Call Us (03) 2035 9258

Module A4 – Advanced SABSA Incident, Monitoring & Investigations

The increasing tempo of cyber attacks by cyber criminals, state sponsored actors, and hacktivists is a major concern for all organisations within government and industry. The internet is now a hostile environment where businesses can be destroyed overnight. The sophistication of cyber attack is challenging even the most capable cyber defender, and is well beyond the preventative capability of most organisations. Attacks will be successful, and there is an increasing requirement for businesses to monitor their systems and networks, and to respond effectively to incidents.

One of the key challenges for the security team is to be able to articulate to management why a specific operational capability is required, and to ensure the capability most effectively integrates with the overall technology strategy for the business. This requires the ability to trace business requirements down to the monitoring solutions, and to trace the solutions back to business requirements. It also requires an understanding of the impact of a cyber incident to justify the type and extent of response capabilities.

The SABSA Advanced A4 module provides participants with a comprehensive understanding of how the SABSA framework can be applied to deliver effective incident management and monitoring. Through a series of innovative presentations, case studies, and workshops, you will develop the knowledge and skills to use the most proven security architecture, design and service management processes in a way which ensures comprehensive and effective monitoring and incident management capabilities are achieved. This course approaches the incident management and monitoring capabilities in the context of both a baseline security operations center and the requirements which justify its development into an advanced security operations center.

Learning outcomes

The top ten competencies developed on this course are:

  • Understand the business relevance of cyber threats and threat intelligence
  • Understand the role of the Security Operations Center (SOC) function
  • Understand Cyber Essentials and Cybersecurity Framework controls
  • Understand the SOC Monitoring services
  • Understand the process of Incident Management and Investigations
  • Understand the requirements which lead to an Advanced SOC (ASOC)
  • Understand how to use the SABSA framework to architect a SOC
  • Understand how to use attributes to profile SOC/ASOC services
  • Understand monitoring services for Control Systems
  • Analyse enterprise value from SOC/ASOC deployments

Who should attend

This course is of particular significance for anyone operating, or planning to operate, a Security Operations Center. The course thoroughly addresses security operations, with emphasis on incident management and security event monitoring.  It addresses the architecture of a baseline SOC capability and the roadmap to an Advanced SOC.  Typical attendance includes:

  • IT Strategists and Planners
  • IT Architects
  • IT Development Managers and Project Leaders
  • IT Operations Staff
  • Information Security Managers, Advisors, Consultants & Practitioners
  • IT Line Managers
  • IT Service Delivery Managers
  • Risk Managers
  • Internal and External Auditors

Course contents

1.   SABSA as a Problem Solving Framework

  • Evolution of Operational Architectures and Strategies
  • Change: Legacy & Future-Proof
  • A Structured Thought Process for Dealing with Any Problem

2.   Stakeholder Value Propositions

  • Real-world Buy-in & Support
  • Cultural Shift
  • Customising Value Propositions
  • SABSA Institute and Certification Roadmap

3.   Thinking about Security Operation Centres

  • Understanding Cyber Threats
  • Incident Management and Monitoring in the SOC Services Catalogue
  • SOC Facilities
  • Obstacles to Efficient Security Operations
  • SOC Roadmap

4.   Framework Alignment

  • Lifecycle and Scope Issues
  • Greenfields Site or Alignment & Integration of Existing Investments

5.   Strategy & Planning for Incident Management

  • The Incident-Managed Attribute
  • Conceptual Analysis

6.   Incident Management Design

  • Analysing Events
  • Findings, Issues and Incidents
  • Design Phase Architecture

7.   Incident Management Maturity

  • Maturity Modelling
  • SABSA Maturity Profile and CREST-IR
  • Maturity Assessment Process
  • Cyber Kill Chain and Advanced Threats
  • Advanced SOC Design

8.   Industrial Control Systems

  • Requirements Analysis
  • Key Business Drivers
  • Zoning and Cross Domain Interactions

9.   Security Investigations

  • Investigating Issues
  • Attributes of Forensic Investigations

10.  Full Requirements-to-Solution Traceability

  • Detailed Application of the Traceability Layer Map
  • Fit-for-Purpose Design
  • SOC Service Providers

Course fees


Fees A$ Per Person

SABSA® Advanced Module A4:
Incident, Monitoring & Investigations Architecture

Course+ Exams
$4620 + gst

Requirement for Personal Computers

Due to the nature of Advanced course modules and examination, it is required that participants bring personal computing devices in order to create, discuss, share, populate and store personal work product in portable, editable form, such that it can be applied extensively:

  • In the candidate’s place of work;
  • In the preparation and submission of the candidate’s examination answers.

Candidates are responsible for ensuring the computing devices they use are pre-loaded with all software that may be appropriate to their needs including word processors, spread sheets, databases, and diagramming tools.


The SABSA Foundation Certificate is a pre-requisite for the SABSA Advanced modules.


The examination approach for a SABSA Advanced Course is totally different from that used at Foundation Level. Candidates are required to demonstrate advanced competencies to use the SABSA method and framework.

The examination is therefore entirely “open book” and project-based. Examination papers contain 5 questions from which candidates must choose 2 to answer. Using examples from real working environments, or by creating a case study, or a combination of both, candidates are required to assess issues, evaluate solution approaches, and customise and apply the SABSA method and framework to create and populate appropriate SABSA work-products (techniques, tools, templates, models, frameworks, etc.).
Examination answers must be provided within 4 weeks of the examination date.

Please understand that this more flexible format means your results will take longer than for Foundation - marking will only begin when the last delegate's exam is submitted which means it could take 10 to 12 weeks for notification if several delegates take the full four weeks to submit their exams.