Training
Featured CourseView All Courses
Get a free hour of SANS training

Experience SANS training through course previews.

Learn More
Learning Paths
FeaturedView all Focus Areas
Cloud Security Training
Can't find what you are looking for?

Let us help.

Contact us
Community Resources

SANS Community Benefits

Connect, learn, and share with other cybersecurity professionals

AI Risk & Readiness

Explore expert-driven guidance, training, and tools to help defend against AI-powered threats and adopt AI securely.

Join the SANS Community

Become a member for instant access to our free resources.

Sign Up
For Organizations

Public Sector

Mission-focused cybersecurity training for government, defense, and education

Partnerships

Explore industry-specific programming and customized training solutions

Sponsorship Opportunities

Sponsor a SANS event or research paper

Interested in developing a training plan to fit your organization’s needs?

We're here to help.

Contact Us
Talk With an Expert
Talk With an Expert

Assisted Security Investigations Using Cognitive Computing

Download File
Assisted Security Investigations Using Cognitive Computing (PDF, 3.72MB)Published: 03 Dec, 2019
Created by
Lori Stroud

The purpose of this research is to illustrate the application of cognitive computing and machine learning concepts through the building and training of a chatbot that simulates human conversation for cybersecurity investigation scenarios. The SOC chatbot will offer best-practice advisory dialogue to security analysts as they proceed through security incident investigations, thus simulating technical mentorship. As a security analyst progresses through various investigations, they will become more practiced in the recommended and appropriate workflows, gain investigative tool proficiency, and become more confident in handling standalone investigations. The SOC chatbot will serve as a training tool for less experienced analysts and afford more time to upper-tier analysts to respond to escalated security incidents, as they will no longer need to walk through incidents alongside junior analysts. Security analysts serving in a tier 1 SOC role are ideal end-users of the SOC chatbot. As the first line of defense, their primary function is to address SIEM events. They are familiar with basic security concepts, incident ticketing systems, and hold the appropriate level of access for data gathering and external research.

Additional resources

SOC AI Automation Masterclass: How Swimlane Enhances Incident Response and Visibility

WhitepaperCyber Defense
  • 31 Jul 2025
  • Mark Jeanmougin

Balancing On-Prem and Cloud Security Strategic Considerations for Modern Organizations

WhitepaperCyber Defense
  • 30 Jul 2025
  • Matt Bromiley

Evaluating Zero Trust Network Access: A Framework for Comparative Security Testing

WhitepaperCyber Defense
  • 11 Jul 2025

Defense in Depth: Multiple Layers of Protection Fortifying Your Cyber Defenses

WhitepaperCyber Defense
  • 10 Jul 2025
  • Ted Demopoulos

SANS 2025 SOC Survey

WhitepaperCyber Defense
  • 9 Jul 2025
  • Christopher Crowley

AI-Driven Insecurity: Assessing Security Gaps in AI Generated IT Guidance

WhitepaperArtificial Intelligence, Cyber Defense
  • 13 May 2025

Related courses

  • Slide 1 of 18

    SEC275: Foundations: Computers, Technology, & Security

    Beginner
    SEC275Cyber Defense
    SEC406: Linux Security for InfoSec Professionals
    • GIAC Foundational Cybersecurity Technologies (GFACT)
    • 38 CPEs / 38 Hours (Self-Paced)
    • Labs: 80 Hands-On Labs

    View course detailsRegister
  • Slide 2 of 18

    SEC503: Network Monitoring and Threat Detection In-Depth

    Intermediate
    SEC503Cyber Defense
    SEC503: Network Monitoring and Threat Detection In-Depth
    • GIAC Certified Intrusion Analyst (GCIA)
    • 6 Days (Instructor-Led)
    • 46 CPEs / 46 Hours (Self-Paced)
    • Labs: 37 Hands-On Labs

    View course detailsRegister
  • Slide 3 of 18

    SEC501: Advanced Security Essentials - Enterprise Defender

    Intermediate
    SEC501Cyber Defense
    SEC501: Advanced Security Essentials - Enterprise Defender
    • GIAC Certified Enterprise Defender (GCED)
    • 6 Days (Instructor-Led)
    • 38 CPEs / 38 Hours (Self-Paced)
    • Labs: 25 Hands-On Labs

    View course detailsRegister
  • Slide 4 of 18

    SEC573: Automating Information Security with Python

    Advanced
    SEC573Cyber Defense
    SEC573: Automating Information Security with Python
    • GIAC Python Coder (GPYC)
    • 6 Days (Instructor-Led)
    • 36 CPEs / 36 Hours (Self-Paced)
    • Labs: 128 Hands-On Labs

    View course detailsRegister
  • Slide 5 of 18

    SEC497: Practical Open-Source Intelligence (OSINT)

    Intermediate
    SEC497Cyber Defense
    SEC497: Practical Open-Source Intelligence (OSINT)
    • GIAC Open Source Intelligence (GOSI)
    • 6 Days (Instructor-Led)
    • 36 CPEs / 36 Hours (Self-Paced)
    • Labs: 29 Hands-On Labs

    View course detailsRegister
  • Slide 6 of 18

    SEC450: Blue Team Fundamentals: Security Operations and Analysis

    Beginner
    SEC450Cyber Defense
    SEC450: Blue Team Fundamentals: Security Operations and Analysis
    • GIAC Security Operations Certified (GSOC)
    • 6 Days (Instructor-Led)
    • 36 CPEs / 36 Hours (Self-Paced)
    • Labs: 20 Hands-On Labs

