SEC595: Applied Data Science and AI/Machine Learning for Cybersecurity Professionals

We're living through the most fundamental shift in cybersecurity since the advent of the Internet itself. AI isn't replacing security practitioners (yet), but it's creating augmented adversaries who operate at unprecedented scale. A single attacker can now use AI as a force multiplier, operating as if they were an entire team. Nation-state actors are leveraging AI to maintain fraudulent positions at Fortune 500 companies. Non-technical criminals are deploying sophisticated ransomware. The question isn't whether AI will disrupt security, it's whether you'll be the disruptor or the disrupted.
Social engineering remains one of the most effective and widely used attack vectors in modern cybersecurity operations. John McAfee once stated, “Social engineering has become 75% of an average hacker’s toolkit, and for the most successful hackers, it reaches 90% or more.” Despite its overwhelming real-world application, providing a hands-on, safe, and realistic environment to learn and test these techniques has remained elusive. Until now. Introducing Social Hacktics, a next-generation social engineering CTF that merges AI innovation with an immersive strategy to create one of the most authentic human exploitation experiences to date.
Traditionally, security monitoring assumes that SIEM technologies will be accurate and provide a comprehensive picture of network activity, but what happens when we find that the events recorded by these technologies are insufficient, and we don't have the proper telemetry?
Artificial Intelligence has taken the world by storm. From leveraging AI for cancer detection to powering the latest fully autonomous smart toaster, this technology is finding its way into every industry and every walk of life.
The misconception: Malware analysis requires deep assembly knowledge and reversing skills. The reality: Many practical insights can be gained through simple, freely available tools/frameworks. Target audience: Blue teamers who need actionable intel without becoming RE experts.
As attackers evolve beyond malware and implants, defenders must learn to hunt compromise that never triggers an alert.
Identity has become the new perimeter and in Microsoft Entra ID (formerly Azure Active Directory), it's also the easiest one to break. Misconfigured apps, over-scoped permissions, and weak conditional access open the door to attackers who know where to look.
Tasks in the SOC are critical for detecting malicious activity and driving the appropriate response. However, some workflows are not optimized, leaving SOC analysts to carry out tasks that are highly repetitive or that involve significant manual effort. This workshop provides a model for optimizing common SOC tasks, showing an evolution from manual processes to more efficient approaches and then to automation, freeing analysts for high-value work.
This presentation provides a step-by-step, technical exploration of the evolution of syscalls. It begins with the fundamental role of the Win32 and Native (NT) APIs in issuing syscalls that transition from user mode into kernel space.
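As an added example (not material from the presentation itself), the following C program shows the user-mode side of that transition: the x64 ntdll.dll stub that a Win32 call ultimately reaches loads the system service number (SSN) into EAX and executes the syscall instruction. The program parses a constructed copy of such a stub to recover the SSN, and flags a stub whose first instruction has been replaced by a jmp, which is how an inline user-mode hook typically looks. The stub bytes and the SSN value 0x18 are constructed for illustration and do not come from any specific Windows build.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed bytes modelled on the x64 ntdll.dll syscall stub layout
 * (illustrative, not copied from a real build):
 *   4C 8B D1                 mov r10, rcx
 *   B8 xx xx 00 00           mov eax, <SSN>
 *   F6 04 25 08 03 FE 7F 01  test byte ptr [0x7FFE0308], 1
 *   75 03                    jne  <int 2Eh path>
 *   0F 05                    syscall
 *   C3                       ret
 */
static const uint8_t CLEAN_STUB[] = {
    0x4C, 0x8B, 0xD1,                               /* mov r10, rcx        */
    0xB8, 0x18, 0x00, 0x00, 0x00,                   /* mov eax, 0x18 (SSN) */
    0xF6, 0x04, 0x25, 0x08, 0x03, 0xFE, 0x7F, 0x01, /* test [0x7FFE0308],1 */
    0x75, 0x03,                                     /* jne +3              */
    0x0F, 0x05,                                     /* syscall             */
    0xC3                                            /* ret                 */
};

/* Same stub, but the first five bytes were overwritten with a jmp rel32
 * to a hypothetical trampoline, as an inline hook would do. */
static const uint8_t HOOKED_STUB[] = {
    0xE9, 0x10, 0x20, 0x30, 0x40,                   /* jmp <trampoline>    */
    0x00, 0x00, 0x00,                               /* remainder of mov eax */
    0xF6, 0x04, 0x25, 0x08, 0x03, 0xFE, 0x7F, 0x01,
    0x75, 0x03,
    0x0F, 0x05,
    0xC3
};

/* Returns 1 if the stub begins with a relative jmp/call (E9/E8) or an
 * indirect jmp (FF 25), the usual shapes of a user-mode inline hook. */
int stub_is_hooked(const uint8_t *stub, size_t len) {
    if (len < 2) return 0;
    if (stub[0] == 0xE9 || stub[0] == 0xE8) return 1;
    if (stub[0] == 0xFF && stub[1] == 0x25) return 1;
    return 0;
}

/* Recovers the SSN from an unhooked stub: requires the "mov r10, rcx" and
 * "mov eax, imm32" prologue followed by a syscall (0F 05) instruction
 * somewhere before the end of the stub. Returns -1 if the bytes do not
 * match that shape (hooked, truncated, or not a syscall stub at all). */
int extract_ssn(const uint8_t *stub, size_t len) {
    if (len < 10) return -1;
    if (stub[0] != 0x4C || stub[1] != 0x8B || stub[2] != 0xD1) return -1;
    if (stub[3] != 0xB8) return -1;
    for (size_t i = 8; i + 1 < len; i++) {
        if (stub[i] == 0x0F && stub[i + 1] == 0x05) {
            /* imm32 is little-endian */
            return (int)((uint32_t)stub[4] | ((uint32_t)stub[5] << 8) |
                         ((uint32_t)stub[6] << 16) | ((uint32_t)stub[7] << 24));
        }
    }
    return -1;
}

int main(void) {
    printf("clean  : hooked=%d ssn=%d\n",
           stub_is_hooked(CLEAN_STUB, sizeof CLEAN_STUB),
           extract_ssn(CLEAN_STUB, sizeof CLEAN_STUB));
    printf("hooked : hooked=%d ssn=%d\n",
           stub_is_hooked(HOOKED_STUB, sizeof HOOKED_STUB),
           extract_ssn(HOOKED_STUB, sizeof HOOKED_STUB));
    return 0;
}
```

On a real system the same parsing would be run over the exported Nt*/Zw* functions of the ntdll.dll image mapped in the process; a stub that fails to parse is the signal that something (an EDR hook, or tampering) sits between the Win32 API and the syscall instruction.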
Endpoint protection systems regularly identify credential harvesting and session hijacking attacks, but crash dumps represent an unmonitored attack surface with the potential to contain the same valuable information. Windows crash dumps routinely preserve domain credentials, browser authentication tokens, and sensitive documents from multiple applications and sessions, yet organizations rarely consider their exploitation potential. This presentation demonstrates how offline analysis of these naturally occurring artifacts can lead to intelligence extraction using chained memory analysis tools after initial acquisition without ongoing endpoint interaction or detection.
Welcome to the era of vibe coding—where AI isn’t just a tool, but a creative partner in cyber operations. This talk explores how red teamers can leverage AI to rapidly develop malware, ransomware, exploits, and other offensive tools with unprecedented speed and precision.
A NetWars Tournament is an interactive cyber range event designed to reinforce your learning through hands-on, gamified challenges. Cyber Defense NetWars is focused on preventing, analyzing, and defending against complex real-world attack scenarios, including brute-force attacks and ransomware campaigns. Compete against your peers, on a team or individually, for bragging rights and a chance to take home a NetWars challenge coin!
macOS combines a layered security model with a variety of enforcement mechanisms, including consent-based controls, code integrity validation, sandboxing, and runtime protections.
Large Language Models (LLMs) like ChatGPT, Claude and Gemini are increasingly being integrated into enterprise environments for the purposes of automation, analytics, and decision-making.
Adversarial exploitation of medical devices, robotics, and smart hospital systems has emerged as a critical challenge as healthcare environments embrace interconnected, IoT enabled equipment.
Keyloggers have long been a tool of choice for both penetration testers and cybercriminals. However, traditional options, like Meterpreter, are easily flagged by antivirus solutions, while writing a custom keylogger from scratch can be cumbersome and technically demanding. But with the rise of Generative AI, that challenge has all but disappeared.
In this hands-on workshop, we'll harness the power of AI to build a fully functional keylogger from the ground up. Taking an iterative approach, we'll start with a basic keylogger before progressively refining it with quality-of-life enhancements such as output cleanup, window monitoring, timestamps, and clipboard capture.
In the evolving landscape of cybersecurity, defenders face the challenge of distinguishing malicious activities from benign ones, particularly when dealing with ambiguous techniques--those whose observables lack sufficient clarity to determine intent with certainty.
Kubernetes and container platforms have transformed deployment speed, but they also obscure post-exploitation activity behind abstraction layers.
As enterprise platforms quietly integrate AI features into productivity suites, CRMs, and collaboration tools, Blue Teams are left blind to where data is flowing, what models are learning, and how risk is propagating.
Technical findings alone don't drive change; risk-informed insights do. In this talk, we'll explore how red and purple team activities can evolve from isolated exercises into enterprise-level enablers that directly inform mission resilience, operational risk decisions, and business prioritization.
Registration: All students who register for a 4–6 day course will be eligible to play NetWars for free. Registration for this event will be through your SANS Account Dashboard the week of the event.