Training Opportunities

To register for a training session, you must be registered for the Summit. If you are already registered and you would like to add on a training, you may do so in your personal registration portal which you can access from your registration confirmation email or email NCS@eventpowersupport.com for assistance. If you have not registered for the Summit, you may register now below.

REGISTER NOW
 

Training Sessions | Monday, September 21, 2026

The Adversarial Mindset: A Practical Threat Modeling Workshop for Engineering and Security Teams
Training by: AppSec Mindset
Instructors: Mudassir Syed, Founder
Date: Monday, September 21, 2026 | 9:00 a.m. - 4:00 p.m.
Price: $500.00
Description:
Most teams know they should threat model, but few know how to make it stick, Threat modeling frameworks exist but the harder problem is knowing which to use, when, and how they connect. This workshop bridges STRIDE, OWASP threat categories, MITRE, design principles, and attack paths into a single, cohesive mental model built progressively with each concept reinforcing the last until adversarial thinking becomes instinct.
Designed for developers, security champions, architects, AppSec teams, and technical leaders, the course emphasizes application over theory: not just what each framework offers, but when to reach for it and how to move between them under real design constraints.
Participants leave able to analyze systems across multiple threat lenses, surface realistic attack paths, and translate adversarial thinking into concrete engineering outcomes, the mitigations, security requirements, and design decisions, without defaulting to a single methodology.
The result is a durable mental model that travels into every design conversation.


Ghost-Level Tradecraft:  Building Stealthy AI Operations for Adversary Simulation
Training by: RealHax
Instructors: Royce Davis, Lead Trainer
Date: Monday, September 21, 2026 | 9:00 a.m. - 4:00 p.m.
Price: $650.00
Description:
What happens when you let an AI agent operate on a live beacon? In this hands-on continuation of “Ghost-Level Tradecraft,” participants move beyond manual tooling and build a controlled, AI-driven operator capable of executing tasks autonomously in a live adversary simulation. Students will begin by observing how an unconstrained AI agent behaves in a real environment—often producing noisy, inefficient, or invalid actions that highlight the risks of autonomous operation. From there, they will design a structured orchestration harness that limits execution to well-defined custom capabilities, enabling the agent to operate in a controlled and stealthy manner. The course emphasizes practical techniques for transforming unreliable automation into disciplined, goal-driven workflows. By the end of the session, participants will have a working AI operator capable of performing autonomous host triage and a clear understanding of how to expand its capabilities to support real-world adversary simulation operations using predictable and safe-to-execute tools.


RMF 2.0 in Practice: Operating in Today’s DoD Environment
Training by: Cyber Brews LLC
Instructor: Karen Williams, CEO
Date: Monday, September 21, 2026 | 9:00 a.m. - 4:00 p.m.
Price: $500.00
Description:
As the Department of Defense evolves its approach to cybersecurity risk, many organizations are navigating uncertainty around what is changing and what remains in force.
Despite emerging governance models such as the Cybersecurity Risk Management and Compliance (CSRMC) approach, federal systems continue to operate under established NIST guidance, including NIST SP 800-37 Rev. 2 (Risk Management Framework), 800-53 Rev. 5, and 800-160.
This workshop provides a practical, real-world walkthrough of how RMF 2.0 is being applied across DoD programs today. Participants will gain a working understanding of the RMF lifecycle—Prepare through Monitor—and how it connects to system security engineering, authorization decisions, assessments, and continuous monitoring.
The course emphasizes how RMF impacts not only cybersecurity teams, but also engineers, program managers, and system owners responsible for delivering and sustaining secure systems in operational environments.


Training Sessions | Tuesday, September 22, 2026

Gain Operational and Strategic Leadership Decision Making Experience Through a Fun Interactive Game
Training by: SANS
Instructors: Kevin Garvey, Instructor
Date: Tuesday, September 22, 2026 | 8:00 a.m. - 12:00 p.m.
Price: $175.00
Description:
Being able to make quick yet confident decisions against relevant cybersecurity scenarios even when you may not know all the facts are a cornerstone to strong and successful cybersecurity leaders. Gaining practice in decision making in real world type scenarios will help grow your confidence in making decisions, synthesize differing opinions all while practicing your communications skills in a fun and learning first environment. Key actionable takeaways for each scenario will be shared for each participant to take with to implement the next day and for the rest of the careers. 


Industrial AI Programming
Training by: SANS
Instructors: Don Weber, Instructor
Date: Tuesday, September 22, 2026 | 9:00 a.m. - 4:00 p.m.
Price: $199.00
Description:
Developers, cybersecurity professionals, and threat actors are turning to AI to help program tools and capabilities. This workshop will take the participants through the journey of developing tools that interact with ICS devices and industrial protocols.
The students will focus their development on a specific PLC that can be configured for different types of industrial protocol communications. The PLC capabilities will be analyzed using AI and tools will be developed to interact with the device. Students will use AI to develop Python scripts that gather device specific information using Modbus and EtherNet/IP protocols. They will use AI to develop Nmap Scripting Engine scripts to automate information gathering from the devices over the network.
AI is a new and quickly evolving landscape. This workshop is designed to help participants understand the complexities and benefits of using AI for development. This will help these individuals, and their organizations, have a better understanding of AI tools and how threat actors are using them to achieve their goals. This understand will help with risk evaluations and mitigation strategies.

Learning Objectives:
Students will be introduced to AI development tools.
Students will understand how ICS device configurations and user manuals aid in the development of tools and malware.
Students will have a better understanding of the risk posed by these technologies but also have a better understanding of how it can benefit their own efforts.


