a research paper interpreting the data collected and making recommendations for action. The paper will reflect original work towards a new practice, solution, tool, policy, or paradigm offering the potential for real impact in the field of information security. You will then convert written material to an oral webinar presentation in order to inform a technical audience about the topic.

      Elective Courses and Special Focus Areas

      In Blocks 3 & 4, students in the master’s degree program choose 3 different technical courses from those listed below. Each elective course is 3 credit hours and has a course term of 3 months.

      As a cybersecurity degree candidate, you can choose from two options:

      1. Take a generalist approach and select any 3 electives below, or
      2. Choose electives within one of our six optional Special Focus Areas highlighted below, to deepen your expertise in a specialized area of information security

        Cloud Security | Special Focus Area (Optional)

        To pursue this Special Focus Area, select three of the following courses.

        • SANS Course: SEC488: Cloud Security Essentials
          Certification: GIAC Cloud Security Essentials Certification (GCLD)

          3 Credit Hours

          ISE 6610: Cloud Security Essentials will equip you to implement appropriate security controls in the cloud, often using automation to "inspect what you expect." Mature cloud service providers (CSPs) have created a variety of security services that can help customers use their products in a more secure manner, but much about cloud security still resides with the customer organization. This course covers real-world lessons using security services created by the CSPs as well as open-source tools. Each lesson features hands-on lab exercises to help you practice the lessons learned. You will progressively layer multiple security controls in order to end the course with a functional security architecture implemented in the cloud. The course begins by addressing one of the most crucial aspects of the cloud — Identity and Access Management (IAM). From there, you will learn to secure the cloud through discussion and practical, hands-on exercises related to several key topics to defend various cloud workloads operating in the different CSP models of: Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS).

          You will be able to:

          • Identify the risks and risk control ownership based on the deployment models and service delivery models of the various products offered by cloud service providers (CSPs)
          • Evaluate the trustworthiness of CSPs based on their security documentation, service features, third-party attestations, and position in the global cloud ecosystem
          • Create accounts and use the services of any one the leading CSPs and be comfortable with the self-service nature of the public cloud, including finding documentation, tutorials, pricing, and security features
          • Articulate the business and security implications of a multi-cloud strategy
          • Secure access to the consoles used to access the CSP environments
          • Use command line interfaces to query assets and identities in the cloud environment
          • Use hardening benchmarks, patching, and configuration management to achieve and maintain an engineered state of security for the cloud environment
          • Evaluate the logging services of various CSPs and use those logs to provide the necessary accountability for events that occur in the cloud environment
          • Configure the command line interface (CLI) and properly protect the access keys to minimize the risk of compromised credentials
          • Use basic Bash and Python scripts to automate tasks in the cloud
          • Implement network security controls that are native to both AWS and Azure
          • Employ an architectural pattern to automatically create and provision patched and hardened virtual machine images to multiple AWS accounts
          • Use Azure Security Center to audit the configuration in an Azure deployment and identify security issues
          • Use Terraform to deploy a complete "infrastructure as code" environment to multiple cloud providers
          • Leverage the Cloud Security Alliance Cloud Controls Matrix to select the appropriate security controls for a given cloud network security architecture and assess a CSP's implementation of those controls using audit reports and the CSP's shared responsibility model
          • Follow the penetration testing guidelines put forth by AWS and Azure to invoke your "inner red teamer" to compromise a full stack cloud application
          • Use logs from cloud services and virtual machines hosted in the cloud to detect a security incident and take appropriate steps as a first responder according to a recommended incident response methodology
          • Perform a preliminary forensic file system analysis of a compromised virtual machine to identify indicators of compromise and create a file system timeline
        • SANS Course: SEC510: Cloud Security Controls and Mitigations
          Certification: GIAC Public Cloud Security (GPCS)

          3 Credit Hours
          Today's organizations depend on complex, multicloud environments which must support hundreds of different services across multiple clouds. These services are often insecure by default. Similar services in different Cloud Service Providers (CSPs) need to be protected using very different methods. Security teams need a deep understanding of AWS, Azure, and Google Cloud services to lock them down properly. Checking off compliance requirements is not enough to protect the confidentiality, integrity, and availability of your organization's data, nor will it prevent attackers from taking your critical systems down. With the right controls, organizations can reduce their attack surface and prevent security incidents from becoming breaches. Mistakes happen. Limit the impact of the inevitable.

