Back in April, I had the opportunity to attend a SANS course in London, more precisely, SANS 504: Hacker Tools, Techniques, and Incident Handling. The course ran from April 7th to April 12th, and those six days were intense, exciting, and surprisingly fun in ways I didn’t expect. I’ll try to share my personal experience with the course, the environment, and my journey up to exam day, adding a few hopefully useful tips on how I prepared for the certification.
Let’s start with the location, since we spent most of our time there, and it absolutely deserves a mention. The event took place in a massive building in the center of London, with two full floors dedicated entirely to SANS courses. Each training room was assigned to a different course, and during my class, there were seven other courses running simultaneously. This created a great opportunity to meet and connect with a lot of cybersecurity enthusiasts. The staff were fantastic, super friendly, always available, and helpful. They made sure everyone felt comfortable and knew where to go, which made a big difference, especially on the first day when everyone was still figuring out what to do. Each morning started with a solid breakfast and plenty of choices to fuel up for the day. During the sessions, there were snacks, soft drinks, energy drinks, and pretty much anything you might need to keep your attention sharp. Huge compliments to the entire SANS team and event organizers. They created an environment where learning was intense, but never uncomfortable.
SANS 504: Hacker Tools, Techniques, and Incident Handling is a hybrid course in every sense of the word. From a content perspective, it has a balance between theory and hands-on practice. You don’t just sit and read slides; you actually roll up your sleeves and work with a variety of tools and techniques. For people like me, who prefer doing over just reading, this approach was a perfect fit.
It’s also hybrid in terms of focus: it sits right between blue and red team. While the course is centered around incident response, showing you how to detect, defend, mitigate, and recover from attacks, it also takes time to walk you through how attackers think and operate. This dual perspective gives you a valuable, well-rounded view of both sides.
The topics covered are broad, ranging from live system analysis and network traffic inspection to memory forensics, malware behavior, and basic reverse engineering. It’s a deep dive into both offensive and defensive concepts, helping you not only recognize how attacks happen, but also how to respond to them effectively.
One of the best things about the SANS experience is that it doesn’t stop when the daily classes end. Over the week, I had the chance to join a bunch of evening events. There were two evening talks hosted by SANS instructors: one was about AI and how to jailbreak it, the other one on quantum cryptography. I’m not deeply into either field, but these sessions were a great excuse to meet other attendees and casually bond over shared curiosity. Then came the Social Night, basically a break midweek where we all met up at a local pub. It was the perfect setting to relax, talk and meet people from other courses. The funny part was a lucky wheel with some surprisingly “cool” prizes that gifted me a Bluetooth speaker.
But the real action? That was during the CTFs…
In total there were two: the NetWars and the final course-specific CTF on Saturday. The difference between the two is that NetWars is cross-course, meaning your team can include people attending other classes, while the Saturday CTF is dedicated to your specific course.
For NetWars, I teamed up with three classmates. I know… probably not the best choice in terms of bonding, but with a long-term goal. None of us knew each other very well, but we figured it would be a great chance to test our skills, get to know each other’s strengths and weaknesses and also understand how the CTF platform worked. Competition was extremely hard, to the point that several teams gave up mid-competition. We ended up finishing in 4th place, which honestly felt like a very good result considering it was our first time working together, so we decided to team up for our course CTF as well.
Then came the big event, the one everybody was waiting for. By then, we weren’t strangers anymore; we were more organized, more focused, and definitely more motivated. We wanted first place.
From the start, the challenges felt doable, our team communication was smooth, our division of tasks worked perfectly and we quickly reached first place. While other teams were still struggling to solve early stages, we were close to the end. I don’t know if the CTF was easier than expected, or if we were just really in sync, but it worked. With about two hours left, we secured the win and brought the winner’s coin home. It was the perfect way to wrap up the week: not just because of the win, but because we felt like we’d actually grown, both individually and as a team.

During the class days, I focused on understanding the content, not just memorizing it. I didn’t worry too much about the books; instead, I tried to connect the topics to my daily work, asking myself how I could apply what I was learning. I took lots of handwritten notes based on what the instructor said, which turned out to be a gold mine.
After the course ended, I began my preparation. I carefully read all the books from beginning to end. What really surprised me was how much I already remembered, probably thanks to how clearly the instructor explained everything during the week, which made the reading process much smoother.
While reading, I started building my index. Whenever I came across a topic that seemed like it could turn into a tricky exam question, I added it to the list. The format was simple but effective:
Reading and indexing the books didn’t take too much time, definitely not as much as the labs. And I can’t recommend the labs enough. Doing them at least twice, and not just rushing through them, is a game changer. It’s incredibly helpful to understand why you’re running each command, what the output means, and how it connects to the topic. In my opinion, the labs are where theory meets real-world application. If the books teach you what, the labs teach you how. Taking the actual exam honestly felt like a well-structured exercise and not a real exam, thanks to the experience I gained through the labs, NetWars, and the final CTF.
In the end, I can say the course covers a wide range of topics and gives a solid starting point for exploring different areas of cybersecurity. It’s not advanced, but it teaches the basics well. The focus is more on attack techniques than defense, which actually makes it useful for blue teamers since it shows how attackers act and how to prevent their actions.