LDR551: Building and Leading Security Operations Centers

GIAC Security Operations Manager (GSOM)
  • In Person (5 days)
  • Online
30 CPEs

If you are a SOC manager or leader looking to unlock the power of proactive, intelligence-informed cyber defense, then LDR551 is the perfect course for you! In a world where IT environments and threat actors evolve faster than many teams can track, position your SOC to defend against highly motivated threat actors. Highly dynamic modern environments require a cyber defense capability that is forward-looking, fast-paced, and intelligence-driven. This SOC manager training course will guide you through these critical activities from start to finish and teach you how to design defenses with your organization's unique risk profile in mind. Walk away with the ability to align your SOC activities with organizational goals. 17 hands-on exercises + Cyber42 interactive leadership simulations.

What You Will Learn

Prevent - Detect - Respond | People - Process - Technology

Information technology is so tightly woven into the fabric of modern business that cyber risk has become business risk. SOC managers must align to their organization and demonstrate real value - a challenge when threats are hard to quantify and stakeholder requirements for the security team are often vague and difficult to translate. How does a SOC communicate its value and focus on operations that enable the organization? LDR551 breaks down security operations into clear and atomic functions that can be measured and improved. We then tie these core SOC activities to high-level organizational goals for easy communication with the SOC's constituency. Common questions SOC managers face are:

  • How do we know our security teams are aligned to the unique threats facing our organization?
  • How do we get consistent results and prove that we can identify and respond to threats in time to minimize business impact?
  • How can we build a SOC team that is continuously improving, where analysts are empowered to solve problems while focusing on the mission at hand?

Whether you are looking to build a new SOC or take your current team to the next level, LDR551 will super-charge your people, tools, and processes. Each section of LDR551 is packed with hands-on labs that demonstrate key SOC capabilities, and each day concludes with "Cyber42" SOC leadership simulation exercises. Students will learn how to combine SOC staff, processes, and technology in a way that promotes measurable results and covers all manner of infrastructure and organizational requirements. Attackers are always improving, so a SOC that sits still is losing ground. LDR551 will give SOC managers and leaders the tools and mindset required to build the team, process, workflow, and metrics to defend against modern attackers by building the processes for continuously growing, evolving, and improving the SOC team over time.

"There are so many [organizations] that seem to be trying to reinvent the wheel. All they need to do is invest in this course for real world, actionable information that can put them on a solid path toward building, staffing, and leading their own SOC." - Brandi Loveday-Chelsey

What Is A SOC Manager?

A SOC Manager leads an organization's cyber security operations team by developing and guiding implementation of a cyber defense strategy that can minimize the impact of cyber security incidents. Leading a SOC is a complex role that requires merging technical and business sensibilities, and the skills to monitor performance, communicate requirements, and demonstrate results up and down the chain of command.

Business Takeaways

  • Implement strategies for aligning cyber defense to organizational goals
  • Decrease risk profile due to improved security validation tools and techniques
  • Apply methodologies for recruiting, hiring, training, and retaining talented cyber defenders
  • Streamline effective cross-team coordination and collaboration
  • Employ immediate security optimization improvements using current assets
  • Reduce financial spend due to smoother cyber security operations

Skills Learned

  • Construct a strong SOC foundation based on a clear mission, charter, and organizational goals
  • Collect the most important logs and network data
  • Build, train, and empower a diverse team
  • Create playbooks and manage detection use cases
  • Use threat intelligence to focus detection efforts on true priorities
  • Apply threat hunting process and active defense strategies
  • Implement efficient alert triage and investigation workflow
  • Operate effective incident response planning and execution
  • Choose metrics and long-term strategy to improve the SOC
  • Employ team member training, retention, and prevention of burnout
  • Perform SOC assessment through capacity planning, purple team testing, and adversary emulation

Hands-On SOC Manager Training

While LDR551 is focused on management and leadership, it is by no means limited to non-technical processes and theory. The course uses the Cyber42 interactive leadership simulation game to put you in real-world scenarios that spur discussion and critical thinking of situations that you will encounter at work. Throughout the five days of instruction, students will work on seventeen hands-on exercises covering everything from playbook implementation to use case database creation, attack and detection capability prioritization and visualization, purple team planning, threat hunting, and reporting. Attendees will leave with a framework for understanding where a SOC manager should be focusing efforts, how to track and organize defensive capabilities, and how to drive, verify, and communicate SOC improvements.

