SANS penetration testing instructors are some of the most noted experts in the field of penetration testing, masters of serious black arts dedicated to helping the world improve its security practices. Each is a real-world practitioner who specializes in the subjects they teach. Their instruction is soaked through with their real-world experience in the methods that they teach, the examples they've lived, the stories they share, all wrapped up in their excitement in the course material.

All of our instructors undergo rigorous training and evaluation before earning the much-coveted "SANS Certified Instructor" status. This grueling process helps us guarantee that what you learn in class will be up-to-date and directly relevant to your job, providing you with skills that you can use the day that you return to work.

Steve Armstrong


Steve Armstrong's career began more than 25 years ago when he joined the UK Royal Air Force (RAF), bringing with him a love of IT and a desire to protect others. When the opportunity to move into information security presented itself, Steve jumped at the chance, eventually leading the RAF's penetration and TEMPEST testing teams and having some memorable work experiences along the way. "There's nothing quite like securing wireless networks under attack while in a warzone with full body armour, loaded weapons, and hacking gear in 50+ degree centigrade heat," he recalls.

After retiring from active duty, Steve founded Logically Secure in 2006 to provide specialist security advice to government departments, defense contractors, the online video gaming industry, and music and film labels worldwide. As the founder, Steve directs the developers of the company's incident response platform, CyberCPR, on the needs of incident response teams, mentors the penetration testers and consultants throughout the world, supports staff development, and delivers in-house training on the latest technologies, security attacks, and detection/response methods.

In 2018 Steve fulfilled many a child's ambition to work for a games company when he joined Electronic Arts as their Incident Response Director. There he leads a team of highly skilled responders as they protect the availability of EA's games and the integrity of their networks and account data. "When you are looking at games with millions of concurrent players it brings a different perspective on the word scale," he recalls to his class. As he loves a challenge and "cloud gaming is the new console," his team are working to secure the next generation of global infrastructure needed to support players streaming high fidelity immersive games whenever and wherever they want to play.

And while Steve provides penetration testing and incident response services for some of the biggest names in gaming and music media, he also works to support small and medium enterprises. "We give away our IR Management platform (CyberCPR) for free for three users," he says. "This allows many small teams to use an enterprise supported product at no cost to them."

In 2006, Steve became a SANS instructor as another way of helping others, giving back to the community, and "seeing that magical look on people's faces when they get an earth-shattering concept for the first time." Today, you'll find him teaching SEC504: Hacker Tools, Techniques, Exploits, and Incident Handling.

In the classroom, Steve enjoys seeing students make connections, recalling a particularly memorable experience in his SEC617 course. "I explained a DDOS attack vector in the classroom and a student shouted 'dang it' and rushed out to make a call," Steve remembers. "He explained later that I had just identified the problem they had been trying to track down for months. With the mitigation I outlined they fixed the problem before the end of the course."

As an instructor, Steve brings years of experience working in a variety of situations, and a good dose of fun, to the classroom. "I've dealt with incidents at scale and for always-on organisations. I have worked on small incidents of one or two systems to huge APT incursions with 1500+ systems compromised. I've worked with small organisations with limited tools and almost zero budget and still helped them improve visibility and response times," he says. Steve also takes his curriculum beyond tools, teaching his students how to brief executives in a way understandable to them and how to brief staff in a way that enables them to work faster and more efficiently.

A frequent speaker at 44con, Steelcon, and DefCon (Group DC441452), Steve holds GPEN, GCIH, GCFA, and CISSP certifications. He has appeared on national television and radio discussing cyber security, is regularly quoted in the press, and maintains an active blog.

When he's not working and teaching, you'll find Steve playing TitanFall2 or Battlefield to let off steam, building 3D-printed gadgets for Raspberry Pis, developing collaborative DFIR tools, and flying drones.

Summary of Credentials

  • GPEN (GIAC Penetration Tester)
  • GCIH (GIAC Certified Incident Handler)
  • GCFA (GIAC Certified Forensic Analyst)
  • GCDA (GIAC Certified Detection Analyst)
  • CISSP (Certified Information Systems Security Professional)

Student Quotes

"Steve Armstrong's energy is contagious. Although the day was long, I felt alert and engaged at all times." - Amr Zakaa Khalife, Vodafone Egypt

Mark Baggett


Mark Baggett's first foray into information security was on the receiving end of hacking, and he was amazed by the experience. "The hackers made my computer do stuff that I didn't think was possible," he says. "It was like magic and I had to know how the trick was done." He immediately became obsessed with understanding all the tricks, how they worked, and how to prevent them from happening again.

Fast forward to today and Mark's infosec career spans nearly 30 years with 15 of those years spent teaching for SANS. Mark is currently a senior instructor for SANS and an independent consultant through his company Indepth Defense providing forensics, incident response, and penetration testing services. Mark has also served as the technical advisor to the DoD for SANS since 2011, where he assists various government organizations in the development of information security capabilities.

Mark still finds information security as fun as the first day he discovered it, and feels that learning about information security should be fun too. "I really want the students to enjoy their classroom experience and look forward to learning skills that will make them more effective information security professionals," he says. And Mark stays busy in the SANS classroom teaching SEC573: Automating Information Security with Python; SEC560: Network Penetration Testing and Ethical Hacking; SEC504: Hacker Tools, Techniques, Exploits, and Incident Handling; and The Essentials of Automating Information Security with Python.

As an instructor, Mark's enjoyment of information security is infectious and his favorite moments are when students solve complex problems they thought were beyond their capability at the beginning of the week. "When students learn how to code and how to apply it to their day jobs it changes their lives forever," he says.

"It is my goal to meet the student where his or her current skill level is and move them forward," says Mark, noting that his most successful students are those who are honest about where their skills are and willing to put in the work to improve. "I'll promise to give them the resources and assistance they need in a way that is both entertaining and judgement-free."

Mark recalls a recent interaction with an SEC573 student that demonstrates the growth potential SANS courses provide. "A student came up to me in class and shared that he had taken 4 years of college courses and 4 months of military training, and he hated programming and really wasn't looking forward to sitting in SEC573 for a week with me," recalls Mark. "But after only four days I had changed his mind about programming. It was fun! He was enjoying the challenges instead of dreading them and said he'd learned more about how to actually use his skills in real world scenarios in 4 days than in all those years of prior training."

Mark sees information security as the evolution of information technology challenges, moving from making computers do what they're supposed to do to getting computers to do what they aren't supposed to do, something that requires constant learning. "Hacker techniques are constantly changing and in a few cases evolving. When I stop learning, I stop being effective," says Mark.

One of Mark's most challenging and fulfilling roles was working as the chief information security officer for a midsized media company. "I've always been committed to maintaining a high level of technical proficiency and expertise. Being able to use that in an executive position while leading a talented team, educating my peers on the board, setting strategy, and working to secure the organization was extremely challenging but very fulfilling."

Mark has a master's degree in information security engineering and is the 15th person in the world to receive the prestigious GIAC Security Expert certification (GSE). He also holds GPYC, GXPN, GPEN, GCIA, GCIH, GSEC, GWAPT, and GCPM certifications.

An active participant in the information security community, Mark is the founding president of The Greater Augusta Information Systems Security Association (ISSA) chapter which has been extremely successful in bringing networking and educational opportunities to Augusta information technology workers. He's also co-founder of the BSidesAugusta Information Security Conference, and has written a number of articles on information security topics.

Summary of Credentials

  • GSE Number 15 (GIAC Security Expert)
  • GPYC (GIAC Python Coder)
  • GXPN (GIAC Exploit Researcher and Advanced Penetration Tester)
  • GPEN (GIAC Certified Penetration Tester)
  • GCIA (GIAC Certified Incident Analyst)
  • GCIH (GIAC Certified Incident Handler)
  • GSEC (GIAC Security Essentials)
  • GWAPT (GIAC Web Application Penetration Tester)
  • GCPM (GIAC Certified Project Manager)

Student Quotes

"Mark's teaching style is very relevant and sets an atmosphere where you are excited to learn." - Jeff Turner, Lexis Nexis Risk Solutions

George Bakos


George Bakos has been interested in computer security since the early 1980s when he discovered the joys of BBSs and corporate databases. These days he is Technical Fellow & Manager of Cyber Threat Assessment & Awareness at Northrop Grumman, a global leader in Cybersecurity, Aerospace & Defense. While at the Institute for Security Technology Studies, George was the developer of Tiny Honeypot and the IDABench intrusion analysis system and led the Dartmouth Distributed Honeynet System, fielding deception systems and studying the actions of attackers worldwide. He developed and taught the U.S. Army National Guard's CERT technical curriculum and ran the NGB's Information Operations Training and Development Center research lab for two years, fielding and supporting Computer Emergency Response Teams throughout the United States. A recognized authority in computer security, he has contributed to numerous books and open source software projects; has been interviewed on radio, television, and online publications; briefed the highest levels of government; and has been a member of the SANS Institute teaching faculty since 2001. Outside the lab, George enjoys the beauties of his home state, Vermont, through skiing, ice and rock climbing, and mountain biking.

