AI + SOC 101 Bootcamp: Building Modern Security Operation Skills with AI Integration - Rod Soto - DCTLV2026
Name of Training: AI + SOC 101 Bootcamp: Building Modern Security Operations Skills with AI Integration
Trainer(s): Rod Soto
Dates: August 10-11, 2026
Time: 8:00 am to 5:00 pm
Venue: Las Vegas Convention Center
Cost: $2,500 (USD)
Short Summary:
Learn core Security Operations Center (SOC) skills enhanced with AI-powered tooling in an intensive, lab-driven bootcamp. Students will work through realistic SOC analyst workflows—log analysis, detection, investigation, and response—while integrating modern AI/LLM tools into their processes. This course is designed to bridge traditional SOC fundamentals with AI-driven detection, analysis, and automation, preparing participants for today’s rapidly evolving security landscape
Course Description:
This two-day bootcamp delivers practical, hands-on training in SOC fundamentals with a strong focus on real-world workflows and AI augmentation. Students will work directly with logs, packets, SIEMs, EDR platforms, and AI tools that mirror what’s used in modern security operations.
Participants will start with foundational concepts—SOC roles, access controls, logging, and incident triage—then progressively move into network analysis, SIEM workflows, detection engineering, and adversarial simulation. Throughout the course, AI and LLMs are positioned as force multipliers: enhancing detection, supporting triage, summarizing evidence, and accelerating investigation.
By the end of the bootcamp, students will be able to:
- Understand how a SOC operates and where a Level 1 analyst fits.
- Collect, parse, and analyze security logs from Windows, Linux, and network sensors.
- Use tools like Sysmon, Zeek, Arkime, Suricata, Elasticsearch, Splunk, and Wazuh in realistic scenarios.
- Apply frameworks such as MITRE ATT&CK, ATT&CK-based kill chains, and OWASP Top 10 to detection and incident analysis.
- Integrate AI/LLMs into SOC workflows for triage, summarization, and threat hunting.
- Recognize and mitigate security risks introduced by AI and LLM usage (including Shadow AI and MCP-based agents).
The course emphasizes practical, baseline SOC analyst competencies that are enhanced—but never replaced—by AI. Graduates will leave with a well-rounded skill set suitable for SOC Analyst 1 roles in AI-enabled environments.
Course Outline:
Day 1 – SOC Fundamentals & Core Tooling
-
Fundamentals of a SOC
- Introduction and instructor background
- What is a Security Operations Center (SOC)?
- Roles and responsibilities of a SOC analyst
- Security posture, SecOps, and the pillars of information security (Confidentiality, Integrity, Availability)
- Access Controls & Operating Systems
- Access control concepts: Authentication, Authorization, Principle of Least Privilege (PoLP), Separation of Duties (SoD)
- Access control models: MAC, DAC, RBAC, ABAC, risk-based access
- Defense in Depth and Endpoint Detection & Response (EDR)
- Hands-on Exercises (Access Controls)
- Linux: Mandatory and discretionary access controls (AppArmor, file permissions)
- Windows: Access controls in Active Directory, NTFS permissions, and local/system accounts
- Windows: Processes, integrity levels, and permissions
- Security Events & Logging
- Security events vs. incidents; triage fundamentals (true/false positives, CISA severity)
- Log structure and common formats: JSON, XML, YAML, CSV
- Text manipulation and regular expressions (regex) for log parsing
- Windows and Linux log sources: EVTX, Syslog
- Sysmon overview and configuration
- Hands-on exercise: Installing Sysmon and detecting malicious activity in logs
- Network Basics & Intrusion Detection
- Network fundamentals for SOC analysts: packet capture, TCPDump, Wireshark
- Core protocols: TCP/IP, DNS, HTTP/HTTPS
- Common network attacks and artifacts
- Network analysis tools: Zeek, Arkime, and Suricata in SOC workflows
- Standards & Frameworks
- CVE, CWE, CAPEC
- MITRE ATT&CK, ATLAS
- OWASP Top 10
- Key compliance frameworks and why they matter to SOCs
- Hands-on exercise: Replicating an OWASP Top 10 attack and observing/analyzing the resulting logs
Day 2 – SIEM, EDR, and AI-/Agentic-Enhanced SOC Workflows
- Centralized Logging & SIEM
- CIS Critical Security Controls for log management
- Remote log collection (WEC/WEF, SIEM agents)
- SIEM fundamentals and core use cases
- Hands-on Exercises (Elastic Stack)
- Elasticsearch setup
- Threat discovery using search, filters, and dashboards
- Integrating Zeek and Windows logs (Winlogbeat)
- Hands-on Exercises (Splunk)
- Introduction to Splunk: architecture, apps, and add-ons
- Running Splunk in Docker and exploring the UI
- Data onboarding, basic searches, and threat discovery
- Analyzing Suricata IDS logs in Splunk
- Endpoint Detection & Response (EDR)
- EDR concepts and the role of EDR in SOC operations
- Wazuh as an open-source EDR platform
- Adversarial Simulation & Detection Engineering
- IaC and modern SOC infrastructure (ephemeral/immutable)
- Detection engineering fundamentals
- Cryptography touchpoints and SOC-adjacent teams & Legal considerations
(IR, CIRT/SERT, Legal)
- AI/LLMs, MCP, and the Agentic SOC
- AI + SOC foundations (LLMs, multimodal models, core concepts)
- Practical SOC applications (enrichment, summarization, anomaly
detection, agentic workflows)
- LLM/agent usage examples and prompt best practices
- Free and open-source LLMs (e.g., GPT4All, Ollama) and local deployment
- Agentic workflow basics(LangChain ecosystem, CrewAI, A2A)
- Agentic SOC applications
- AI/LLM/MCP/Agent Risks & Frameworks (OWASP, MITRE ATLAS)
- Risks of LLMs/MCP/Agents
- Shadow AI and unapproved model/agent usage
- Monitoring and logging requirements for LLM and agent orchestration visibility
- OWASP Top 10 for LLMs and agentic applications
- Agentic security: monitoring and threat surface
- AI SOC Exercises
- Setting up Ollama Web UI and describing a synthetic firewall dataset
- Agentic security workflow: from log → detection → incident
- Detecting LLM/MCP abuse using log telemetry (Splunk MCP LLM SIEMulator)
- Optional: agentic workflow security analysis
- CTF-style SOC challenges
Difficulty Level:
Beginner to Intermediate.