Hands-on labs include:

  • Section 1: Creating a SOC Mission and Charter, Critical Asset Mapping, Defining SOC Roles, Priority Intelligence Requirements
  • Section 2: Threat Actor Assessment, Cyber Attack Threat Modeling and Data Source Assessments, ATT&CK Navigator for Attacker Technique Prioritization, SOC Capacity Planning
  • Section 3: Detection Rule Management, Measurement, and Visualization, Structuring, Documenting, and Organizing Use Cases, Planning Threat Hunting
  • Section 4: Incident Response Goals and Teamwork, Developing and Implementing SOC Playbooks, Investigation Quality Review
  • Section 5: Creating, Classifying, and Communicating Your Metrics, Purple Team Assessment Planning, Execution and Tracking, SOC Process Improvement

"The labs are great in walking you through practical activities." - Sean Mitchell, Babcock International

"Great labs - will use these a lot." - Andrew Head, dentsu

"[I] liked the Cyber42 game activities as they enforce the concepts learned during the day." - Ilyas Khan, Ericsson

"The exercises while mostly non-technical triggered the thinking process to ensure that all aspects for the building of a SOC are in place." - Wee Hian Peck, INTfinity Consulting PL

Syllabus Summary

  • Section 1: Critical elements necessary to build your Security Operations Center
  • Section 2: Building a threat model, defensive theory, and mental models
  • Section 3: Threat detection and threat modeling
  • Section 4: The full incident response cycle for operations managers
  • Section 5: Measuring and improving security operations

What You Will Receive

  • Custom distribution of the Linux Virtual Machine containing free open-source SOC tools
  • MP3 audio files of the complete course lecture
  • Printed and Electronic Courseware
  • A digital download package that includes the above and more
  • Access to the Cyber42 web application

Syllabus (30 CPEs)

  • Section 1 Overview

    LDR551 starts with the critical elements necessary to build your Security Operations Center: understanding your enemies, planning your requirements, making a physical space, and building your team. Throughout this course section, students will learn how to build a strong foundation upon which a SOC can operate, focusing first on the most important users and data, and tailoring defense plans to threats most likely to impact your organization. Through workflow optimization, information organization, and data collection, you will learn how to ensure that your security operations will hit the ground running as efficiently as possible while protecting privileged SOC users and data.

    • Creating a SOC Mission and Charter
    • Critical Asset Mapping
    • Defining SOC Roles
    • Priority Intelligence Requirements
    • The State of the Cyber Defense Industry - Trends, Problems, and Priorities
    • SOC Planning - Charters, Mission, Team Planning, Org. charts and more
    • Mapping the SOC Functions - Collection, Detection, Triage, Investigation, and Incident Response
    • Team Creation, Hiring, and Training - Building Job Specifications, Interviews, Hiring, Training and More
    • Cyber Threat Intelligence for the SOC - Identifying, Collecting, and Processing the Most Important Sources
    • Building the SOC - Both Physical and Virtual

  • Section 2 Overview

    Section 2 of LDR551 focuses on expanding our understanding of attacker tactics, techniques, and procedures and how we might identify them in our environment. This day discusses defensive theory and mental models that can guide our assessment and planning efforts, data collection and monitoring priorities, and cyber threat intelligence collection. The course focus of this section is ensuring your team has the visibility and data sources required to do the job, and that they will continue to operate without failure for the long term.

    • Threat Actor Assessment
    • Cyber Attack Threat Modeling and Data Source Assessments
    • ATT&CK Navigator for Attacker Technique Prioritization
    • SOC Capacity Planning
    • Cyber Defense Theory and Mental Models
    • Critical SOC Tools and Technology
    • SOC Data Collection
    • Using MITRE ATT&CK to Plan and Prioritize Collection
    • SOC Analyst Capacity Planning
    • Protecting SOC Data and Capabilities from Interference

  • Section 3 Overview

    Section 3 of LDR551 is all about building and improving your threat detection capability. Starting with tool selection and setup to enable effective alert triage and analysis and moving towards analytic design, this section focuses on ensuring no attack goes unseen. We focus on detection engineering as a core SOC discipline to be planned, tracked, and measured, show how to implement and manage detection use cases, and demonstrate how to plan and execute threat hunts. The result is a structured approach that leads to measurable improvements to your detection capability. Finally, we will look at active defense concepts and their role in a mature security operations capability. Taking the tools, processes, and concepts from section 3 of LDR551 back to your SOC will ensure that no (virtual) stone in your environment remains unturned.