Here is What Students Say About George Bakos:

"George teaches you practical skills and provides real-world examples of IT security issues." - Mark Lian, Northrop Grumman

Eric Conrad


SANS Faculty Fellow Eric Conrad is the lead author of SANS MGT414: SANS Training Program for CISSP® Certification, and coauthor of both SANS SEC511: Continuous Monitoring and Security Operations and SANS SEC542: Web App Penetration Testing and Ethical Hacking. He is also the lead author of the books CISSP Study Guide and Eleventh Hour CISSP: Study Guide.

Eric's career began in 1991 as a UNIX systems administrator for a small oceanographic communications company. He gained information security experience in a variety of industries, including research, education, power, Internet, and health care. He is now CTO of Backshore Communications, a company focusing on hunt teaming, intrusion detection, incident handling, and penetration testing. He is a graduate of the SANS Technology Institute with a master of science degree in information security engineering. In addition to the CISSP, he holds the prestigious GIAC Security Expert (GSE) certification as well as the GIAC GPEN, GCIH, GCIA, GCFA, GAWN, and GSEC certifications. Eric also blogs about information security at

Statements from SANS alumni regarding their training experience:

"Eric is fantastic and does an excellent job relating the material to real-life examples." - Robby Croft, Brown Foreman

"I really love the opportunity to take a SANS course from an instructor that authored the material. Eric clearly knows this material inside & out." - Jesse Lane, IAG


Christopher Crowley


Mr. Crowley has 15 years of industry experience managing and securing networks. He currently works as an independent consultant in the Washington, DC area focusing on effective computer network defense. His work experience includes penetration testing, security operations, incident response, and forensic analysis.

Mr. Crowley is a Senior Instructor and the course author for SANS Management 517 - Managing Security Operations and SANS Management 535 - Incident Response Team Management. He holds the GSEC, GCIA, GCIH (gold), GCFA, GPEN, GMOB, GASF, GREM, GXPN and CISSP certifications. His teaching experience includes FOR585, MGT517, MGT535, SEC401, SEC503, SEC504, SEC560, SEC575, and SEC580; Apache web server administration and configuration; and shell programming. 

He was awarded the SANS 2009 Local Mentor of the year award. "The Mentor of the Year Award is given to SANS Mentors who excel in leading SANS Mentor Training classes in their local communities." 

Mr. Crowley spends his spare time mountain biking, rock climbing and savoring epicurean treats.

Here is What Students Say About Christopher Crowley:

"Chris really knew his stuff and presented ideas that made me change my mind on some policies and configs we employ." - William Jeskey, Tarrant County College

"Chris was one of the best instructors I have ever had in any training environment in almost 24 years of service." - Anonymous


Chris Dale


Chris Dale is the Head of Cyber Security at Netsecurity, a mid-sized company based out of Norway. Along with significant security expertise, Chris has a background in System Development, IT-Operations and Security Management. This broad experience in IT is advantageous when managing penetration tests, incidents and while teaching.

Chris is passionate about security, both physical and in IT, and regularly presents and teaches at conferences and workshops. Chris holds the GCIH, GPEN, GDAT, GSLC, and GMOB certifications. He also has a B.S. in Informatics, with specialization in programming, from the Norwegian University of Science and Technology. He participates in panel debates and is invited to participate in government-related working groups, to recommend and improve the Norwegian private and public sectors.

Currently Chris teaches two SANS courses: MGT535: Incident Response Team Management and SEC504: Hacking Techniques, Exploits & Incident Handling. SEC504 prepares students for the GIAC Certification in Incident Handling (GCIH).

Here is what students say about Chris Dale:

"The fact that he spoke with the same amount of enthusiasm, passion, and energy on Monday morning that he did following lunch on the Friday is a real testament to his professionalism and diligence. I will be recommending colleagues to attend this course particularly if Chris is taking it." ~ Liam M.

"His teaching skills are extraordinary and the approach he uses to explain concepts is so unique that it keeps the learners so interested. Chris is very highly skilled on Cyber Security, Incident Response and his enthusiastic passion for sharing that knowledge, spicing it with some fun is something special and hard to find in all trainers. I would say he is the best trainer I had until now in my career and recommend him as an excellent cyber security consultant to any firm. Thank You for the beneficial training, Chris." ~ Rini I.

"His experience in cyber security was immediately apparent, as was his enthusiasm for the subject. Chris was a great teacher combining energy with a genuine concern for his pupils. He was a pleasure to spend time with and an inspiration." ~ Jeremy M. 


Pieter Danhieux


Pieter Danhieux is a certified instructor for the SANS Institute, teaching military, government, and private organizations offensive techniques on how to target and assess organizations, systems, and individuals for security weaknesses. He is also one of the founders of the security and hacking conference BruCON in Belgium.

Pieter has worked in the cyber security space since 2002. He was one of the youngest persons ever in Belgium to obtain the Certified Information Systems Security Professional (CISSP) certification. He then obtained the Certified Information Systems Auditor (CISA) and the GIAC Certified Forensics Analyst program (GCFA) and is currently one of the select few people worldwide to hold the GIAC Security Expert (GSE) certification.

Pieter is Co-founder and Chief Architect of the Secure Code Warrior platform, a gamified environment where developers and security testers can learn how to properly identify and fix security weaknesses in software. Until January 2015, he was part of the leadership at BAE Systems APAC in his role as Head of Delivery of the Applied Intelligence business unit. Before that, Pieter worked for seven years at Ernst & Young in Europe as one of their information security experts running a team of attack and penetration resources operating in the financial industry and telecommunication space.

Here is What Students Say About Pieter Danhieux:

"SANS is by far the best hands-on training. Peter is very knowledgeable and knows how to transfer that to students." - Rob Brabers, Sincerus

Adrien de Beaupre


Adrien de Beaupre is a Principal SANS instructor and works as an independent consultant in beautiful Ottawa, Ontario. His work experience includes course development, technical instruction, vulnerability assessment, and penetration testing. He is a member of the SANS Internet Storm Center and is actively involved with the information security community. When not geeking out he can be found with his family, or at the dojo.


Here is What Students Say About Adrien de Beaupre:

"Adrien has been AMAZING. There are a good amount of slides and no one has been bored. It's a testament to his skill." - Ashwin Venkat, F5 Networks

Mick Douglas


Even when his job title has indicated otherwise, Mick Douglas has been doing information security work for over 10 years. He received a bachelor's degree in communications from Ohio State University.  He is the managing partner for InfoSec Innovations.

He is always excited for the opportunity to share with others so they do not have to learn the hard way! By studying with Mick, security professionals of all abilities will gain useful tools and skills that should make their jobs easier. When he's not "geeking out" you'll likely find Mick indulging in one of his numerous hobbies: photography, scuba diving, or hanging around in the great outdoors.

Here is What Students Say About Mick Douglas:

"Mick does an excellent job of delivering the material. His interest in and passion for this class is obvious." - Matt Steinberg

"Priceless information! Best instructor ever." - Mat Rose, capgemini-gs

Matt Edmondson


By day, Matt performs technical duties for the U.S. government and has extensive experience with open-source intelligence (OSINT) and digital forensics including conducting numerous examinations and testifying as an expert witness on multiple occasions. 

By night, he is a Principal at Argelius Labs, where he performs security assessments and consulting work.

A recognized expert in his field with a knack for communicating complicated technical issues to non-technical personnel, Matt routinely provides cybersecurity instruction to individuals from the Department of Defense, Department of Justice, Department of Homeland Security, Department of Interior, as well as other agencies, and has spoken frequently at information security conferences and meetings. 

"I think the thing I love most about teaching the SEC504 for SANS is that it allows me to geek out about both offensive tactics and digital forensics," says Matt. "To be able to cover things like exploit development and memory forensics in the same class is amazing."


Here is What Students Say About Matt Edmondson:

"I've taken a few courses that taught cryptosystems. This was the best explanation and most easily understood presentation." - Justin Givhan, FBI

"I especially enjoyed how Matt included his personal experiences to reinforce the course content." - Dan McClain, Regions Financial Corp.