          Skills Learned

          • Make informed decisions in the Big 3 cloud service providers by understanding the inner workings of each of their Platform as a Service (PaaS) and Infrastructure as a Service (IaaS) offerings
          • Implement secure Identity and Access Management (IAM) with multiple layers of defense-in-depth
          • Build and secure multi cloud networks with segmentation and access control
          • Encrypt data at rest and in-transit throughout each cloud
          • Control the confidentiality, integrity, and availability of data in each cloud storage service
          • Support non-traditional computing platforms like Application Services and serverless Functions as a Service (FaaS)
          • Integrate each cloud provider with one another without the use of long-lived credentials
          • Automate security and compliance checks using cloud-native platforms
          • Guide engineering teams in enforcing security controls using Terraform and Infrastructure-as-Code (IaC)
        • SANS Course: SEC522: Application Security: Securing Web Applications, APIs, and Microservices
          Certification: GIAC Certified Web Application Defender (GWEB)

          3 Credit Hours

          ISE 6615 presents mitigation strategies from an infrastructure, architecture, and coding perspective alongside real-world techniques that have been proven to work. The course introduces the nature of each vulnerability to help you understand why it happens, then shows you how to identify the vulnerability and provide options to mitigate it.

          To maximize the benefit for a wider range of audiences, the discussions in this course will be programming language agnostic. The focus will be maintained on security strategies rather than coding-level implementation.

          The course is particularly well suited to application security analysts, developers, application architects, pen testers, auditors who are interested in recommending proper mitigations for web security issues, and infrastructure security professionals who have an interest in enhancing the defense of web applications. The course will also cover additional issues the authors have found to be important in their day-to-day web application development practices.

          The topics covered include:

          • The OWASP Top 10
          • Selected specific web application issues from the Common Weakness Enumeration (CWE) Top 25 Most Dangerous Software Errors
          • Infrastructure security and configuration management
          • Securely integrating cloud components into a web application
          • Authentication and authorization mechanisms, including single sign-on patterns
          • Application language configuration
          • Application coding errors like SQL injection, cross-site request forgery, and cross-site scripting
          • Web 2.0 and its use of web services (REST/SOAP)
          • Cross-domain web request security
          • Business logic flaws
          • Protective HTTP headers
        • SANS Course: SEC588: Cloud Penetration Testing
          Certification: GIAC Cloud Penetration Tester (GCPN)

          3 Credit Hours

          ISE 6630 dives into the latest in penetration testing techniques focused on the cloud, how to assess cloud environments, as well as other new topics that appear in the cloud like microservices, in-memory data stores, files in the cloud, serverless functions, Kubernetes meshes, and containers. The course also specifically covers Azure and AWS penetration testing, which is particularly important given that Amazon Web Services and Microsoft account for more than half of the market. The goal is not to demonstrate these technologies, but rather to teach you how to assess and report on the true risk that the organization could face if these services are left insecure.

