
SEC598: AI and Security Automation for Red, Blue, and Purple Teams

SEC598 | Offensive Operations
  • 6 Days (Instructor-Led)
  • 36 Hours (Self-Paced)
Course authored by: Jeroen Vandeleur & Jason Ostrom
  • 36 CPEs

    Apply your credits to renew your certifications

  • In-Person or Virtual

    Attend a live, instructor-led class from a location near you or virtually from anywhere

  • 25 Hands-On Lab(s)

    Apply what you learn with hands-on exercises and labs

Harness GenAI, agentic AI, world-class automation, emulation and detection-as-code to unify red and blue operations into a continuous purple team model.

Course Overview

SEC598: AI and Security Automation for Red, Blue, and Purple Teams empowers you to elevate your security program across offensive and defensive domains. Whether you're automating adversary emulation campaigns, building intelligent response workflows, or engineering detection-as-code pipelines, this course teaches you to harness AI-driven automation to outpace modern threats.

You’ll develop the skills to operationalize AI, agentic automation, detection-as-code, and SOAR while integrating GenAI and LLMs into enrichment and response workflows, deploying secure cloud infrastructure, and emulating attack techniques.

These capabilities are brought to life through 25 immersive labs and practical frameworks that unify red and blue team functions into continuous purple teaming—enabling you to automate offensive testing, scale cloud-native detection, and build AI-powered playbooks for faster, smarter, and more resilient cybersecurity operations.

What You’ll Learn

  • Build and operationalize automation playbooks for both offensive and defensive workflows
  • Implement detection-as-code pipelines and integrate them into CI/CD environments
  • Apply LLM-powered workflows for enrichment, detection generation, and decision support
  • Engineer and deploy RAG-based agents for investigation and context-aware response
  • Utilize red team AI agents for autonomous adversary emulation and control validation
  • Design and implement AI-augmented defensive playbooks to reduce detection and response time
  • Adopt automation and continuous purple teaming practices to unify offensive and defensive teams

Business Takeaways

  • Accelerate SOC maturity by automating repetitive tasks and enabling AI-driven decision-making
  • Bridge operational gaps between red and blue teams through continuous purple teaming
  • Modernize detection engineering by adopting detection-as-code and CI/CD best practices
  • Reduce risk exposure by continuously validating defenses against AI-driven adversaries
  • Maximize security operations capabilities by integrating automation and AI into existing processes
  • Develop future-ready skills to manage increasingly hybrid and AI-powered environments

Course Syllabus

Explore the course syllabus below to view the full range of topics covered in SEC598: AI and Security Automation for Red, Blue, and Purple Teams.

Section 1: Foundations of GenAI, LLMs, & Security Automation

Build the foundation for modern security automation by understanding why AI and automation matter now. Learn how to secure AI systems, leverage AI for security, and integrate automation strategies that scale across hybrid cloud environments and SOC operations.

Topics covered

  • Why security automation and AI are critical today
  • Security engineering: the CI/CD approach
  • Configuration management & policy-as-code at scale
  • Automation triggers and SOAR workflows
  • Foundations of detection-as-code, GenAI and LLMs

Labs

  • One Bucket Is All It Takes
  • OS Hardening Baselines with Ansible
  • Link Triggers to Automation Scripts
  • Intro to LLM and RAG
  • Detection as Code I: Write a Detection Using LLM

Section 2: Security Automation Engineering & AI Workflows

This section focuses on practical automation workflows using PowerShell, Terraform, Ansible, Python, and Jupyter Notebook. Students will learn how to build secure infrastructure-as-code deployments, create automated firing ranges, engineer SOAR playbooks, and develop AI-driven agentic workflows for next-generation SOC operations.

Topics covered

  • Automated security workflows with PowerShell for both offense and defense
  • Infrastructure as Code (IaC) for secure cloud management using Terraform
  • Building automated firing ranges for testing and validation
  • Python and Jupyter Notebook for SOC enrichment and analysis
  • SOAR tooling, playbook automation, and agentic AI engineering

Labs

  • OS Hardening Baselines with PowerShell
  • Cloud Management with Terraform
  • Deploying a Firing Range with Terraform and Ansible
  • Email Threat Analysis with Jupyter Notebook
  • Creating a Tines Story

Section 3: Cloud Automation & AI Security Services

This section covers cloud-native security automation across Microsoft Azure and AWS. You will learn to enforce security policies, automate response workflows, integrate AI services, and deploy offensive and defensive automation, including AI-driven Kubernetes attack simulation and continuous security testing with GenAI-powered agents.

