Center for Qualified CyberSecurity Excellence & Mastery

"Where Qualified Cyber Education Happens"

Our Mission - Security University

Security University is the leading provider of Qualified Hands-On Cybersecurity Education, Information Assurance Training and Certifications for IT and Security Professionals in the world.

The mission of Security University is striving to provide our students with the highest quality Cybersecurity educational available through our Information Security and Information Assurance Training and Certifications for IT Security Professionals Worldwide.

Since 1999, Security University has led the professional cybersecurity education industry in hands-on information security training & education. Security University provides uniform IT security workforce training with performance based, tactical hands-on security skills that qualify and validate the workforce so less people can do the same job or more, with consistent cybersecurity skills. SU's Q/ISP Certification  rigorously qualifies and validates cyber security professionals with tactical security skills necessary to deliver the capability to establish, operate, defend, exploit, and attack in, through, and from the cyberdomain.  The Q/ISP® (Q/EH, Q/SA-Q/PTL, Q/FE, Q/ND)  Certification provides the only means of identifying and certifying "qualified" persons who subscribe to a rigorous requirement of learning objectives for maintaining their tactical security skills knowledge and proficiency with validated security skills and experience.

The SU Qualified Programs such as the Q/ISP were born from IS professionals who need to prove they are "Qualified" and validated for their job, not just certified.

CNSS achievement - all SU Performance-Based Security University classes have earned the CNSS highest non-academic approval.

Certified to Operate by State Council of Higher Education for Virginia (SCHEV)


Capt. Duby Q/EH, Q/SA, Q/PTL Summer 2018

As an Army Cyber Warfare Officer (17A) and professional cyber educator, I have participated in thousands of hours of cyber training through various training providers. I have extensive experience in cyber education from the perspective of a student, instructor, and content developer. I was immersed as a student in months of cyber training as a member of a Cyber Protection Team (CPT). I also participated in, and later instructed, cyber training courses for various government agencies. I also have years of experience in higher education as an adjunct professor of cyber security. Therefore, I have a uniquely experienced opinion on cyber security training and education.

It is my opinion that the quality of training provided by Security University is of the highest standards desired by employers and government agencies. Security University takes a unique graduated approach towards training and apprenticeship. Most training providers offer many individual classes, without considering the bigger picture of trainee development. Security University’s custom incremental approach to training forces trainees to retain and apply skills and theory gained in foundational classes into more advanced training scenarios. For examples, Security University’s Q/ISP curriculum provides trainees with extended exposure to tools, tactics, and techniques in a unique systemic manner that I believe is ideal for cyber professional skills development. It provides the desired balance between traditional university style education and stand-alone immersion classes.

Security University also provides advanced training paths in topics such as network defense, penetration testing, exploitation, digital forensics, and software security that is tailored to the trainee’s long-term skills acquisition goals. The instruction is provided by proven leaders in the field and guarantees graduates have the immediately applicable skills to be relevant in the cyber fight. In my experience, few practitioners can apply the skills gained in a traditional immersion course into the workforce. I have led, trained, and worked alongside with cyber professionals who have earned numerous industry certifications. However, it has been shown time and again that these certifications provide mere exposure without the critical analysis and creative thinking required to solve tough problems in our evolving cyberspace. Security University addresses this shortcoming with their training model and apprenticeship.

Security University comes with my highest recommendation for government, military, and civilian employers seeking a training approach to prepare our cyber workforce.

Adam Duby,Captain, USA, Department of Computer Science, University of Colorado at Colorado Springs

Paul Sparks DoD/DISA/JITC Q/EH , April 2009

I have over 20 years experience in both teaching and information security. I am highly concerned with the decline in real training revolving around the current challenges which we face. I was impressed with both the level of expertise and the instructor's ability to relay the information to the students. This is not simply another idiot boot camp but a well reasoned and directed classroom experience which prepares the student for the real world. The hands on exercises combined with the instructor's elevated knowledge base made the class enjoyable and extremely topical. When you compare Security University to other training groups in the region, they are infinitely superior in both talent and developmental materials. Security University has the right mindset in the development of their classes. They are working to impart valuable knowledge and not simply to push students through. I sincerely appreciate my time learning with Security University and would recommend it to any organization which actually wants to develop real IA professionals.