Kevin Fiscus


Kevin Fiscus is the founder of and lead consultant for Cyber Defense Advisors where he performs security and risk assessments, vulnerability and penetration testing, security program design, policy development, and security awareness with a focus on serving the needs of small and mid-sized organizations. Kevin has over 20 years of IT experience and has focused exclusively on information security for the past 12. Kevin currently holds the CISA, GPEN, GREM, GMOB, GCED, GCFA-Gold, GCIA-Gold, GCIH, GAWN, GPPA, GCWN, GCSC-Gold, GSEC, SCSA, RCSE, and SnortCP certifications and is proud to have earned the top information security certification in the industry, the GIAC Security Expert. Kevin has also achieved the distinctive title of SANS Cyber Guardian for both red team and blue team. Kevin has taught many of SANS's most popular classes including SEC401, SEC464, SEC503, SEC504, SEC542, SEC560, SEC561, SEC575, FOR508, and MGT414.

You can reach Kevin on Twitter @kevinbfiscus or on LinkedIn at

Here is What Students Say About Kevin Fiscus:

"Kevin Fiscus is one of the best instructors I have seen! Great find SANS!" - David Hoid, Employers Holdings

Moses Frost


Moses Frost (Hernandez) is a seasoned security professional with over 15 years in the IT industry. He has held positions as a network engineer, network architect, security architect, platform engineer, site reliability engineer, and consulting sales engineer. He has a background in complex network systems, systems administration, forensics, penetration testing, and development. He has worked with some of the largest companies in the nation as well as fast-growing, bootstrap startups.

Moses has developed information security regimens safeguarding some of the most sensitive personal data in the nation. He creates custom security software to find and mitigate unknown threats, and works on continually evolving his penetration testing skills. He enjoys building software, networks, systems, and working with business-minded individuals.

Moses's current passions include offensive forensics, building secure systems, finance, economics, history, and music.

Here is What Students Say About Moses Frost (Hernandez):

"Keep on killing it. Moses is the best SANS instructor I have had." - William Kubicz, ARCYBER

Bryce Galbraith


"The world isn't run by weapons anymore, or energy, or money. It's run by little ones and zeros, little bits of data. It's all just electrons. There's a war out there - and it's not about who's got the most bullets. It's about who controls the information. What we see and hear, how we work, what we think, it's all about information." -- Cosmo, from Sneakers

As a contributing author of the internationally bestselling book Hacking Exposed: Network Security Secrets & Solutions, Bryce helped bring the secret world of hacking out of the darkness and into the public eye. Bryce was a member of Foundstone's world-renowned penetration testing team and served as a co-author and Senior Instructor of Foundstone's groundbreaking Ultimate Hacking: Hands-On course series.

Bryce continues to provide highly specialized ethical hacking and cyber security consulting services to clients around the world and teaches thousands of cyber security professionals, from a who's who of top organizations, how to defend against advanced adversaries...

Here is What Students Say About Bryce Galbraith:

"Bryce is an excellent instructor. His knowledge and delivery are exceptional." - Chris Shipp, DM Petroleum Operations Co.

Micah Hoffman


Micah Hoffman has been active in the information technology field since 1998, working with federal government, commercial, and internal customers to discover and quantify cybersecurity weaknesses within their organizations. As a highly active member of the cybersecurity and OSINT communities, Micah uses his real-world Open-Source Intelligence (OSINT), penetration testing, and incident response experience to provide customized solutions to his customers and comprehensive instruction to his students.

Micah found himself drawn to the world of computers from the time he got his first Apple IIe, and that comfort with technology eventually led him to an entry-level help desk job. Later positions in server maintenance and networking helped him move into cybersecurity consulting, working with companies like General Dynamics and Booz Allen Hamilton. In 2018, Micah founded his own consulting company, Spotlight Infosec, that focuses on OSINT and cyber security.

Over the years, Micah has conducted cyber-related tasks like penetration testing, OSINT investigations, APT hunting, and risk assessments for government, internal, and commercial customers. He took his first SANS course in the early 2000s. To date, he has earned several GIAC certifications, as well as a CISSP, and has shared his knowledge with others by speaking at multiple conferences and posting on his blog.

Micah's SANS coursework, cybersecurity expertise, and inherent love of teaching eventually pulled him toward an instructional role, and he's been a SANS Certified Instructor since 2013. He's the author of the SANS course SEC487: Open Source Intelligence Gathering and Analysis, and also teaches both SEC542: Web App Penetration Testing and Ethical Hacking and SEC567: Social Engineering for Penetration Testers.

Here is What Students Say About Micah Hoffman:

"Great instructor, well spoken, excitable about the subject." - Gharrett Worku, Paycom

"Micah's delivery was entertaining and engaging." - Paul Ryan, GDIT

"Instructor keeps students engaged.  Provides assistance when needed, excellent attitude." - Nathan Peterson

"Good pace - good depth of knowledge." - Robert Smith, Intel Corp

"The lessons and instruction were well put together, and I could tell that both Micah and Jeff were experts in the field. They added in actual real world use cases, which makes it much easier to identify how the specific lesson is applied in different settings." - Anonymous

James Lyne


James Lyne is the CTO for SANS Institute. He is a self-professed 'massive geek' and has technical expertise spanning a variety of the security domains from forensics to offensive security. James has worked with many organisations on security strategy, handled a number of severe incidents and is a frequent industry advisor. He is a certified instructor at the SANS Institute and is often a headline presenter at industry conferences.

James firmly believes that one of the biggest challenges we face is in making security accessible and interesting to those outside the industry. As a result, he takes every opportunity to educate on security threats and best practice - always featuring live demonstrations and scenarios of how cyber criminals operate in the real world.

James has given multiple TED talks, including at the main TED event. He's also appeared on a long list of national TV programmes to educate the public including CNN, NBC, BBC News, Bill Maher and John Oliver. As a spokesperson for the industry, he is passionate about talent development, regularly participating in initiatives to identify and develop new talent for the industry.

Here is What Students Say About James Lyne:

"James Lyne made this course a tremendous experience. James made it his personal mission to make sure he carried everyone with him no matter what their skill level is. Outstanding!" - S. Khan, EADS-NA

David Mashburn


David Mashburn is currently the IT Security Manager for a global non-profit organization in the Washington, D.C. area. He also has experience working as an IT security professional for several civilian federal agencies, and over 15 years of experience in IT. He holds a master's degree in computer science from Johns Hopkins University, and a B.S. from the University of Maryland at College Park. David holds multiple security-related certifications, including CISSP, GPEN, GCIH, GCIA, and CEH. He is also a member of the SANS / GIAC Advisory Board, and has previously taught courses in the Cybersecurity curriculum at the University of Maryland - University College.

Here is What Students Say About David Mashburn:

"Dave is a top-notch instructor and delivered the material in spectacular fashion. I would absolutely take another course from him." - Dan Veum, Assurant Inc.

Jeff McJunkin


Jeff McJunkin is the founder of Rogue Valley Information Security, a consulting firm specializing in penetration testing and red team engagements. Jeff has a long background in systems and network administration that he leveraged into web and network penetration testing, especially involving Active Directory. He has taught dozens of classes in network penetration testing for the SANS Institute, and is the author of the "Metasploit Kung Fu for Enterprise Pen Testing" course. He specializes in not only finding end-to-end realistic attack scenarios for clients, but also in helping technical staff as well as senior leadership in understanding the attack, its ramifications, detective controls, and assisting in safe remediation. Jeff has competed in many security competitions and has won many of them, along with designing and presenting several iterations of the SANS Core NetWars Tournaments to thousands of attendees.

His personal blog can be found at

Here is What Students Say About Jeff McJunkin:

"Jeff is an awesome instructor and explains very complex topics in an easy to understand manner! Thank you for this great course!" - Walt Carruth, Real Page

Tim Medin


After watching the movie Sneakers, Tim Medin knew the career path he wanted to pursue. "I saw the movie and wanted to break into places and hack things," he says. Infosec was the perfect fit. "I love hacking, and I can get paid to do it!"

Tim began his security career in 2008 with a role at AgStar Financial Services (now Compeer Financial), and since then has worked for FishNet Security (now Optiv) and Counter Hack. Today, he's the founder and principal consultant at Red Siege where he manages the company and hacks things, his favorite role so far because he gets to lead a team of smart hackers and run a business.

A SANS instructor since 2012, Tim is currently the program director for the SANS Master of Science in Information Security Engineering (MSISE) curriculum, as well as a principal instructor and course author. In the classroom, you'll find him teaching SEC560: Network Penetration Testing and Ethical Hacking and SEC660: Advanced Penetration Testing, Exploit Writing, and Ethical Hacking.

Through the course of his career, Tim's had the opportunity to hack some of the best and biggest companies on earth and get a sneak peek inside cutting-edge technology before it's publicly released. He has performed penetration tests on a wide range of organizations and technologies in industries including control systems, higher education, financial services, and manufacturing, and brings years of practical experience and stories from himself and his team to his SANS students.

Tim says an eagerness to learn, and an openness to see things differently are keys for success in his classroom. "I really enjoy seeing students break through their current way of thinking and see technology and data differently," he says.