    • Detection Rule Management, Measurement, and Visualization
    • Structuring, Documenting, and Organizing Use Cases
    • Planning Threat Hunting
    • Analytic Frameworks and Tools
    • Threat Detection and Analytic Design
    • The Keys to Efficient Alert Triage
    • Detection Engineering Process and Lifecycle
    • SOC-Assisted Use Cases
    • Threat Hunting Process and Tracking
    • Active Defense Tactics and Techniques

  • Section 4 Overview

    From toolsets to proven frameworks to tips and tricks learned in countless real-world scenarios, section four covers the full response cycle, from preparation to identification to containment, eradication, and recovery, for operations managers. The fourth section of LDR551 begins with preparing your people, processes, IT infrastructure, and forensics toolset to quickly identify and remediate incidents. In this section, we will review best practices in cloud incident response, forensic analysis, playbook development, and cross-team collaboration. Lab exercises in section four include incident response playbook design and implementation, investigation review and quality control, incident response goal setting, and cross-team collaboration.

    • Incident Response Goals and Teamwork
    • Developing and Implementing SOC Playbooks
    • Investigation Quality Review
    • Planning and Preparation for Incident Response
    • Identification and Categorization of Incidents
    • Coordination During Incident Discovery
    • Incident Response Tools
    • Containment and Eradication Stage Activities
    • Incident Response in the Cloud
    • Investigation
    • Recovery, Post-Incident Activity, and Practice

  • Section 5 Overview

    The fifth and final section of LDR551 is all about measuring and improving security operations. We focus on three areas: motivating your people and minimizing burnout, measuring SOC performance, and continuous SOC assessment through adversary emulation and SOC capability and maturity models. We will also cover some of the more challenging elements of managing people in a dynamic and often high-pressure environment: building the right culture, addressing damaging behaviors, and handling common pitfalls of daily operations. By focusing on our team and continuously improving quality toward a clear set of strategic goals, we can ensure long-term growth and success. In section five, you'll receive the tools, techniques, and insights to do just that. Hands-on exercises will include designing SOC metrics, continuous assessment and validation, and SOC quality improvement using lean management concepts and techniques.

    • Creating, Classifying, and Communicating Your Metrics
    • Purple Team Assessment Planning, Execution and Tracking
    • SOC Process Improvement
    • Staff Retention and Burnout Mitigation
    • Building Your SOC Culture
    • Metrics, Goals, and Effective Execution
    • Measurement and Prioritization Issues
    • Automation in Security Operations
    • Analytic Testing and Adversary Emulation
    • SOC Capability Assessment
    • The Lean SOC

GIAC Security Operations Manager

The GIAC Security Operations Manager (GSOM) certification validates a practitioner's ability to effectively manage a technical team and strategically operate a Security Operations Center (SOC) to align with an organization's business goals and security requirements.

  • Designing, planning, and managing an effective SOC program
  • Prioritization and collection of logs, development of alert use cases, and response playbook generation
  • Selecting metrics, analytics, and long-term strategies to assess and continuously improve SOC operations

This course does not have any specific prerequisites, but it is suggested that students have some experience in an operational security role. SANS courses such as SEC450: Blue Team Fundamentals: Security Operations and Analysis or MGT512: Security Leadership Essentials for Managers will give students a solid base-level understanding of the concepts that will be discussed.

Laptop Requirements

Important! Bring your own system configured according to these instructions!

CRITICAL NOTE: Apple Silicon devices cannot perform the necessary virtualization and therefore cannot in any way be used for this course.

A properly configured system is required to fully participate in this course. If you do not carefully read and follow these instructions, you will not be able to fully participate in hands-on exercises in your course. Therefore, please arrive with a system meeting all of the specified requirements.

Back up your system before class. Better yet, use a system without any sensitive/critical data. SANS is not responsible for your system or data.