          Students will be able to:

          • Conduct cloud-based penetration tests
          • Assess cloud environments and bring value back to the business by locating vulnerabilities
          • Understand how cloud environments are constructed and how to scale factors into the gathering of evidence
          • Assess security risks in Amazon and Microsoft Azure environments
        • SANS Course: SEC540: Cloud Security and DevSecOps Automation
          Certification: GIAC Cloud Security Automation (GCSA)

          3 Credit Hours

          ISE 6650 provides development, operations, and security professionals with a methodology to build and deliver secure infrastructure and software using DevOps and cloud services. Students will explore how DevOps principles, practices, and tools of DevOps can improve the reliability, integrity, and security of on-premise and cloud-hosted applications. You will gain hands-on experience using popular tools such as Jenkins, GitLab, Puppet, Vault, and Grafana to automate Configuration Management ("Infrastructure as Code"), Continuous Integration (CI), Continuous Delivery (CD), cloud infrastructure, containerization, micro-segmentation, Functions as a Service (FaaS), Compliance as Code, and Continuous Monitoring.

          You will be prepared to:

          • Recognize how DevOps works and identify keys to success
          • Utilize Continuous Integration, Continuous Delivery, and Continuous Deployment workflows, patterns, and tools
          • Identify the security risks and issues associated with DevOps and Continuous Delivery
          • Use DevOps practices to secure DevOps tools and workflows
          • Conduct effective risk assessments and threat modeling in a rapidly changing environment
          • Design and write automated security tests and checks in CI/CD
          • Understand the strengths and weaknesses of different automated testing approaches in Continuous Delivery
          • Implement self-serve security services for developers
          • Inventory and patch your software dependencies
          • Threat model and secure your build and deployment environment
          • Automate configuration management using Infrastructure as Code
          • Secure container technologies (such as Docker and Kubernetes)
          • Build continuous monitoring feedback loops from production to engineering
          • Securely manage secrets for continuous integration servers and applications
          • Automate compliance and security policy scanning
          • Understand how to automate cloud architecture components
          • Use CloudFormation and Terraform to create Infrastructure as Code
          • Build CI/CD pipelines using Jenkins and CodePipeline
          • Wire security scanning into Jenkins and CodePipeline workflows
          • Containerize applications with Elastic Container Service and Azure Kubernetes Service
          • Integrate cloud logging and metrics with Grafana
          • Create Slack alerts from CloudWatch metrics
          • Manage secrets with Vault, KMS, and the SSM Parameter store
          • Protect static content with CloudFront Signatures
          • Leverage Elastic Container Service for blue/green deployments
          • Secure REST APIs with API Gateway
          • Implement an API Gateway custom authorization Lambda function
          • Deploy the AWS WAF and build custom WAF rules
          • Perform continuous compliance scans with CloudMapper
          • Enforce cloud configuration policies with Cloud Custodian
        • SANS Course: SEC541: Cloud Security Attacker Techniques, Monitoring, and Threat Detection
          Certification: GIAC Cloud Threat Detection (GCTD)

          3 Credit Hours

          ISE 6655 focuses on cloud threat detection, covering various attack techniques used against cloud infrastructure and teaching the observation, detection, and analysis of cloud telemetry. With 20 hands-on labs and CTF, this course equips security analysts, detection engineers, and threat hunters with practical skills and knowledge to safeguard their organization's cloud infrastructure against potential threats.

        Cyber Defense Operations | Special Focus Area (Optional)

        To pursue this Special Focus Area, select three of the following courses.

        • SANS Course: SEC501: Advanced Security Essentials - Enterprise Defender
          Certification: GIAC Certified Enterprise Defender (GCED)

          3 Credit Hours

          ISE 6215 reinforces the theme that prevention is ideal, but detection is a must. Students will learn how to ensure that their organizations constantly improve their security posture to prevent as many attacks as possible. A key focus is on data protection, securing critical information no matter whether it resides on a server, in robust network architectures, or on a portable device.

          Despite an organization's best effort at preventing attacks and protecting its critical data, some attacks will still be successful. Therefore students will also learn how to detect attacks in a timely fashion through an in-depth understanding the traffic that flows on networks, scanning for indications of an attack. The course also includes instruction on performing penetration testing, vulnerability analysis, and forensics.