And those lessons can have a lasting impact. "Years ago I had a high school student in a one-day class who came up to me years later and showed me he was doing penetration testing at a major company," says Tim. "It was amazing to see him develop himself and see his transformation."

Tim is an experienced international speaker and the creator of Kerberoasting, a widely used technique that extracts Kerberos tickets so that the passwords of enterprise service accounts can be attacked offline. He has an MBA from the University of Texas, holds the GWAPT, GPEN, GMOB, GCED, and GCIH certifications, and previously held the CCNA certification.

In his free time, you'll find Tim watching sports, appreciating a good beer, and running.

Student Quotes

  • "Tim is a great instructor, I really enjoyed the live demos and the style of his teaching. He really keeps you engaged." - Drew Davis, Rook Security

Summary of Credentials

  • GPEN (GIAC Certified Penetration Tester)
  • GWAPT (GIAC Web Application Penetration Tester)
  • GCED (GIAC Certified Enterprise Defender)
  • GMOB (GIAC Mobile Device Security Analyst)
  • GCIH (GIAC Certified Incident Handler)

Seth Misenar

Seth Misenar is a Cyber Security Expert who serves as a Faculty Fellow with the SANS Institute and Principal Consultant at Context Security, LLC. He is numbered among the few security experts worldwide to have achieved the GIAC GSE (#28) credential. Seth teaches a variety of cyber security courses for the SANS Institute including two very popular courses for which he is lead author: the bestselling SEC511: Continuous Monitoring and Security Operations and SEC542: Web Application Penetration Testing and Ethical Hacking.

Seth's background includes security research, network and web application penetration testing, intrusion analysis, incident response, and security architecture design. He has previously served as a security consultant for Fortune 100 companies, as well as the HIPAA Security Officer for a state government agency.

In addition to serving as lead author for two SANS classes, Seth also co-authored Syngress CISSP® Study Guide, now in its 3rd Edition, the Eleventh Hour CISSP®: Study Guide and MGT414: SANS Training Program for CISSP® Certification. Seth has a Bachelor of Science degree in Philosophy from Millsaps College and resides in Jackson, Mississippi with his wife, Rachel, and children, Jude, Hazel, and Shepherd.

Here is What Students Say About Seth Misenar:

"Seth's enthusiasm makes the class work very well. His knowledge is amazing and will certainly be taken back to work with me!" - Kevin Cowell, BT

Michael Murr

Michael has been a forensic analyst with Code-X Technologies for over five years, has conducted numerous investigations and computer forensic examinations, and has performed specialized research and development. Michael has taught SANS SEC504: Hacker Techniques, Exploits, and Incident Handling, SANS FOR508: Computer Forensics, Investigation, and Response, and SANS FOR610: Reverse-Engineering Malware; has led SANS Online Training courses and is a member of the GIAC Advisory Board. Currently, Michael is working on an open-source framework for developing digital forensics applications. Michael holds the GCIH, GCFA, and GREM certifications and has a degree in computer science from California State University at Channel Islands. Michael also blogs about digital forensics on his forensic computing blog.

Here is What Students Say About Michael Murr:

"Mike is exceptional. His presentation is super smooth, and he's ultra knowledgeable." - Matt McGuirl, Palo Alto Networks

Jorge Orchilles

Jorge Orchilles has been involved in Information Technology since 2001. He began his career as a network and system administrator for a small private high school. Realizing his passion for IT, he founded The Business Strategy Partners in 2002 providing consulting services to residential, small, and medium businesses. While gaining work experience, he was a very involved, full-time student at Florida International University (FIU). He founded the FIU MIS Club and was later contracted to work on the University's Active Directory Migration Project. After successful and on-time completion of the project, he was employed in 2007 by Terremark, a datacenter and cloud service provider acquired by Verizon. Jorge helped build and secure Terremark's Infrastructure as a Service (IaaS) solution first called Collocation 2.0 and then "The Enterprise Cloud" in 2008. Jorge developed a large interest in Information Security and was promoted to a Security Operations Center Analyst position in 2009. After a year of defending critical infrastructure for federal and commercial customers, he moved to an offensive analyst position with a large, global financial institution in 2010. Since then, Jorge has performed hundreds of application and infrastructure vulnerability assessments and penetration tests. His leadership gained him various promotions and opportunities to lead various teams within the offensive information security team of over 140 ethical hackers including the Advanced Penetration Team (Red Team), the Responsible Vulnerability Disclosure program, and the Cloud Security program.

Jorge is a contributing author to A Framework for the Regulatory use of Penetration Testing in the Financial Services Industry published by the Global Financial Markets Association. He is also the author of Microsoft Windows 7 Administrator's Reference published by Syngress in 2010.

Jorge contributes to the information security community by serving on the Board of Directors of the South Florida Chapter of the Information Systems Security Association (ISSA) since 2010, including 3 years as Chapter President. Jorge also served as an Advisory Board member for Intralinks (acquired by Synchronoss for $821 Million) as the Information Security Adviser. Jorge is a SANS Certified Instructor teaching various SANS courses since 2010.

Jorge has a post-graduate degree in Advanced Computer Security from Stanford University, Master of Science in Management Information Systems from Florida International University, and a Bachelor of Business Administration in Management Information Systems from Florida International University. 

Jorge holds various certifications from SANS GIAC, ISC2, ISACA, EC-Council, Cisco, Microsoft, and CompTIA:

  • GIAC Exploit Researcher & Advanced Penetration Tester (GXPN)
  • Certified Information Systems Security Professional (CISSP)
  • Certified Information Security Manager (CISM)
  • GIAC Penetration Tester (GPEN)
  • GIAC Certified Forensic Analyst (GCFA)
  • GIAC Certified Incident Handler (GCIH) 
  • EC-Council Certified Ethical Hacker (C|EH)
  • Core Impact Certified Professional (CICP)
  • CompTIA Security+ 2008 Edition
  • Cisco Certified Design Associate (CCDA) 
  • Cisco Security Solutions and Design Specialist (CSSDS) 
  • Microsoft Certified Technology Specialist
    • 70-620 - Microsoft Windows Vista: Configuring
  • Microsoft Certified Professional
    • 70-282 - Designing, Deploying, and Managing Network Solutions
    • 70-284 - Implementing and Managing Microsoft Exchange Server 2003
    • 70-228 - Installing, Configuring, and Administering Microsoft SQL 2000

Jorge speaks English, Spanish, and Portuguese in decreasing order of fluency. He also loves to watch and play soccer. For more about Jorge A. Orchilles please visit his LinkedIn page.

Larry Pesce

Larry is a Senior Security Analyst with InGuardians after a long stint in security and disaster recovery in healthcare, performing penetration testing, wireless assessments, and hardware hacking. He also diverts a significant portion of his attention to co-hosting the PaulDotCom Security Weekly podcast and likes to tinker with all things electronic and wireless, much to the disappointment of his family, friends, warranties, and his second Leatherman Multi-tool. Larry also co-authored Linksys WRT54G Ultimate Hacking and Using Wireshark and Ethereal from Syngress. Larry is an Extra Class Amateur Radio operator (KB1TNF) and enjoys developing hardware and real-world challenges for the Mid-Atlantic Collegiate Cyber Defense Challenge. He is also a SANS certified instructor.

Here is What Students Say About Larry Pesce:

"SEC617 was great and I am still impressed with the consistency from Day 1-6 of Pesce keeping a high level of energy and knowledge throughout." - Philip Mein, JCCC

Chris Pizor

Chris Pizor has been interested in technology and computers since childhood, so when he started his career with the United States Air Force (USAF) in 1996 as an active duty service member, communication systems and security was the perfect fit. This was just the start as he learned about a number of communication methods, systems, transmission mediums, and then how to protect and disrupt them, says Chris. He eventually got the chance to move into an intelligence role doing network monitoring, intrusion analysis, and incident response for the U.S. Department of Defense (DoD) and U.S. Government, including a stint with the NSA Threat Operations Center.

Since then, Chris has worked for Tyonek Services, E-volve Technology Systems, and as an independent contractor. Today, he's back with the USAF as a civilian employee serving as the curriculum lead for a USAF Cyberwarfare training course that prepares students to perform network security, assessment, threat hunting, incident response, forensic analysis, and penetration testing. In this role, Chris researches tactics for doing threat hunting and incident response to improve the training methods used by the Air Force, trains instructors on these tactics, builds and reviews curriculum, and occasionally teaches a cyberwarfare operations course.

"I have had a lot of fun working on some advanced incident response cases, and also doing vulnerability assessments of numerous networks," says Chris. "It is very rewarding to be able to stop an attacker before they gain access and are able to cause damage."

