SANS Challenge Coins: The Ultimate Recognition to Elite Cybersecurity Professionals

Hundreds of SANS Institute students have stepped up to the challenge and conquered. They’ve mastered the concepts and skills, beat out their classmates, and proven their prowess. These are the elite, the recipients of a SANS Challenge Coin, an award given to a select portion of the thousands of students that have taken any of the SANS courses.

The coins – more precisely, Round Metal Objects (RMO) – were initially created to recognize students who demonstrate exceptional talent and significantly contribute to, and lead, the cybersecurity profession and community. The coins are meant to be an honor; they’re also intended to be rare. SANS Institute uses the coins to identify and honor those who excel at detecting and eradicating threats, those who understand the critical importance of cybersecurity and continually strive to further not only their own knowledge, but the knowledge of the entire cybersecurity field. These students actively share their experiences and encourage learning through participation in the community; they’re typically leaders in the community.

The challenges through which students can earn a coin are typically held on the last day of class for a SANS course. Students compete in a Capture-the-Flag (CTF) or Capstone Challenge and must successfully overcome a number of obstacles to prove their proficiency during timed, hands-on incidents. The CTFs and Capstone Challenges are created by SANS’ top instructors – each one a cybersecurity practitioner, subject-matter expert, experienced teacher, and professional leader in their own right.

Each SANS Institute Curriculum features different coins:

Cyber Defense Curriculum

SANS Cyber Defense curriculum is broken down into Cyber Defense Essentials and Blue Team Operations courses.

SANS Cyber Defense Essentials

These courses build a solid foundation of core policies and practices to enable you and your security teams to practice proper incident response, then expand upon those crucial skills by adding advanced core techniques to help defend an enterprise from every angle.

Whether you’re new to security or need a broad overview of security topics, these courses support your effort to win the battle against the wide range of cyber adversaries that want to harm your environments.

Cyber Defense Essentials Course Challenge Coins 

SEC501: Advanced Security Essentials – Enterprise Defender 

SEC599: Defeating Advanced Adversaries – Purple Team Tactics & Kill Chain Defenses

Blue Team Operations

SANS Blue Team Operations courses teach the critical skills required to defend your organization against cyber-attacks and improve its overall security posture.

Blue Team Operations Course Challenge Coins

SEC450: Blue Team Fundamentals – Security Operations and Analysis 

SEC487: Open-Source Intelligence (OSINT) Gathering and Analysis

SEC503: Intrusion Detection In-Depth

SEC505: Securing Windows and PowerShell Automation

SEC511: Continuous Monitoring and Security Operations

SEC530: Defensible Security Architecture and Engineering

SEC555: SIEM with Tactical Analysis

Penetration Testing Curriculum

SANS Penetration Testing courses are uniquely designed to provide the understanding and skills necessary to be counted among the best pen testers in the business. Our courses cover a wide variety of different technological landscapes that penetration testers may face, with our in-depth focus on pen testing networks, web applications, mobile devices, wireless devices, and cloud environments, as well as exploit development.

While our focus is on penetration testing to provide high-value, properly conducted tests are also a tremendous amount of fun! Penetration testing is a truly exciting and rewarding job, and this joy of the well-done professional test shines throughout our course material and expert instructors, each with real-world experience in penetration testing.

Pen Test Course Challenge Coins

SEC460: Enterprise Threat and Vulnerability Assessment

SEC504: Hacker Tools, Techniques, Exploits, and Incident Handling

SEC542: Web App Penetration Testing and Ethical Hacking

SEC560: Network Penetration Testing and Ethical Hacking

SEC573: Automating Information Security with Python

SEC575: Mobile Device Security and Ethical Hacking

SEC588: Cloud Penetration Testing

SEC617: Wireless Penetration Testing and Ethical Hacking

SEC642: Advanced Web App Penetration Testing, Ethical Hacking, and Exploitation Techniques

SEC660: Advanced Penetration Testing, Exploit Writing, and Ethical Hacking

SEC699: Purple Team Tactics – Adversary Emulation for Breach Prevention & Detection

SEC760: Advanced Exploit Development for Penetration Testers

Digital Forensics & Incident Response Curriculum

Whether you’re seeking to maintain a trail of evidence on host or network systems or hunting for threats using similar techniques, larger organizations are in need of specialized professionals who can move beyond first-response incident handling to analyze an attack and develop an appropriate remediation and recovery plan. The DFIR curriculum will teach you how to detect compromised systems, identify how and when a breach occurred, understand what attackers took or changed, and successfully contain and remediate incidents.

