Sandia Lab News

Cyber Residency Program


Medically inspired rotation program trains, retains Sandia cyber experts

PROBLEM SOLVERS — Sandia cybersecurity experts Kinsleigh Wong, left, and Matthew Trotter work through a problem regarding a scenario that is part of the general forensics rotation of Sandia’s cyber residency program. (Photo by Craig Fritz)

The American Medical Association describes residency as a bridge between medical school and independent practice, giving residents an immersive experience to apply what they have learned while building expertise.

Swap medicine for cybersecurity and you get a good sense of Sandia’s cyber residency program. The program offers a tailored, hands-on learning experience for cyber defenders right out of college, as well as Sandia employees with other expertise who want to transition into cybersecurity.

“We observed that most of the cybersecurity defenders took about 18 months to become proficient,” said Han Lin, a Sandia manager who founded and oversees the program. “Our initial motivation for creating the program was to fast-track their learning so they would be contributing and being impactful in six months instead.”

The program has been running about five years and roughly 75 employees have completed the residency. About 20% of residents were Sandia employees with related expertise who wanted to explore cybersecurity, while the rest were recent graduates.

Residents rotate through as many as five cybersecurity focus areas, with each rotation lasting as long as needed for the resident to gain the necessary skills, Han said. All residents gain experience in computer forensics, while rotations in incident response, red teaming, information assurance and secure software depend on a resident’s interests.

Introduction to computer forensics

RESIDENT MENTORS — Sandia cybersecurity experts Matthew Trotter, left, Kinsleigh Wong, right, and manager Han Lin discuss logistics of Sandia’s cyber residency program and the Forensic and Incident Response Exercise also known as Tracer FIRE. (Photo by Craig Fritz)

Much like crime scene investigation, computer forensics involves examining the data and clues left behind after an attack or breach to identify the culprit and determine whether they accomplished their objective. The work can include network forensics, application forensics and memory forensics. Each area requires specialized tools to avoid disturbing any evidence, Han said.

The computer forensics rotation includes lectures and active-learning assignments, said Kinsleigh Wong, a Sandia cybersecurity expert and former resident who helps run the rotation. Depending on whether a resident is an established employee exploring a new career or a recent graduate, the rotation can be part time while the employee continues normal work or a full-time commitment, Han said.

One lecture focuses on memory forensics, said Matthew Trotter, a Sandia cybersecurity expert who teaches the session and supports the rotation. He described memory forensics as conducting an “autopsy” on computer memory to capture clues before they disappear when a device loses power. The work requires specific tools and technical expertise, he said.

“People are generally pretty receptive and say it’s very interesting because it’s not something you learn about in a traditional educational course,” Matthew said. “It’s been memorable sharing knowledge that I gained from diving into it and learning how to tailor the talk to share my knowledge in an accessible manner.”

To help residents remember the process workflow, Matthew created an exercise built around a mock cyberattack, including a list of tools and steps he would use to extract forensic data from memory.

Creating a practical exercise

As part of the general forensics rotation, residents use what they learn to create a new Tracer FIRE scenario. Tracer FIRE, short for Forensic and Incident Response Exercise, is a three-day cyber workshop. Sandia partners with universities to offer the exercise and provide students with a realistic experience. Kinsleigh added that Tracer FIRE also gives current cybersecurity staff an opportunity to practice and maintain their skills.

Each summer’s scenario is different and has ranged from protecting an electric scooter company from ransomware and corporate espionage to defending a municipal water supply’s operational technology from hackers and a rogue CEO, Kinsleigh said. Each resident, Tracer FIRE intern and staff member involved in the exercise is responsible for building part of the scenario, whether that is setting up an element of the attack or preparing digital “clues” tied to a segment of the narrative.

Han said Tracer FIRE also serves as a recruiting tool. Students who thrive in the exercise can apply for summer internships at Sandia, and top interns are often hired as staff after graduation, helping create a talent pipeline.

PAWN TO D4 — Sandia cybersecurity expert Kinsleigh Wong keeps a chess board in his office when he needs to take a mental break. Kinsleigh, a past resident, now serves as a mentor for Sandia’s cyber residency program. (Photo by Craig Fritz)

Once residents complete the program, they mentor the next group of residents, Han said. Spreading mentorship across alumni reduces the burden on any one person and gives former residents a chance to deepen their expertise and build leadership skills.

Kinsleigh said he started at Sandia as an intern in 2018 and was hired in 2021. Since completing the residency, he has mentored about 10 residents. He said his favorite rotation was incident response, where residents learn the practical steps of responding to a cyberattack instead of analyzing evidence afterward.

“I especially liked the incident response rotation because I liked seeing the tools and processes that are used by our incident response teams,” Kinsleigh said. “It really fleshed out my whole view of enterprise cybersecurity at Sandia.”

Building a network

Beyond technical training, Han said the program is designed to help new employees build a professional network across the organization.

“If they need a network forensics expert, they know who to call because they worked with one during a rotation,” Han said. “They find people they enjoy working with and learning from, so they stay. Retention is not always about money. It’s about the people you work with too.”

Kinsleigh said networking is a vital part of the residency.

“It feels like I’m a connector,” he said. “As a mentor, I’m focused on letting them know what’s here and connecting them with their interests. If they’re really good at software development, I might have them explore malware development.”

Matthew, who joined Sandia before the residency program began, said the structure would have helped him early in his career.

“I remember when I started, I was inundated with all these different tools and processes that I had to learn on the go,” he said. “It was overwhelming. With the residency program, it gives you time to learn without having expectations on you. It really helps. We’ve gotten some really great hires out of the program.” 

Recent articles by Mollie Rappe