SEC595: Applied Data Science and AI/Machine Learning for Cybersecurity Professionals
SEC595Cyber Defense, Artificial Intelligence
SANS Community Benefits
Connect, learn, and share with other cybersecurity professionals
AI-FOCUSEDMajor updates
SEC573: AI-Powered Security Automation: Building Tools with Python, LLMs, and MCP
SEC573Cyber Defense, Artificial Intelligence
- 6 Days (Instructor-Led)
- 36 Hours (Self-Paced)
Course authored by:
Mark Baggett
Course authored by:Mark Baggett
- GIAC Python Coder (GPYC)
- 36 CPEs
Apply your credits to renew your certifications
- In-Person, Virtual or Self-Paced
Attend a live, instructor-led class at a location near you or remotely, or train on your time over 4 months
- Advanced Skill Level
Course material is geared for cyber security professionals with hands-on experience
- 128 Hands-On Lab(s)
Apply what you learn with hands-on exercises and labs
Learn how we can leverage Agentic AI development and Python as security professionals. From the Python essentials to developing AI Agents for your own information security tools.
Featured Quote
I have had a few Python courses in the past in school, but I am already learning new things and ways to find new information on Day 1.
Course Overview
Are you ready to supercharge your cybersecurity career with AI-driven automation and tackle the evolving threats in today's digital landscape? The key is mastering AI integration through practical tools like MCP (Message Context Protocol) and OpenAI agents, all built on accessible Python foundations. Want to leverage AI for real-time anomaly detection, automate analysis of forensic artifacts, or develop custom agents that uncover hidden attack patterns and outpace adversaries? From building AI-powered log analysts to integrating automation frameworks like n8n to writing stand along autonomous AI agents, this course equips you with the skills to harness massive data streams, enhance forensics, and create intelligent defenses that keep you ahead.
SEC573: AI-Powered Security Automation positions AI as the core of modern infosec. You will be taught to write and debug Python code. And when the code gets a little too complex you will learn to leverage AI code writing agents to "Vibe code" a solution to today complex problems. Have you ever wondered why so many SANS courses touch on the Python basics? It's because mastering Python is essential for completing advanced labs and staying relevant in fields like data science, machine learning, and penetration testing. This class will teach you the essentials and how to leverage AI to write, explain and enhance your Python programs to solve real-world problems.
When you're ready to elevate AI from a buzzword to your infosec superpower, SEC573 delivers exactly what you need to get started. This course also prepares you for the GPYC certification (GIAC Python Coder), validating your ability to apply AI and Python to solve real-world cybersecurity challenges.
What You’ll Learn
- Leverage AI to develop new tools to perform routine tasks quickly and efficiently.
- Automate log analysis and packet analysis with AI agents, file operations, regular expressions, and analysis modules to detect threats
- Develop forensics tools to carve binary data, process unstructured AI data, and extract new artifacts
- Read data from databases and the Windows Registry to support AI-driven for investigations and tool development
- Interact with websites and APIs to enrich logs and AI prompts to accomplish information security tasks
- Develop MCP servers and OpenAI agents for advanced automation and threat identification and response
- Understand prompt injection attacks and build secure AI integrations
Business Takeaways
- Automate system processes with AI to handle inputs quickly and efficiently
- Create AI-driven programs that increase efficiency and productivity
- Develop intelligent tools to provide the vital defenses our organizations need
- Integrate AI agents for proactive threat detection and response
- Streamline forensics and incident response with custom AI automations
- Enhance cloud and network security through AI-powered monitoring and analysis
- Build resilient systems against emerging threats using MCP and OpenAI technologies
Meet Your Author
Mark Baggett
FellowSANS Faculty Fellow Mark Baggett authored SEC573 and SEC673, leads as CTO of the SANS Internet Storm Center, and empowers defenders to automate security through practical, real-world application.
Read more about Mark BaggettCourse Syllabus
Explore the course syllabus below to view the full range of topics covered in SEC573: Automating Information Security with Python.
Section 1Essential Skills Workshop
The course starts with an intro to Python and the pyWars Capture-the-Flag challenge. Students learn at their own pace in the pyWars lab, with over 100 hands-on labs to build life-changing skills. Advanced students tackle Python bonus challenges, while beginners start with Python essentials.
