SEC595: Applied Data Science and AI/Machine Learning for Cybersecurity Professionals
SEC595Cyber Defense
SANS Community Benefits
Connect, learn, and share with other cybersecurity professionals
Major updates
SEC598: AI and Security Automation for Red, Blue, and Purple Teams
SEC598Offensive Operations
- 6 Days (Instructor-Led)
- 36 Hours (Self-Paced)
Course authored by:
Jeroen Vandeleur & Jason Ostrom
Course authored by:Jeroen Vandeleur & Jason Ostrom
- 36 CPEs
Apply your credits to renew your certifications
- In-Person, Virtual or Self-Paced
Attend a live, instructor-led class at a location near you or remotely, or train on your time over 4 months
- 25 Hands-On Lab(s)
Apply what you learn with hands-on exercises and labs
Harness GenAI, agentic AI, world-class automation, emulation and detection-as-code to unify red and blue operations into a continuous purple team model.
Featured Quote
I highly recommend SEC598 for its exceptional blend of practical security automation across both offensive and defensive domains. The course stands out for its hands-on approach to automating real-world security scenarios. It successfully bridges the gap between theoretical knowledge and practical application, teaching students not just what to automate, but how to effectively implement and maintain security automation workflows.
Course Overview
SEC598: AI and Security Automation for Red, Blue, and Purple Teams empowers you to elevate your security program across offensive and defensive domains. Whether you're automating adversary emulation campaigns, building intelligent response workflows, or engineering detection-as-code pipelines, this course teaches you to harness AI-driven automation to outpace modern threats.
You’ll develop the skills to operationalize AI, agentic automation, detection-as-code, and SOAR while integrating GenAI and LLMs into enrichment and response workflows, deploying secure cloud infrastructure, and emulating attack techniques.
These capabilities are brought to life through 25 immersive labs and practical frameworks that unify red and blue team functions into continuous purple teaming—enabling you to automate offensive testing, scale cloud-native detection, and build AI-powered playbooks for faster, smarter, and more resilient cybersecurity operations.
What You’ll Learn
- Build and operationalize automation playbooks for both offensive and defensive workflows
- Implement detection-as-code pipelines and integrate them into CI/CD environments
- Apply LLM-powered workflows for enrichment, detection generation, and decision support
- Engineer and deploy RAG-based agents for investigation and context-aware response
- Utilize red team AI agents for autonomous adversary emulation and control validation
- Design and implement AI-augmented defensive playbooks to reduce detection and response time
- Adopt automation and continuous purple teaming practices to unify offensive and defensive teams
Business Takeaways
- Accelerate SOC maturity by automating repetitive tasks and enabling AI-driven decision-making
- Bridge operational gaps between red and blue teams through continuous purple teaming
- Modernize detection engineering by adopting detection-as-code and CI/CD best practices
- Reduce risk exposure by continuously validating defenses against AI-driven adversaries
- Maximize security operations capabilities by integrating automation and AI into existing processes
- Develop future-ready skills to manage increasingly hybrid and AI-powered environments
Meet Your Authors
- Slide 1 of 2
Jeroen Vandeleur
Certified Instructor CandidateJeroen is the security architecture team lead and incident manager at NVISO where he specializes in security architecture, cloud security, and continuous security monitoring.
Read more about Jeroen Vandeleur - Slide 2 of 2
Jason Ostrom
Certified InstructorJason Ostrom has revolutionized cybersecurity by developing open-source tools like PurpleCloud and Automated Emulation, enabling scalable adversary emulation in cloud environments.
Read more about Jason Ostrom
Slide 1 of 0
(1/0)
Course Syllabus
Explore the course syllabus below to view the full range of topics covered in SEC598: AI and Security Automation for Red, Blue, and Purple Teams.
Section 1Foundations of GenAI, LLMs, & Security Automation
Build the foundation for modern security automation by understanding why AI and automation matter now. Learn how to secure AI systems, leverage AI for security, and integrate automation strategies that scale across hybrid cloud environments and SOC operations.
Topics covered
- Why security automation and AI are critical today
- Security engineering the CI/CD approach
- Configuration management & policy-as-code at scale
- Automation triggers and SOAR workflows
- Foundations of detection-as-code, GenAI and LLMs
Labs
- One Bucket Is All It Takes
- OS Hardening Baselines with Ansible
- Link Triggers to Automation Scripts
- Intro to LLM and RAG
- Detection as Code I: Write a Detection Using LLM
Section 2Security Automation Engineering & AI Workflows
This section focuses on practical automation workflows using PowerShell, Terraform, Ansible, Python, and Jupyter Notebook. Students will learn how to build secure infrastructure-as-code deployments, create automated firing ranges, engineer SOAR playbooks, and develop AI-driven agentic workflows for next-generation SOC operations.
Topics covered
- Automated security workflows with PowerShell for both offense and defense
- Infrastructure as Code (IaC) for secure cloud management using Terraform
- Building automated firing ranges for testing and validation
- Python and Jupyter Notebook for SOC enrichment and analysis
- SOAR tooling, playbook automation, and agentic AI engineering
Labs
- OS Hardening Baselines with PowerShell
- Cloud Management with Terraform
- Deploying a Firing Range with Terraform and Ansible
- Email Threat Analysis with Jupyter Notebook
- Creating a Tines Story
Section 3Cloud Automation & AI Security Services
This section covers cloud-native security automation across Microsoft Azure and AWS. You will learn to enforce security policies, automate response workflows, integrate AI services, and deploy offensive and defensive automation, including AI-driven Kubernetes attack simulation and continuous security testing with GenAI-powered agents.