    View course detailsRegister
  • Slide 7 of 18

    SEC401J: Security Essentials - Network, Endpoint, and Cloud (Japanese)

    Essentials
    SEC401JCyber Defense
    SEC401: Security Essentials - Network, Endpoint, and Cloud
    • GIAC Security Essentials (GSEC)
    • 6 Days (Instructor-Led)
    • 46 CPEs / 46 Hours (Self-Paced)
    • Labs: 20 Hands-On Labs

    View course detailsRegister
  • Slide 8 of 18

    SEC587: Advanced Open-Source Intelligence (OSINT) Gathering and Analysis

    Advanced
    SEC587Cyber Defense
    SEC555: SIEM with Tactical Analytics
    • 6 Days (Instructor-Led)
    • 36 CPEs / 36 Hours (Self-Paced)
    • Labs: 28 Hands-On Labs

    View course detailsRegister
  • Slide 9 of 18

    SEC511: Cybersecurity Engineering: Advanced Threat Detection and Monitoring

    Intermediate
    SEC511Cyber Defense
    SEC511: Continuous Monitoring and Security Operations
    • GIAC Continuous Monitoring Certification (GMON)
    • 6 Days (Instructor-Led)
    • 46 CPEs / 46 Hours (Self-Paced)
    • Labs: 18 Hands-On Labs

    View course detailsRegister
  • Slide 10 of 18

    SEC555: Detection Engineering and SIEM Analytics

    Intermediate
    SEC555Cyber Defense
    SEC555: SIEM with Tactical Analytics
    • GIAC Certified Detection Analyst (GCDA)
    • 5 Days (Instructor-Led)
    • 30 CPEs / 30 Hours (Self-Paced)
    • Labs: 18 Hands-On Labs

    View course detailsRegister
  • Slide 11 of 18

    SEC406: Linux Security for InfoSec Professionals

    Essentials
    SEC406Cyber Defense
    SEC406: Linux Security for InfoSec Professionals
    • 5 Days (Instructor-Led)
    • 30 CPEs / 30 Hours (Self-Paced)
    • Labs: 30 Hands-On Labs

    View course detailsRegister
  • Slide 12 of 18

    SEC495: Leveraging LLMs: Building & Securing RAG, Contextual RAG, and Agentic RAG

    Essentials
    SEC495Cyber Defense
    SEC450: Blue Team Fundamentals: Security Operations and Analysis
    • 7 CPEs / 7 Hours (Self-Paced)

    View course detailsRegister
  • Slide 13 of 18

    SEC401: Security Essentials - Network, Endpoint, and Cloud

    Essentials
    SEC401Cyber Defense
    SEC401: Security Essentials - Network, Endpoint, and Cloud
    • GIAC Security Essentials (GSEC)
    • 6 Days (Instructor-Led)
    • 46 CPEs / 46 Hours (Self-Paced)
    • Labs: 20 Hands-On Labs

    View course detailsRegister
  • Slide 14 of 18

    SEC673: Advanced Information Security Automation with Python

    newAdvanced
    SEC673Cyber Defense
    SEC673: Advanced Information Security Automation with Python
    • 6 Days (Instructor-Led)
    • 36 CPEs / 36 Hours (Self-Paced)
    • Labs: 27 Hands-On Labs

    View course detailsRegister
  • Slide 15 of 18

    SEC547: Defending Product Supply Chains

    newIntermediate
    SEC547Cyber Defense
    SEC547: Defending Product Supply Chains
    • 18 CPEs / 18 Hours (Self-Paced)
    • Labs: 13 Hands-On Labs

    View course detailsRegister
  • Slide 16 of 18

    SEC301: Introduction to Cyber Security

    Beginner
    SEC301Cyber Defense
    SEC673: Advanced Information Security Automation with Python
    • GIAC Information Security Fundamentals (GISF)
    • 5 Days (Instructor-Led)
    • 30 CPEs / 30 Hours (Self-Paced)
    • Labs: 14 Hands-On Labs

    View course detailsRegister
  • Slide 17 of 18

    SEC530: Defensible Security Architecture and Engineering: Implementing Zero Trust for the Hybrid Enterprise

    Intermediate
    SEC530Cyber Defense
    SEC530: Defensible Security Architecture and Engineering: Implementing Zero Trust for the Hybrid Enterprise
    • GIAC Defensible Security Architecture (GDSA)
    • 6 Days (Instructor-Led)
    • 36 CPEs / 36 Hours (Self-Paced)
    • Labs: 24 Hands-On Labs

    View course detailsRegister
  • Slide 18 of 18

    SEC595: Applied Data Science and AI/Machine Learning for Cybersecurity Professionals

    Advanced
    SEC595Cyber Defense
    SEC530: Defensible Security Architecture and Engineering: Implementing Zero Trust for the Hybrid Enterprise
    • GIAC Machine Learning Engineer (GMLE)
    • 6 Days (Instructor-Led)
    • 36 CPEs / 36 Hours (Self-Paced)
    • Labs: 30 Hands-On Labs

    View course detailsRegister
Assisted Security Investigations Using Cognitive Computing