SEC504: Hacker Tools, Techniques and Incident Handling

Programme Code D271
Learning Partner(s)
SANS Institute
6 Days
Format In-person
Cyber Threat Hunting Incident Response SOC Operations
Job Roles
Cybersecurity Engineer Cybersecurity Operations Specialist Cybersecurity Policy Developer Public Service Officer (non-ICT&SS) ICT&SS Professional Red Team Engineer Security Testing Engineer


Learn how to implement a dynamic approach to incident response. Using indicators of compromise, you will practice the steps to effectively respond to breaches affecting Windows, Linux, and cloud platforms. Take the skills and hands-on experience gained and apply them immediately back in the office.

This programme mainly focuses on practical exercises. Half of the programme is hands-on where you will attack, defend, and assess the damage done by threat actors. You will work with complex network environments, real-world host platforms and applications, and complex data sets that could resemble your scope of work. You will have access to the lab exercises, which you can revisit as often as needed. All lab exercises come with detailed walkthrough video content to help reinforce the learning concepts in the programme.

Understanding and executing effective incident response is just one part of the equation. In this programme's hands-on environment, you will use the same tools and techniques employed by attackers, gaining valuable insight into their methods and the evidence they leave behind. By adopting the mindset of attackers, you'll understand how they utilise tactics, techniques, and procedures against your organisation, enabling you to anticipate their moves and strengthen defences.

Key Takeaways

At the end of this programme, you will be able to:

  • apply a dynamic approach to incident response
  • identify threats using host, network, and log analysis
  • best practices for effective cloud incident response
  • leverage PowerShell for data collection and cyber threat analysis
  • cyber investigation processes using live analysis, network insight, memory forensics, and malware reverse engineering
  • how to accelerate your incident response using generative AI systems
  • defence spotlight strategies to protect critical assets
  • how attackers leverage cloud systems against organisations
  • attacker techniques to evade endpoint detection tools including EDR and XDR platforms
  • attacker steps for internal discovery and lateral movement after an initial compromise
  • how attackers exploit publicly accessible systems including Microsoft 365

Who Should Attend

  • Please refer to the job roles section.
  • Incident handlers.
  • Leaders of incident response teams.
  • System administrators who are on the front lines defending their systems and responding to attacks.
  • Other security personnel who are first responders when systems come under attack.
  • General security practitioners and security architects who want to design, build, and operate their systems to prevent, detect, and respond to attacks.

What To Bring

Please remember to bring along your own system configured according to the instructions below.

A properly configured system (meeting all the below specifications) is required to fully participate in this programme and hands-on exercises.

It is critical that you back-up your system before class. It is also strongly advised that you do not bring a system storing any sensitive data.


  • 64-bit Intel i5/i7 2.0+ GHz processor
  • CRITICAL NOTE: Apple systems using the M1/M2 processor line cannot perform the necessary virtualisation functionality and therefore cannot be used for this programme.
  • Your system's processor must be a 64-bit Intel i5 or i7 2.0 GHz processor or higher. To verify on Windows 10, press Windows key + "I" to open Settings, then click "System", then "About". Your processor information will be listed near the bottom of the page. To verify on a Mac, click the Apple logo at the top left-hand corner of your display and then click "About this Mac".


  • Enabled "Intel-VT"
  • Intel's VT (VT-x) hardware virtualisation technology must be enabled in your system's BIOS or UEFI settings. You must be able to access your system's BIOS to enable this setting in order to complete lab exercises. If your BIOS is password-protected, you must have the password. This is absolutely required.


  • 16 GB RAM is highly recommended for the best experience. To verify on Windows 10, press Windows key + "I" to open Settings, then click "System", then "About". Your RAM information will be toward the bottom of the page. To verify on a Mac, click the Apple logo at the top left-hand corner of your display and then click "About this Mac".

Hard Drive Free Space

  • 100 GB of FREE space on the hard drive is critical to host the VMs and additional files we distribute. SSD drives are also highly recommended, as they allow virtual machines to run much faster than mechanical hard drives.

Operating System

  • Your system must be running either the latest version of Windows 10, macOS 10.15.x or later, or Linux that also can install and run VMware virtualisation products described below.

Additional Software Requirements

VMware Player Install

  • Install VMware Player 16, VMware Fusion 12, or VMware Workstation 16. Older versions will not work for this programme. Choose the version compatible with your host OS. If you do not own a licensed copy of VMware Workstation or Fusion, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial at their Web site. VMware Workstation Player is a free download that does not need a commercial license but has fewer features than Workstation.
  • Other virtualisation products, such as Hyper-V and VirtualBox, are not supported and will not work with the programme material.

Your programme media will now be delivered via download. The media files for class can be large, some in the 40 - 50 GB range. You need to allow plenty of time for the download to complete. Internet connections and speed vary greatly and are dependent on many different factors. Therefore, it is not possible to give an estimate of the length of time it will take to download your materials. Please start your programme media downloads as you get the link. You will need your programme media immediately on the first day of class. Waiting until the night before the class starts to begin your download has a high probability of failure.

This programme will cover the following topics:

  • Day 1: Incident Response and Cyber Investigations
  • Day 2: Recon, Scanning, and Enumeration Attacks
  • Day 3: Password and Access Attacks
  • Day 4: Public-Facing and Drive-By Attacks
  • Day 5: Evasion and Post-Exploitation Attacks
  • Day 6: Capture-the-Flag Event

For programme fees, please write in to


Upcoming Classes

Class 1
22 Jul 2024 to 27 Jul 2024 (Full Time)
Duration: 6 days
Time : Day 1: 8.30am to 5pm; Day 2-6: 9am to 5pm


Step 1 Apply through your organisation's training request system.

Step 2 Your organisation's training request system (or relevant HR staff) confirms your organisation's approval for you to take the programme.

Your organisation will send registration information to the academy.

Organisation HR L&D or equivalent staff can click here for details of the registration submission process.

Step 3 GovTech Digital Academy will inform you whether you have been successful in enrolment.