Mike Pilkington

Mike has been an instructor for the SANS Institute since 2008. He is a co-author of Enterprise-Class Incident Response & Threat Hunting (FOR608) and currently teaches Windows Forensics In-Depth (FOR500) and Advanced Digital Forensics and Incident Response (FOR508). In addition to teaching and co-authoring, Mike is a dedicated researcher and has published numerous articles for the SANS Forensics Blog. After spending much of his career working in large corporate environments in the oil & gas industry (he previously led the US incident response team at Shell), Mike joined SANS in 2017 as a full-time researcher in the SANS Research Operations Center (SROC). His current role focuses on R&D projects in support of the Digital Forensics and Incident Response program.

More About Mike


Curiosity wins the day! That is Mike Pilkington's teaching philosophy, because from his perspective, you have to be inspired and excited about solving difficult cases if you want to be great at forensics. As Mike says, "you have to be willing to search for the answers that others can't or won't find." Mike's infectious enthusiasm for digital forensics comes through in his work, in his classes, and in his day-to-day life. It's clear that his hobby and his job are one and the same.

Before joining SANS full-time, Mike led the US incident response team and the global internal investigations forensics team at Shell. Prior to Shell, Mike had several roles in IT at Halliburton, including senior incident responder for the last several years of his tenure there. Mike's core responsibilities were responding to malware and intrusion cases, leading various enterprise DFIR tooling projects, and consulting with internal groups on security reviews and initiatives.

Over the years, Mike has accumulated a broad range of technical expertise, having spent significant time performing software quality assurance, Windows systems administration, LAN and WAN network administration, firewall and IDS/IPS security administration, computer forensic analysis, and incident response. As a forensic analyst, he worked HR investigations, including cases involving intellectual property theft, inappropriate use of the Internet, employee hacking, IT administrator privilege abuse, and illegal downloading of copyrighted materials. Mike is also a faculty member of the SANS Technology Institute, an NSA Center of Academic Excellence in Cyber Defense and a multiple-time winner of the National Cyber League competition.

Mike holds a bachelor's degree in mechanical engineering from the University of Texas, as well as numerous IT security certifications.

Qualifications Summary:

  • Deep background in corporate cybersecurity
  • SANS instructor since 2008
  • Professional qualifications: GCFA, GCFE, GNFA, GREM, GCTI, EnCE, CISSP

Get to Know Mike Pilkington:

  • Mike's DFIR articles are available at https://digital-forensics.sans.org/blog/author/mpilkington
  • Mike co-authored the SANS Forensics "Find Evil" and "Hunt Evil" posters
  • Mike created an example forensics report for SANS FOR500 students (available upon request)
  • Mike regularly presents six-day SANS forensics classes; his other speaking engagements include the SANS DFIR Summit, SANS conferences, MIRcon, ISSA, and HTCIA

Listen to Mike discuss Privileged Domain Account Protection: How to Limit Credentials Exposure in this SANS webcast.