Topics covered

  • Cloud security fundamentals and governance (Azure & AWS)
  • Cloud-native services for automated security monitoring & enforcement
  • Intelligent automation with Microsoft AI and AWS Bedrock services
  • Cloud-native incident response, monitoring, and third-party API integrations
  • AWS AI agents targeting Kubernetes and continuous security testing

Labs

  • Create Automated Actions in Azure
  • Cloud-Native IR for Compromised Systems
  • Continuous Security Testing Enhanced with AI
  • Kubernetes Takedown with Offensive AI Agents

Section 4: Red Team Automation & Offensive AI Agents

This section explores offensive automation using AI-powered red team agents, adversary emulation frameworks, and CI/CD-driven continuous testing. Students will learn to leverage MITRE ATT&CK, automate multi-step attack flows, simulate autonomous adversaries, and validate cloud detection capabilities using AI-augmented offensive techniques.

Topics covered

  • Adversary emulation & purple teaming methodologies
  • MITRE ATT&CK-driven offensive frameworks
  • AI-powered red team agents & autonomous adversaries
  • Cloud-native adversary emulation and detection validation
  • Continuous adversary simulation integrated into CI/CD pipelines

Labs

  • Fully Automate Adversary Techniques with Atomic
  • Using Caldera to Run a Breach Exercise
  • Red Team Agents with CrewAI
  • Cloud Adversary Simulation with Automated Detections
  • Adversary Emulation as Code using Tines

Section 5: Defensive Automation & AI-Augmented Response

Learn to operate automation and AI to strengthen your SOC. This section focuses on defensible architecture, detection-as-code, modular incident response playbooks, and AI-driven workflows. Students will also explore how to counter adversarial automation with AI-augmented defenses and continuous purple teaming.

Topics covered

  • Modern SOC evolution and automation priorities
  • Defensible architectures with embedded automation
  • Modular incident response and SOAR workflows
  • AI-infused detection-as-code pipelines
  • Countering adversarial automation with defensive automation

Labs

  • Automated Triage and Analysis with Velociraptor and Timesketch
  • Create an Incident Response Playbook in PowerShell
  • Create an Incident Response Playbook in Tines
  • Detection as Code II: LLM-Assisted Detection Testing
  • Create an Adversary Emulation & Detection Playbook

Things You Need To Know

Relevant Job Roles

Systems Administration (OPM 451)

NICE: Implementation and Operation

Responsible for setting up and maintaining a system or specific components of a system in adherence with organizational security policies and procedures. Includes hardware and software installation, configuration, and updates; user account management; backup and recovery management; and security control implementation.


Systems Security Analysis (OPM 461)

NICE: Implementation and Operation

Responsible for developing and analyzing the integration, testing, operations, and maintenance of systems security. Prepares, performs, and manages the security aspects of implementing and operating a system.


Purple Teamer

Offensive Operations

In this fairly recent job position, you have a keen understanding of both how cybersecurity defenses (“Blue Team”) work and how adversaries operate (“Red Team”). During your day-to-day activities, you will organize and automate emulation of adversary techniques, highlight possible new log sources and use cases that help increase the detection coverage of the SOC, and propose security controls to improve resilience against those techniques. You will also work to help coordinate effective communication between traditional defensive and offensive roles.


Cyber Operations Planner (DCWF 332)

DoD 8140: Cyber Effects

Coordinates cyber operations plans, working with analysts and operators to support targeting and synchronization of actions in cyberspace.


Course Schedule & Pricing

Scheduled events (prices exclude applicable local taxes):

  • Boston, MA, US & Virtual (live), instructed by Jason Ostrom: $8,780 USD
  • Las Vegas, NV, US & Virtual (live), instructed by Jason Ostrom: $8,780 USD
  • Singapore, SG & Virtual (live), instructed by Jeroen Vandeleur: $8,900 USD
  • Tokyo, JP & Virtual (live), instructed by Jeroen Vandeleur: ¥1,335,000 JPY
  • Orlando, FL, US & Virtual (live), instructed by Jason Ostrom: $8,780 USD
  • Rockville, MD, US & Virtual (live), instructed by Jeroen Vandeleur: $8,780 USD
  • Amsterdam, NL & Virtual (live), instructed by Jeroen Vandeleur: €8,230 EUR
  • Orlando, FL, US & Virtual (live), instructed by Jason Ostrom: $8,780 USD
