I'm unsure about the Mandiant specific course but common logic dictates that Vendor initiated courses will teach you vendor specific software. Bejtlich runs (or ran) his "TCP Weapons" class at Blackhat and he (in my opinion) is so so. He tends to blurt China on everything under the sun and this is likely because is fixated on an enemy from his years in the USAF. In fact, I believe 90% of what Richard talks about is China in correlation to "threats" but that's neither here nor there.

He wrote the book on Extrusion Detection which was an excellent book however, what he and Mandiant do in their course are up for grabs. My guess is they're nothing more than tailored Mandiant sales pitches with enough technical verbiage to keep students thinking its Incident Response. Had I to choose, I would opt for SANS' or CERT's training on this subject

He just started at Mandiant last year when did you attend Weapons


I have yet to attend a vendor specific class where their products weren't the "gist" of the training. Again, this is not to say the class won't be or isn't good, I just opt to choose for vendor neutral courses. Its one of the reasons I have stayed away from the EnCe, CCxx (Cisco), JNCxx (Juniper) classes.

I would think that CERT would have a broader reach because of their visibility and collaboration with gov, businesses and academia. They are also considered to be the fathers of IR. Joe McCray has some interesting classes but then we're getting into name recognition based on your signature: Do you drop "Mandiant Training" versus "Joe McCray" training. Personally, I'd opt for something outside the norm (CERT) however, some of the SANS guys if I'm not mistaken train via Mandiant as well.