        • SANS Course: SEC505: Securing Windows and PowerShell Automation
          Certification: GIAC Certified Windows Security Administrator (GCWN)

          3 Credit Hours

          ISE 6230 shows students how to secure servers, workstations and portable devices running Microsoft Windows. Windows is the most frequent target of hackers and advanced malware. While other courses focus on detection or remediation of a compromise after the fact, the aim of this course is to substantially reduce these compromises in the first place. For scalability and automation, this course includes many hands-on labs with Group Policy and PowerShell scripting. No prior scripting experience is required. Learning at least the basics of PowerShell is an essential skill for anyone who manages Windows servers or clients in an enterprise. 

        • SANS Course: SEC511: Continuous Monitoring and Security Operations
          Certification: GIAC Continuous Monitoring Certification (GMON)

          3 Credit Hours

          ISE 6240 teaches a proactive approach to enterprise security that presumes attackers will penetrate your environment and therefore emphasizes timely incident detection. The Defensible Security Architecture, Network Security Monitoring, Continuous Diagnostics and Mitigation, and Continuous Security Monitoring taught in this course - aligned with the National Institute of Standards and Technology (NIST) guidelines described in NIST SP 800-137 for Continuous Monitoring (CM) -- are designed to enable you and your organization to analyze threats and detect anomalies that could indicate cybercriminal behavior.

        • SANS Course: SEC599: Defeating Advanced Adversaries - Purple Team Tactics & Kill Chain Defenses
          Certification: GIAC Defending Advanced Threats (GDAT)

          3 Credit Hours

          ISE 6250 leverages the purple team concept by bringing together red and blue teams for maximum effect. Recognizing that a prevent-only strategy is not sufficient, the course focuses on current attack strategies and how they can be effectively mitigated and detected using a Kill Chain structure. Throughout the course, the purple team principle will be maintained, where attack techniques are first explained in-depth, after which effective security controls are introduced and implemented.

        • SANS Course: SEC595: Applied Data Science and AI/Machine Learning for Cybersecurity Professionals
          Certification: GIAC Machine Learning Engineer (GMLE)

          3 Credit Hours

          This course is squarely centered on solving information security problems. This course covers the necessary mathematics theory and fundamentals students absolutely must know to allow them to understand and apply the machine learning tools and techniques effectively. The course progressively introduces and applies various statistic, probabilistic, or mathematic tools (in their applied form), allowing you to leave with the ability to use those tools. The hands-on projects provide a broad base from which you can build your own machine learning solutions. This course teaches how AI tools like ChatGPT really work so that you can intelligently discuss their potential use by organizations and how to build effective solutions to solve real cybersecurity problems using machine learning and AI.

        Incident Response | Special Focus Area (Optional)

        To pursue this Special Focus Area, select three of the following courses.

        • SANS Course: FOR500: Windows Forensic Analysis
          Certification: GIAC Certified Forensic Examiner (GCFE)

          3 Credit Hours

          ISE 6420 Computer Forensic Investigations - Windows focuses on the critical knowledge of the Windows Operating System that every digital forensic analyst needs to investigate computer incidents successfully. Students learn how computer forensic analysts focus on collecting and analyzing data from computer systems to track user-based activity that can be used in internal investigations or civil/criminal litigation. The course covers the methodology of in-depth computer forensic examinations, digital investigative analysis, and media exploitation so each student will have complete qualifications to work as a computer forensic investigator helping to solve and fight crime.

        • SANS Course: FOR508: Advanced Incident Response, Threat Hunting, and Digital Forensics
          Certification: GIAC Certified Forensic Analyst (GCFA)

          3 Credit Hours

          ISE 6425 teaches the necessary capabilities for forensic analysts and incident responders to identify and counter a wide range of threats within enterprise networks, including economic espionage, hacktivism, and financial crime syndicates. The course shows students how to work as digital forensic analysts and incident response team members to identify, contain, and remediate sophisticated threats-including nation-state sponsored Advanced Persistent Threats and financial crime syndicates. Students work in a hands-on lab developed from a real-world targeted attack on an enterprise network in order to learn how to identify what data might be stolen and by whom, how to contain a threat, and how to manage and counter an attack.

