SEC595: Applied Data Science and AI/Machine Learning for Cybersecurity Professionals
SEC595Cyber Defense
SANS Community Benefits
Connect, learn, and share with other cybersecurity professionals
| CARVIEW |
Select Language
HTTP/2 301
date: Thu, 02 Oct 2025 01:48:40 GMT
content-type: text/html; charset=iso-8859-1
content-length: 248
x-sc-fargate-level: live
location: https://www.sans.org/white-papers/33901/
set-cookie: visid_incap_1329355=GoX7Lf06Q+m+lPo0NzY/XffZ3WgAAAAAQUIPAAAAAAAvKOufvjS5QyVgqHZSpgXu; expires=Thu, 01 Oct 2026 06:36:21 GMT; HttpOnly; path=/; Domain=.sans.org; Secure; SameSite=None
set-cookie: nlbi_1329355=8BpSMJWivlWhme+83E7M6QAAAACqp9bGHgm2X8ukkCHy0S3D; HttpOnly; path=/; Domain=.sans.org; Secure; SameSite=None
set-cookie: incap_ses_4556_1329355=OWQqab1V1Th3QfFMICo6P/jZ3WgAAAAAltk4lZ6H9Rya6xRQRn4Mmg==; path=/; Domain=.sans.org; Secure; SameSite=None
x-cdn: Imperva
strict-transport-security: max-age=31556926; includeSubdomains
expect-ct: max-age=86400, enforce
x-frame-options: ALLOW FROM https://uat-www.sans.org https://learnmore.sans.org https://shift7-sans.cs67.force.com https://registration.sans.org https://qa-www.sans.org
x-xss-protection: 1; mode=block
referrer-policy: strict-origin-when-cross-origin
x-content-type-options: nosniff
content-security-policy: frame-ancestors 'self' https://registration.sans.org https://learnmore.sans.org https://learnmore.sans.org https://uat-www.sans.org https://qa-www.sans.org
x-iinfo: 43-107660254-107660280 NNNN CT(59 130 0) RT(1759369719849 244) q(0 0 2 0) r(2 2) U11
HTTP/2 308
date: Thu, 02 Oct 2025 01:48:40 GMT
set-cookie: AWSALB=3JykFJxiXK8hFGB5IYtLOF2XLEduuGOn0lOqko+xGtX8mPyBLERYPWq8mhUi3CZcclwe8qe9EMAMq7FGDpNcJcgYXauqsIyG6cxN7FIP5ZzXH1NO0gzXLYmY2g3e; Expires=Thu, 09 Oct 2025 01:48:40 GMT; Path=/
set-cookie: AWSALBCORS=3JykFJxiXK8hFGB5IYtLOF2XLEduuGOn0lOqko+xGtX8mPyBLERYPWq8mhUi3CZcclwe8qe9EMAMq7FGDpNcJcgYXauqsIyG6cxN7FIP5ZzXH1NO0gzXLYmY2g3e; Expires=Thu, 09 Oct 2025 01:48:40 GMT; Path=/; SameSite=None; Secure
location: /white-papers/33901
refresh: 0;url=/white-papers/33901
permissions-policy: camera=(), microphone=(), geolocation=(), payment=()
set-cookie: visid_incap_1329355=GoX7Lf06Q+m+lPo0NzY/XffZ3WgAAAAAQUIPAAAAAAAvKOufvjS5QyVgqHZSpgXu; expires=Thu, 01 Oct 2026 06:36:21 GMT; HttpOnly; path=/; Domain=.sans.org; Secure; SameSite=None
set-cookie: nlbi_1329355_3146539=VtNydVWNC0TwzGK93E7M6QAAAACBPpff/YYlYsQLesSYdQZl; HttpOnly; path=/; Domain=.sans.org; Secure; SameSite=None
x-cdn: Imperva
content-security-policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://*.sans.org/ https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ https://recaptcha.google.com/recaptcha/ https://cdn.jsdelivr.net https://cdn.cookielaw.org https://*.googleapis.com https://*.gstatic.com https://*.google-analytics.com https://*.googletagmanager.com; script-src-elem 'self' 'unsafe-inline' 'unsafe-eval' https://bat.bing.com/ https://*.mountain.com/ https://www.buzzsprout.com/ https://connect.facebook.net/en_US/fbevents.js https://connect.facebook.net/signals/config/ https://www.redditstatic.com/ads/pixel.js https://zn5mzsmkpycxwsqpf-sans.siteintercept.qualtrics.com https://siteintercept.qualtrics.com