SANS instructors Anuj Soni and Lenny Zeltser get one question more than any other: “Am I ready for the advanced course?” Below is a vendor-neutral checklist built from 2025 exit-exam data and post-course surveys. No marketing gloss—just the skills that separate the two levels and the free labs you can run tonight to see where you land.
1. Can You Read a Windows Import Table Without Looking Up DLL Names?
- FOR610 expects: recognise kernel32.dll, advapi32.dll and ws2_32.dll on sight
- FOR710 expects: spot lesser-used imports such as bcryptprimitives.dll or dbghelp.dll and predict how the sample is likely to misuse them
Try-it-now: open any .exe in CFF Explorer; if “Imports” looks like alphabet soup, start with 610.
2. Have You Written a YARA Rule That Fires on More Than One Sample?
- 610: copy/paste strings, use the wide and ascii modifiers
- 710: write a rule that targets an obfuscation stub seen in > 10 families (e.g., XOR 0xAA header)
Free lab: github.com/VirusTotal/yara-training — finish module 3 before you book 710.
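The check that a "710-level" rule for the XOR 0xAA header encodes, written out in Python so it can be run offline. This is an added example, not code from the page or the course: it generalises from the page's 0xAA example to any single-byte key, and it cross-checks e_lfanew and the PE signature under the same key so a bare two-byte match does not fire. The PE stub and the surrounding junk bytes are constructed inline; the 0x1000 upper bound on e_lfanew is an assumed sanity limit.

```python
def xor_bytes(data, key):
    return bytes(b ^ key for b in data)


def build_stub():
    """Constructed 0x44-byte start of a PE: 'MZ', e_lfanew = 0x40, then the PE signature."""
    return b"MZ" + b"\x00" * 0x3A + (0x40).to_bytes(4, "little") + b"PE\x00\x00"


def find_xored_pe(blob, keys=range(256)):
    """Locate a PE header hidden under a single-byte XOR key.

    For each candidate key, search for 'MZ' ^ key, then require that e_lfanew and the
    PE signature decode consistently under that same key. Returns (offset, key) of the
    first hit, or None. Key 0 is included so an unobfuscated header is also found.
    """
    for key in keys:
        needle = xor_bytes(b"MZ", key)
        pos = blob.find(needle)
        while pos != -1:
            if pos + 0x40 <= len(blob):
                e_lfanew = int.from_bytes(xor_bytes(blob[pos + 0x3C:pos + 0x40], key), "little")
                end = pos + e_lfanew + 4
                # 0x1000 is an assumed sanity bound, not a PE-format limit
                if (0x40 <= e_lfanew < 0x1000 and end <= len(blob)
                        and xor_bytes(blob[end - 4:end], key) == b"PE\x00\x00"):
                    return pos, key
            pos = blob.find(needle, pos + 1)
    return None


def recover_pe(blob):
    """Decode from the located header to the end of the blob (carve the tail manually)."""
    hit = find_xored_pe(blob)
    if hit is None:
        return None
    pos, key = hit
    return xor_bytes(blob[pos:], key)


if __name__ == "__main__":
    # Constructed sample: 16 bytes of junk, then the stub XOR-encoded with the page's 0xAA.
    sample = b"JUNK" * 4 + xor_bytes(build_stub(), 0xAA)
    print(find_xored_pe(sample))              # (16, 170)
    print(recover_pe(sample)[:2])             # b'MZ'
```

In YARA itself the key brute-force is the xor modifier (`$mz = "MZ" xor(0x01-0xff)`); the e_lfanew-plus-signature consistency check is what turns that into a rule that fires on the stub across families rather than on any two bytes that happen to match.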
3. Do You Know What a Hardware Breakpoint Is—and When It Beats INT3?
- 610: set INT3 inside x64dbg, hit F9
- 710: use DR0-DR3 hardware breakpoints, which live in the CPU debug registers rather than as a 0xCC byte written into the code, so they survive a packer that rewrites or checksums its own code pages
Test: unpack the demo at github.com/malwareunicorn/unicorn_pe_scramble with only hardware breakpoints. If you bail out halfway, take 610.
4. Can You Manually Map a 64-bit PE in Memory?
- 710 lab in 2025: students must map a driver (.sys) into memory by hand, because the user-mode loader will not load a driver image for them.
- If “RVA to file offset” still makes you blink, 610 walks through it step-by-step.
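The two pieces that "RVA to file offset" and manual mapping come down to, as an added example that is not part of the page or the course: walk the section table of a 64-bit PE, translate an RVA to a file offset (including the cases that trip people up: RVAs inside the headers, and RVAs in a section that has no bytes in the file), and then lay the sections out at their virtual addresses the way the loader would. The PE32+ image is constructed inline with three sections so the virtual-only case is exercised; relocations and import resolution, the later steps of a manual map, are out of scope here.

```python
import struct

SECTION_HDR = struct.Struct("<8sIIIIIIHHI")                    # IMAGE_SECTION_HEADER, 40 bytes
OPT_HDR64 = struct.Struct("<HBBIIIIIQIIHHHHHHIIIIHHQQQQII")    # PE32+ optional header without data dirs


def align_up(value, alignment):
    return (value + alignment - 1) & ~(alignment - 1)


def build_sample_pe64():
    """Constructed minimal PE32+ file (not a real binary): .text, .rdata, and a
    .bss-style section with VirtualSize but no raw data."""
    file_align, sect_align = 0x200, 0x1000
    # (name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, content)
    sections = [
        (b".text", 0x10, 0x1000, 0x200, 0x200, b"\x48\x31\xc0\xc3"),   # xor rax,rax ; ret
        (b".rdata", 0x08, 0x2000, 0x200, 0x400, b"C2HOST\x00"),
        (b".bss", 0x100, 0x3000, 0x000, 0x000, b""),
    ]
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", 0x40)       # e_lfanew = 0x40
    opt = OPT_HDR64.pack(
        0x20B, 14, 0,                        # PE32+ magic, linker version
        0x200, 0x200, 0x100,                 # SizeOfCode, SizeOfInitializedData, SizeOfUninitializedData
        0x1000, 0x1000,                      # AddressOfEntryPoint, BaseOfCode
        0x140000000,                         # ImageBase
        sect_align, file_align,
        6, 0, 0, 0, 6, 0, 0,                 # OS / image / subsystem versions, Win32VersionValue
        0x4000, 0x200,                       # SizeOfImage, SizeOfHeaders
        0, 2, 0x8160,                        # CheckSum, Subsystem (GUI), DllCharacteristics
        0x100000, 0x1000, 0x100000, 0x1000,  # stack / heap reserve and commit
        0, 16,                               # LoaderFlags, NumberOfRvaAndSizes
    ) + b"\x00" * (16 * 8)                   # 16 empty data directories
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, len(opt), 0x22)
    hdrs = dos + b"PE\x00\x00" + coff + opt
    for name, vsize, va, rawsize, rawptr, _ in sections:
        hdrs += SECTION_HDR.pack(name, vsize, va, rawsize, rawptr, 0, 0, 0, 0, 0x60000020)
    image = bytearray(max(rawptr + rawsize for _, _, _, rawsize, rawptr, _ in sections))
    image[:len(hdrs)] = hdrs
    for _, _, _, rawsize, rawptr, content in sections:
        image[rawptr:rawptr + len(content)] = content
    return bytes(image)


def _parse(data):
    """Sanity-check the headers and return (optional-header offset, section list)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    nsections = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24
    if struct.unpack_from("<H", data, opt)[0] != 0x20B:
        raise ValueError("not a PE32+ (64-bit) image")
    first = opt + opt_size
    secs = []
    for i in range(nsections):
        name, vsize, va, rawsize, rawptr, *_ = SECTION_HDR.unpack_from(data, first + i * SECTION_HDR.size)
        secs.append((name.rstrip(b"\x00").decode(), vsize, va, rawsize, rawptr))
    return opt, secs


def rva_to_offset(data, rva):
    """Map an RVA to the file offset holding its bytes, mirroring the loader's layout."""
    opt, secs = _parse(data)
    sect_align = struct.unpack_from("<I", data, opt + 0x20)[0]
    size_of_headers = struct.unpack_from("<I", data, opt + 0x3C)[0]
    if rva < size_of_headers:
        return rva                           # headers are mapped 1:1 at the image base
    for name, vsize, va, rawsize, rawptr in secs:
        if va <= rva < va + align_up(max(vsize, rawsize), sect_align):
            delta = rva - va
            if delta >= rawsize:             # .bss, or the zero-filled tail of a section
                raise ValueError(f"RVA {rva:#x} lies in {name} but has no bytes in the file")
            return rawptr + delta
    raise ValueError(f"RVA {rva:#x} is outside every section")


def manual_map(data):
    """Lay the file out as it sits in memory: headers, then each section at its RVA."""
    opt, secs = _parse(data)
    sect_align = struct.unpack_from("<I", data, opt + 0x20)[0]
    size_of_image = struct.unpack_from("<I", data, opt + 0x38)[0]
    size_of_headers = struct.unpack_from("<I", data, opt + 0x3C)[0]
    image = bytearray(size_of_image)
    image[:size_of_headers] = data[:size_of_headers]
    for _, vsize, va, rawsize, rawptr in secs:
        n = min(rawsize, align_up(vsize, sect_align))   # never copy past the section's pages
        image[va:va + n] = data[rawptr:rawptr + n]
    return bytes(image)


if __name__ == "__main__":
    pe = build_sample_pe64()
    print(hex(rva_to_offset(pe, 0x2000)))    # 0x400
    print(manual_map(pe)[0x2000:0x2006])     # b'C2HOST'
```

The ValueError for an RVA that lands in .bss is the case worth remembering: the section exists in memory, so a string or pointer there is perfectly valid at run time, yet there is no file offset to seek to, which is exactly why unpacked-in-memory artefacts have to be read from the mapped image rather than the file.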
5. Have You Ever Automated Anything in Ghidra?
- 610: GUI-only is fine
- 710: expects a Python script that resolves an API-hash (import hash) lookup table and patches the recovered names back into the listing
Pre-flight: automate renaming five functions with a Ghidra script; if that takes > 30 min, book 610.
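The non-Ghidra part of that 710 script, as an added example rather than anything from the page or the course: hash a list of export names, read a packed table of hashes the way a loader stub stores it, resolve each slot, and produce the labels a Ghidra script would then write. The hash is ROR-13 over the ASCII name as used by the Metasploit/Skape shellcode family; the page names no particular hash, so that choice is an assumption. The export list, the hash table bytes and the table address are constructed inline.

```python
import struct

MASK32 = 0xFFFFFFFF


def ror13_hash(name):
    """ROR-13 API hash (assumed variant: ASCII name, no terminating NUL, 32-bit wrap)."""
    h = 0
    for ch in name.encode("ascii"):
        h = ((((h >> 13) | (h << 19)) & MASK32) + ch) & MASK32
    return h


def build_hash_table(export_names):
    """hash -> name for every export of interest; in practice feed in the export
    tables of kernel32, ntdll, ws2_32 and so on. Collisions are reported, not hidden."""
    table = {}
    for n in export_names:
        h = ror13_hash(n)
        if h in table and table[h] != n:
            raise ValueError(f"hash collision {h:#010x}: {table[h]} vs {n}")
        table[h] = n
    return table


def parse_hash_table(blob):
    """Read a packed little-endian u32 table as a loader stub stores it."""
    count = len(blob) // 4
    return list(struct.unpack(f"<{count}I", blob[:count * 4]))


def resolve_hashes(table, hashes):
    """Pair every slot with a name, or None when the hash is not in our table."""
    return [(h, table.get(h)) for h in hashes]


def annotate_table(table_addr, hashes, table):
    """What the Ghidra script ends up writing: one (address, label) per 4-byte slot.
    Unknown hashes get a label that flags them for manual work instead of silence."""
    out = []
    for i, h in enumerate(hashes):
        name = table.get(h)
        out.append((table_addr + 4 * i, f"api_{name}" if name else f"api_unknown_{h:08x}"))
    return out


# Constructed inputs: a small export list and a table with two known hashes and one unknown.
EXPORTS = ["LoadLibraryA", "GetProcAddress", "VirtualAlloc", "CreateThread", "WinExec", "ExitProcess"]
TABLE_BYTES = struct.pack("<3I", ror13_hash("VirtualAlloc"), ror13_hash("WinExec"), 0xDEADBEEF)
TABLE_ADDR = 0x140003000  # hypothetical address of the table inside the sample

if __name__ == "__main__":
    table = build_hash_table(EXPORTS)
    for addr, label in annotate_table(TABLE_ADDR, parse_hash_table(TABLE_BYTES), table):
        print(f"{addr:#x}  {label}")
```

Inside Ghidra the only lines that change are the two that touch the program: reading the table with getBytes(addr, length) and writing each label with createLabel(addr, name, True) from the FlatProgramAPI; everything above is plain Python, which is why it is worth writing and testing outside the GUI first.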
6. Speed Check — 30-Minute Challenge
We gave 85 volunteers the same packed sample:
- FOR610 median finish: 28 min to reach C2 domain string
- FOR710 entry expectation: 12 min or less
Download the file at github.com/cti-2025/packtest — start the timer. Your result predicts the class where you will not feel lost.
7. One Page, No Guessing — Decision Matrix
Your Current Comfort | Next Logical Step | Free Prep Resource
---|---|---
Strings, basic IDA, Wireshark | FOR610 | MalwareUnicorn workshops
YARA, some automation, coded unpackers | FOR710 | PackTest repo above
Finished 610 but scored < 70 % on exit exam | Repeat 610 labs | SANS portal practice tests
Finished 610 and scored ≥ 85 % | FOR710 | Advanced unpacking GitHub path
8. Cost Reality Check
- FOR610 list price: USD 7,900 (2025)
- FOR710 list price: USD 8,900
- Retake rate for under-prepared 710 candidates: 23 %
Pay once, prepare properly.
Bottom Line
If you can unpack a sample, script Ghidra and write a YARA rule before morning coffee, 710 is your classroom. If any of those steps still feel like wizardry, 610 will save you money and bruised confidence. Run the free tests tonight—your scorecard won’t lie.