
AI-Assisted Threat Intelligence for Adversary Emulation

  • Thu, Mar 26, 2026
  • 10:00AM - 12:00PM EDT
  • English
  • Jean-François Maes
  • Workshop

Learn to leverage threat intelligence for Red Team engagements using both manual analysis and AI-assisted workflows. Participants will research the HAFNIUM state-sponsored threat group, extract TTPs from multiple intelligence sources (Microsoft, Mandiant, Volexity reports), and map techniques to the MITRE ATT&CK framework.

The workshop introduces CrewAI, an open-source framework for orchestrating AI agents, to validate and enhance threat intelligence analysis. Participants will build multi-agent workflows that automatically read threat reports, extract technical indicators, and generate comprehensive adversary profiles—demonstrating how AI can augment human expertise in Red Team planning.

Who Should Attend?

  • Red Team operators seeking to improve adversary emulation methodology
  • Threat intelligence analysts interested in AI-assisted workflows
  • Penetration testers wanting to incorporate CTI into engagements
  • Security professionals exploring practical AI/LLM applications
  • Anyone interested in MITRE ATT&CK-based threat profiling

Learning Objectives:

  • Apply the threat intelligence methodology for Red Team engagements
  • Identify and research adversaries using MITRE ATT&CK
  • Extract TTPs from multiple threat intelligence sources
  • Use MITRE ATT&CK Navigator to visualize adversary techniques
  • Build AI-assisted workflows with CrewAI to automate TTP extraction
  • Create threat profile tables for adversary emulation planning
  • Compare manual vs. AI-assisted analysis approaches

SYSTEM REQUIREMENTS:

  • SEC565 course VM (Ubuntu-based) OR equivalent Ubuntu system
  • Internet connectivity (for MITRE ATT&CK, web search)
  • Web browser (for ATT&CK Navigator)

SOFTWARE PACKAGES:

  • Python 3.x with pip
  • pip install 'crewai[tools]' pypdf tavily-python

API KEYS (CrewAI supports 20+ LLM providers via LiteLLM):

Participants need ONE of the following:

  • OpenAI API key (OPENAI_API_KEY)
  • Anthropic API key (ANTHROPIC_API_KEY)
  • Google/Gemini API key (GOOGLE_API_KEY)
  • Azure OpenAI credentials
  • AWS Bedrock credentials
  • Groq API key (GROQ_API_KEY)
  • Ollama (local - no key needed, run: ollama pull llama3.2)
  • Any OpenAI-compatible endpoint (LITELLM_API_BASE + LITELLM_API_KEY)

FOR WEB SEARCH OPTION (Optional):

  • Tavily API key (free tier: 1,000 calls/month at Tavily)

This workshop supports content and knowledge from SEC565: Red Team Operations and Adversary Emulation.

Meet Your Speaker

Jean-François Maes

CEO

Jean-François is based in Portugal, where he is the CEO of Offensive Guardian, a boutique red and purple teaming shop providing freelance services to various organizations. He has worked for other noteworthy firms, including, but not limited to: Neuvik, TrustedSec, Fortra's Cobalt-Strike team, and NVISO.