        • SANS Course: FOR572: Advanced Network Forensics: Threat Hunting, Analysis, and Incident Response
          Certification: GIAC Network Forensic Analyst (GNFA)

          3 Credit Hours

          ISE 6440: Advanced Network Forensics and Analysis focuses on the most critical skills needed to mount efficient and effective post-incident response investigations. Moving beyond the host-focused experiences in ISE 6420 and ISE 6425, ISE 6440 covers the tools, technology, and processes required to integrate network evidence sources into investigations, covering high-level NetFlow analysis, low-level pcap exploration, and ancillary network log examination. Hands-on exercises in FOR 572 cover a wide range of open source and commercial tools, and real-world scenarios help the student learn the underlying techniques and practices to best evaluate the most common types of network-based attacks.

        • SANS Course: FOR578: Cyber Threat Intelligence
          Certification: GIAC Cyber Threat Intelligence (GCTI)

          3 Credit Hours

          ISE 6445 will equip you, your security team, and your organization in the tactical, operational, and strategic level cyber threat intelligence skills and tradecraft required to better understand the evolving threat landscape and to counter those threats accurately and effectively. This course focuses on structured analysis to establish a solid foundation for any security skillset and to amplify existing skills.

        • SANS Course: FOR585: Smartphone Forensic Analysis In-Depth
          Certification: GIAC Advanced Smartphone Forensics Certification (GASF)

          3 Credit Hours

          The focus of ISE 6450 is on teaching students how to perform forensic examinations on devices such as mobile phones and tablets. Students will add to their forensics skills with this course's focus on the advanced skills of mobile forensics, device file system analysis, mobile application behavior, event artifact analysis and the identification and analysis of mobile device malware. Students will learn how to detect, decode, decrypt, and correctly interpret evidence recovered from mobile devices. The course features a number of hands-on labs that allow students to analyze different datasets from smart devices and leverage the best forensic tools and custom scripts to learn how smartphone data hide and can be easily misinterpreted by forensic tools.

        • SANS Course: FOR518: Mac and iOS Forensic Analysis and Incident Response
          Certification: GIAC iOS and macOS Examiner (GIME)

          3 Credit Hours

          ISE 6455 provides the techniques and skills necessary to take on any Mac or iOS case without hesitation. The intense hands-on forensic analysis and incident response skills taught in the course will enable students to broaden their capabilities and gain the confidence and knowledge to comfortably analyze any Mac or iOS device. In addition to traditional investigations, the course presents intrusion and incident response scenarios to help analysts learn ways to identify and hunt down attackers that have compromised Apple devices.

        • SANS Course: FOR610: Reverse-Engineering Malware: Malware Analysis Tools and Techniques
          Certification: GIAC Reverse Engineering Malware Certification (GREM)

          3 Credit Hours

          ISE 6460 teaches students how to examine and reverse engineer malicious programs - spyware, bots, Trojans, etc. - that target or run on Microsoft Windows, within browser environments such as JavaScript or Flash files, or within malicious document files (including Word and PDF). The course builds a strong foundation for reverse-engineering malicious software using a variety of system and network monitoring utilities, a disassembler, a debugger and other tools. The malware analysis process taught in this class helps students understand how incident responders assess the severity and repercussions of a situation that involves malicious software and plan recovery steps. Students also experience how forensics investigators learn to understand key characteristics of malware discovered during the examination, including how to establish indicators of compromise (IOCs) for scoping and containing the incident.

        Industrial Control Systems | Special Focus Area (Optional)

        To pursue this Special Focus Area, complete the following three courses.