A SANS instructor since 2013, Chris teaches SANS SEC504: Hacker Tools, Techniques, Exploits, and Incident Handling, where he shares the experience he's gained protecting the U.S. DoD network and studying hacking methodologies used by multiple threat actors, including multiple APT groups. "In the classroom, I always try to share lessons I have personally learned or observed over the years," says Chris. "Many of these are of course due to making mistakes and learning a better, more efficient way of doing things."

Among the many rewards of teaching, Chris says helping students grasp new concepts and discover new ways of solving problems rank the highest. "Becoming a SANS instructor is a great opportunity to pass on lessons that I have learned over the years, while expanding my own knowledge through student interactions," says Chris. "We can all learn from each other, no matter how experienced or inexperienced anyone believes themselves to be."

In the classroom, Chris encourages students to ask questions, contribute to discussions, think about new ways of dealing with problems, and learn from each other. And he appreciates seeing students implement what they've learned in the real world.

"I had a student in a class that received a call from her company concerning a large-scale data breach involving over 100,000 pieces of sensitive information," Chris recalls. "She and I were able to discuss the problem, infrastructure, and possible containment steps. The fact that she was able to immediately put the concepts to use that we had just discussed earlier in the week was a truly memorable experience."

Chris holds GIAC GXPN, GPEN, GCFA, GNFA, GCIH, GCIA, GISP, GSEC, and CISSP certifications and is a recipient of the "General John P. Jumper Award for Excellence in Warfighting Integration." He has a bachelor's degree in intelligence studies and information operations from American Military University and a master's in cybersecurity from the University of Maryland University College.

Outside of work, Chris regularly volunteers with his church managing the church's website and network security. He also volunteers with Operation Christmas Child, which delivers gift-filled shoeboxes to impoverished children around the world. In his spare time, Chris enjoys woodworking, fishing, camping, and simply spending time with his family.

Qualifications Summary

  • 20+ years in intelligence, network security, cyberwarfare, incident response, forensic analysis and penetration testing
  • Worked in the NSA Threat Operations Center while active duty in the USAF
  • Instructor for SANS SEC504: Hacker Tools, Techniques, Exploits, and Incident Handling
  • Recipient of the "General John P. Jumper Award for Excellence in Warfighting Integration"
  • BS, intelligence studies and information operations, American Military University
  • MS, cybersecurity, University of Maryland University College

Summary of Credentials

  • GIAC GXPN (Exploit Researcher and Advanced Penetration Tester)
  • GIAC GPEN (Certified Penetration Tester)
  • GIAC GCFA (Certified Forensic Analyst)
  • GIAC GNFA (Network Forensic Analyst)
  • GIAC GCIH (Certified Incident Handler)
  • GIAC GCIA (Certified Intrusion Analyst)
  • GIAC GISP (Information Security Professional)
  • GIAC GSEC (Security Essentials Certification)
  • CISSP (Certified Information Systems Security Professional)

Mike Poor

Mike is a founder and senior security analyst for the DC firm InGuardians, Inc. In the past he has worked for Sourcefire as a research engineer and for SANS leading their intrusion analysis team. As a consultant, Mike conducts incident response, breach analysis, penetration tests, vulnerability assessments, security audits, and architecture reviews. His primary job focus, however, is in intrusion detection, response, and mitigation. Mike currently holds the GCIA certification and is an expert in network engineering and in systems, network, and Web administration. Mike is an author of the international best-selling Snort series of books from Syngress, a member of the Honeynet Project, and a handler for the SANS Internet Storm Center.

Here is What Students Say About Mike Poor:

"Mike respects what we are here for and doesn't rush us out. He takes the time to explain problem areas." - Aaron Didier, Motorola Solutions

Justin Searle

Justin Searle is the Director of ICS Security at InGuardians, specializing in ICS security architecture design and penetration testing. Justin led the Smart Grid Security Architecture group in the creation of NIST Interagency Report 7628 and has played key roles in the Advanced Security Acceleration Project for the Smart Grid (ASAP-SG), National Electric Sector Cybersecurity Organization Resources (NESCOR), and Smart Grid Interoperability Panel (SGIP).

Justin has taught courses in hacking techniques, forensics, networking, and intrusion detection for multiple universities, corporations, and security conferences. Mr. Searle is currently a Senior Instructor for the SANS Institute. In addition to electric power industry conferences, Justin frequently presents at top international security conferences such as Black Hat, DEFCON, OWASP, Nullcon, and AusCERT. Justin co-leads prominent open source projects including the Control Thing Platform, Samurai Web Testing Framework (SamuraiWTF), and Samurai Security Testing Framework for Utilities (SamuraiSTFU). Justin has an MBA in International Technology and is a CISSP and SANS GIAC certified Incident Handler (GCIH), Intrusion Analyst (GCIA), Web Application Penetration Tester (GWAPT), and GIAC Industrial Control Security Professional (GICSP).

Dave Shackleford

Dave Shackleford is the owner and principal consultant of Voodoo Security and a SANS analyst, senior instructor, and course author. He has consulted with hundreds of organizations in the areas of security, regulatory compliance, and network architecture and engineering, and is a VMware vExpert with extensive experience designing and configuring secure virtualized infrastructures. He has previously worked as CSO for Configuresoft, CTO for the Center for Internet Security, and as a security architect, analyst, and manager for several Fortune 500 companies. Dave is the author of the Sybex book Virtualization Security: Protecting Virtualized Environments, as well as the coauthor of Hands-On Information Security from Course Technology. Recently Dave coauthored the first published course on virtualization security for the SANS Institute. Dave currently serves on the board of directors at the SANS Technology Institute and helps lead the Atlanta chapter of the Cloud Security Alliance. Dave earned his MBA from Georgia State University.

James Shewmaker

James Shewmaker is the founder and principal consultant at Bluenotch Corporation, Long Beach, California, which provides customized security services focusing on investigations, penetration testing, and analysis. 

James authored and maintains the post-exploitation content in the SANS Security 660: Advanced Penetration Testing, Exploit Writing, and Ethical Hacking course. Before becoming a SANS Certified Instructor in 2009, his creative technical work led him on many adventures, including "The Great Translator Invasion of 2003".

James led the development and operations for NetWars as a US Cyber Challenge game in June 2009. He is currently developing an independent cyber challenge, Bunker011, and is involved in the US Cyber Challenge as an instructor at Cyber Camps. James regularly teaches a Tactical Offense and Defense day at these events.

Raul Siles

Raul Siles is founder and senior security analyst at DinoSec. For over a decade, he has applied his expertise performing advanced technical security services and innovating offensive and defensive solutions for large enterprises and organisations in various industries worldwide. He has been involved in security architecture design and reviews, penetration tests, incident handling, intrusion and forensic analysis, security assessments and vulnerability disclosure, web applications, mobile and wireless environments, and security research in new technologies. Throughout his career, starting with a strong technical background in networks, systems and applications in mission critical environments, he has worked as an information security expert, engineer, researcher and penetration tester at Hewlett Packard, as an independent consultant, and at his own companies, Taddong and DinoSec.

Raul is a certified instructor for the SANS Institute, regularly teaching penetration testing courses. He is an active speaker at international security conferences and events, such as RootedCON, Black Hat, OWASP, BruCON, etc. Mr. Siles is author of security training courses, blogs, books, articles, and tools, and actively contributes to community and open-source projects. He loves security challenges, and has been a member of international organisations, such as the Honeynet Project or the SANS Internet Storm Center. Raul is one of the few individuals worldwide who have earned the GIAC Security Expert (GSE) designation, as well as many other certifications. Raul holds a master's degree in computer science from UPM (Spain) and a postgraduate in security and e-commerce.

More information at (@raulsiles) and (@dinosec).

Here is What Students Say About Raul Siles:

"Raul is a top bloke, absolute genius, would recommend the course based on his teaching skills alone!!" - Nic Trujillo, VM

Stephen Sims

Stephen Sims began working on computers at a young age with a fellow enthusiast: his father. Amazed by how easy it was to change an application's intended behavior, Stephen was quickly hooked. Today, he's an industry expert with over 15 years of experience in information technology and security.

Stephen has worked for Wells Fargo, Charles Schwab, and CSC, and is now a full-time consultant helping clients with product security testing, reverse engineering, penetration testing, exploit development, threat modeling, secure coding, and more, giving him ample opportunity to use his skills in a variety of ways. "You will never know everything in this field and there are so many directions one can take," he says. "If you ever get bored with an area in security you can change over to a hundred other exciting roles."

Shortly after launching his career, Stephen set the goal of becoming a SANS instructor. After attending a SANS training in 2003, he was blown away by the knowledge and presentation skills of the instructor. "SANS also gives so much back to the community through immersion programs and scholarships to veterans and underrepresented groups," says Stephen. "I set becoming a SANS instructor as a goal of mine and went after it."