SHANE F.LIPTAK, Major , Cyber Defense Officer, 21st Signal Brigade / CISSP, GCIH, Q|SA, Q|PTL, MCTS, Sec +, Net+

Security University's Q|SA / Q|PTL program of instruction is impressive and superior to some other training programs in several ways ; one of them being the daily hands-on assessment of critical skills being taught. Another was the realistic practical final exam which included a penetration test with a final report that required some in-depth analysis of the resulting sets of data. I spent 30 post-course hours alone on analyzing the data and developing a 32 page report. That's definitely an experience you're not going to get through other training programs that teach a five day curriculum that's predominately lecture based.

The Q|SA and Q|PTL courses also expose the students to a wide range of open and closed source automated tools for use in security analysis and penetration testing as well as the built-in assessment and exploitation capabilities of both Linux and Windows based operating systems. I honestly can't understand how we expect to conduct defense in depth across the GiG without our technical workforce understanding basic exploitation, which is exactly what's missing from many other approved certifications. SU equally balances this with methodology and analysis techniques rather than relying on specific toolsets since tools frequently change and are always subject to interpretation of their results.

Many leaders and managers in a resource constrained environment try to meet FISMA compliance by targeting those one-shot, many-kills certifications that are on the DoD 8570.01M chart with little regard for how relevant the training might be for certain 8570 categories. No better example can be given than the inclusion of CISSP as an IAT validating certification. Being a CISSP I can attest that it's a great certification for a security manager as it is wide and deep in several essential bodies of knowledge. But it will not enable a security technician, especially at the enclave level, to secure enterprise environments from a hands-on technical approach nor understand the threat and environment essential to effective defense in depth. Therefore it adds little value for an organization to have an IAT-III CISSP from a technical standpoint, but practically, that person can also fill other roles since CISSP covers everything from IAT-I through IAM-III. Hence, managers focus on CISSP and miss excellent training like Security University's programs.

Security University training should be a major part of any organization's information security training programs. All other questions pls call

How To Start Being aware of the dangers of network security is the first step in defending your network. The next step is to certify your team that protects those assets by building your corporate arsenal of computer security knowledge.

Ethics Policy - Security University


A. Code

All qualified information security professionals who are qualified by Security University recognize that such qualification is a privilege that must be both earned, validated and maintained. In support of this principle, all Security University students are required to commit to fully support this Code of Ethics (the "Code"). Security University qualified credential holders who intentionally or knowingly violate any provision of the Code will be subject to action by a peer review panel, which may result in the revocation of student qualification. Student are obligated to follow the ethics complaint procedure upon observing any action by an Security University qualification holder that breach the Code. Failure to do so may be considered a breach of the Code pursuant to Canon III.

There are 3 mandatory canons in the Code. By necessity, high-level guidance is not a substitute for the ethical judgment of the qualified information security or assurance professional.

Guidance is provided for each of the 3 canons. This guidance may be considered by the School Director / President in judging behavior, it is not mandatory, only advisory. It is intended to help IS and IA professionals identify and resolve the any ethical dilemmas they confront during the normal course of their qualified information security or information assurance career.

Code of Ethics Preamble:

To each other requires that we adhere, and be seen to adhere, to the highest ethical standards of behavior. Strict adherence to this Code is a condition of qualification.

Code of Ethics Canons:

Canon 1 Act honorably, responsibly, and legally

Canon 2 Provide diligent and qualified services

Canon 3 Advance and protect the profession

Ethics Complaint Process


Security University Q/ISP Qualified/ Information Security professionals and are expected to behave in an ethical manner. They are expected to make difficult ethical decisions and to support one another in doing so. While the Board recognizes its obligation to provide the qualification holder with guidance on making ethical decisions, it does not expect to supervise or judge professionals in making these difficult decisions. The Board recognizes its responsibility to maintain the integrity of the qualification for the good of the profession, Security University may required to revoke qualification due to egregious behavior on the part of a particular qualification holder. It intends to deal with necessary complaints in a timely manner.