https://html5.dcatalog.com/dcviewer.js https://cdn.evgnet.com https://*.cdn.optimizely.com https://*.optimizely.com https://addsearch.com https://*.youtube.com/ https://snap.licdn.com/ https://t.vibe.co/ https://s.vibe.co/ https://js.zi-scripts.com/ https://c.lytics.io/ https://*.hotjar.com/ https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ https://recaptcha.google.com/recaptcha/ https://cdn.jsdelivr.net https://cdn.cookielaw.org https://*.googleapis.com https://*.gstatic.com https://*.google-analytics.com https://*.googletagmanager.com; style-src 'self' 'unsafe-inline' https://assets.buzzsprout.com/assets/players/ https://*.sans.org/ https://c.lytics.io/static/pathfora.min.css https://*.googleapis.com; img-src 'self' data: https: blob:; font-src 'self' data: https://script.hotjar.com https://*.gstatic.com; connect-src 'self' https://www.facebook.com/privacy_sandbox/topics/registration/ https://www.redditstatic.com/ads/conversions-config/v1/pixel/ https://pixel-config.reddit.com/pixels/ https://conversions-config.reddit.com/v1/pixel/ https://siteintercept.qualtrics.com https://*.optimizely.com https://sansccybersecurity.us-5.evergage.com https://*.onetrust.com https://personalize-edge.contentstack.com/user-attributes https://*.sans.org/ https://px.ads.linkedin.com/ https://ws.zoominfo.com https://js.zi-scripts.com/ https://t.vibe.co/ https://s.vibe.co/ https://*.sans.org https://*.hotjar.com/ https://*.hotjar.io/ wss://ws.hotjar.com https://www.google.com https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ https://recaptcha.google.com/recaptcha/ https://cdn.cookielaw.org https://geolocation.onetrust.com https://stats.g.doubleclick.net https://*.google-analytics.com https://*.analytics.google.com https://analytics.google.com https://*.googletagmanager.com https://*.contentstack.io https://*.algolia.io https://*.algolia.net https://*.algolianet.com wss://*.algolia.net; frame-src 'self' https://open.spotify.com/ https://www.buzzsprout.com/ https://app.smartsheet.com/ https://*.cdn.optimizely.com/ https://*.optimizely.com/ https://c.lytics.io/ https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ https://recaptcha.google.com/recaptcha/ https://*.youtube.com https://*.google.com; object-src 'none'; base-uri 'self'; form-action 'self'; frame-ancestors 'none'; media-src 'self' https://assets.contentstack.io; upgrade-insecure-requests;
strict-transport-security: max-age=31556926; includeSubdomains
expect-ct: max-age=86400, enforce
x-frame-options: Security Headers PathFactory set XFRAMEOPTS
x-xss-protection: 1; mode=block
referrer-policy: strict-origin-when-cross-origin
x-content-type-options: nosniff
x-iinfo: 43-107660254-107660337 NNNN CT(63 67 0) RT(1759369719849 724) q(0 0 1 -1) r(2 2) U9
HTTP/2 200
date: Thu, 02 Oct 2025 01:48:41 GMT
content-type: text/html; charset=utf-8
set-cookie: AWSALB=kV8G4lR1ByM+tz4/N1sLKPJurTttbOvPC6VzYut9Bpk9Oa1QGJ2V6YiKCf+SSLnN6Y1oegY9Zv7ltB1hIr/Q+UmRAqaHCDmYmXrs/S3aKo4UORv9Owh79tamEiga; Expires=Thu, 09 Oct 2025 01:48:41 GMT; Path=/
set-cookie: AWSALBCORS=kV8G4lR1ByM+tz4/N1sLKPJurTttbOvPC6VzYut9Bpk9Oa1QGJ2V6YiKCf+SSLnN6Y1oegY9Zv7ltB1hIr/Q+UmRAqaHCDmYmXrs/S3aKo4UORv9Owh79tamEiga; Expires=Thu, 09 Oct 2025 01:48:41 GMT; Path=/; SameSite=None; Secure
