by Ed Skoudis, SANS Faculty Fellow
The SANS Security 560: Network Penetration Testing and Ethical Hacking, is a course that addresses in-depth methods used by professional penetration testers and ethical hackers to find and exploit flaws in a target environment. Additionally, SANS offers a course called SANS Security 504: Hacker Techniques, Exploits, and Incident Handling.
Although both courses deal with computer attacks, there are some important differences between them. The purpose of this brief FAQ is to answer questions regarding the differences between the two courses.
- Focus of SEC504 vs SEC560
- Are the Courses the Same?
- Examples: Metasploit and Password Attacks
- Does SEC560 Supersede 504
- I Took 504, Should I take 560 Next?
- I've Taken None: Where Should I Start?
- More Info about Each Course
- SEC560 vs Other Ethical Hacking Courses
What is the Focus of SANS SEC560, and How Does it Differ from SANS SEC504?
SANS Security 560 deals with penetration testing and ethical hacking, in depth, covering numerous techniques for finding and exploiting flaws in a target environment using a consistent, high-quality testing regimen. SANS Security 504 focuses on incident handling, addressing practical methods for preparing for, detecting, and responding to computer attacks.
In short, 560 covers penetration testing and ethical hacking, while 504 addresses incident handling.
Aren't The Courses Pretty Much the Same?
Not at all. 560 is very different from 504. We cover a variety of different tools in each class. Even when both classes cover the same topic or tool, they cover it from a completely different perspective.
Take Metasploit and Password Attacks as Examples
In 504, we talk about how these attacks work, emphasizing how to defend against them, and addressing how incident handlers can respond to their use. In 560, we get a lot deeper, talking about how to use each and every tool, with detailed, hands-on exercises that cover some of the features that incident handlers don't really need to know about but pen testers will likely use quite often. Incident handlers and penetration testers both need hands-on experience. However, the idea is that incident handlers need to know what the attacks are from a broad perspective so that they can detect and respond to them in their environment. But, incident handlers don't need to know how to launch every one of the attacks we cover, just some of the most important ones. Penetration testers, on the other hand, need to be able to use every tool we analyze, not just recognize its use against their environments.
Thus, SANS 560 has triple the amount of hands-on exercises as 504, which itself includes numerous useful exercises tailored for incident handlers.
From a bottom-line perspective, 504 is more broad because incident handlers need to know about a lot of attack vectors that are typically not allowed for penetration testers by the rules of engagement. For example, incident handlers need to understand how to respond to bots and rootkits. But, the vast majority of penetration testers are prohibited from installing bots or rootkits on target machines.
In the end, 560 is deeper, because penetration testers need hands-on experience with each tool, while 504 is more broad, because incident handlers need to focus on recognizing each tool's use in their environments.
Does SEC560 Supersede 504 or Supplant it?
No. SEC560 does not supersede SEC504. SEC504 is still a vital course, which we will continue to update and offer, supporting people in their careers as incident handlers. SANS Security 560 is for penetration testers and ethical hackers.
I've Already Taken SEC504. Should I Take SEC560 as a Follow-on?
560 was designed as a perfect follow-on for people who have already taken 504 and are looking to get into more depth with tools used in professional penetration testing and ethical hacking. 560 is not recycled 504 material; it is an entirely new class with an entirely new set of slides and exercises.
I've Taken Neither SEC504 nor SEC560. Where Should I Start?
If you are more interested in incident handling, 504 is the course for you. If you need to develop your penetration testing skills, start with 560. Neither course is a pre-requisite for the other.
Where Can I Get More Information About Each Course?
To learn more about SANS Security 504: Hacker Techniques, Exploits, and Incident Handling, go to:
the SEC504 course description here.
To learn more about SANS Security 560: Network Penetration Testing and Ethical Hacking, go to to:
the SEC560 course description here.
SANS SEC560 vs Other Ethical Hacking Courses
Ed Skoudis, SANS Institute Fellow, specifically developed SANS Security 560 to fill a void in really high-quality classes that provide people with hands-on, real-world network penetration testing and ethical hacking skills, organized around the work flow of professional pen testers.
This SANS course, Network Penetration Testing and Ethical Hacking, differs from other penetration testing and ethical hacking courses offered by other organizations in several important ways:
- We get deep into the tools arsenal, with numerous hands-on exercises that show subtle, less-well-known, and undocumented features that are incredibly useful for professional penetration testers and ethical hackers.
- The course discusses how the tools inter-relate with each other in an overall testing process. Rather than just throwing up a bunch of tools and playing with them, we analyze how to leverage information from one tool to get the most bang out of the next tool.
- We focus on the work flow of professional penetration testers and ethical hackers, proceeding step-by-step discussing the most effective means for conducting projects.
- The sessions address common pitfalls that arise in penetration tests and ethical hacking projects, providing real-world strategies and tactics for avoiding these problems to maximize the quality of test results.
- We cover several time saving tactics based on years of in-the- trenches experience from real penetration testers and ethical hackers, actions that might take hours or days unless you know the little secrets we'll cover that will let you surmount a problem in minutes.
- The course stresses the mind-set of successful penetration testers and ethical hackers, which involves balancing the often contravening forces of creative "outside-the-box" thinking, methodical trouble- shooting, carefully weighing risks, following a time-tested process, painstakingly documenting results, and creating a high quality final report that achieves management and technical buy-in.
- We also analyze how penetration testing and ethical hacking should fit into a comprehensive enterprise information security program.