Module Summary

2-3 hours · Module 0 · Free

Module 0 demonstrated what AI-assisted security operations looks like in practice and configured the workspace you need to apply it. Four sections covered the investigation case, the failure modes, workspace configuration, and your first hands-on exercise.

Section 0.1 — What Claude Does for Security Investigations. Used the April 2026 Code of Conduct AiTM campaign (35,000 users, 13,000 organisations, 26 countries) as the investigation benchmark. Manual investigation: 7 queries across 4 tables, 45-60 minutes. AI-assisted: 5 queries generated in 2 minutes, validated and run by the analyst in 12 minutes, 15 minutes in total. The judgment boundary: AI accelerates query writing, cross-table correlation, and timeline construction; the analyst retains schema verification, threshold judgment, scope assessment, and containment decisions. Prompt pattern introduced: the AiTM compromise investigation template. Claude exchange demonstrated: a token replay detection query with one missing field, caught by the analyst in 15 seconds.

Section 0.2 — How AI Changes Cybersecurity Work. Four dimensions of change: speed of analysis, scale of coverage, quality of documentation, and accessibility of specialised knowledge. Each dimension carries a specific risk profile. The five AI failure modes — hallucinated references, outdated syntax, confident-but-wrong analysis, incorrect logic, and context leakage — define the validation discipline. The five-check review applies to every AI-generated artifact before deployment.

Section 0.3 — Setting Up Your Claude Workspace. Created a Claude Project with a security-specific system prompt covering platform details, output requirements, and validation constraints. Selected the right Claude surface for each task type: Claude.ai for investigation and analysis, Claude Code for scripting and automation, Cowork for file-based tasks, Connectors for tool integration, Claude Security for repository scanning. Established data handling boundaries: safe to share, requires judgment, never share.

Section 0.4 — Your First AI-Assisted Investigation. Investigated an AiTM account compromise using the structured prompt pattern from section 0.1. Generated KQL queries for sign-in analysis, token replay detection, inbox rule auditing, and lateral phishing scope. Validated each query against the five-check discipline. Built a chronological investigation timeline and identified a scope gap (recipient investigation) that Claude missed. The containment decision demonstrated the judgment boundary: AI recommends actions, the analyst decides based on operational context.

What's next

Module 1 covers the AI landscape in security operations: a structured assessment of what AI can and cannot do across investigation, detection, response, compliance, and governance. You will build the capability matrix that informs every subsequent module's application of AI to specific security workflows. The five failure modes from section 0.2 expand into a comprehensive validation framework with worked examples for each failure type.
