I’ve taken training across offensive, defensive, cloud, and forensics. These reviews cover what each course delivered and whether it was worth the cost.
I started out in digital forensics and later transitioned into offensive security. Over the last few years, my interest in the defensive side picked back up, and I’ve been shifting more towards purple teaming. My employer offers a tuition assistance benefit, so I used it to take SANS’s Advanced Incident Response, Threat Hunting (FOR508) course via OnDemand in June 2025. The FOR508 material overlaps with earlier DFIR work, so I came to it with more context than a first-time practitioner would.
The course
FOR508 is organized into six sections: advanced incident response and threat hunting, intrusion analysis, memory forensics, timeline analysis, advanced adversary and anti-forensics detection, and a capstone APT challenge. SANS ships physical books and provides recorded lectures through their portal for the OnDemand format. The format is lecture-heavy.
SANS refreshed FOR508 in Spring 2025. The updated version expanded credential theft and lateral movement analysis, added hybrid cloud coverage including Entra ID, and reworked the memory forensics content. The memory forensics section was the most detailed portion of the course. It introduced me to MemProcFS as a modern alternative to Volatility for memory forensics. MemProcFS mounts an acquired memory image as a virtual filesystem, and the data extraction workflow is more direct than Volatility’s plugin model. Volatility was the standard tool when I was doing DFIR work several years ago, so picking up a new tool was a welcome change. In the months that followed, I attempted to use MemProcFS on a VMware memory snapshot during a penetration test.

Figure 1 — MemProcFS virtual filesystem view showing extracted process and artifact data from a memory image.
FOR508 includes 35 labs distributed across all sections. The labs reinforce the lecture material and map to the exam content. The course is mostly lecture; the hands-on component supports the content. OSCP is a useful contrast: with PEN-200, the labs are the course and the written material supports them. FOR508 inverts that relationship. The labs are solid, but the lectures carry more of the learning load.
I took the course OnDemand. The recorded lecture format works for self-paced study. The OnDemand version lacks instructor interaction. SANS live training gives you access to the instructor during and after sessions, and that access adds a lot to the SANS format. OnDemand delivers the content. You lose the back-and-forth, but that’s true for any online/remote training course.
The exam
The GCFA exam is 115 multiple-choice questions, 3 hours, open-book, and proctored through the GIAC portal. The course material prepared me for the exam content. I passed on the first attempt with a 92%.
Index-building is the exam preparation strategy I use for every GIAC certification. I picked up the methodology from Lesley Carhart’s Better GIAC Testing with Pancakes blog post and have used it the same way since my first SANS exam in November 2019. You start with an Excel spreadsheet: columns for the term, book number, page number, and an optional brief definition. Color-code each row by section so you can locate the right part of your notes by color at a glance. Highlight the physical books during study and tab them by section. During the exam, the index tells you which book and page to flip to, and the tab tells you which section to open to. Start building the index on your first pass through the material, then add entries while working through the GIAC practice exams to catch anything you missed. The index is a retrieval tool for terms and procedures you understand but cannot hold in working memory for three hours. Build it as you go.

Figure 2 — GCFA exam index with entries color-coded by book.
What stuck
The lateral movement artifact coverage in FOR508 applied to the purple team work I was doing at the time. The course covers which forensic and threat-hunting artifacts each lateral movement technique generates: event log entries, registry keys, file system artifacts, network indicators. I used that knowledge to verify that our logging and auditing configurations were capturing the expected artifacts before and during the exercise.
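One way to run that verification, as an added example that is not from the course or this post: a small coverage check that maps each lateral movement technique to the artifacts it is expected to generate (the inventory below is an illustrative assumption, not FOR508's list, and the log lines are constructed) and reports, per host, which expected artifacts never appeared in the collected logs.

```python
import re
from collections import defaultdict

# Assumed artifact inventory (illustrative, not FOR508's own list): each
# technique maps to the (log channel, event ID) pairs expected to appear.
EXPECTED_ARTIFACTS = {
    "remote_service_creation": {("Security", 4624), ("System", 7045), ("Security", 4688)},
    "scheduled_task": {("Security", 4624), ("Security", 4698)},
    "admin_share_copy": {("Security", 4624), ("Security", 5140)},
}

LINE_RE = re.compile(r"host=(\S+)\s+log=(\S+)\s+id=(\d+)")

def parse_events(lines):
    """Return {host: {(log, event_id), ...}} from normalised log lines."""
    seen = defaultdict(set)
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # malformed or unrelated line: skip, do not abort the check
        seen[m.group(1)].add((m.group(2), int(m.group(3))))
    return seen

def coverage_report(lines, hosts):
    """Per host and technique, list expected artifacts that never showed up."""
    seen = parse_events(lines)
    return {
        host: {tech: sorted(req - seen.get(host, set()))
               for tech, req in EXPECTED_ARTIFACTS.items()}
        for host in hosts
    }

# Constructed sample: all three techniques were exercised against host1 and
# host2; host3 was in scope but forwarded nothing. Not real exercise data.
SAMPLE_LINES = [
    "2025-07-01T10:00:01 host=host1 log=Security id=4624 logon_type=3",
    "2025-07-01T10:00:02 host=host1 log=System id=7045",
    "2025-07-01T10:00:02 host=host1 log=Security id=4688",
    "2025-07-01T10:00:05 host=host1 log=Security id=4698",
    "2025-07-01T10:00:09 host=host1 log=Security id=5140",
    "2025-07-01T10:01:01 host=host2 log=Security id=4624 logon_type=3",
    "2025-07-01T10:01:02 host=host2 log=System id=7045",
    "2025-07-01T10:01:09 host=host2 log=Security id=5140",
    "heartbeat ok",  # malformed line, ignored by the parser
]

if __name__ == "__main__":
    report = coverage_report(SAMPLE_LINES, ["host1", "host2", "host3"])
    print({h: {t: m for t, m in g.items() if m} for h, g in report.items()})
```

A host where some of a technique's artifacts appear and others do not (host2) points at an audit-policy gap on that channel, while a host with nothing at all (host3) points at collection or forwarding being broken.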
That artifact knowledge maps to the offensive side too. The same indicators defenders and threat hunters use to identify lateral movement are what an attacker needs to understand in order to adapt their tradecraft.
If you work on a red team, the artifact coverage in FOR508 is worth your time. The course documents what forensic evidence each technique leaves behind: which event IDs fire, which registry keys are written, which files are touched. You can use that list to evaluate your own technique selection. Where the blue team expects to find an artifact, you can avoid generating it, remove it post-exploitation, or obfuscate it. If you can’t avoid it, you’ll know exactly what you’re giving up. For example, “I can move to this system via this lateral movement technique at the moment, but I will generate x, y, and z artifacts.” The course is written for defenders. The artifact inventory is just as useful on offense.
Bottom line
FOR508 and the GCFA are best suited for DFIR practitioners past the entry level who want a recognized certification. From a recruiter and hiring manager standpoint, GCFA occupies a similar position on the defensive side that OSCP does on the offensive side: a cert that signals demonstrated competency and gets through HR filters. The course is worth considering for red teamers who want a systematic understanding of what defenders and threat hunters look for, to inform tradecraft decisions. It is not a starting point for someone early in a defensive career. Get entry-level defensive certifications and hands-on experience first. Take it if your employer is covering the cost. At $8,000 or more out of pocket, it is difficult to recommend paying for it yourself.