Staff Profile: David Hoelzer

David is most often associated with the SANS Institute as the author of more than twenty days of SANS courseware and as a faculty fellow.

Before founding Cyber-Defense, David served as the Director of GIAC, the world renowned security certification associated with The SANS Institute. While in this post, David oversaw the entire certification program and the creation of a number of GIAC certifications. Most notably, he brought the original GIAC Security Expert (GSE) certification to life, serving as the primary exam author and grader for what is widely considered to be the most difficult certification in the security field.

Prior to his association with SANS, David served as a senior network engineer and later as the security project manager for Standard Microsystems Corporation. David is currently the Chief Information Security Officer for CyberDefense, the parent company of Enclave Forensics. Within Enclave Forensics he serves as the Director of Research and a principal forensic examiner. In addition to day to day responsibilities, he has acted as an expert witness for the Federal Trade Commission and continues to teach at major SANS conferences, training security professionals from organizations including NSA, USDA Forest Service, Fortune 500 security engineers and managers, DHHS, various DoD sites, national laboratories and many colleges and universities. From time to time David also speaks nationally and internationally on various security topics. David holds a B.S.,I.T, Summa Cum Laude.

David is also an adjunct research associate of the UNLV Center for Cybersecurity Research, a SANS Technology Institute Fellow and a Research Fellow with the Identity Theft and Financial Fraud Research Operations Center (ITF/FROC), an NSA center of excellence.


Recent Accomplishments


  • Design, development and release of VisualSniff network visualization tool.


  • Appointed to STI Accreditation Steering Committee
  • Trained analysts at Fort Meade on advanced network & system analysis techniques
  • Provided expert training and consulting to Singapore government on information security issues
  • Guest lecturer, NEHIA
  • Guest lecturer, IIA National Conference, Toronto, Canada
  • Guest lecturer, ISACA regional conference, Washington, DC
  • Audit and Information Security consulting for SONY


  • High level management consulting for the IRS
  • Information security consulting and CIO level advice to portions of California State University system
  • Guest Lecturer at various ISACA chapters nationwide
  • Digital forensic examinations for several Fortune 100 organizations leading to successful outcomes for clients in all cases


  • Adjunct Professor, UNLV School of Informatics
  • Appointed as Audit Curriculum Lead, SANS Technology Institute
  • Released updated Self-Assessment toolkit for PCI/DSS
  • Authored “PCI/DSS What Matters for Management”
  • Elected member at large, SANS Technology Institute Ethics Committee


  • Appointed to the SANS Technology Institute Curriculum Committee
  • Architect, build and manage a large 30+ sensor distributed NIDS processing more than 250 gigabytes of data per day in near real time
  • Trained U.S. Department of Energy staff on cutting edge hacker techniques & overall network security best practice
  • Interview for on PCI/DSS 6.6 implementation requirements (available here)


  • Creation of Secure Coding for PCI Compliance (specific to web applications) curriculum and course materials
  • Creation of PASIFOR network forensics and research system
  • Creation of Enclave Carver digital data identification and carving tool


  • Forensic research and comparison of various major disk wiping products for effectiveness
  • Security consulting for the US Department of Health and Human Services
  • Creation of DAD log analysis and reporting tool


  • Creation of the PCI Self Assessment Toolkit
  • Forensic consulting for United States Treasury
  • Authored the SANS PCI hands on validation course
  • Created an automated scoring system for the technical portions of the PCI standard
  • Taught detailed computer forensics and media analysis for forensic investigators at NRI in Tokyo
  • Creation of a secure programming course through the creation of a Perl, PHP and MySQL based web application
  • Creation and production of the SANS Site Security Standard


  • Appointed a research fellow with the Internet Forensics Center
  • Appointed as an Adjunct Research Associate of the Center for Cybersecurity Research
  • Recently retained to author The SANS Institute's class on the Visa 'Digital Dozen' for e-commerce
  • Named an external Director by The SANS Institute, Director of Site Certification
  • Author of the 2004 GIAC GSE certification exam
  • Creation of a retrospective network classification and analysis tool for the identification of trends in user utilization for better productivity management
  • Taught classes for NSA and NCIS personnel on penetration and incident forensic techniques


  • Retained as an expert witness by the Federal Trade Commission
  • Created and authored the SANS Institute's ISO-17799 implementation track
  • Creation of a universal cipher analysis tool; this tool is uniquely useful for analyzing the patterns produced when varying ciphers are applied to a particular type or piece of data in order to measure how effectively the information is protected from cryptanalysis
  • Creation of a network based analysis tool capable of identifying encrypted covert network streams operating over arbitrary protocols
  • Created and authored the SANS Institute's 'Audit Essentials' track
  • Creation of the GSE (GIAC Security Expert) certification
  • Creation of a generic forensic analysis tool capable of identifying and extracting Unicode and normal text fragments within an NTFS disk partition


  • Took over management of SANS Institute's Advanced System and Network Auditing track
  • Design and implementation of a system for detecting and analyzing various encapsulation types operating over the same physical network media, thus enabling administrators to track down rogue network stacks and misconfigurations


  • Creation of PAE (Packet Analysis Engine) for statistical analysis of network traffic; this tool is especially tuned for identifying unusual patterns within IP traffic that could indicate stealthy scanning techniques, unusual data transfers or the use of covert channels
  • Creation of the ‘DNSInjector’ appropriate use monitoring and enforcement tool for corporate Internet usage
  • Creation of ‘TCPMunge’ traffic manipulation tool, allowing security professionals to safely discuss actual network traffic dumps without disclosing confidential information


  • Various contributions to notable on-going intrusion detection research efforts including the Snort project and the Shadow Intrusion Detection System