Network Security - Protocol Analysis
Training by: SANS
Instructor: Andy Laman, Instructor
Date: Tuesday, September 22, 2026 | 8:00 a.m. - 12:00 p.m.
Price: $175.00
Description:
Modern systems are designed to communicate and this communication is most likely over interconnected networks. With encryption as the default for modern network communications, security analysts face increasing challenges in detecting threats, understanding application behavior, and performing effective analysis. This hands-on workshop provides participants with practical experience analyzing network traffic. Through a series of guided interactive labs, attendees will capture and examine real-world network traffic, identify encrypted protocols, decode and extract meaningful metadata, and leverage traffic analysis methods to infer activity without direct payload visibility. Participants will also explore decryption using Transport Layer Security (TLS) key logging and session key extraction in a controlled lab environments that enable full packet decryption and inspection.

Learning Objectives:
- Participants will learn different techniques for analyzing network protocols.
- Participants will gain experience decoding application protocols and extracting payloads.
- Participants will analyze encrypted traffic and utilize several decryption techniques.
- Participants will create packets to interact with and analyze network traffic.

System Requirements:
- Laptop with a modern 64-bit processor (ARM/AMD/Intel) running Windows 10 or later, MacOS 11.x or later, or Linux (Ubuntu or similar recommended, Linux kernel version 6 or higher). 
- A docker management application installed on the host laptop, examples include Docker Desktop, Rancher Desktop, or Podman.  A docker container will be provided for this workshop.  
- Wireshark should be installed on host laptop.  This is optional but will likely be beneficial.


Operation Phantom Thread: Tracing the Attacker from First Foothold to Final Exfil
Training by: SANS
Instructor: Carlos Cajigas, Instructor
Date: Tuesday, September 22, 2026 | 9:00 a.m. - 4:00 p.m.
Price: $199.00
Description:
Case Scenario Overview:
An international consulting firm detects suspicious outbound traffic from a financial analyst’s workstation. Initial alerting suggests unauthorized access to internal document repositories. As the investigation begins, incident response uncovers signs of a coordinated intrusion campaign affecting multiple hosts across the network.
Over the course of this instructor-guided simulation, attendees will step into the role of a response team working through a multi-phase intrusion. The case begins with initial access via a malicious backdoor, escalates to persistence and credential abuse, and culminates in lateral movement and data exfiltration.
Analysts will be given evidence files and access to all affected systems, and they’ll work to reconstruct the full attack chain, identify compromised accounts, and map the attacker’s path across the enterprise.

Learning Objectives:
By the end of this simulation, attendees will be able to:
·  Identify common forensic artifacts linked to initial access and payload execution
·  Reconstruct attacker behavior across hosts using log data, timeline artifacts, and file system activity
·  Recognize signs of persistence, privilege escalation, and lateral movement using free tools
·  Trace data staging and exfiltration techniques, including use of covert channels
·  Correlate attacker actions to understand timing, objectives, and impact
·  Practice a structured investigation flow that mirrors real-world incident response operations using free, open-source tools and investigative frameworks

Requirements:
People planning to attend this MUST have an Intel-based system to run the Windows VM that will be provided. The expectation is that they are running Vmware Workstation Pro (player may work). Apple systems must be Intel based and M or ARM chips are not going to be able to run the VM. Some Windows systems are ARM based and that will cause problems as well. Linux users will be okay, but there may be challenges. The interface to the PLC will be a USB-to-Ethernet adapter. So, the users have to have administrative rights on their system to connect an ethernet adapter and configure Vmware’s virtual network settings. Some government systems prevent this and VPN clients might prevent this as well.


Threat Hunting and Criminal Infrastructure Analysis
Training by: SANS
Instructor: Sean O'Connor, Instructor
Date: Tuesday, September 22, 2026 | 9:00 a.m. - 4:00 p.m.
Price: $199.00
Description:
Cybercriminals can't operate without infrastructure. Every phishing campaign, malware operation, ransomware deployment, and underground marketplace depends on domains, IP addresses, certificates, hosting providers, and the service ecosystems that quietly enable them. In this full-day, hands-on workshop, you'll learn to find that infrastructure, fingerprint it, and pivot from a single observable into a full picture of an adversary's operation.
Built directly from labs in SANS FOR589: Cybercrime Investigations, this workshop walks you through a structured, repeatable methodology used by working cybercrime investigators and threat intelligence analysts. You'll start by safely accessing and enumerating the cybercrime underground while practicing operational security (OPSEC) to protect an investigator's identity and intent. From there, you'll dig into the analytical core: understanding indicators and identifiers as Atomic, Behavioral, and Computed artifacts, and learning why behavioral ""adversary preference"" traits are often the hardest for a criminal to change and the most valuable for tracking them.
The heart of the day is practical infrastructure analysis. Using free platforms including Shodan and URLscan.io, you'll discover live criminal infrastructure, archive it for evidentiary and analytical purposes, and pivot across domains, IPs, and TLS certificates treated as composite objects rather than flat indicators. You'll fingerprint bulletproof hosting, malware command-and-control (C2) servers, phishing pages, and forum software, and see how small atomic indicators expand into full infrastructure clusters through disciplined, structured pivoting. A guided case study demonstrates how these techniques map a real multi-stage criminal campaign end-to-end, and a closing exercise has you build a working dossier that links the infrastructure back to the personas and adversaries behind it.
By the end of the day, you'll leave with a methodology you can apply Monday morning, whether you're supporting law enforcement investigations, producing threat intelligence, or hunting criminal activity targeting your organization. The technical prerequisites are intentionally minimal, making this an ideal ""New to CTI"" workshop for investigators, analysts, and researchers looking to add criminal infrastructure analysis to their toolkit.
This workshop supports concepts from the following SANS course: FOR589: Cybercrime Investigations.