        • SANS Course: ICS410: ICS/SCADA Security Essentials
          Certification: Global Industrial Cyber Security Professional Certification (GICSP)

          3 Credit Hours

          ISE 6515 ICS/SCADA Security Essentials is an introductory study of how information technologies and operational technologies have converged in today's industrial control system environments. This convergence has led to a greater need than ever for a common understanding between the various groups who support or rely on these systems. Students in ISE 6515 will learn the language, the underlying theory, and the basic tools for industrial control system security in settings across a wide range of industry sectors and applications.

        • SANS Course: ICS515: ICS Visibility, Detection, and Response
          Certification: GIAC Response and Industrial Defense (GRID)

          3 Credit Hours

          ISE 6520 will empower students to understand their networked industrial control system environment, monitor it for threats, perform incident response against identified threats, and learn from interactions with the adversary to enhance network security.

        • SANS Course: ICS456: Essentials for NERC Critical Infrastructure Protection
          Certification: GIAC Critical Infrastructure Protection Certification (GCIP)

          3 Credit Hours

          ISE 6525 empowers students with knowledge of the "what" and the "how" of the version 5/6 standards. The course addresses the role of FERC, NERC and the Regional Entities, provides multiple approaches for identifying and categorizing BES Cyber Systems and helps asset owners determine the requirements applicable to specific implementations. Additionally, the course covers implementation strategies for the version 5/6 requirements with a balanced practitioner approach to both cybersecurity benefits, as well as regulatory compliance.

        Penetration Testing | Special Focus Area (Optional)

        To pursue this Special Focus Area, select three of the following courses.

        • SANS Course: SEC542: Web App Penetration Testing and Ethical Hacking
          Certification: GIAC Web Application Penetration Tester (GWAPT)

          3 Credit Hours

          ISE 6315 is a highly technical information security course in offensive strategies where students learn the art of exploiting Web applications so they can find flaws in enterprise Web apps before they are otherwise discovered and exploited. Through detailed, hands-on exercises students learn the four-step process for Web application penetration testing. Students will inject SQL into back-end databases, learning how attackers exfiltrate sensitive data. They then utilize cross-site scripting attacks to dominate a target infrastructure in a unique hands-on laboratory environment. Finally students explore various other Web app vulnerabilities in-depth with tried-and-true techniques for finding them using a structured testing regimen.

        • SANS Course: SEC560: Enterprise Penetration Testing
          Certification: GIAC Penetration Tester Certification (GPEN)

          3 Credit Hours

          ISE 6320 prepares students to conduct successful penetration testing and ethical hacking projects. The course starts with proper planning, scoping and recon, and then dives deep into scanning, target exploitation, password attacks, and wireless and web apps with detailed hands-on exercises and practical tips for doing the job safely and effectively. Students will participate in an intensive, hands-on Capture the Flag exercise, conducting a penetration test against a sample target organization.

        • SANS Course: SEC575: iOS and Android Application Security Analysis and Penetration Testing
          Certification: GIAC Mobile Device Security Analyst (GMOB)

          3 Credit Hours

          ISE 6325 helps students resolve their organization's struggles with mobile device security by equipping then with the skills needed to design, deploy, operate, and assess a well-managed secure mobile environment. From practical policy development to network architecture design and deployment, and mobile code analysis to penetration testing and ethical hacking, this course teaches students to build the critical skills necessary to support the secure deployment and use of mobile phones and tablets in their organization.

        • SANS Course: SEC617: Wireless Penetration Testing and Ethical Hacking
          Certification: GIAC Assessing and Auditing Wireless Networks (GAWN)

          3 Credit Hours

          ISE 6330 takes an in-depth look at the security challenges of many different wireless technologies, exposing students to wireless security threats through the eyes of an attacker. Using readily available and custom-developed tools, students will navigate through the techniques attackers use to exploit WiFi networks, Bluetooth devices, and a variety of other wireless technologies. Using assessment and analysis techniques, this course will show students how to identify the threats that expose wireless technology and build on this knowledge to implement defensive techniques that can be used to protect wireless systems.