Stephen became a SANS instructor in 2006, and today is curriculum lead for SANS Penetration Testing and SANS Cyber Defense and faculty fellow for the SANS Institute. He authored SANS' only 700-level course, SEC760: Advanced Exploit Development for Penetration Testers, which concentrates on complex heap overflows, patch diffing, and client-side exploits. And he's the lead author of SEC660: Advanced Penetration Testing, Exploits, and Ethical Hacking. In the classroom, you'll find him teaching these courses along with SEC401: Security Essentials Bootcamp Style and SEC501: Advanced Security Essentials - Enterprise Defender.

As an instructor, Stephen enjoys watching his students work through a problem to completion, either on their own or in collaboration with another student. "You learn a lot more when you work hard to solve a complex problem without asking for assistance," he says, noting that you should never be afraid to ask for help when you need it. "Sometimes we all need a little nudge in the right direction, but it's always best to exhaust all possibilities first."

Stephen says his most successful students are ones who come to class well-rested and with an open mind. "Be prepared to have to work through solutions and spend additional time after class is over to go back through in order to absorb all of the material," he says.

Stephen is the 9th person in the world to receive the prestigious GIAC Security Expert certification (GSE). He is a Certified Information Systems Auditor (CISA) and certified Immunity Network Offense Professional (Immunity NOP), along with many other certifications.

An author of the Gray Hat Hacking book series, Stephen holds a master's degree in information assurance from Norwich University. A frequent presenter, Stephen has spoken at RSA USA for the past five years and was keynote speaker for the 2019 event. He's also presented at OWASP AppSec, BSidesCharm, AISA, and more. When he's not working, you'll find him hitting the slopes on his snowboard and writing music.

Student Quotes

  • "Looking at everything I have learned from Stephen, I definitely feel I have gained an edge when it comes to the augmentation of my pentest skills. He made the impossible understandable and I am grateful for that." - Alexander Cobblah, Booz Allen Hamilton

Summary of Credentials

  • GSE Number 9 (GIAC Security Expert)
  • CISA (Certified Information Systems Auditor)
  • CISSP (Certified Information Systems Security Professional)
  • Immunity NOP (Immunity Network Offense Professional)

Ed Skoudis

Ed Skoudis has taught cyber incident response and advanced penetration testing techniques to more than 12,000 cybersecurity professionals. He is a SANS Faculty Fellow and the lead for the SANS Penetration Testing Curriculum. His courses distill the essence of real-world, front-line case studies he accumulates because he is consistently one of the first experts brought in to provide after-attack analysis on major breaches where credit card and other sensitive financial data is lost.

Ed led the team that built NetWars, the low-cost, widely used cyber training and skills assessment ranges relied upon by military units and corporations with major assets at risk. His team also built CyberCity, the fully authentic urban cyber warfare simulator that was featured on the front page of the Washington Post. He was also the expert called in by the White House to test the security viability of the Trusted Internet Connection (TIC) that now protects US Government networks, and he led the team that first publicly demonstrated significant security flaws in virtual machine technology. He has a rare capability of translating advanced technical knowledge into easy-to-master guidance, as the popularity of his step-by-step Counter Hack books testifies. Ed earned an M.S. in Information Networking from Carnegie Mellon University, and his B.S. in Electrical Engineering from the University of Michigan, summa cum laude.

Here is a SANS Summit presentation by Ed Skoudis:

John Strand

John Strand is the owner of Black Hills Information Security, a firm specializing in penetration testing, Active Defense and Hunt Teaming services. He is also the CTO of Active Countermeasures, a firm dedicated to tracking advanced attackers inside and outside your network.

John is an experienced speaker, having done presentations to the FBI, NASA, the NSA and at various industry conferences. He is a senior instructor with the SANS Institute teaching:

  • SEC504 - Hacker Techniques, Exploits, and Incident Handling
  • SEC560 - Network Penetration Testing and Ethical Hacking
  • SEC580 - Metasploit Kung Fu for Enterprise Pen Testing
  • SEC550 - Offensive Countermeasures, Active Defense and Cyber Deception

And the lead course author of:

SANS 504: Hacker Techniques, Exploits, and Incident Handling

He also co-hosts Security Weekly, the world's largest information security podcast; co-authored Offensive Countermeasures: The Art of Active Defense; and writes loud rock music and makes various futile attempts at fly-fishing.

Here is What Students Say About John Strand:

"Very informative! Mr. John Strand's experience shared through narrative brings course material to life." - Christopher Wilson, USAF

Below are some videos of John presenting:

Burn it all, the new security fundamentals

Sacred Cash Cow Tipping: Bypassing Firewalls and DLP

Pentest Trends report 2015

How not to suck at penetration testing

Here is a SANS Summit presentation by John Strand:

Peter Szczepankiewicz

Formerly working with the military, Peter responded to network attacks, and worked with both defensive and offensive red teams. Currently, Peter is a Senior Security Engineer with IBM as well as a certified instructor for the SANS Institute. People lead technology, not the other way around. He works daily to bring actionable intelligence out of disparate security devices for customers, making systems interoperable. Peter expounds, "Putting together networks only to tear them apart, is just plain fun, and allows students to take the information learned from books and this hands-on experience back to their particular work place."

Here is What Students Say About Peter Szczepankiewicz:

"Peter is a great instructor. He is not only knowledgeable in the field, but captured everyone's attention for the full class time. Great instructor!" - Michael B., US Government

Jonathan Thyer

Jonathan (Joff) is a Senior Security Consultant, Researcher, and Penetration tester with Black Hills Information Security. Joff has over 20 years of experience in the IT industry as an enterprise network architect, network security defender, information security consultant, software developer and penetration tester. Joff has extensive experience covering intrusion prevention/detection systems, infrastructure defense, vulnerability analysis, defense bypass, source code analysis, and exploit research with related software development skills in multiple programming languages.

Joff is a certified SANS instructor for SEC573: Automating Information Security with Python, has mentored SANS SEC503, and also taught mastering packet analysis for SANS. Joff is also a co-host on the Security Weekly podcast, which features latest information security news, research, interviews, and technical information.

Joff holds a B.Sc. in Mathematics, an M.Sc. in Computer Science, and GIAC penetration testing certifications GPEN, GWAPT, and GXPN.

Alissa Torres

Alissa Torres is an explorer at heart. Uncovering the full story of an attacker's exploits requires digging into known and unknown forensic artifacts, and this excavation is exactly what intrigues her. With more than 15 years of experience in computer and network security spanning government, academic, and corporate environments, Alissa has the deep experience and technical savvy to take on even the most difficult computer forensics challenges that come her way. Her current role as an Incident Response Manager at Cargill provides daily challenges "in the trenches" and demands constant technical growth. Alissa is also founder of her own firm, Sibertor Forensics, and has taught internationally in more than 10 countries.

Memory forensics is a bleeding-edge field of Digital Forensics & Incident Response (DFIR), and Alissa is the lead author as well as an instructor of FOR526: Memory Forensics In-Depth and co-author of the SANS Memory Forensics Poster. She also teaches FOR500: Windows Forensic Analysis; FOR508: Advanced Digital Forensics, Incident Response, and Threat Hunting; and SEC504: Hacker Tools, Techniques, Exploits and Incident Handling.

Alissa was introduced to digital forensics during her four years of service in the U.S. Marine Corps. She moved on to various technical roles at KEYW Corporation, Northrop Grumman Information Systems, and as part of Mandiant's computer incident response team (MCIRT). Alissa has worked as an instructor at the U.S. Cyber Challenge Camps and at the Defense Cyber Investigations Training Academy (DCITA), delivering incident response and network basics to security professionals entering the forensics community. She is passionate about sharing knowledge, presenting annually at regional and national industry conferences and encouraging women's participation in science, technology, engineering, and math through regional outreach programs.

As both an investigator and instructor, Alissa has a constant and infectious desire to always learn more and question everything, an ethos embodied in the SANS DFIR classes. "Our curriculum ensures students gain an understanding of why an artifact matters and how the tools interpret the data," Alissa explains. An inquisitive nature can be the determining factor in investigative success, as Alissa learned when she identified a critical error in one of her team's web proxy timeline procedures. This discovery allowed for the correction of contractual fraud investigations involving the U.S. government. Sharing personal success stories like this one gives students real-world applications for the material they are learning and inspires them to evaluate and optimize their own investigative processes, whether in incident response, digital forensic investigations, or internal offensive reconnaissance.

As attackers learn how forensic investigators work, they become increasingly sophisticated at leaving fewer traces behind. "We are in an arms race where the key difference is training," says Alissa. Toward that end, she encourages her students to ask more questions, grow the common body of knowledge, and make a difference in the digital forensics community. Her teaching style is best described as a type of "exposure therapy" that introduces concepts but then pushes students to get behind the keyboard and apply these concepts themselves.