Topics covered
- Leveraging AI and Vibe Coding
- The Essentials of Python Coding
- Variables and Math Operators
- Strings and Functions
- Visual Studio Code and Debugging Code
Labs
- 36 hands-on labs in Section 1 alone!
- Working with Python Numeric variables
- Working with Python Strings, Bytes and More
- Understanding and Using Python Functions
- Leveraging the Python Debugger to fix errors
Section 2Essentials Knowledge Workshop
You won't learn programming from slides. This section builds on the hands-on approach, covering data structures and programming concepts. Learn to use Python Virtual Environments to resolve library conflicts and organize your setup. We also cover debugging with Visual Studio Code and share tips to become a better Python programmer.
Topics covered
- Python Virtual Environments
- Python Modules
- Lists, Loops, and Tuples
- Dictionaries
- Tips Tricks and Shortcuts
Labs
- There are 22 Hands on labs for Section 2 alone
- Need more? There are 7 Bonus labs on section 2 material
- Managing and Using 3rd Party Modules and Virtual Environments
- Master using Python Lists and Loops
- Data Processing with Python Dictionaries and Sets
Section 3Automated Defense with AI
In this section, we take on the role of network defenders, using AI to develop code and access data to solve complex challenges. We’ll explore AI's limitations and the need for offline analysis, including regex and file analysis. Forensics and offensive security pros will also benefit, as skills like file reading and data parsing are essential for them.
Topics covered
- File Operations
- Leveraging Code writing Agents and “Vibe Coding”
- Developing MCP Server Leveraging Automation Frameworks like n8n
- Targeting Useful data with Regular Expressions
- Log Parsing, Data Analysis Tools and Techniques
Labs
- 18 hands on labs (plus 30+ CTF challenges to test your python coding/vibe coding skills)
- Solving File I/O Challenges with Python and Vibe Coding
- Developing MCP servers and integrate them into N8N
- Using Regular Expression to find relevant data
- Data Analytics Techniques to Minimize Context Windows
Section 4Automated Forensics with AI
In our forensics-themed section, we will assume the role of a forensic analyst who has to carve evidence from artifacts when no tool exists to do so. Even if you don't do forensics, you will find that the skills.
Topics covered
- Processing Unstructured and Structured Data
- Developing AI Agents with Chat Completion and Tool Calling
- Developing AI Agents with the Responses API
- Giving Access to data sources such as JSON, Windows Registry, SQL data
- Accessing Web APIs and Web Applications
Labs
- Section 4 introduces 17 more labs in addition to the 30+ bonus CTF labs
- Processing unstructured data with Struct, Pydantic and Regex
- Developing AI Agents
- Accessing the Windows Registry
- Accessing Web APIs and Web Applications
Section 5Automated Offense with AI
In this offensive-themed section, we become penetration testers whose attempts have been blocked by modern defenses. You will build an agent to bypass these defenses and gain remote access. We’ll also learn how AI agents can be turned against us by exploring AI guardrails, their limitations, and applying them in offensive exercises.
Topics covered
- AI Prompt Injection Attacks and Techniques
- OpenAI Agent Input and Output Guardrails
- Network TCP and UDP Socket Operations
- Exception Handling and Process Execution
- Blocking and Non-blocking Sockets
Labs
- Prompt Injection Attacks against real world models
- Communicating with TCP Sockets
- Using error handling to develop a port scanner
- Executing subprocesses to create a backdoor
- Handling large amounts of data across a socket for uploads
Section 6Capstone Workshop
In the final section, you’ll team up with other students to apply your skills in programming challenges. You’ll solve problems, exploit vulnerable systems, analyze packets, parse logs, and automate code execution on remote systems. Test your skills, tackle challenges, and prove your expertise!
Things You Need To Know
Relevant Job Roles
Data Analysis (OPM 422)
NICE: Implementation and OperationResponsible for analyzing data from multiple disparate sources to provide cybersecurity and privacy insight. Designs and implements custom algorithms, workflow processes, and layouts for complex, enterprise-scale data sets used for modeling, data mining, and research purposes.
