Mathias Fuchs

"Renaissance man" may be the most fitting description of SANS instructor Mathias Fuchs, who is the Head of Investigation & Intelligence at the Swiss firm InfoGuard AG as well as a volunteer paramedic and a pilot.

Mathias began his career teaching Linux administration and general IT security and quickly moved into penetration testing and red teaming. As his skills improved (and as breaking into customer systems got more repetitive and less demanding), Mathias sought new challenges that would expand his IT security acumen. So, he moved over to digital forensics and incident response, a field where the attacker unintentionally sets the pace and partly controls what an investigator needs to do - rather than that being dictated by the customer or the investigator.

More About Mathias


"Any well-funded advanced persistent threat group makes sure that an investigator never runs out of new challenges," Mathias notes.

The exciting pace of the field continues to inspire Mathias. "As an investigator, you get to see the newest kinds of attacks and the best malware available," he explained, adding that he also is constantly expanding his knowledge base as he learns about each customer's business.

At InfoGuard, Mathias is focused on building the incident response practice. He uses his knowledge and experience to shape his team and proactively mediate pitfalls that are more difficult to change later. Taking on these challenges gives him perspective as a SANS instructor, as many students are still getting up to speed and are in the initial phases of preparing their organization to address potential threats.

Prior to InfoGuard, Mathias was a principal consultant at Mandiant, where he led large-scale cybersecurity investigations all over the world. Before that, Mathias served as a lead security architect at Deutsche Telecom subsidiary T-Systems while working in tandem as a security consultant for international clients in the telecommunications, automotive, pharmaceutical, and petroleum industries.

As an instructor for SANS FOR508: Advanced Digital Forensics, Incident Response, and Threat Hunting, Mathias draws both on his roots in teaching as well as his experience in the field to frame the subject matter with real-world examples. He believes in teaching by example, and tries to work labs as he would a real-life case. Students in the course need to dig into the smallest pieces of the puzzle but still focus on the big picture in an enterprise-wide investigation.

The starting point for each individual student is different, and Mathias loves leveraging all the knowledge available in class - both his own and that of his students.

"In the end, I want my students to be able to question their procedures and their security products to improve how they do incident response by making them more efficient and effective," he says.

To help students deal with bigger cases than they have ever dealt with before, Mathias shares his mistakes as well as his successes. "While there's no substitute for experience, I want my students to be very conscious of the typical risks when running big investigations," he explains. "Besides, I have a ton of cool stories to tell!"

In one particularly extensive case during his time at Mandiant, Mathias was investigating networks with 100,000+ endpoints. "I quickly figured out that the attacker had only been there for two weeks and we were able to completely record and track every single operation he did," says Mathias. The investigators eventually kicked the attacker out after four weeks when he got too aggressive, and the process provided weeks of valuable intelligence for future cases.

In another investigation, Mathias was able to access a crash dump of the RDP server process when it crashed during the attack. "Dissecting this crash dump gave me a lot of information about the attacker group and was key to further investigation, as it helped to quickly find 50 more machines the attacker accessed without installing any malware."

Mathias stays active even when he?s not teaching or in the midst of an investigation, using his pilot's license to fly small airplanes over the Alps, hiking, mountain biking, snowboarding, and volunteering as a paramedic for his local ambulance service.

Qualifications Summary

Get to Know Mathias Fuchs


  • Recipient of the Lethal Forensicator Coin


  • GCFA - GIAC Certified Forensic Analyst
  • GREM - GIAC Reverse Engineering Malware
  • GRID - GIAC Response & Industrial Defence
  • CISA - Certified Information Systems Auditor
  • ITIL v3 Foundation
  • ITIL v2 Foundation
  • PCI Qualified Security Assessor (QSA)



From X-rays to hex-rays, March 2020

SANS @MIC Talk - #LevelUpLabs, June 2020