Topics covered
- Cloud security fundamentals and governance (Azure & AWS)
- Cloud-native services for automated security monitoring & enforcement
- Intelligent automation with Microsoft AI and AWS Bedrock services
- Cloud-native incident response, monitoring, and third-party API integrations
- AWS AI agents targeting Kubernetes and continuous security testing
Labs
- Create Automated Actions in Azure
- Cloud-Native IR for Compromised Systems
- Continuous Security Testing Enhanced with AI
- Kubernetes Takedown with Offensive AI Agents
Section 4Red Team Automation & Offensive AI Agents
This section explores offensive automation using AI-powered red team agents, adversary emulation frameworks, and CI/CD-driven continuous testing. Students will learn to leverage MITRE ATT&CK, automate multi-step attack flows, simulate autonomous adversaries, and validate cloud detection capabilities using AI-augmented offensive techniques.
Topics covered
- Adversary emulation & purple teaming methodologies
- MITRE ATT&CK-driven offensive frameworks
- AI-powered red team agents & autonomous adversaries
- Cloud-native adversary emulation and detection validation
- Continuous adversary simulation integrated into CI/CD pipelines
Labs
- Fully Automate Adversary Techniques with Atomic
- Using Caldera to Run a Breach Exercise
- Red Team Agents with CrewAI
- Cloud Adversary Simulation with Automated Detections
- Adversary Emulation as Code using Tines
Section 5Defensive Automation & AI-Augmented Response
Learn to operate automation and AI to strengthen your SOC. This section focuses on defensible architecture, detection-as-code, modular incident response playbooks, and AI-driven workflows. Students will also explore how to counter adversarial automation with AI-augmented defenses and continuous purple teaming.
Topics covered
- Modern SOC evolution and automation priorities
- Defensible architectures with embedded automation
- Modular incident response and SOAR workflows
- AI-infused detection-as-code pipelines
- Countering adversarial automation with defensive automation
Labs
- Automated Triage and Analysis with Velociraptor and Timesketch
- Create an Incident Response Playbook in PowerShell
- Create an Incident Response Playbook in Tines
- Detection as Code II: LLM-Assisted Detection Testing
- Create an Adversary Emulation & Detection Playbook
Section 6Security Automation Capstone
The capstone is a full day of challenging hands-on work applying the principles taught throughout the course. Your team will progress through multiple levels and missions designed to ensure the presence of detection and defensive capabilities.
Things You Need To Know
Relevant Job Roles
Systems Administration (OPM 451)
NICE: Implementation and OperationResponsible for setting up and maintaining a system or specific components of a system in adherence with organizational security policies and procedures. Includes hardware and software installation, configuration, and updates; user account management; backup and recovery management; and security control implementation.
Explore learning pathSystems Security Analysis (OPM 461)
NICE: Implementation and OperationResponsible for developing and analyzing the integration, testing, operations, and maintenance of systems security. Prepares, performs, and manages the security aspects of implementing and operating a system.
Explore learning pathPurple Teamer
Offensive OperationsIn this fairly recent job position, you have a keen understanding of both how cybersecurity defenses (“Blue Team”) work and how adversaries operate (“Red Team”). During your day-today activities, you will organize and automate emulation of adversary techniques, highlight possible new log sources and use cases that help increase the detection coverage of the SOC, and propose security controls to improve resilience against the techniques. You will also work to help coordinate effective communication between traditional defensive and offensive roles.
Explore learning pathCyber Operations Planner (DCWF 332)
DoD 8140: Cyber EffectsCoordinates cyber operations plans, working with analysts and operators to support targeting and synchronization of actions in cyberspace.
Explore learning pathCourse Schedule & Pricing
Looking for Group Purchasing Options?Contact Us
OnDemand Bundle
When purchasing a live, instructor-led course, add 4 months of online access. View price in the info icons below.
SANS Skills Quest by NetWars Core Edition
Add 6 months of hands-on skills practice. Add to your cart when purchasing your course.
Filter by:
Location & instructorDate & TimeCourse priceRegistration Options
- Date & TimeOnDemand (Anytime)Self-Paced, 4 months accessCourse price$8,780 USD*Prices exclude applicable local taxesRegistration Options
- Date & TimeFetching schedule..View event detailsCourse price$8,780 USD*Prices exclude applicable local taxesRegistration Options
- Date & TimeFetching schedule..View event detailsCourse price$8,900 USD*Prices exclude applicable local taxesRegistration Options
- Date & TimeFetching schedule..View event detailsCourse price¥1,335,000 JPY*Prices exclude applicable local taxesRegistration Options
- Date & TimeFetching schedule..View event detailsCourse price$8,780 USD*Prices exclude applicable local taxes
- Date & TimeFetching schedule..View event detailsCourse price$8,780 USD*Prices exclude applicable local taxes
- Date & TimeFetching schedule..View event detailsCourse price€8,230 EUR*Prices exclude applicable local taxes
- Date & TimeFetching schedule..View event detailsCourse price$8,780 USD*Prices exclude applicable local taxes
Showing 8 of 8
Benefits of Learning with SANS
Get feedback from the world’s best cybersecurity experts and instructors
Choose how you want to learn - online, on demand, or at our live in-person training events
Get access to our range of industry-leading courses and resources