AWS Incident Response - Korstiaan Stam - DCTAC2025
Name of Training: AWS Incident Response
Trainer(s): Korstiaan Stam
Dates: November 3-4, 2025
Time: 9:00 am to 5:00 pm
Venue: Exhibition World Bahrain
Cost: $2,200
Course Description:
This course focuses on equipping learners with the knowledge, skills, and hands-on experience required to respond to security incidents in AWS environments. Through a mix of lectures, labs, and Capture The Flag (CTF) challenges, students will learn how to detect, analyze, contain, and recover from cloud-based compromises within AWS.
By the end of this course, participants will be able to:
- Understand AWS fundamentals relevant to security operations (IAM, roles, organizational structure)
- Identify and use AWS security services (GuardDuty, Inspector, Detective, Security Hub, Security Lake)
- Investigate alerts by exploring logs, events, and AWS-native telemetry
- Apply threat models and frameworks to real AWS incidents
- Use AWS attack tools (e.g. Prowler, CloudFox) to simulate and defend against adversarial behavior
- Perform cloud forensics – acquire, process, and analyze logs (CloudTrail, VPC Flow Logs, etc.)
- Conduct host forensics for EC2, containers, and AWS Systems Manager–managed systems
- Execute the incident response lifecycle (prepare → detect & analyze → contain/eradicate/recover → post-incident) in a cloud context
- Work through real-world case studies (ransomware, long-term compromise)
- Participate in competitive CTF scenarios to test your incident response capabilities
Course Outline:
Major modules include:
- AWS Basics & Identity and Access Management (IAM)
- AWS Security Services
- Threats & Common Attack Patterns in AWS
- Attack Tools & Techniques
- AWS Log Strategy, Acquisition, and Processing
- Log Analysis using Athena, CloudWatch, OpenSearch
- Host Forensics in AWS
- Cloud Incident Response Process and Framework
- Case Studies (e.g. ransomware, long compromise)
- CTF Challenges for hands-on assessment
Difficulty Level:
Intermediate/Advanced
Suggested Prerequisites:
Experience in the AWS cloud will prove very useful to be able to keep up.
Experience with PowerShell and/or KQL is not required but will help you to gain even more from the training. You must also not be afraid of the command-line interface as this will be a hands-on training and not everything will be in the GUI.
What Students Should Bring:
Important: You only have to bring your laptop with a browser and we will provide you with access to the cloud tenants and investigation data.
Trainer(s) Bio:
Korstiaan Stam is the Founder and CEO of Invictus Incident Response & SANS Trainer - FOR509: Cloud Forensics and Incident Response. Korstiaan is a passionate incident responder, preferably in the cloud. He developed and contributed to many open-source tools related to cloud incident response. Korstiaan has gained a lot of knowledge and skills over the years which he is keen to share.
Way before the cloud became a hot topic, Korstiaan was already researching it from a forensics perspective. “Because I took this approach I have an advantage, because I simply spent more time in the cloud than others. More so, because I have my own IR consultancy company, I spent a lot of time in the cloud investigating malicious behavior, so I don’t just know one cloud platform, but I have knowledge about all of them.” That equips him to help students with the challenge of every cloud working slightly or completely different. “If you understand the main concepts, you can then see that there’s also a similarity among all the clouds. That is why I start with the big picture in my classes and then zoom in on the details. Korstiaan also uses real-life examples from his work to discuss challenges he’s faced with students to relate with their day-to-day work. “To me, teaching not only means sharing my knowledge on a topic, but also applying real-life implications of that knowledge. I always try to combine the theory with the everyday practice so students can see why it’s important to understand certain concepts and how the newly founded knowledge can be applied.”
Registration Terms and Conditions:
Trainings are refundable before October 2, 2025, minus a non-refundable processing fee of $250.
Trainings are non-refundable after October 2, 2025.
Training tickets may be transferred. Please email us at training@defcon.org for specifics.
If a training does not reach the minimum registration requirement, it may be cancelled. In the event the training you choose is cancelled, you will be provided the option of receiving a full refund or transferring to another training (subject to availability).
Failure to attend the training without prior written notification, will be considered a no-show. No refund will be given.
By purchasing this ticket you agree to abide by the DEF CON Training Code of Conduct and the registration terms and conditions listed above.
Several breaks will be included throughout the day. Please note that food is not included.
All courses come with a certificate of completion, contingent upon attendance at all course sessions.
Training Justification Request – DEF CON Training
To: [Manager Name]
From: [Employee Name]
Date: [Date]
Subject: Business Justification for Attendance at DEF CON Training
Dear [manager’s name],
I am requesting approval to attend DEF CON Training, one of the cybersecurity industry's most recognized technical training programs. I’ve reviewed the options and selected a course to expand my skills with [1-2 key skills focus areas for the course].
DEF CON has been one of the world’s leading cybersecurity communities for more than three decades, known for convening industry, government, and independent experts to exchange advanced knowledge and practical skills. Building on this tradition, DEF CON Training delivers intensive courses taught by recognized global instructors. DEF CON Training courses offer hands-on instruction in a challenging, fast-paced environment. Many of the courses offered by DEF CON Training align with the National Institute of Standards and Technology (NIST) NICE Framework and Department of Defense Cyber Workforce Framework (DCWF), and attending this course will help me build and sharpen the skills required for my role.
Training: [Name of DEF CON Training Course]
Instructor/Provider: [Trainer Name(s)]
Dates: [Training Dates]
Location: Las Vegas, NV
Cost: [Course Fee]
Travel Expenses: [estimated travel & accommodations costs]
Course Description: [Copy short description of the selected class from the website here]
Trainer Bio: [Copy bio of the trainers of the selected class from the website here]
Once I’ve completed the course, I’ll be able to:
[copy student outcomes from course page where available or choose 3-4 skills or topic areas from the outline that are applicable to your current role, will help you fill a skill gap, etc.]
Business Need
As cyber threats continue to evolve, it is critical that our organization maintains current knowledge of emerging techniques and industry best practices. The selected DEF CON training aligns directly with my responsibilities in [your role/field here - for example, security operations, incident response, threat detection and hunting, application security, cloud security, risk management, security engineering].
The course will provide practical, hands-on experience that can be immediately applied to our environment and security initiatives. DEF CON training emphasizes real-world attack and defense scenarios, enabling participants to develop skills that extend beyond traditional classroom learning.
Request for Approval
I respectfully request approval and funding to attend DEF CON Training this August in Las Vegas. The knowledge, hands-on experience, and industry insights gained will directly support our cybersecurity objectives and contribute to strengthening our organization's security capabilities.
Thank you for your consideration. Please let me know if you have questions or need additional information to support this request.
Sincerely,
[Employee name]