What Claude Does for Security Investigations

The manual investigation

You open the Defender XDR incident. The alert correlates a suspicious sign-in from a hosting provider IP with an inbox rule creation event 4 minutes later. You start the investigation manually.

First query: SigninLogs for the user's sign-in history over the past 7 days. You write the query from memory, filter on UserPrincipalName, project the fields you need (TimeGenerated, IPAddress, Location, AppDisplayName, ResultType, MfaDetail, ConditionalAccessStatus). Run it. Wait for results. Scan the output for the anomalous IP. Find it. Note the MfaDetail shows MFA was completed successfully. This is the first indicator that this is AiTM rather than credential theft: the attacker did not bypass MFA, they proxied it.

Second query: AADNonInteractiveUserSignInLogs for the same user, filtered to the 3-hour window after the suspicious sign-in. You are looking for token replay: non-interactive sign-ins from a different IP using the stolen session token. You write the query, run it, and find three non-interactive sign-ins from a second IP (a different hosting provider) starting 8 minutes after the initial sign-in. The session token was exfiltrated and replayed.

Third query: CloudAppEvents for inbox rule operations. You filter on the user and the ActionType "New-InboxRule." You find a rule created at 09:16 that marks all inbound mail as read and moves it to a hidden folder. This is the attacker concealing their activity from the legitimate user.

Fourth and fifth queries: OfficeActivity for MailItemsAccessed and mail send events. Did the attacker read email? Did they send phishing from the compromised account? You find 47 MailItemsAccessed events from the attacker IP and 12 outbound emails to contacts in the user's address book, each containing the same Code of Conduct phishing lure.

Sixth query: threat intelligence cross-reference on the two attacker IPs. Seventh query: scope assessment across the organization. Did any of those 12 recipients click?

You assemble the timeline from seven result sets, sorting events by timestamp across different table schemas. The full investigation, from alert to timeline with scope assessment, takes 45 to 60 minutes for an experienced analyst.

The same investigation with Claude

You paste the alert details into your Claude Project workspace with a structured prompt.

Claude returns five KQL queries, a draft investigation timeline, the AiTM vs credential theft differentiators, and prioritized containment actions in under 2 minutes.

You do not run the queries blindly. You verify each query against your workspace schema (section 0.2 teaches the five-check validation for this). You run each query and compare the results against Claude's predicted timeline. You find that four of the five queries are accurate and return the expected results. The fifth query references a field that exists in the Microsoft documentation but is not populated in your Sentinel workspace because your organization has not enabled the relevant diagnostic setting. Claude had no way to know that. You adjust the query and rerun. Total investigation time: 15 minutes.

That is the difference. Not a theoretical productivity gain. A specific investigation that takes 45 to 60 minutes manually and 15 minutes with AI assistance. The time saved is 30 to 45 minutes per investigation. An SOC analyst handling 3 to 5 investigations per shift recovers 1.5 to 2.5 hours daily. Those recovered hours go toward deeper analysis, proactive hunting, and the detection engineering work that always gets deprioritized when the queue is full.

That exchange demonstrates the course in miniature. Claude produced a query that was structurally correct, logically sound, and missing one field that an experienced analyst would include. The query runs. It returns results. But without the missing field, you cannot distinguish between a replayed session token and a legitimate delegated authentication, which matters for determining whether the attacker accessed the mailbox directly or through a consented application.

This is the judgment boundary. Claude writes queries faster than you do. Claude does not know which fields are critical for distinguishing between attack subtypes, because that knowledge comes from investigating real incidents in your environment, not from training data. The analyst who understands the difference between TokenIssuerType values catches the gap in 15 seconds. The analyst who does not runs the query as-is and produces a finding that conflates two different access methods.

Claude saved 3 minutes of query writing. The validation added 15 seconds. Net gain: 2 minutes and 45 seconds on one query out of five. Across all five queries, the pattern repeats. Four were accurate. One needed a correction. Total time: AI generates in 2 minutes, analyst validates and runs in 12 minutes, investigation complete in 15 minutes. The same investigation manually takes 45 to 60 minutes. The difference is not that AI eliminated the need for expertise. The difference is that AI eliminated the mechanical parts so the analyst could spend the full 12 minutes on the parts that require expertise.

What this course builds

Eleven modules teach you to apply this pattern across every security workflow. The pattern does not change. The domain does.

Investigation (C2) gives you 20+ prompt templates for every investigation type: AiTM compromise, credential spray, insider threat, ransomware precursor, cloud misconfiguration, lateral movement, data exfiltration. Each template includes the structured prompt, the expected KQL queries by table, and the validation checklist for that investigation type. The AiTM investigation you just read is one of those templates.

Detection engineering (C3) takes you from threat advisory to deployed detection rule. You paste an advisory. Claude generates detection hypotheses, draft KQL analytics rules, Sigma rules, false positive predictions, and a full rule specification document. You validate, test against historical data, and deploy. The process that takes a full day manually takes 90 minutes with AI assistance.

IR documentation (C4) is where many analysts lose hours. You complete a 4-hour investigation and then spend 2 to 3 hours writing the technical report, the executive summary, and the regulatory notification assessment. With AI, you paste your investigation notes. Claude drafts all three documents. You review and correct. Documentation drops from 3 hours to 30 minutes. The time goes back into investigation.

Security automation (C5) uses Claude Code to generate PowerShell and Python scripts for operational tasks. Evidence collection scripts, scheduled hunting queries, automated enrichment workflows. Claude Code reads your CLAUDE.md standards file and generates scripts that follow your coding standards from the first draft.

Phase 2 modules are independent. If detection engineering is your bottleneck, start with C3 after completing this module. If documentation consumes more time than investigation, start with C4. Every module produces artifacts you deploy the same week.

Why this matters now

AiTM attacks surged 46% in 2025 because Phishing-as-a-Service platforms like Tycoon 2FA industrialized the technique. Any operator with a subscription could launch AiTM campaigns against M365 tenants without building their own proxy infrastructure. Europol dismantled Tycoon 2FA in March 2026 after 64,000 confirmed incidents across 100,000 organizations, but the technique proliferated across successor platforms before the takedown. The April 2026 Code of Conduct campaign, the scenario you just read, hit 35,000 users across 13,000 organizations in three days using Amazon SES for delivery and newly registered German domains for credential harvesting. These are not rare events. They are your Tuesday morning queue.

The attacker side is accelerating too. The Dragos/Gambit investigation in early 2026 documented a single threat actor using Claude and GPT to compress a multi-week campaign against Mexican government organizations into hours. Over 350 AI-generated scripts, tools, and operational plans were recovered. One operator, using AI for force multiplication, moved from initial access to remote code execution in 40 minutes. The AI did not create novel exploits. It made existing techniques faster to operationalize.

Anthropic responded with Project Glasswing and Claude Security (public beta, May 2026), which scans repositories, traces data flows, and generates vulnerability patches at machine speed. The arms race between AI-assisted attack and AI-assisted defense is the current operational reality. IBM's 2025 Cost of a Data Breach Report quantified the defensive advantage: organizations using AI and automation in security operations contained breaches 108 days faster and saved $2.22 million more than those without. An EY study of 500 senior security leaders in March 2026 found that 97% reported AI increased analyst operational efficiency.

This course teaches you to operate on the defense side of that arms race. Not with reckless automation, but with the same validation discipline you apply to any security tool: understand the capabilities, understand the limitations, verify every output, and deploy only what you have confirmed against the evidence.