Course Introduction

2-3 hours · Module 0 · Free

0.1 What AI-assisted security operations is

AI-assisted security operations is the discipline of using large language models to accelerate investigation, detection engineering, incident response documentation, and security automation — while maintaining the validation discipline that prevents AI from introducing the errors it is supposed to help you find.

The operational case is concrete. An AiTM account compromise investigation that takes 45 to 60 minutes manually takes 15 minutes with AI assistance. The AI generates KQL queries across four Sentinel tables, builds a cross-table timeline, and identifies the AiTM-specific indicators — MFA completed via proxy, token replay from attacker infrastructure, inbox rule for concealment, lateral phishing from the compromised account. The analyst validates each query against the workspace schema, runs them, catches the one field Claude missed, and completes the investigation in a fraction of the time. The time savings compound across 3 to 5 investigations per shift into 1.5 to 2.5 hours recovered daily for deeper analysis, proactive hunting, and the detection engineering work that always gets deprioritized when the queue is full.
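The schema check described above can be partly automated. The following is an added example, not course material: a heuristic checker that flags tables and columns in an AI-drafted KQL query that the workspace schema does not contain. Both the schema subset and the draft query (with its invented `ProxyAuthenticated` column) are constructed for illustration.

```python
import re

# Constructed subset of a Sentinel workspace schema (table -> columns). A real check
# would load this from the workspace (e.g. `SigninLogs | getschema`) instead.
WORKSPACE_SCHEMA = {
    "SigninLogs": {"TimeGenerated", "UserPrincipalName", "IPAddress", "ResultType",
                   "SessionId", "AuthenticationRequirement", "Location"},
    "OfficeActivity": {"TimeGenerated", "UserId", "Operation", "ClientIP", "Parameters"},
}

# KQL operators/keywords that look like identifiers but are never column names.
KQL_WORDS = {"where", "project", "extend", "summarize", "by", "and", "or", "not", "in",
             "has", "contains", "startswith", "sort", "asc", "desc", "true", "false"}
IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")
ASSIGNED = re.compile(r"([A-Za-z_]\w*)\s*=(?![=~])")  # `Name = expr`, not == or =~

def check_query(query: str, schema=WORKSPACE_SCHEMA) -> dict:
    """Schema check for a single-table KQL draft: flag tables and columns the
    workspace does not have. Heuristic tokenizer, not a full KQL parser."""
    text = re.sub(r'"[^"]*"|\'[^\']*\'', "", query)      # drop string literals
    text = re.sub(r"\b\d+[dhms]?\b", "", text)            # drop numbers and 7d/1h
    stages = [s.strip() for s in text.split("|")]
    head = IDENT.match(stages[0]) if stages else None
    table = head.group(0) if head else None
    known = set(schema.get(table, set()))
    unknown = []
    for stage in stages[1:]:
        known |= set(ASSIGNED.findall(stage))             # extend/summarize aliases
        for name in IDENT.findall(stage):
            if name in KQL_WORDS or name in known or name in unknown:
                continue
            if re.search(rf"\b{name}\s*\(", stage):       # function call, not a column
                continue
            unknown.append(name)
    return {"table": table, "unknown_table": table not in schema,
            "unknown_columns": unknown}

# Constructed AI draft for token replay (one session id seen from several IPs). It
# references ProxyAuthenticated, a column that does not exist in the schema above.
DRAFT_QUERY = """
SigninLogs
| where TimeGenerated > ago(7d)
| where UserPrincipalName == "user@example.com" and ResultType == 0
| summarize IPs = make_set(IPAddress), Places = make_set(Location)
    by SessionId, UserPrincipalName, ProxyAuthenticated
| where array_length(IPs) > 1
"""

if __name__ == "__main__":
    print(check_query(DRAFT_QUERY))
```

A flagged column is a prompt to look at the real schema, not proof the draft is wrong: the heuristic cannot see aliases created by operators it does not model.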

The attacker side is already here. The Dragos/Gambit investigation in early 2026 documented a single threat actor using AI to compress a multi-week campaign into hours, generating over 350 scripts and operational plans. AiTM attacks surged 46% in 2025 as Phishing-as-a-Service platforms industrialized the technique. The April 2026 Code of Conduct campaign hit 35,000 users across 13,000 organizations in three days. Defenders who cannot match that compression with AI-assisted detection, investigation, and response fall further behind with every advisory and every technique that evolves.

This module demonstrates the case through a real investigation, defines the five failure modes that make unsupervised AI output dangerous, configures your workspace, and walks you through your first AI-assisted AiTM investigation. No account required. No lab environment needed. Everything you need to evaluate whether this course is worth your time is in these four sections.

0.2 What you will learn

Four sections, each building toward your first hands-on AI-assisted investigation.

Section 0.1 — What Claude Does for Security Investigations. A side-by-side comparison of the same AiTM investigation performed manually and with AI assistance. Seven queries across four Sentinel tables, 45-60 minutes manual vs 15 minutes AI-assisted. The judgment boundary defined: AI accelerates query writing, cross-table correlation, and timeline construction. The analyst retains schema verification, scope assessment, containment decisions, and accountability. Prompt Pattern introduced: AiTM compromise investigation template. Claude Exchange demonstrated: token replay detection query with analyst evaluation.

Section 0.2 — How AI Changes Cybersecurity Work. Four dimensions of change — speed of analysis, scale of coverage, quality of documentation, accessibility of specialized knowledge. Each carries a specific risk profile. The five AI failure modes — hallucinated references, outdated syntax, confident-but-wrong analysis, incorrect logic, and context leakage — define the validation discipline. The five-check review applies to every AI-generated artifact before deployment.

Section 0.3 — Setting Up Your Claude Workspace. Creating a Claude Project with a security-specific system prompt. Selecting the right surface for each task: Claude.ai for investigation, Claude Code for automation, Cowork for file tasks, Connectors for tool integration, Claude Security for repository scanning. Establishing data handling boundaries — safe to share, requires judgment, never share. The system prompt that eliminates the 2-minute context tax from every conversation.

Section 0.4 — Your First AI-Assisted Investigation. Hands-on exercise: investigate an AiTM account compromise using the workspace you just configured. Generate KQL queries for sign-in analysis, token replay detection, inbox rule auditing, and lateral phishing scope. Validate each query against the five-check discipline. Build a chronological investigation timeline. Identify the scope gap Claude misses. Make the containment judgment call that AI cannot.

0.3 Why Claude is the right tool for security operations

Claude handles the mechanical parts of security work — the query drafts, the cross-table correlation, the report structure, the script scaffolding — because these tasks share a common pattern: they are verifiable against an external reference. A KQL query either references real tables and fields or it does not. A detection rule either matches the intended attack technique or it does not. A report either traces every factual claim to investigation evidence or it does not. The verification step is what makes AI assistance safe, and the verification step is fast.

Claude Projects ensure persistent context across every conversation. Your SIEM platform, your output requirements, your validation constraints, your coding standards — specified once, applied to every interaction. The 2 minutes per conversation spent re-explaining your environment compounds into hours per week recovered.

Adaptive Reasoning lets Claude decide how deeply to think based on task complexity. For straightforward query generation, it responds directly. For complex multi-step analysis — building investigation queries that join across multiple tables, validating detection rule logic against attack chains — it engages deeper reasoning automatically. The analyst does not manage the reasoning depth; the model does.

Claude Code reads your CLAUDE.md file from the project directory and generates every script following your coding standards from the first draft. Claude Security scans repositories, traces data flows, and generates patches. Connectors extend Claude's reach into Gmail, Google Drive, GitHub, and Slack for phishing analysis and evidence retrieval. Each surface handles a different part of the security workflow, and the course teaches you which surface to use for which task.

0.4 How to get the best from this module

Read the sections in order. Section 0.1 demonstrates the value. Section 0.2 defines the risks. Section 0.3 configures the workspace. Section 0.4 puts you through the investigation. The module is designed so that by the end of section 0.4, you have completed a real investigation exercise and can evaluate for yourself whether AI-assisted security operations is worth pursuing through the remaining ten modules.

Section 0.2 (five failure modes) is the conceptual core. Every module from C1 onward applies the five-check validation discipline taught here. If you understand the five failure modes and the five checks, the rest of the course is application across different security domains.

Estimated time: 2 to 3 hours. One session is typical.

0.5 Module structure

  • Section 0.1 — What Claude Does for Security Investigations
  • Section 0.2 — How AI Changes Cybersecurity Work
  • Section 0.3 — Setting Up Your Claude Workspace
  • Section 0.4 — Your First AI-Assisted Investigation

No prerequisites. This is the first module of the course. Experience in security operations (SOC, DFIR, detection engineering, or security administration) is assumed — the course teaches AI integration into security work, not the security work itself.

Go to Section 0.1 — What Claude Does for Security Investigations to begin.