Alissa's true passion is memory forensics, a rapidly evolving area of expertise for both attackers and defenders. As malware strives for a minimal footprint on the host, the battlefield exists in system memory. Alissa's students take the skills taught in FOR526 and move their investigations forward, in some cases even uncovering new details in their cases before the week-long class ends.

Alissa has a B.S. from the University of Virginia and an M.S. in information technology from the University of Maryland. She is a GIAC Certified Forensic Analyst (GCFA), and holds the GCFE, GCIH, GSEC, CISSP, and EnCE certifications. Alissa has served as a member of the GIAC Advisory Board since 2013 and was recognized by SC Magazine as one of its "2016 Women to Watch." Needless to say, she stays pretty busy. When not enmeshed in metadata and memory structures, Alissa catches every soccer game she can, cheering at her kids' games and scheming to attend matches of her favorite team, Everton. In what time she has left from constant cybersecurity vigilance, Alissa enjoys hiking in the Puerto Rican rain forest and scaling rocks at Big Sur.

Qualifications Summary


  • GIAC Security Essentials Certification (GSEC), June 2015
  • GIAC Certified Incident Handler (GCIH), June 2014
  • GIAC Reverse Engineering Malware (GREM), July 2013
  • GIAC Certified Forensic Examiner (GCFE), January 2013
  • Certified Forensic Computer Examiner (CFCE), December 2012
  • GIAC Certified Penetration Tester (GPEN), July 2012
  • GIAC Certified Forensic Analyst (GCFA), November 2011
  • Certified Information Systems Security Professional (CISSP), December 2010
  • EnCase Certified Examiner (EnCE), July 2010 - July 2019

Here is What Students Say About Alissa Torres:

"I love the energy of Alissa Torres' presentation style." - Scott S., US Govt.

"Alissa kept it interesting by pulling from her past experience and demonstrated great passion for the subject." - Matt Leach

"Alissa's teaching skills are remarkable - she is great." - Serge Tumba, GE Capital

"Fantastic- Energetic- Knowledgeable" - Dennis Mooney, Vanguard

"I highly recommend Alissa and SANS computer forensics courses. In April 2015 I attended the SANS Forensics 508: Advanced Digital Forensics and Incident Response (FOR508) course. I had high expectations for the course based on my team lead's recommendation. Alissa and the course exceeded my expectations. Alissa is an outstanding instructor, and SANS FOR508 was the best information security course I have attended. She mixed energy, knowledge, and experience to keep the content productive, relevant, and interesting. I look forward to attending more SANS courses instructed by Alissa." - Chad Rager, Computer Forensic Engineer at ManTech

"This course is known throughout the industry as THE advanced IR and Threat Hunting course. This combined with Alissa's awesome teaching style makes it worth every penny! Alissa's subject matter expertise, enthusiasm, and insights are second to none! Her personalized attention to simulcast viewers was particularly nice because it felt like we were part of the class." - Will Harmon, Trustwave

"Instructors like Alissa are why people keep coming back to SANS. Awesomeness and non-stop energy. She is one of my favorite instructors I've had from SANS, right up there with the likes of Ed Skoudis, John Strand, and Eric Cole. A brilliant presenter who keeps it fun, informative, and turns what other people could make sleep inducing, into non-stop engaging." - Eric Donaldson, Discover Financial Services

Matthew Toussain


When he gets the chance, Matthew Toussain loves to take on an offbeat challenge. He's turned a closet into a server room, a table into a computer and a '76 Mustang into an electric car. He's also built an Alexa-enabled home entertainment system out of a car amp, a Raspberry Pi, a computer power supply unit, sheet metal, and plexiglass. It's that ingenuity that underscores his work as a certified SANS instructor.

Matthew has been a SANS instructor since 2016, and the inspiration that brought him here actually came from another instructor. "A SANS instructor changed my destiny," says Matthew. "The opportunity to have that kind of elemental impact on a newcomer's information security journey is singular, rare, and profound. I'm just glad for the chance to take part."

Since graduating from the U.S. Air Force Academy in 2012 with a B.S. in computer science, he has served as the senior cyber tactics development lead for the U.S. Air Force (USAF) and worked as a security analyst for Black Hills Information Security. In 2014, he started Open Security, which performs full-spectrum vulnerability risk assessments. 

His experience outside the classroom has given him opportunities to work on initiatives designed to protect people from terrorism. "I had a small part in national cyber defense. Specifically, after the Paris bombings on Nov. 13, 2015, I worked on programs designed to provide some additional early warning in the event of similar orchestrated attacks in the future."

For SANS, Matthew teaches SEC460: Enterprise Threat and Vulnerability Assessment and SEC560: Network Penetration Testing and Ethical Hacking. He worked with other SANS instructors to develop SEC460, Enterprise Threat and Vulnerability Assessment. Of the new course, Matthew writes, "Because SEC460 is a foundational course in the SANS penetration testing curriculum, it is itself a herald and a promise. For some newcomers, the first adventure with SANS is the spark of awakening for their inner hacker. It acts as a catalyst facilitating personal evolution and even genesis of a lifelong passion. The course authors, Adrien de Beaupre, Tim Medin, and myself, have meticulously crafted the SEC460 challenge to be a formative experience, attainable by all yet elementary to none."

An avid runner who also plays piano, guitar and violin, Matthew lives in Texas with a multitude of Cisco switches. In addition to teaching at SANS, he is an avid supporter of cyber competitions and participates as a red team member or mentor for the Collegiate Cyber Defense Competition (CCDC), the annual NSA-led event Cybersecurity Defense Exercise (CDX), and SANS Institute's NetWars.

Summary of Credentials:

Qualifications Summary

  • Information security expert since 2008
  • Certified GIAC Security Expert (GSE)
  • Open source developer - Subterfuge Project, Acheron, Prismatica
  • SANS SEC460 course author
  • Red teamer and/or mentor for the CCDC, the CDX and NetWars 
  • Guest instructor at the University of Texas San Antonio
  • Guest speaker at various infosec conferences, including at the 20th anniversary of DEFCON

Get to Know Matthew Toussain


  • GSE (GIAC Security Expert)
  • CEH (Certified Ethical Hacker)
  • GSEC (GIAC Security Essentials)
  • GCIA (GIAC Certified Incident Analyst)
  • GMOB (GIAC Mobile Device Security Analyst)
  • GPEN (GIAC Certified Penetration Tester)
  • GCIH (GIAC Certified Incident Handler)
  • GCCC (GIAC Critical Controls Certification)
  • GCPM (GIAC Certified Project Manager)
  • Palo Alto EDU-201
  • Security+

Arrigo Triulzi


Arrigo Triulzi, trained in Pure Mathematics, holds an MSc in Mathematical Computation from Queen Mary, University of London, and is working towards a PhD in Algebraic Computation. He is co-founder and Chief Security Officer of K2 Defender Limited, a bespoke high-end IDS solutions provider. Arrigo is also a freelance consultant in IT Security with particular expertise in secure network design, network security analysis, and incident handling. He is also the administrator of the IDS Europe mailing list. Having worked with both popular and less common flavours of Unix, he is comfortable working in any heterogeneous networking environment, and his knowledge also includes esoteric operating systems such as Guardian/NSK. Arrigo is co-inventor on an EU patent for a high-performance distributed IDS design, and has written on a variety of security topics. Recent work includes web research into IDS deployment on IPv6, firewall verification using IDS, and distributed concept viruses. Arrigo is also a certified instructor for the SANS Institute.

Dr. Johannes Ullrich


Johannes is currently responsible for the SANS Internet Storm Center (ISC) and the GIAC Gold program. In 2000, he founded, which is now the data collection engine behind the ISC. His work with the ISC has been widely recognized, and in 2004, Network World named him one of the 50 most powerful people in the networking industry. Prior to working for SANS, Johannes worked as a lead support engineer for a web development company and as a research physicist. Johannes holds a PhD in physics from SUNY Albany and is based in Jacksonville, Florida. His daily podcast summarizes current security news in a concise format. Listen to Johannes discuss "HTML5: Risky Business or Hidden Security Tool Chest for Mobile Web App Authentication" in this SANS webcast.

Here is What Students Say About Dr. Johannes Ullrich:

"Dr. Ullrich is a dynamic speaker, very engaging & has good "nerd humor". Keep up good work!" - Shelly Lewis, PwC

Erik Van Buggenhout


Erik Van Buggenhout is the lead author of SEC599 - Defeating Advanced Adversaries. In addition to SEC599, Erik teaches SEC560 - Network Penetration Testing & Ethical Hacking and SEC542 - Web Application Penetration Testing & Ethical Hacking. He has been involved with SANS since 2009, first as a Mentor, working his way to Community Instructor in 2012 and finally becoming a Certified Instructor in 2016.