This document describes the procedure to be used when complaints are necessary. By publishing these procedures, the Board does not expect, invite, solicit, or encourage such complaints. The use of these procedures is for the sole purpose of protecting the reputation of the Qualification. They are not intended to be used to coerce or punish qualification holders.


The SU Board and its agents undertake to keep the identity of the complainant and respondent in any complaint confidential from the general public. While disclosure of the identity of the complainant will be avoided where possible, upon filing a complaint, the complainant implies consent to disclose his identity to the Board only for due process. Actions of the Board may be published at its discretion. Parties are encouraged to maintain confidentiality and qualification holders are reminded of their obligation to protect the IS and IA profession.

The Ethics Committee

The Ethics Committee is established as needed by the SU President to hear all ethics complaints and resolve all ethics issues. The committee serves at the convenience and discretion of the SU CEO. As complaints and responses are received, the committee reviews both sides and renders a decision to the SU CEO for a final approval.

Standing of Complainant

Complaints will be accepted only from those who claim to be injured by the alleged unethical behavior. While any student of the public may complain about a breach of Canon I, only principals (those with an employer/contractor relationship with the qualification holder) may complain about violations of Canons II and III. And only other IS or Cybersecurity professionals (those who are certified, licensed or qualified as a IS, IA or cybersecurity professional AND subscribe to a Code of Ethics) may complain about all violations.

Form of Complaints

All complaints must be in writing. The newly selected committee will not have an investigative body or resources. Only information submitted in writing will be considered in the form of sworn affidavits. Filing of false affidavits will mean revocation for complainant and revocation of Q/ISP Qualification forever. The CEO will not consider allegations in any other form.

Complaints should be sufficiently complete to enable the President to reach an appropriate resolution. The affidavit should specify the respondent, the behavior complained of, the violation or breach, and any corroborating evidence.

Rights of Respondents

Respondents to complaints are entitled to timely notification of complaints. The President will notify the respondent within thirty days from receipt of the complaint. The respondent is entitled to review all complaints, evidence, and other documents. The respondent will have thirty days from accepting and acknowledging delivery to submit information in defense, explanation, rebuttal, extenuation, or mitigation. The defense submission must sent to the CEO who will forward it to the committee in the form of a sworn affidavit. At no time will silence imply consent, that is, to the extent that the respondent is silent, the CEO will assume that he does not dispute the allegations.

Disagreement on the Facts

Where there is disagreement between the parties over the alleged facts, the President and Ethics Committee at its sole discretion, may invite additional corroboration, exculpation, rebuttals and sur-rebuttals in the attempt to resolve the dispute.

Findings and Recommendations

In reaching its recommendations, the President will prefer the most direct and conservative action consistent with its findings.

Notification and Right of Comment

The President will notify the parties of its resolution thirty days prior to any action. Parties may submit comment on these recommendations for consideration by the President.

Disciplinary Action & Resolution

Discipline of qualification holders is at the sole discretion of the President. Decisions of the President are final. Parties will be notified of the final disposition within thirty days of CPresident's actions. All complaints should comply with the procedure stated and be mailed to the following address:

Ethics Complaint - Security University, 12001 Sunrise Valley Dr, Suite 203, Reston, VA 20191, USA

Questions should be directed to: or

Ethics Committee

The Ethics Committee is established as needed by SU's CEO to hear all ethics complaints and advise of resolutions. The students of the committee serve at the convenience and discretion of the CEO.


Security University CEO selects Advisors that are drawn from SME experts in the field and the top qualified individuals for a given qualification. Each SU advisor has a proven track record in the related qualification, has the ability, and the interest in the security community.

Why would anyone want to serve as a Security University Program advisor? Well, there are several reasons:

If Student is interested in becoming a Security University Advisor, student may apply to