Back in April, I had the opportunity to attend a SANS course in London. More precisely, SANS 504: Hacker Tools, Techniques, and Incident Handling. The course ran from April 7th to April 12th, and those six days were intense, exciting, and surprisingly fun in ways I didn’t expect. I’ll try to share my personal experience with the course, the environment, and my journey through to exam day, hopefully adding a few useful tips on how I prepared for the certification.
Let’s start with the location: since we spent most of our time there, it absolutely deserves a mention. The event took place in a massive building in the center of London, with two full floors dedicated entirely to SANS courses. Each training room was assigned to a different course, and during my class there were seven other courses running simultaneously.
This created a great opportunity to meet and connect with a lot of cybersecurity enthusiasts. The staff were fantastic, super friendly, always available, and helpful. They made sure everyone felt comfortable and knew where to go, which made a big difference, especially on the first day when everyone was still figuring out what to do.
Each morning started with a solid breakfast and plenty of choices to fuel up for the day. During the sessions, there were snacks, soft drinks, energy drinks, and pretty much anything you might need to keep your attention sharp. Huge compliments to the entire SANS team and event organizers. They created an environment where learning was intense, but never uncomfortable.
SANS 504: Hacker Tools, Techniques, and Incident Handling is a hybrid course in every sense of the word. From a content perspective, it balances theory and hands-on practice. You don’t just sit and read slides; you actually roll up your sleeves and work with a variety of tools and techniques. For people like me, who prefer doing over just reading, this approach was a perfect fit.
It’s also hybrid in terms of focus: it sits right between blue and red team. While the course is centered around incident response, showing you how to detect, defend, mitigate, and recover from attacks, it also takes the time to walk you through how attackers think and operate. This dual perspective gives you a valuable, well-rounded view of both sides.
The topics covered are broad, ranging from live system analysis and network traffic inspection, to memory forensics, malware behavior, and basic reverse engineering. It’s a deep dive into both offensive and defensive concepts, helping you not only recognize how attacks happen, but also how to respond to them effectively.
One of the best things about the SANS experience is that it doesn’t stop when the daily classes end. Over the week, I had the chance to join a bunch of evening events. There were two evening talks hosted by SANS instructors: one was about AI and how to jailbreak it, while the other was on quantum cryptography. I’m not deeply into either field, but these sessions were a great excuse to meet other attendees and casually bond over shared curiosity.
Then came Social Night: basically a midweek break where we all met up at a local pub. It was the perfect setting to relax, talk and meet people from other courses. The fun part was a lucky wheel with some surprisingly “cool” prizes, where I won a Bluetooth speaker.
But the real action? That was during the CTFs…
In total there were two: the NetWars and the final course-specific CTF on Saturday. The difference between the two is that NetWars is cross-course, meaning your team can include people attending other classes, while the Saturday CTF is dedicated to your specific course.
For NetWars, I teamed up with three classmates. I know… probably not the best choice in terms of bonding, but I had a long-term goal. None of us knew each other very well, but we figured it would be a great chance to test our skills, find out each other’s strengths and weaknesses, and also understand how the CTF platform worked. The competition was extremely hard, to the point that several teams gave up mid-competition. We ended up finishing in 4th place, which honestly felt like a very good result considering it was our first time working together, so we decided to also team up for our course CTF.
Then came the big event, the one everybody was waiting for. By then, we weren’t strangers anymore: we were more organized, more focused, and definitely more motivated. We wanted first place.
From the start, the challenges felt doable, our team communication was smooth, our division of tasks worked perfectly and we quickly achieved first place. While other teams were still struggling to solve the early stages, we were close to the end. I don’t know if the CTF was easier than expected, or if we were just really in sync, but everything clicked. With about two hours left, we secured the win and brought the winner’s coin home. It was the perfect way to wrap up the week: not just because of the win, but because we felt like we’d actually grown, both individually and as a team.

During class days I focused on understanding the content, not just memorizing it. I didn’t worry too much about the books. Instead, I tried to connect the topics to my daily work, asking myself how I could apply what I was learning. I took lots of handwritten notes based on what the instructor said, which turned out to be a gold mine.
After the course ended, I began my preparation. I carefully read all the books from beginning to end. What really surprised me was how much I already remembered, probably thanks to how clearly the instructor explained everything during the week, which made the reading process much smoother.
While reading, I started building my index. Whenever I came across a topic that seemed like it could turn into a tricky exam question, I added it to the list. The format was simple but effective:
Reading and indexing the books didn’t take too much time, definitely not as much as the labs. And I can’t recommend the labs enough. Doing them at least twice, and not just rushing through them, is a game changer. It’s incredibly helpful to understand why you’re running each command, what the output means, and how it connects to the topic. In my opinion, the labs are where theory meets real-world application. If the books teach you the what, the labs teach you the how. Taking the actual exam honestly felt like a well-structured exercise and not a real exam, thanks to the experience I gained through the labs, NetWars, and the final CTF.
In the end I can say the course covers a wide range of topics and gives a solid starting point for exploring different areas of cybersecurity. It’s not advanced, but it teaches the basics well. The focus is more on attack techniques than defense, which actually makes it useful for blue teamers since it shows how attackers act and how to prevent those actions.