Erik loves explaining deeply technical concepts by using war stories, adding a few funny anecdotes here and there. As a testimony of his technical expertise, he has obtained the GSE, GCIA, GNFA, GPEN, GWAPT, GCIH, and GSEC certifications.

In addition to his work with SANS, Erik is the co-founder of Belgian cyber security firm NVISO, which focuses on high-end cyber security services, specializing in government, defense and the financial sector. Together with his team of 20+ technical experts, Erik delivers a wide array of technical security services, including penetration testing, security monitoring & incident response.

Prior to NVISO, Erik spent five years at a Big 4 firm, starting as a junior penetration tester and evolving into a subject matter expert for the EMEA region.

A self-confessed speed walker, Erik can often be seen rushing around at conferences; if you see him, feel free to stop him and say "Hi!"

Here is What Students Say About Erik Van Buggenhout:

"Erik is a great instructor. The course as a whole has been amazing, the way Erik prepared and taught it." - Wouter Doerflein, Ordina

Donald Williams


Donald retired from active duty in 2014 after over 20 years of service in the U.S. Army. He has extensive experience in incident handling, intrusion analysis, and network auditing. During his career in the Army, he served as the Defensive Cyber Operations Chief for the Army's Regional Computer Emergency Response Team in South West Asia (RCERT-SWA), directly overseeing the intrusion analysis and incident response teams for one of the Army's largest networks spanning over 10 countries. Donald holds several GIAC certifications, including the GIAC Security Expert (GSE), GCIH, GCIA, and GSNA certifications, as well as numerous other industry certifications.

Here is What Students Say About Donald Williams:

"Don has a great sense of humor, fantastic energy and clearly deep deep knowledge." - John Shea, Eaton Vance

Jake Williams


When a complex cyber attack put a private equity investment of more than $700 million on hold, the stakes couldn't have been higher. But that's exactly the kind of challenge that motivates Jake Williams, a computer science and information security expert, U.S. Army veteran, certified SANS instructor and co-author of FOR526: Memory Forensics In-Depth and FOR578: Cyber Threat Intelligence. To help mitigate the attack, Jake plied his information security expertise, discovered that not one but three different attackers had compromised the firm's network, and went about countering their moves.

Jake relishes the idea of meeting adversaries on the cyber battlefield. "I went into this field because I wanted a challenge," he says. "Infosec is like a game of chess to me. The attacker plays their moves and you play yours."

Jake started his information security career doing classified work with the U.S. government and was awarded the National Security Agency (NSA) Exceptional Civilian Service Award, which is given to fewer than 20 people annually. "I am immensely proud of the things I've accomplished," Jake says. "I'm positive the world is a safer place because of my work."

Today, Jake runs a successful Infosec consultancy. He's been involved in high-profile public sector cases including the malware analysis for the 2015 cyber attack on the Ukraine power grid. He's also tackled a variety of cases in the private sector. In one, Jake discovered attackers compromising a custom service the client had distributed to all its endpoints. Leveraging experience and insight with advanced persistent threats helped Jake "think like the attacker" and determine the attacker's likely hiding spots.

Jake's work has led to his invention of DropSmack, a proof-of-concept tool for highlighting the danger that cloud-based file sharing services pose to corporate networks, and the creation of ADD (Attention Deficit Disorder), a publicly-available memory anti-forensics toolkit.

Jake's work also led him to teaching. "I chose to be a SANS instructor because they are the very best in the business. Others talk about being the best, but SANS actually is the best," he says. "I love teaching people, but it goes beyond teaching for me. With many students, I'm making lasting professional relationships. Students come back again and again and have a lifelong learning relationship with SANS." 

Jake teaches a variety of classes (SEC503, SEC504, SEC660, SEC760, FOR508, FOR526, FOR578, FOR610) and prefers an active learning approach, using demos rather than slides to teach lessons. "It takes me back to my first exploits and I get the chance to relive that magical feeling all over again," he explains.

More importantly, Jake wants students to walk out of class being able to critically analyze a problem, discover a solution, and do something they couldn't do before. "I don't teach button-clicking steps, my goal is to ensure students understand how to take concepts from the class and apply them to their own cases and engagements."

Given his accomplishments, it should come as no surprise that Jake lives, sleeps, and breathes Infosec. When he's not teaching, he's consulting. He's a regular speaker at industry conferences including DC3, BSides (including BSides Las Vegas), DEFCON, Blackhat, Shmoocon, EnFuse, ISSA Summits, ISACA Summits, SANS Summits, and Distributech. He has also presented security topics to a number of Fortune 100 executives.

Jake is also a two-time victor at the annual DC3 Digital Forensics Challenge. He drew on his passion for hands-on capture-the-flag events to design the critically acclaimed NetWars challenges for the SANS malware reversing and memory forensics courses.

Qualifications Summary:

GIAC Certifications:

  • GIAC Security Expert (GSE), March 2016
  • GIAC Security Essentials Certification (GSEC), June 2015
  • GIAC Exploit Researcher and Advanced Penetration Tester (GXPN), March 2015
  • GIAC Certified Forensic Analyst (GCFA), October 2013
  • GIAC Penetration Tester (GPEN), January 2013
  • GIAC Certified Incident Handler (GCIH), January 2013
  • GIAC Certified Intrusion Analyst (GCIA), December 2012
  • GIAC Certified Windows Security Administrator (GCWN), November 2012
  • GIAC Reverse Engineering Malware (GREM), October 2012
  • GIAC Certified Forensic Examiner (GCFE), September 2012
  • GIAC Systems and Network Auditor (GSNA), February 2012

Get to Know Jake Williams:


Here's What Students Are Saying about Instructor Jake Williams:

"Jake's teaching style and practical experience totally make the course." - Andrew Nelson, Chevron

"Jake is awesome! The experience is massive!" - Late Adodo Placca, iProcess International

"Provides great balance between structured analytical approaches and technical analysis." - Ladell Marshall, Goldman Sachs

"Jake goes off-book in a good way, sharing useful tools & information in addition to the already-included useful tools & info." - Robin Stuart, Salesforce


Joshua Wright


Rogue hacker-turned-infosec-professional, Joshua Wright initially got into the infosec field after getting caught hacking, uncovering a vulnerability disclosure in the process. With the threat of a lawsuit looming, Joshua decided to pursue good over evil, launching his infosec career in 1997 with Johnson & Wales University. Since then, he's worked at five companies and today serves as director and senior security analyst for CounterHack, a company devoted to the development of information security challenges for education, evaluation, and competition.

Through his experiences as a penetration tester, Joshua has worked with hundreds of organizations on attacking and defending mobile devices and wireless systems, ethically disclosing significant product and protocol security weaknesses to well-known organizations.

A hacker at heart, Joshua admits that his current role is his most interesting job so far because he gets the chance to hack into credit card processing systems, gambling casinos, and smart shower systems to learn the mistakes developers and system designers make and figure out how to exploit them. He also loves the thrill of developing the annual Holiday Hack Challenge, which gives him the chance to add new and exciting challenges that reflect modern technology while appealing to a wide audience of players of different ages and experience levels.

In 2003, Joshua also began teaching for SANS as a way to combine his interests in hacking and teaching. Today, as author of SEC504: Hacker Tools, Techniques, Exploits, and Incident Handling and instructor of SEC575: Mobile Device Security and Ethical Hacking, Joshua turns his experience hacking into customer networks into real-world case studies that students can relate to. "I really enjoy seeing my students make mistakes, realize the mistake, and immediately benefit from the realization," he says.

One of Joshua's favorite student interactions was working with a blind student who never let his physical challenges hold him back from achieving great things. He's found that his most successful students in the classroom are "those who push themselves to struggle and stumble, then recover and accomplish new goals with my support."

In addition to being a SANS instructor, Joshua serves as the technical lead of the innovative SANS NetWars CyberCity, overseeing and managing the development of critical training and educational missions for cyber warriors in the U.S. military, government agencies, and critical infrastructure providers.

Co-author of Hacking Exposed Wireless, 3rd Edition, Joshua is also an open-source software advocate who has conducted cutting-edge research resulting in several software tools that are commonly used to evaluate the security of widely deployed technology targeting WiFi, Bluetooth, and ZigBee wireless systems, smart grid deployments, and the Android and Apple iOS mobile device platforms.

Joshua runs websites for several non-profit organizations where he lives in Rhode Island, volunteers as a photographer for non-profit organizations, and contributes his time and talent taking high school senior portraits and headshots for low-income families. When he's not working, you'll find Joshua spending time with his family and dogs, doing photography, playing guitar, writing, exploring alternative printing from the 1800s using noble metals (platinum, silver nitrate, gold, and palladium), and of course hacking.

Summary of Credentials

Qualifications Summary

Get to Know Joshua Wright