DFIR Course Challenge Coins

FOR308: Digital Forensics Essentials
Scientia Vincit – Knowledge is Key

FOR498: Battlefield Forensics & Data Acquisition
Consector Scientia Intro Strepitus – Seek Knowledge in the Noise

FOR500: Windows Forensic Analysis
Ex Umbra in Solem – From the Shadows into the Light

FOR508: Advanced Incident Response, Threat Hunting, and Digital Forensics
Non Potestis Celare – You Cannot Hide

FOR518: Mac and iOS Forensic Analysis and Incident Response
Impera magis. Aliter cogita – Command more. Think differently

FOR526: Advanced Memory Forensics & Threat Detection
Cur mihi oculi dolent? – Why do my eyes hurt? 

FOR585: Smartphone Forensic Analysis In-Depth
Omnis Tactus Vestigium Relinquit – Every Contact Leaves a Trace

FOR572: Advanced Network Forensics: Threat Hunting, Analysis, and Incident Response
Malum Loquitur, Bonum Auscultat – Evil Must Talk, So Good Must Listen

FOR578: Cyber Threat Intelligence
Hominem unius libri timeo – I fear the man of one book

FOR610: Reverse-Engineering Malware
R.E.M. – Reverse-Engineering Master

Industrial Control Systems (ICS)

The SANS ICS curriculum provides hands-on training courses focused on attacking and defending ICS environments. These courses equip both security professionals and control system engineers with the knowledge and skills they need to safeguard our critical infrastructures.

Industrial Control Systems Course Challenge Coins

ICS410: ICS/SCADA Security Essentials
“Defend Critical Infrastructure”

ICS456: Essentials for NERC Critical Infrastructure Protection
“Develop and maintain a defensible compliance program”

ICS515: ICS Active Defense and Incident Response
“Defense is Doable”

ICS612: ICS Cybersecurity In-Depth
“Hands On Cyber Physical”

Management Curriculum

Security managers need both technical knowledge and management skills to gain the respect of technical team members, understand what technical staff are actually doing, and appropriately plan and manage security projects and initiatives. This is a big and important job that requires an understanding of a wide array of security topics. The SANS Management curriculum develops cyber leaders who have the practical skills to build and lead security teams, communicate with technical and business leaders alike, and develop capabilities that build your organization’s success.

Management Course Challenge Coins

AUD507: Auditing & Monitoring Networks, Perimeters, and Systems
Controls that Matter. Controls that Work.

MGT512: Security Leadership for Managers
One Coin to Lead Them All

MGT514: Security Strategic Planning, Policy, and Leadership

Decipher, Develop, Deliver

MGT516: Managing Security Vulnerabilities: Enterprise & Cloud

Stop Treating the Symptoms. Cure the Disease.

Cloud Security Curriculum

SANS Cloud Security curriculum ingrains security into the minds of cloud, architecture, operations, and software engineers by providing world-class educational resources to design, develop, build, deploy, and monitor cloud resources.

Cloud Security Course Challenge Coins

SEC522: Defending Web Applications Security Essentials
Defending Web Applications

SEC540: Cloud Security and DevOps Automation
Keep calms & carry on. 

Those who are awarded SANS Challenge coins are also bestowed special privileges and recognition, including participation in the well-regarded “coin check” challenge and response.

A coin check typically begins by a challenger holding his or her coin in the air or slamming it on a table and yelling “coin check!” All those within earshot must respond by showing their coins to the challenger within 10 seconds. Anyone who fails to do so must buy those who successfully returned the coin check a round of drinks. If all the challenged coin holders produce their coin, the challenger must buy the round of drinks. (Also, if anyone accidentally drops their coin and it makes an audible sound on impact, they have “accidentally” initiated a coin check. There are no exceptions to the rules — get those coins out or you’re buying!)