Looking at taking another SANS Course

I'm looking at taking FOR572 https://www.sans.org/course/advanced-network-forensics-analysis.

Has anyone taken it? How was it? Did you feel like it was worth the money or a rehash of things you already knew?

I already have the GSEC and curious about experiences if anyone wants to share.

Thanks

Find more posts tagged with

SAVE $250 on Your Boot Camp — Use Code "EXAM26"

Exclusively for TechExams members for Infosec Boot Camps starting before April 30, 2026

View Boot Camps

Comments

TechGromit

Just be aware that level 500 courses are tougher than level 400 courses. If your going for the certification, it may require more study time than the GSEC. Not sure if the other numbers indicate the course is tougher than the lower numbers. for example I've heard the 503 is a pretty tough exam, but the 504 is easier. You would think numbering wise they be reversed if the course material was tougher to grasp. Actually SANS course numbering is all over the map, I can make no rhythm or reason on how they select course numbers.

UnixGuy

TechGromit is right

What's your background? How comfortable are you with TCPDUMP/WireSHARK/TCPIP and analysing PCAPS?

I haven't taken it but a colleague of mine have, it is tough. What are you career goals ?

I always felt that FOR 508 is more useful in the real world, but all those courses are great anyway

alias454

Thanks for the replies.

I found the GSEC to be basic(I think that is the intent). You can find comments I made on here about it after I took the course/exam. I learned some things but felt let down in the material overall. I just felt it was lacking in the in-depth knowledge I wanted. With that said, I think the whole point of the GSEC is to provide the basics, which is why it's a first step on the roadmap. Generally speaking, I'm looking for a tough course so I can feel challenged.

I recently transitioned from Linux Administrator to Security Analyst and have goals of Security Engineer/Architect in the future. The current career path at least for the time being is analyst->senior analyst->sec engineer->architect. 508 looks like it is geared for a traditional DFIR role, which while I find it interesting, I'm not really passionate about.

I wouldn't consider myself anywhere close to knowledgeable enough but can analyse pcaps, flow data etc. It wasn't that long ago where I was ignorant about NSM as a concept so I dug in pretty hard to learn it. I have an understanding of what's what now and I want to grow that to a very deep level of knowledge.

I'm pretty sure this is a course I want to take but would like some feedback on the reality of it. I am tentatively planning to do Austin, TX in June, right after Circle City Con this year if everything works out.

Regards,

UnixGuy

fair enough, I made a similar career transition 3 years ago. While I don't know your technical background 100%, I would personally vote for SANS SEC 503 (GCIA), but you the one you're looking at is not bad either.

alias454

I reached out to the person teaching the course(Phil Hagen) on Twitter and his reply was

I'd say the best prep would be a decent background on network fundamentals (CIDR notation, switching/routing/firewalling, etc), as well as knowing the ins and outs on the Linux command line. Bonus points for familiarity with tcpdump and wireshark

Given that I have a few months to brush up, I should be GTG.

stephens316

I would use the road map for selecting my next course i think you would like GCIH SANS504 it actually has some teeth in HR community https://www.sans.org/media/security-training/roadmap.pdf

alias454

Thanks, I've looked at 503, 504 and 508 pretty thoroughly but still decided to go with 572. The HR recognition is nice but not really a factor in my choice. I got approval for the FOR572 so I'm going to do that. I'll be in Austin in June so maybe I'll see some of you there.

Regards

UnixGuy

Good luck mate