  • CPU: 64-bit Intel i5/i7 (8th generation or newer), or AMD equivalent. An x64-bit, 2.0+ GHz or newer processor is mandatory for this class.
  • BIOS settings must be set to enable virtualization technology, such as "Intel-VTx" or "AMD-V" extensions. Be absolutely certain you can access your BIOS if it is password protected, in case changes are necessary.
  • 8GB of RAM or more is required.
  • 80GB of free storage space or more is required.
  • At least one available USB 3.0 Type-A port. A Type-C to Type-A adapter may be necessary for newer laptops. Some endpoint protection software prevents the use of USB devices, so test your system with a USB drive before class.
  • Wireless networking (802.11 standard) is required. There is no wired Internet access in the classroom.
  • Your host operating system must be the latest version of Windows 10, Windows 11, or macOS 10.15.x or newer.
  • Fully update your host operating system prior to the class to ensure you have the right drivers and patches installed.
  • Linux hosts are not supported in the classroom due to their numerous variations. If you choose to use Linux as your host, you are solely responsible for configuring it to work with the course materials and/or VMs.
  • Local Administrator Access is required. (Yes, this is absolutely required. Don't let your IT team tell you otherwise.) If your company will not permit this access for the duration of the course, then you should make arrangements to bring a different laptop.
  • You should ensure that antivirus or endpoint protection software is disabled, fully removed, or that you have the administrative privileges to do so. Many of our courses require full administrative access to the operating system and these products can prevent you from accomplishing the labs.
  • Any filtering of egress traffic may prevent accomplishing the labs in your course. Firewalls should be disabled or you must have the administrative privileges to disable them.
  • Download and install VMware Workstation Pro 16.2.X+ or VMware Player 16.2.X+ (for Windows 10 hosts), VMware Workstation Pro 17.0.0+ or VMware Player 17.0.0+ (for Windows 11 hosts), or VMware Fusion Pro 12.2+ or VMware Fusion Player 11.5+ (for macOS hosts) prior to class beginning. If you do not own a licensed copy of VMware Workstation Pro or VMware Fusion Pro, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial at their website. Also note that VMware Workstation Player offers fewer features than VMware Workstation Pro. For those with Windows host systems, Workstation Pro is recommended for a more seamless student experience.
  • On Windows hosts, VMware products might not coexist with the Hyper-V hypervisor. For the best experience, ensure VMware can boot a virtual machine. This may require disabling Hyper-V. Instructions for disabling Hyper-V, Device Guard, and Credential Guard are contained in the setup documentation that accompanies your course materials.
  • Download and install 7-Zip (for Windows Hosts) or Keka (for macOS hosts). These tools are also included in your downloaded course materials.

Your course media is delivered via download. The media files for class can be large. Many are in the 40-50GB range, with some over 100GB. You need to allow plenty of time for the download to complete. Internet connections and speed vary greatly and are dependent on many different factors. Therefore, it is not possible to give an estimate of the length of time it will take to download your materials. Please start your course media downloads as soon as you get the link. You will need your course media immediately on the first day of class. Do not wait until the night before class to start downloading these files.

Your course materials include a "Setup Instructions" document that details important steps you must take before you travel to a live class event or start an online class. It may take 30 minutes or more to complete these instructions.

Your class uses an electronic workbook for its lab instructions. A second monitor and/or a tablet device can be useful for keeping class materials visible while you are working on your course's labs.

If you have additional questions about the laptop specifications, please contact support.

Author Statement

"Written to complement my first SOC course (SEC450: Blue Team Fundamentals), LDR551 completes the security operations picture by introducing the best higher-level frameworks and organization tactics I've discovered throughout my career as a SOC analyst and SOC manager for a large pharmaceutical company. By including hands-on application with state of the art open-source tools and methods for security operations, LDR551 delivers the complete package for SOC leaders. This course condenses years of knowledge and real-life experience with months of additional research to bring you the most important information to effectively and efficiently lead your security team to success." - John Hubbard

"As someone who has been the victim of less than ideal processes, tools, and team structure, my goal with this course is to help ensure every organization's blue team runs at peak efficiency and capability regardless of size and resources, and that no one must suffer through repeating mistakes so commonly made within the industry. This course is the culmination of 20 years of supporting, building, and leading security operations and I am incredibly excited to bring it to the SANS community." - Mark Orlando

"[I] would and will recommend this course to some of my peers. I have been a security sales engineer for so many years, but was missing customer pain or customer side knowledge. This course has been spot on so far!" - Moises Acevedo, Recorded Future


"It has covered a lot of great information that can be applied anywhere when implementing or improving a SOC." - Dakota Kelly

"Great content. Covers a lot of ground and exposed me to a lot of new concepts and ideas, and ties content to current real-world examples." - Prasanth Chatti, Campbells Soup Company

"This course immediately expands your toolkit to problem solve in NOSC operations management." - Ron L., US Government
