Michael Glass & “K” SINGH - Solving Modern Cybersecurity Problems with AI - DCTAC2025
Trainer(s): Michael Glass and “K” Singh
Dates: November 3-4, 2025
Time: 8:00 am to 5:00 pm
Venue: TBD
Cost: $2,500
Since our sold out class in 2024, we have refreshed the material to incorporate not only Agentic AI but Content Augmentation Generation (CAG)!
Have you ever wondered how the pros use AI to solve their complex cybersecurity problems? Come find out!
Artificial Intelligence (AI) and Large Language Models (LLMs) have emerged as robust and powerful tools that have redefined how many approach problem solving. The last few years have seen industry AI interest surge while Cybersecurity experts struggle not only to threat model LLMs but to leverage them effectively. Our training presents a comprehensive educational framework aimed at equipping students with the necessary skills to not only build their own LLM toolkits but to leverage AI and LLMs to build elegant solution to solve complex problems unique to their own environments.
This class will teach students how to build their own AI frameworks to ingest data from either SaaS or on-prem data lakes. We will provide both the tools for data data consumption but as well as data warehousing. From there we will walk students through transforming this data and making it operationally effective and efficient for their AI. We will cover various types of data common to Cybersecurity environments, protentional issues with certain data types, and how to make the most of opensource to help transform the data. We will also touch on training and LoRA for model customization.
As Cybersecurity experts, we also need to understand the risk that comes with the use of AI. For this purpose, we will discuss foundational knowledge to conduct both red and blue team exercises regarding AI. We will discuss risk analysis of the disparate components used to make AI functional, a holistic and functional approach to defending the supply chain, understanding vulnerability analysis, and modern day adversary attacks and techniques that you will encounter. Understanding modern security policy frameworks is just as important and we will cover a few of the popular frameworks used to secure and apply policy to your AI environment. We will cap this section of class off with a practicum of both attacking and defending our AI deployed in class.
Using the tools created in class, we will use the SOCMAN DEF CON model to solve hand-picked operational problems we have seen teams struggle with all over the world. You will learn how to use LLMs with agentic AI, how to augment our queries with our own data in two different methods (RAG/CAG), generate high quality YARA/SIGMA rules using your own data, tune your model to hunt complex patterns, improve application observability by adding context to "weird" behavior, how to hunt for APTs using real world scenarios and logs (Stuxnet), filter out noise to increase signal in your environment (SNR), and much more! All of these labs will be performed by students and will leverage AI as middleware to add contextual data between disparate platforms to solve your complex cybersecurity problems. All use cases will be performed by students live and in-class.
By the end of this training you will be able to:
- Build their own AI-powered cybersecurity framework, including custom tooling, ingestion pipelines, and LLM orchestration
- Ingest and warehouse data from SaaS and on-prem sources, transforming it for AI readiness using open-source tools
- Apply Agentic AI and Content Augmentation Generation (CAG) to real-world cybersecurity challenges
- Select, train, and fine-tune models, including LoRA customization for environment-specific detection and automation
- Generate high-quality YARA and SIGMA rules using real-world data and AI-assisted pattern matching
- Augment detection logic using RAG/CAG, enhancing context-awareness and improving incident triage
- Understand foundational knowledge to defend your AI deployments, including threat modeling, adversary simulation, and defending AI infrastructure
- Analyze and enrich logs using AI, identify complex behavioral patterns, and detect APT activity using real-world examples like Stuxnet
- Improve observability by adding AI-generated context to anomalous or hard-to-interpret behaviors
- Increase signal-to-noise ratio (SNR) by using AI to reduce false positives and highlight meaningful security events
- Solve complex cybersecurity problems!
Course Outline:
Introduction (1 lab)
- Introduction to AI, terminology, brief history, and where we are today
Building AI Framework (6 labs)
- Building Your First Data Lake
- Creating Your First AI Framework
- Log Shipping, Centralizing Data, and Log Enrichment
- Hosting and Deploying AI/LLM
- SOCMAN - The DEF CON AI Model
- LoRA Fine-Tuning using Jupyter
AI Blue Team / Red Team (5 labs)
- Threat Modeling AI using Mitre Atlas
- AI Security Policy Frameworks
- Adversary Tactics and Controls
- Supply Chain Attacks and Securing the Supply Chain
- Mini Purple Team Exercise: Attacking and Defending SOCMAN!
Solving Complex Observational Problems with AI (8 labs)
- Log Enrichment using AI
- Generate SIGMA/YARA Rules using IOCs
- Automatic Pattern Analysis in WebApp Traffic
- Alert Analysis and Hallucination Detections
- Adding Context to Weird Behavior for Improving SNR
- Malicious Identification of Lateral Movement
- LLM-Assisted Threat Intelligence Correlation
- Real-time Alert Triage using Agentic AI
Students will also be allowed to export the tools they create in class from our private cloud environment following the training and use the in-class environment for 30 days following the class instructions.
Difficulty Level:
Intermediate
Suggested Prerequisites:
Basic understanding AI (beneficial but not necessary), git, and opensource tools such as OpenSearch. Comfortable in command line (either Windows or Linux).
What Students Should Bring:
Bring a laptop to the class! Students will also need Github usernames.
Trainer(s) Bio:
Michael Glass AKA "Bluescreenofwin" is currently a Principal Security Engineer providing security leadership for one of the largest streaming technology companies in the world specializing in Blue Team, SecOps, and Cloud. Michael has been in the hacking and security scene for over 15 years working for a wide variety of organizations including government, private, and non-profit. Using this diverse background he has founded the company "Glass Security Consulting" in order to provide world class Cybersecurity instruction for Information Security Professionals and Hackers alike.
“K” Singh is currently a Senior Incident Response Consultant at CrowdStrike. Previously an Incident Response Consultant and the Forensic Lab Manager for the Global Incident Response Practice at Cylance – “K” has worked with multiple Fortune 500 companies, sector-leading firms, and healthcare organizations in a variety of engagements ranging from Incident Response to Traditional “Dead Disk” Forensics and E-Discovery. Additionally, “K” is also part of the Operations team for WRCCDC-handling infrastructure for the competition’s core cluster, student environments, Social Media outlets, and liaising between the Red Team and other teams to ensure the competition runs smoothly.
Registration Terms and Conditions:
Trainings are refundable before October 2, 2025, minus a non-refundable processing fee of $250.
Trainings are non-refundable after October 2, 2025.
Training tickets may be transferred. Please email us at training@defcon.org for specifics.
If a training does not reach the minimum registration requirement, it may be cancelled. In the event the training you choose is cancelled, you will be provided the option of receiving a full refund or transferring to another training (subject to availability).
Failure to attend the training without prior written notification, will be considered a no-show. No refund will be given.
By purchasing this ticket you agree to abide by the DEF CON Training Code of Conduct and the registration terms and conditions listed above.
Several breaks will be included throughout the day. Please note that food is not included.
All courses come with a certificate of completion, contingent upon attendance at all course sessions.