        • SANS Course: SEC573: Automating Information Security with Python
          Certification: GIAC Python Coder (GPYC)

          3 Credit Hours

          The ISE 6350 course teaches student in the pen testing specialization, and other students who want to use the Python programming language, how to enhance their overall effectiveness during information security engagements. Students will learn how to apply core programming concepts and techniques learned in other courses through the Python programming language. The course teaches skills and techniques that can enhance an information security professional in penetration tests, security operations, and special projects. Students will create simple Python-based tools to interact with network traffic, create custom executables, test and interact with databases and websites, and parse logs or sets of data.

        • SANS Course: SEC660: Advanced Penetration Testing, Exploit Writing, and Ethical Hacking
          Certification: GIAC Exploit Researcher and Advanced Penetration Tester (GXPN)

          3 Credit Hours

          ISE 6360 builds upon ISE 6320 - Enterprise Penetration Testing. This advanced course introduces students to the most prominent and powerful attack vectors, allowing students to perform these attacks in a variety of hands-on scenarios. This course is an elective course in the Penetration Testing & Ethical Hacking certificate program, and an elective choice for the master's program in Information Security Engineering.

        • SANS Course: SEC565: Red Team Operations and Adversary Emulation
          Certification: GIAC Red Team Professional (GRTP)

          3 Credit Hours

          ISE 6370 develops Red Team operators capable of planning and executing consistent and repeatable engagements that are focused on training and on measuring the effectiveness of the people, processes, and technology used to defend environments. You will learn how to plan and execute end-to-end Red Teaming engagements that leverage adversary emulation, including the skills to organize a Red Team, consume threat intelligence to map against adversary tactics, techniques, and procedures (TTPs), emulate those TTPs, report and analyze the results of the Red Team engagement, and ultimately improve the overall security posture of the organization. As part of the course, you will perform an adversary emulation against a target organization modeled on an enterprise environment, including Active Directory, intelligence-rich emails, file servers, and endpoints running in Windows and Linux.  Through this course, you will better understand and be able to show the value that Red Teaming and adversary emulations bring to an organization.

        Security Leadership | Special Focus Area (Optional)

        To pursue this Special Focus Area, complete two of the courses below and any additional elective course listed above.

        • SANS Course: SEC566: Implementing and Auditing CIS Controls
          Certification: GIAC Critical Controls Certification (GCCC)

          3 Credit Hours

          Cybersecurity attacks are increasing and evolving so rapidly that is more difficult than ever to prevent and defend against them. ISE 6001 will help you to ensure that your organization has an effective method in place to detect, thwart, and monitor external and internal threats to prevent security breaches. As threats evolve, an organization's security should too. Standards based implementation takes a prioritized, risk-based approach to security and shows you how standardized controls are the best way to block known attacks and mitigate damage from successful attacks.

        • SANS Course: LDR551: Building and Leading Security Operations Centers
          Certification: GIAC Security Operations Manager Certification (GSOM)

          3 Credit Hours

          Managing a security operations center (SOC) requires a unique combination of technical knowledge, management skills, and leadership ability. Whether you are looking to build a new SOC or take your current team to the next level, ISE 6700 provides the right balance of these elements to super-charge your people, tools, and processes. You will learn how to build a high-performing SOC tailored to your organization and the threats it faces. You will be given the tools needed to manage an effective defense, measure progress towards your goals, and build out more advanced processes like threat hunting, active defense, and continuous SOC assessment. Each section includes hands-on labs, introductions to some of the industry's best free and open-source tools, and an interactive game in which you will apply your new SOC management skills in real-world scenarios.

