The FOR508: Advanced Incident Response and Threat Hunting course will help you to:
  • Detect how and when a breach occurred
  • Identify compromised and affected systems
  • Determine what attackers took or changed
  • Contain and remediate incidents
  • Develop key sources of threat intelligence
  • Hunt down additional breaches using knowledge of the adversary

Who Should Attend?

  • Incident Response Team Members
    who regularly respond to complex security incidents/intrusions from APT groups/advanced adversaries and need to know how to detect, investigate, remediate, and recover from compromised systems across an enterprise.

  • Threat Hunters
    who are seeking to understand threats more fully and how to learn from them in order to more effectively hunt threats and counter their tradecraft.

  • Experienced Digital Forensic Analysts
    who want to consolidate and expand their understanding of memory and timeline forensics, investigation of technically advanced individuals, incident response tactics, and advanced intrusion investigations.

  • Information Security Professionals
    who may encounter data breach incidents and intrusions.

  • Federal Agents and Law Enforcement Professionals
    who want to master advanced intrusion investigations and incident response, and expand their investigative skills beyond traditional host-based digital forensics.

  • Red Team Members, Penetration Testers, and Exploit Developers
    who want to learn how their opponents can identify their actions, how common mistakes can compromise operations on remote systems, and how to avoid those mistakes. This course covers remote system forensics and data collection techniques that can be easily integrated into post-exploit operating procedures and exploit-testing batteries.

  • SANS FOR408 and SEC504 Graduates
    looking to take their skills to the next level.


FOR508 is an advanced incident response and threat hunting course that focuses on detecting and responding to advanced persistent threats and organized crime threat groups. We do not cover the introduction or basics of incident response, Windows digital forensics, or hacker techniques in this course.

We recommend that you have a background in FOR500: Windows Forensics before attending this course.

This course is endorsed under the Critical Infocomm Technology Resource Programme Plus (CITREP+).
To find out more about CITREP+ funding, please refer to Programme Support under the CITREP+ page.

Information is accurate as of 28 June 2018