cache-control: public, max-age=300, stale-while-revalidate=60
vary: RSC, Next-Router-State-Tree, Next-Router-Prefetch, Next-Router-Segment-Prefetch, Accept-Encoding
link: ; rel=preload; as="font"; crossorigin=""; type="font/woff2", ; rel=preload; as="font"; crossorigin=""; type="font/woff2", ; rel=preload; as="font"; crossorigin=""; type="font/woff2", ; rel=preload; as="font"; crossorigin=""; type="font/woff2", ; rel=preload; as="font"; crossorigin=""; type="font/woff2", ; rel=preload; as="font"; crossorigin=""; type="font/woff2", ; rel=preload; as="font"; crossorigin=""; type="font/woff2", ; rel=preload; as="font"; crossorigin=""; type="font/woff2", ; rel=preload; as="font"; crossorigin=""; type="font/woff2", ; rel=preload; as="font"; crossorigin=""; type="font/woff2", ; rel=preload; as="style", ; rel=preload; as="style", ; rel=preload; as="style", ; rel=preload; as="style", ; rel=preload; as="style"
content-encoding: gzip
strict-transport-security: max-age=31536000; includeSubDomains; preload
x-content-type-options: nosniff
referrer-policy: strict-origin-when-cross-origin
permissions-policy: camera=(), microphone=(), geolocation=(), payment=()
set-cookie: visid_incap_1329355=GoX7Lf06Q+m+lPo0NzY/XffZ3WgAAAAAQUIPAAAAAAAvKOufvjS5QyVgqHZSpgXu; expires=Thu, 01 Oct 2026 06:36:21 GMT; HttpOnly; path=/; Domain=.sans.org; Secure; SameSite=None
x-cdn: Imperva
content-security-policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://*.sans.org/ https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ https://recaptcha.google.com/recaptcha/ https://cdn.jsdelivr.net https://cdn.cookielaw.org https://*.googleapis.com https://*.gstatic.com https://*.google-analytics.com https://*.googletagmanager.com; script-src-elem 'self' 'unsafe-inline' 'unsafe-eval' https://bat.bing.com/ https://*.mountain.com/ https://www.buzzsprout.com/ https://connect.facebook.net/en_US/fbevents.js https://connect.facebook.net/signals/config/ https://www.redditstatic.com/ads/pixel.js https://zn5mzsmkpycxwsqpf-sans.siteintercept.qualtrics.com https://siteintercept.qualtrics.com https://html5.dcatalog.com/dcviewer.js https://cdn.evgnet.com https://*.cdn.optimizely.com https://*.optimizely.com https://addsearch.com https://*.youtube.com/ https://snap.licdn.com/ https://t.vibe.co/ https://s.vibe.co/ https://js.zi-scripts.com/ https://c.lytics.io/ https://*.hotjar.com/ https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ https://recaptcha.google.com/recaptcha/ https://cdn.jsdelivr.net https://cdn.cookielaw.org https://*.googleapis.com https://*.gstatic.com https://*.google-analytics.com https://*.googletagmanager.com; style-src 'self' 'unsafe-inline' https://assets.buzzsprout.com/assets/players/ https://*.sans.org/ https://c.lytics.io/static/pathfora.min.css https://*.googleapis.com; img-src 'self' data: https: blob:; font-src 'self' data: https://script.hotjar.com https://*.gstatic.com; connect-src 'self' https://www.facebook.com/privacy_sandbox/topics/registration/ https://www.redditstatic.com/ads/conversions-config/v1/pixel/ https://pixel-config.reddit.com/pixels/ https://conversions-config.reddit.com/v1/pixel/ https://siteintercept.qualtrics.com https://*.optimizely.com https://sansccybersecurity.us-5.evergage.com https://*.onetrust.com https://personalize-edge.contentstack.com/user-attributes https://*.sans.org/ https://px.ads.linkedin.com/ https://ws.zoominfo.com https://js.zi-scripts.com/ https://t.vibe.co/ https://s.vibe.co/ https://*.sans.org https://*.hotjar.com/ https://*.hotjar.io/ wss://ws.hotjar.com https://www.google.com https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ https://recaptcha.google.com/recaptcha/ https://cdn.cookielaw.org https://geolocation.onetrust.com https://stats.g.doubleclick.net https://*.google-analytics.com https://*.analytics.google.com https://analytics.google.com https://*.googletagmanager.com https://*.contentstack.io https://*.algolia.io https://*.algolia.net https://*.algolianet.com wss://*.algolia.net; frame-src 'self' https://open.spotify.com/ https://www.buzzsprout.com/ https://app.smartsheet.com/ https://*.cdn.optimizely.com/ https://*.optimizely.com/ https://c.lytics.io/ https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ https://recaptcha.google.com/recaptcha/ https://*.youtube.com https://*.google.com; object-src 'none'; base-uri 'self'; form-action 'self'; frame-ancestors 'none'; media-src 'self' https://assets.contentstack.io; upgrade-insecure-requests;
strict-transport-security: max-age=31556926; includeSubdomains
expect-ct: max-age=86400, enforce
x-frame-options: Security Headers PathFactory set XFRAMEOPTS
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block
referrer-policy: strict-origin-when-cross-origin
x-content-type-options: nosniff
x-iinfo: 43-107660254-107660337 PNNN RT(1759369719849 1137) q(0 0 0 -1) r(1 1) U9
Incident Handler's Handbook Talk With an Expert
Training
Featured CourseView All Courses
Get a Free Hour of SANS Training
Experience SANS training through course previews.
Learn MoreCan't find what you are looking for?
Let us help.
Contact usJoin the SANS Community
Become a member for instant access to our free resources.
Sign UpInterested in developing a training plan to fit your organization’s needs?
We're here to help.
Contact UsIncident Handler's Handbook
Incident Handler's Handbook (PDF, 1.97MB)Published: 21 Feb, 2012
Created by:
Patrick Kral
One of the greatest challenges facing today's IT professionals is planning and preparing for the unexpected, especially in response to a security incident. An incident is described as any violation of policy, law, or unacceptable act that involves information assets, such as computers, networks, smartphones, etc (Bejtlich, 2005). The scope of this document is limited to the six phases of the incident handling process and providing the basic information necessary as to what each step entails. Its overall purpose is to provide the basic foundation for IT professionals and managers to be able to create their own incident response policies standards and teams within their organizations. This document will also include an incident handler's checklist (template) that one can use to ensure that each of the incident response steps is being followed during an incident.