Explore learning pathTechnology Research and Development (OPM 661)
NICE: Design and DevelopmentResponsible for conducting software and systems engineering and software systems research to develop new capabilities with fully integrated cybersecurity. Conducts comprehensive technology research to evaluate potential vulnerabilities in cyberspace systems.
Explore learning pathMalware Analyst
Digital Forensics and Incident ResponseMalware analysts face attackers’ capabilities head-on, ensuring the fastest and most effective response to and containment of a cyber-attack. You look deep inside malicious software to understand the nature of the threat – how it got in, what flaw it exploited, and what it has done, is trying to do, or has the potential to achieve.
Explore learning pathDigital Forensic Analyst Training, Salary, and Career Path
Digital Forensics and Incident ResponseThis expert applies digital forensic skills to a plethora of media that encompass an investigation. The practice of being a digital forensic examiner requires several skill sets, including evidence collection, computer, smartphone, cloud, and network forensics, and an investigative mindset. These experts analyze compromised systems or digital media involved in an investigation that can be used to determine what really happened. Digital media contain footprints that physical forensic data and the crime scene may not include.
Explore learning pathDigital Forensics (OPM 212)
NICE: Protection and DefenseResponsible for analyzing digital evidence from computer security incidents to derive useful information in support of system and network vulnerability mitigation.
Explore learning pathMilitary Operations / Law Enforcement Agents
Digital Forensics and Incident ResponseExecute digital forensic operations under demanding conditions, rapidly extracting critical intelligence from diverse devices. Leverage advanced threat hunting and malware analysis skills to neutralize sophisticated cyber adversaries.
Explore learning pathVulnerability Assessment
SCyWF: Protection And DefenseThis role tests IT systems and networks and assesses their threats and vulnerabilities. Find the SANS courses that map to the Vulnerability Assessment SCyWF Work Role.
Explore learning pathMedia Exploitation Analyst
Digital Forensics and Incident ResponseThis expert applies digital forensic skills to a plethora of media that encompasses an investigation. If investigating computer crime excites you, and you want to make a career of recovering file systems that have been hacked, damaged or used in a crime, this may be the path for you. In this position, you will assist in the forensic examinations of computers and media from a variety of sources, in view of developing forensically sound evidence.
Explore learning pathCourse Schedule & Pricing
Looking for Group Purchase Options?Contact Us
GIAC Certification Attempt
Add a GIAC certification attempt and receive free two practice tests. View pricing in the info icons below.
Location & instructorDate & TimeCourse priceRegistration Options
- Date & TimeOnDemand (Anytime)Self-Paced, 4 months accessCourse price$8,780 USD*Prices exclude applicable local taxesBuy now for access on Mar 27. Use code Presale10 for 10% off course price!Registration Options
- Date & TimeFetching schedule..Course price$8,780 USD*Prices exclude applicable local taxes
- Date & TimeFetching schedule..Course price€8,230 EUR*Prices exclude applicable local taxes
- Date & TimeFetching schedule..Course price$8,780 USD*Prices exclude applicable local taxes
- Date & TimeFetching schedule..Course price$8,780 USD*Prices exclude applicable local taxes
- Date & TimeFetching schedule..Course price$8,780 USD*Prices exclude applicable local taxes
- Date & TimeFetching schedule..Course price$8,780 USD*Prices exclude applicable local taxes
- Date & TimeFetching schedule..Course price£7,160 GBP*Prices exclude applicable taxes | EUR price available during checkout
- Date & TimeFetching schedule..Course price$8,780 USD*Prices exclude applicable local taxes
Showing 9 of 9
Learn Alongside Leading Cybersecurity Professionals From Around The World
- Slide 1 of 3Python is a tool required in the world of InfoSec, and SEC573 helped me build that tool belt.
- Slide 2 of 3Very well put together. I have been afraid of learning how to code for years. Within the first days' worth of material my mind has been put at ease.
- Slide 3 of 3SEC573 is excellent. I went from having almost no Python coding ability to being able to write functional and useful programs.
Slide 1 of 0
(1/0)
Benefits of Learning with SANS
Get feedback from the world’s best cybersecurity experts and instructors
Choose how you want to learn - online, on demand, or at our live in-person training events
Get access to our range of industry-leading courses and resources