Students should have foundational IT knowledge and basic networking familiarity. The course builds on this baseline to develop practical SOC analyst skills with integrated AI tooling. No prior SOC or AI experience is required.
Beginner Definition - The student has an interest in the topic presented and general technology knowledge that a power user or undergraduate student may have acquired.
Intermediate Definition - The student has education and some experience in the field and familiarity with the topic being presented. The student has foundational knowledge that the course will leverage to provide practical skills on the topic.
Suggested Prerequisites:
- Basic understanding of networking concepts (TCP/IP, DNS, HTTP/HTTPS)
- Familiarity with Linux command-line operations
- General awareness of cybersecurity threats and terminology
- Comfort with technical content and hands-on labs
What Students Should Bring:
- Laptop with at least 16 GB RAM (32 GB recommended)
- Ability to run virtual machines (VMware Workstation, VirtualBox, or similar)
- Minimum 50 GB of free disk space
- Administrative privileges on the laptop
Note: Apple M-series laptops are not compatible with the course VMs; Intel/AMD x86-64 architecture is required.
What the Trainer Will Provide:
- Pre-configured virtual machine images with all required tools and lab environments
- Comprehensive course workbook with exercises and reference materials
- Access to lab scenarios and synthetic datasets
- Detection rule templates and practical examples
- Resource guides for continued self-study after the course
Trainer(s) Bio:
Rod Soto has over 15 years of experience in information technology and cybersecurity, with deep expertise in Security Operations Centers. He has served as a SOC support engineer, SOC engineer, security emergency response analyst, and incident responder, and currently works as a detection engineer and researcher on Splunk’s Cisco Threat Research Team. His previous roles include positions at Prolexic/Akamai, Splunk UBA, and JASK (SOC automation).
Rod is an accomplished cybersecurity competitor and educator. He won the Black Hat Las Vegas CTF in 2012 and the Red Alert ICS CTF at DEF CON 2022. He has presented at DEF CON, Black Hat, RSA Conference, Splunk .CONF, DerbyCon, BSides events, HackMiami, and numerous ISSA, ISC2, and OWASP chapters. His work and commentary have appeared in major media outlets including Rolling Stone, Pentest Magazine, Forbes, VICE, BBC, Univision, Fox News, and CNN.
Rod’s current research at Splunk–Cisco focuses on securing AI and LLM ecosystems, including:
- Developing the Splunk Technology Add-on for Ollama to monitor Shadow AI deployments.
- Creating detection frameworks for Microsoft 365 Copilot security threats.
- Analyzing LLM-based attack vectors such as the PromptLock ransomware proof-of-concept.
- Publishing on monitoring MCP servers (open-source LLM MCP Security Monitoring Tool).
- Using RAG with Splunk ESCU and MLTK to build AI-enhanced security detections aligned with the MITRE ATLAS framework.
He combines frontline SOC experience, active research, and a strong teaching background to deliver training that is both practical and current.
Proficiency Exam Option:
This course has the option for a proficiency certificate add-on.
Students who purchase the proficiency exam add-on will complete a capstone challenge simulating a real-world SOC investigation (CTF-style).
The exam covers:
- Alert triage
- Threat detection
- Incident analysis
- Response documentation
Students must score at least 75% to pass.
Those who opt in will receive:
- Detailed performance feedback
- Individualized coaching on areas for improvement
- A verified certificate of proficiency suitable for professional portfolios and employment verification
Please reach out to training@defcon.org for any questions related to the proficiency exam and certificate option.
Registration Terms and Conditions:
Trainings are refundable before July 11, 2026, minus a non-refundable processing fee of $250.
Between July 11, 2026 and August 5, 2026 partial refunds will be granted, equal to 50% of the course fee minus a processing fee of $250.
All trainings are non-refundable after August 5, 2026.
Training tickets may be transferred to another student. Please email us at training@defcon.org for specifics.
If a training does not reach the minimum registration requirement, it may be cancelled. In the event the training you choose is cancelled, you will be provided the option of receiving a full refund or transferring to another training (subject to availability).
Failure to attend the training without prior written notification will be considered a no-show. No refund will be given.
DEF CON Training may share student contact information, including names and emails, with the course instructor(s) to facilitate sharing of pre-work and course instructions. Instructors are required to safeguard this information and provide appropriate protection so that it is kept private. Instructors may not use student information outside the delivery of this course without the permission of the student.
By purchasing this ticket you agree to abide by the DEF CON Training Code of Conduct and the registration terms and conditions listed above.
Several breaks will be included throughout the day. Please note that food is not included.
All courses come with a certificate of completion, contingent upon attendance at all course sessions. Some courses offer an option to upgrade to a certificate of proficiency, which requires an additional purchase and sufficient performance on an end-of-course evaluation.