Additional resources
Related courses
- Slide 1 of 15
FOR589: Cybercrime Investigations
Intermediate FOR589Digital Forensics and Incident Response
- 5 Days (Instructor-Led)
- 30 CPEs / 30 Hours (Self-Paced)
- Labs: 20 Hands-On Labs
- Slide 2 of 15
FOR585: Smartphone Forensic Analysis In-Depth
Essentials FOR585Digital Forensics and Incident Response
- GIAC Advanced Smartphone Forensics (GASF)
- 6 Days (Instructor-Led)
- 36 CPEs / 36 Hours (Self-Paced)
- Labs: 22 Hands-On Labs
- Slide 3 of 15
FOR608: Enterprise-Class Incident Response & Threat Hunting
Intermediate FOR608Digital Forensics and Incident Response
- GIAC Enterprise Incident Responder (GEIR)
- 6 Days (Instructor-Led)
- 36 CPEs / 36 Hours (Self-Paced)
- Labs: 20 Hands-On Labs
- Slide 4 of 15
FOR518: Mac and iOS Forensic Analysis and Incident Response
updatedIntermediate FOR518Digital Forensics and Incident Response
- GIAC iOS and macOS Examiner (GIME)
- 6 Days (Instructor-Led)
- 36 CPEs / 36 Hours (Self-Paced)
- Labs: 23 Hands-On Labs
- Slide 5 of 15
FOR508: Advanced Incident Response, Threat Hunting, and Digital Forensics
updatedIntermediate FOR508Digital Forensics and Incident Response
- GIAC Certified Forensic Analyst (GCFA)
- 6 Days (Instructor-Led)
- 36 CPEs / 36 Hours (Self-Paced)
- Labs: 35 Hands-On Labs
- Slide 6 of 15
FOR610: Reverse-Engineering Malware: Malware Analysis Tools and Techniques
Advanced FOR610Digital Forensics and Incident Response
- GIAC Reverse Engineering Malware (GREM)
- 6 Days (Instructor-Led)
- 36 CPEs / 36 Hours (Self-Paced)
- Labs: 48 Hands-On Labs
- Slide 7 of 15
FOR578: Cyber Threat Intelligence
Intermediate FOR578Digital Forensics and Incident Response
- GIAC Cyber Threat Intelligence (GCTI)
- 6 Days (Instructor-Led)
- 36 CPEs / 36 Hours (Self-Paced)
- Labs: 20 Hands-On Labs
- Slide 8 of 15
FOR509: Enterprise Cloud Forensics and Incident Response
Major UpdatesIntermediate FOR509Digital Forensics and Incident Response
- GIAC Cloud Forensics Responder (GCFR)
- 6 Days (Instructor-Led)
- 36 CPEs / 36 Hours (Self-Paced)
- Labs: 23 Hands-On Labs
- Slide 9 of 15
FOR528: Ransomware and Cyber Extortion
Intermediate FOR528Digital Forensics and Incident Response
- 4 Days (Instructor-Led)
- 24 CPEs / 24 Hours (Self-Paced)
- Labs: 13 Hands-On Labs
- Slide 10 of 15
FOR577: LINUX Incident Response and Threat Hunting
Intermediate FOR577Digital Forensics and Incident Response
- GIAC Linux Incident Responder (GLIR)
- 6 Days (Instructor-Led)
- 36 CPEs / 36 Hours (Self-Paced)
- Labs: 23 Hands-On Labs
- Slide 11 of 15
FOR710: Reverse-Engineering Malware: Advanced Code Analysis
Advanced FOR710Digital Forensics and Incident Response
- 36 CPEs / 36 Hours (Self-Paced)
- Labs: 12 Hands-On Labs
- Slide 12 of 15
FOR498: Digital Acquisition and Rapid Triage
Essentials FOR498Digital Forensics and Incident Response
- GIAC Battlefield Forensics and Acquisition (GBFA)
- 6 Days (Instructor-Led)
- 36 CPEs / 36 Hours (Self-Paced)
- Labs: 20 Hands-On Labs
- Slide 13 of 15
FOR563: Applied AI for Digital Forensics and Incident Response: Leveraging Local Large Language Models
newIntermediate FOR563Digital Forensics and Incident Response- 1 Day (Instructor-Led)
- 6 CPEs / 6 Hours (Self-Paced)
- Labs: 4 Hands-On Labs
- Slide 14 of 15
FOR500: Windows Forensic Analysis
Essentials FOR500Digital Forensics and Incident Response
- GIAC Certified Forensic Examiner (GCFE)
- 6 Days (Instructor-Led)
- 36 CPEs / 36 Hours (Self-Paced)
- Labs: 22 Hands-On Labs
- Slide 15 of 15
FOR572: Advanced Network Forensics: Threat Hunting, Analysis, and Incident Response
Advanced FOR572Digital Forensics and Incident Response
- GIAC Network Forensic Analyst (GNFA)
- 6 Days (Instructor-Led)
- 36 CPEs / 36 Hours (Self-Paced)
- Labs: 20 Hands-On Labs