Looking at taking another SANS Course

alias454 Posts: 648 Member
I'm looking at taking FOR572 https://www.sans.org/course/advanced-network-forensics-analysis.

Has anyone taken it? How was it? Did you feel like it was worth the money or a rehash of things you already knew?

I already have the GSEC and am curious about experiences if anyone wants to share.

“I do not seek answers, but rather to understand the question.”


  • TechGromit Completely Clueless Ontario, NY Posts: 1,847 Member
    Just be aware that level 500 courses are tougher than level 400 courses. If you're going for the certification, it may require more study time than the GSEC. Not sure if the other numbers indicate the course is tougher than the lower numbers. For example, I've heard the 503 is a pretty tough exam, but the 504 is easier. You would think numbering-wise they'd be reversed if the course material was tougher to grasp. Actually SANS course numbering is all over the map, I can make no rhythm or reason on how they select course numbers.
    Still searching for the corner in a round room.
  • UnixGuy Are we having fun yet? Posts: 3,867 Mod
    TechGromit is right

    What's your background? How comfortable are you with tcpdump/Wireshark/TCP/IP and analysing PCAPs?

    I haven't taken it but a colleague of mine has; it is tough. What are your career goals?

    I always felt that FOR 508 is more useful in the real world, but all those courses are great anyway
    Goal: MBA, March 2020
  • alias454 Posts: 648 Member
    Thanks for the replies.

    I found the GSEC to be basic (I think that is the intent). You can find comments I made on here about it after I took the course/exam. I learned some things but felt let down in the material overall. I just felt it was lacking in the in-depth knowledge I wanted. With that said, I think the whole point of the GSEC is to provide the basics, which is why it's a first step on the roadmap. Generally speaking, I'm looking for a tough course so I can feel challenged.

    I recently transitioned from Linux Administrator to Security Analyst and have goals of Security Engineer/Architect in the future. The current career path at least for the time being is analyst->senior analyst->sec engineer->architect. 508 looks like it is geared for a traditional DFIR role, which while I find it interesting, I'm not really passionate about.

    I wouldn't consider myself anywhere close to knowledgeable enough but can analyse pcaps, flow data etc. It wasn't that long ago where I was ignorant about NSM as a concept so I dug in pretty hard to learn it. I have an understanding of what's what now and I want to grow that to a very deep level of knowledge.

    I'm pretty sure this is a course I want to take but would like some feedback on the reality of it. I am tentatively planning to do Austin, TX in June, right after Circle City Con this year if everything works out.

    “I do not seek answers, but rather to understand the question.”
  • UnixGuy Are we having fun yet? Posts: 3,867 Mod
    Fair enough, I made a similar career transition 3 years ago. While I don't know your technical background 100%, I would personally vote for SANS SEC 503 (GCIA), but the one you're looking at is not bad either.
    Goal: MBA, March 2020
  • alias454 Posts: 648 Member
    I reached out to the person teaching the course (Phil Hagen) on Twitter and his reply was:
    "I'd say the best prep would be a decent background on network fundamentals (CIDR notation, switching/routing/firewalling, etc), as well as knowing the ins and outs on the Linux command line. Bonus points for familiarity with tcpdump and wireshark"

    Given that I have a few months to brush up, I should be GTG.
    “I do not seek answers, but rather to understand the question.”
  • stephens316 Posts: 201 Member
    I would use the road map for selecting my next course. I think you would like GCIH SANS504; it actually has some teeth in the HR community: https://www.sans.org/media/security-training/roadmap.pdf
    Studying: 8 month CISSP Challenge
    Next Up: GCIH | CISSP
    Future: OSCP

    Reading: Mainly Real Estate Books, CIA Books

  • alias454 Posts: 648 Member
    Thanks, I've looked at 503, 504 and 508 pretty thoroughly but still decided to go with 572. The HR recognition is nice but not really a factor in my choice. I got approval for the FOR572 so I'm going to do that. I'll be in Austin in June so maybe I'll see some of you there.

    “I do not seek answers, but rather to understand the question.”
  • UnixGuy Are we having fun yet? Posts: 3,867 Mod
    Good luck mate
    Goal: MBA, March 2020