FOR508 - Advanced Incident Response, Threat Hunting, and Digital Forensics

Christian Henriksen · Nov 14, 2023 · 4 mins read

Advanced Incident Response, Threat Hunting, and Digital Forensics

This is by far the best course I have ever taken. The material, instructor and location were amazing. I can’t say much about the material, so it will be more like my experience of the course.
Difficulty: Hard

Link: https://www.sans.org/cyber-security-courses/advanced-incident-response-threat-hunting-training/

Pricing: $8,525 USD

Course Content

This course teaches you advanced skills for investigating and hunting cyber threats and security incidents. The course covers how to analyze digital evidence in depth, how to examine memory forensics, how to perform timeline analysis, and how to use various tools and methodologies for effective incident response. Here is the outline of the content areas:

  • Advanced Incident Response & Threat Hunting
  • Intrusion Analysis
  • Memory Forensics in Incident Response & Threat Hunting
  • Timeline Analysis
  • Incident Response & Hunting Across the Enterprise
  • Advanced Adversary and Anti-Forensics Detection

The course ends with an APT Incident Response challenge, which was super fun.


I decided to go to a 6-day event in London, where you first got access to the material when you entered the venue, so I couldn’t prepare much before entering. The location was great, the food was great, and we were given free access to snacks, beverages and lunch & dinner. I would highly recommend that you go to a physical event instead of on-demand. You get to meet so many nice people, who work in various different areas, and when you are drinking a beer together after the course, that’s when the amazing war stories start to rumble.


The instructor I had was Marcus Guevara, a cool guy from Texas who had plenty of experience and knowledge to teach us. He had worked a lot of Incident Response cases, so he definitely knew what he was talking about.

I must say that you need a few years of experience before going into this course. There are a lot of things that are taught, where you need to be familiar with working in different OSes, looking at different types of logs and being able to work your way around the different artifacts that are found in the Windows OS. I came from a background where I have had some experience with different adversary TTPs, which helped me a lot with spotting and alerting on attacks that were found while going through the material. However, Marcus was good at explaining.

The material

The material was top notch, but there was a lot of stuff to get through. There was a good balance between hands-on assignments and theory. The instructor specifically told us on day one that the purpose was not to go through all of the assignments and the provided material, as there is a lot of knowledge to consume. I really enjoyed the part about the various Active Directory attacks that can be caught and leave traces on the endpoints, as I have only seen it from the offensive perspective. You are provided with posters, 5 books and some workbooks as well.


So on one of the last days SANS hosts this super awesome Capture the Flag event called NetWars, where you either team up, or go for the individual challenges. The event is after a day of education, and you are provided with beers, wine and pizzas for you to get through the evening. Trust me, you need it. It was a great experience, and our team managed to get 3rd on our first NetWars; unfortunately, SANS removed giving out coins to first timers who won. Nevertheless, we had so much fun.

Final Challenge

The final challenge was rough, but fun! 5 hours of incident response in the environment, where you had to hunt for the advanced persistent threat that was suspected to be in the lab. You have to work together with your team to solve this, and it was so much fun, but hectic. My team and I managed to do the most detailed findings and managed to track the adversary across the enterprise, which led us to win the prestigious SANS FOR508 coin.


I say it again. This was one of the best experiences that I have had in this industry! See if you can get your employer to pay for this, and please consider going for the in-person course. It’s an amazing course, and I agree that there is a lot of value for the money. I’m looking forward to studying for the GIAC GCFA, which is the certification that follows this course.
