Steve Armstrong

Steve Armstrong’s career began more than 25 years ago when he joined the UK Royal Air Force (RAF), bringing with him a love of IT and a desire to protect others. When the opportunity to move into information security presented itself, Steve jumped at the chance, eventually leading the RAF's penetration and TEMPEST testing teams and having some memorable work experiences along the way. “There’s nothing quite like securing wireless networks under attack while in a warzone with full body armour, loaded weapons, and hacking gear in 50+ degree centigrade heat,” he recalls. Steve is the author of the new MGT553: Cyber Incident Management course and can be found teaching SEC504: Hacker Tools, Techniques, and Incident Handling.

More About Steve


After retiring from active duty, Steve worked at Electronic Arts before founding Logically Secure in 2006 to provide specialist security advice to government departments, defense contractors, the online video gaming industry, and music and film labels worldwide. In his role at the company, Steve directs developers of the company’s incident response platform, CyberCPR, on the needs of incident response teams, coordinates penetration testing and consultants throughout the world, supports staff development, and delivers in-house training on the latest technologies, security attacks, and detection/response methods.

And while Steve provides penetration testing and incident response services for some of the biggest names in gaming and music media, he also works to support small and medium enterprises. “We give away our IR Management platform (CyberCPR) for free for three users,” he says. “This allows many small teams to use an enterprise supported product at no cost to them.”

In 2006, Steve became a SANS instructor as another way of helping others, giving back to the community, and “seeing that magical look on people’s faces when they get an earth-shattering concept for the first time.” Today, you’ll find him teaching SEC504: Hacker Tools, Techniques, Exploits, and Incident Handling.

In the classroom, Steve enjoys seeing students make connections, recalling a particularly memorable experience in his SEC617 course. “I explained a DDoS attack vector in the classroom and a student shouted ‘dang it’ and rushed out to make a call,” Steve remembers. “He explained later that I had just identified the problem they had been trying to track down for months. With the mitigation I outlined, they fixed the problem before the end of the course.”

As an instructor, Steve brings years of experience working in a variety of situations, and a good dose of fun, to the classroom. “I've dealt with incidents at scale and for always-on organizations. I have worked on small incidents on one or two systems to huge APT incursions with 1500+ systems compromised. I've worked with small organizations with limited tools and almost zero budget and still helped them improve visibility and response times,” he says. Steve also takes his curriculum beyond tools, teaching his students how to brief executives in a way they can understand and how to brief staff in a way that enables them to work faster and more efficiently.

A frequent speaker at 44con, Steelcon, and DefCon (Group DC441452), Steve holds GPEN, GCIH, GCFA, and CISSP certifications. He has appeared on national television and radio discussing cyber security, is regularly quoted in the press, and maintains an active blog.

When he’s not working and teaching, you’ll find Steve playing Titanfall 2 or Battlefield to let off steam, building 3D-printed gadgets for Raspberry Pis, developing collaborative DFIR tools, and flying drones.

Qualifications Summary


  • GPEN (GIAC Penetration Tester)
  • GCIH (GIAC Certified Incident Handler)
  • GCFA (GIAC Certified Forensic Analyst)
  • CISSP (Certified Information Systems Security Professional)



Preview of new UI for CyberCPR

XFE Mint Linux on a MacBook 2008

IR Metrics – Initial Investigation

IR Metrics – how do you know if you’re getting better?

Getting past “Just Compliance”