Agentic AI for Threat Hunting


AI agents represent a fundamental shift for security practitioners. They can automate tedious workflows, act as a co-pilot while you build custom tooling that was previously out of reach, and - when integrated into a well-designed system - serve as an intelligent analyst alongside you.

This workshop shows you all three. You'll learn to direct AI agents effectively, then apply those skills to customize and use a complete threat hunting system that combines deterministic processing with AI-assisted analysis.

What You'll Build

A working threat hunting pipeline:

  • Endpoint telemetry via Sysmon - process creation, network connections, file operations
  • Network telemetry via Zeek - connection logs, DNS queries, HTTP traffic
  • A deterministic receptor that harmonizes both sources, correlates events using four-tuple matching, and ranks suspicious activity using DuckDB
  • Agent integration where an agent assists with investigation, pattern analysis, and detection refinement

The deterministic layer does the heavy lifting. The agent provides contextual analysis on what surfaces. You make the final call.
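A minimal version of the four-tuple correlation described above, added here as an illustration and not the workshop's code: Sysmon network-connection events and Zeek conn.log records are joined on (source IP, source port, destination IP, destination port) so that each flow is attributed to the process that opened it, and destinations are then ranked. The sample records, column names and the ranking heuristic (total connection time per process and destination) are constructed assumptions; the standard library's sqlite3 stands in for DuckDB so the script runs offline.

```python
import sqlite3

# Constructed Sysmon Event ID 3 (network connection) records, already flattened
# to (host, image, pid, src_ip, src_port, dst_ip, dst_port). Column names are
# this example's assumption, not the workshop's schema.
SYSMON_NET = [
    ("WS01", "C:\\Windows\\System32\\svchost.exe", 1204, "10.0.0.15", 49812, "13.107.4.50", 443),
    ("WS01", "C:\\Users\\jdoe\\AppData\\Local\\Temp\\upd.exe", 5120, "10.0.0.15", 49913, "203.0.113.7", 8443),
    ("WS01", "C:\\Users\\jdoe\\AppData\\Local\\Temp\\upd.exe", 5120, "10.0.0.15", 49914, "203.0.113.7", 8443),
    ("WS02", "C:\\Program Files\\Mozilla Firefox\\firefox.exe", 3310, "10.0.0.22", 51000, "93.184.216.34", 80),
]
# Constructed Zeek conn.log records: (uid, id.orig_h, id.orig_p, id.resp_h, id.resp_p, duration, orig_bytes).
ZEEK_CONN = [
    ("CAbc1", "10.0.0.15", 49812, "13.107.4.50", 443, 2.1, 1800),
    ("CAbc2", "10.0.0.15", 49913, "203.0.113.7", 8443, 3612.5, 120),
    ("CAbc3", "10.0.0.15", 49914, "203.0.113.7", 8443, 3598.0, 130),
    ("CAbc4", "10.0.0.22", 51000, "93.184.216.34", 80, 0.4, 900),
    ("CAbc5", "10.0.0.31", 52222, "198.51.100.9", 22, 5.0, 4000),  # no Sysmon counterpart (unmanaged host)
]

# Inner join on the four-tuple attributes the process behind each flow, then
# ranks (host, image, destination) by total connection time. Plain SQL, so
# DuckDB runs the same query unchanged.
RANK_SQL = """
SELECT s.host, s.image, s.dst_ip, s.dst_port,
       COUNT(*) AS conns, SUM(z.duration) AS total_duration
FROM sysmon_net AS s
JOIN zeek_conn AS z
  ON s.src_ip = z.orig_h AND s.src_port = z.orig_p
 AND s.dst_ip = z.resp_h AND s.dst_port = z.resp_p
GROUP BY s.host, s.image, s.dst_ip, s.dst_port
ORDER BY total_duration DESC
"""


def correlate_and_rank(sysmon_rows, zeek_rows):
    """Load both sources into an in-memory database and return the ranked rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE sysmon_net(host, image, pid, src_ip, src_port, dst_ip, dst_port)")
    con.execute("CREATE TABLE zeek_conn(uid, orig_h, orig_p, resp_h, resp_p, duration, orig_bytes)")
    con.executemany("INSERT INTO sysmon_net VALUES (?,?,?,?,?,?,?)", sysmon_rows)
    con.executemany("INSERT INTO zeek_conn VALUES (?,?,?,?,?,?,?)", zeek_rows)
    return con.execute(RANK_SQL).fetchall()


if __name__ == "__main__":
    for host, image, dst_ip, dst_port, conns, total in correlate_and_rank(SYSMON_NET, ZEEK_CONN):
        print(f"{host} {image} -> {dst_ip}:{dst_port} conns={conns} total_duration={total:.1f}s")
```

Ephemeral source ports are reused over time, so on real data the join also needs a timestamp window around the Sysmon event; the unmatched Zeek record here shows that flows from hosts without endpoint telemetry drop out of an inner join and must be hunted separately.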

What You'll Learn

Beyond the system itself, you'll learn the practices that make agent collaboration effective:

  • Structuring projects so agents understand your environment, optimize outputs, and retain "memory"
  • Integrating systems that ensure you not only become effective at delivering results, but also keep learning while working with agents ("anti-brainrot systems")
  • Context management and intuition: how to optimize your interaction with agents
  • Extending agent capabilities, and knowing when MCPs are the right call and when they are not
  • Agentic coding best practices: staying on top of what's being built, not outsourcing your thinking
  • Building reusable skills for repeatable security workflows
  • Hooks and guardrails for safe, automated agent operation

Who Should Attend

Threat hunters, detection engineers, SOC analysts, and security practitioners who want to integrate AI agents into their workflow, whether for building tools, automating analysis, or hunting threats.

Requirements

  • Laptop with terminal access
  • Model access. I will be using Claude Code, but the course is agnostic: you can use any model to provide inference.


Faan Rossouw
Researcher/Instructor, Active Countermeasures + AntiSyphon Training

Faan Rossouw is a security researcher at Active Countermeasures and instructs at Antisyphon Training, where he teaches courses on threat hunting and offensive security tooling. He's currently building AionSec.ai - courses designed to help security practitioners leverage AI agents in their work. Originally from South Africa, Faan is now based in Val-David, Quebec.