        • SANS Course: AUD507: Auditing Systems, Applications, and the Cloud
          Certification: GIAC Systems and Network Auditor Certification (GSNA)

          3 Credit Hours

          ISE 6715 is organized specifically to provide a risk driven method for tackling the enormous task of designing an enterprise security validation program. After covering a variety of high-level audit issues and general audit best practice, students will dive deep into the technical how to for determining the key controls that can be used to provide a level of assurance to an organization. Tips on how to repeatably verify these controls and techniques for continuous monitoring and automatic compliance validation are given from real world examples.

        Study with the best faculty in cybersecurity

        Course Delivery Options

        Your mind has no borders. Why should your college? Our online and in-person course options are designed to fit your life and how you like to learn.

        Take Your Next Step

        Need more information? We’re happy to answer your questions. Join us for an info session, email info@sans.edu or call 301.241.7665.

        Ready to apply? We look forward to learning about you and your career goals.

        “Nothing pays dividends like practical experience. Many programs attempt it, but the SANS Technology Institute helps students use the latest cyber techniques to pursue objectives commonly encountered on the operations floor." - Matthew Toussain, Founder, Open Security

        Nattional Cyber League - Spring 2024

        Join the Winning Team

        At the spring 2024 National Cyber League (NCL) competition, SANS.edu demonstrated its cybersecurity prowess once again.  Among more than 500 participating colleges and universities, SANS.edu stood out as one of just three to achieve Top 10 power rankings in both the Standard Student and Experienced Student brackets.

        • #1 Power Ranking (Experienced Students)
        • #1, #2, #3, and #4 Individual Players (Experienced Students)
        • More than 30% of the Top 100 Individual Players in the Experienced bracket were SANS.edu Sentinels

        Join us for a free online info session to learn more.


        This Program is DoD 8140 Approved

        If you're a Department of Defense (DoD) employee or contractor who wants to earn a career-focused cybersecurity degree or certificate, our DoD 8140 approved college programs can open new doors of opportunity.

        US Department of Defense 8140 Cyber Workforce Qualification Program
        DoD 8140 establishes baseline standards for qualifications that directly support operational needs and workforce readiness. All DoD personnel assigned to positions requiring the performance of cyberspace work are affected by DoD 8140.

        • Service members
        • DoD civilian employees (including non-appropriated fund employees)
        • Contractors
        • Foreign nationals

        Cybersecurity Master's Program Tuition

        Tuition: Approximately $54,000 USD in total

        Tuition includes the cost of the course, textbooks, and certification tests that serve as exams for courses.

        Students who have taken SANS training classes and have active GIAC certifications can waive up to 9 credit hours toward the cyber security master’s degree. View our waiver policy.


          Fund Your SANS.edu Program in Monthly Installments with No Interest

          For students who are U.S. citizens or permanent residents — and don’t use employer education benefits or veterans’ education benefits to fund their SANS.edu program — we offer a Tuition Payment Program (TPP) that enables eligible you to spread out the cost of your program in monthly installments with no interest.


          Finance your education, build new skills, and add value for your company — using your employer-sponsored education benefits.

          If you want to get the best education in cybersecurity while you work, and your organization offers education benefits, let them help you take your next step. SANS.edu cybersecurity degree and certificate programs are designed for working professionals, and your employee benefits package may help cover the cost of pursing your goals.


          We're happy to help. Email info@sans.edu or call 301.241.7665.

          About the SANS Technology Institute

          Founded in 2005, the SANS Technology Institute (SANS.edu) is the independent, regionally-accredited, VA-approved subsidiary of SANS, the world's largest and most trusted provider of cybersecurity training, certification, and research. Offering undergraduate and graduate programs at the cutting edge of cybersecurity, SANS.edu is strengthening the cyber workforce through a career-focused curriculum built on proven SANS courses and industry-recognized GIAC certifications.

          The SANS Technology Institute is accredited by The Middle States Commission on Higher Education (1007 North Orange Street, 4th Floor, MB #166, Wilmington, DE 19801 - 267.284.5000), an institutional accrediting agency recognized by the U.S. Secretary of Education and the Council for Higher Education Accreditation.