Michel Coene

Michel’s unique background from working in different environments with a multitude of security tools and methodologies particularly enables him to approach students with experience from all facets of cyber security. First approaching the “red” side to break applications early in his career, then focusing on “blue” skills through digital forensics, incident response and threat intelligence, he quickly advanced from network engineer to security consultant, offering keen insight on attackers. He comments, “Having worked in both offensive and defensive job capacities has provided me with the insight to understand how an attacker works. As such, I can stay one step ahead”, matching perfectly with the purple teaming perspective of SEC599: Defeating Advanced Adversaries - Purple Team Tactics & Kill Chain Defenses.

More About Michel


Michel’s interest in information technology began around the age of 12 when a neighbor taught him how to build a website using HTML. By 16 he had taken the opportunity to take IT course and continued straight through to earning his Master of Science in Digital Investigations and Forensic Computing from University College Dublin.

Landing his first IT job as a network and security engineer, Michel was managing system administration, but also installing firewalls and anti-spam solutions, while securing the network, which would eventually expand his passion for information security. He quickly expanded from trying to break applications in his current role to becoming a senior security consultant for Deloitte in Belgium. There he focused on architecture penetration testing and doing security assessment on large complex networks. Widening that focus, he began catching attackers by doing digital forensics, incident response and threat intelligence.

With SANS, Michel brings his background in penetration testing and having a good view on how attacks work, but more interestingly, his incident response background, as he’s seen pretty much all of these attacks executed in actual environments as well. Linking together his background as a penetration tester and his current role as incident responder has given him a unique view on both sides of the attack chain.

Michel is now the incident response lead at NVISO, where he manages a team of incident responders and forensic analysts that respond to cyber incidents worldwide. Michel specializes in incident response, digital forensics and threat hunting himself as well, where he uses his pragmatic and analytical skills to assist clients in solving security issues. He holds the GCFE, GCFA, GDAT, and GCTI certifications.

In his spare time, Michel likes to wind down by building stuff. He considers himself an amateur woodworker and welder, however he’s skilled enough to produce quite useful items for his home, like custom cabinets and a BBQ smoker.


Tricking modern endpoint security products, May 2020