Instructor-led 4-days

Course Description

This immersive 4-day program equips security analysts with the skills to integrate agentic AI into Security Operations Center (SOC) defense workflows. Participants learn how AI agents can augment detection, triage, investigation, and response, while strengthening human-in-the-loop decision making. The course emphasizes applied SOC defense strategies, practical use of commercial tools, and real-world scenarios that simulate modern threat environments. Each day combines instructor-led discussions, live demonstrations, and intensive labs designed for SOC analysts working with AI-augmented operations.

Key Takeaways

• Understand the role of agentic AI in SOC defense operations.
• Apply SOC defense strategies to modern threat scenarios.
• Use commercial SIEM, SOAR, and EDR tools in hands-on labs.
• Build AI-augmented triage and investigation workflows.
• Automate common SOC tasks while maintaining analyst oversight.
• Integrate AI outputs into incident response playbooks.
• Evaluate AI-driven alerts for false positives and decision support.

Prerequisites

• Basic knowledge of SOC workflows (alerting, triage, incident response).

Focus: Foundations of Agentic AI in SOC Defense

Module 1: SOC Defense Strategy Basics

• SOC roles and defense layers.
• Detection, containment, and response workflows.
• Gaps and bottlenecks where AI agents add value.

Module 2: Agentic AI Concepts

• Agentic AI vs traditional ML models.
• AI in triage, correlation, and contextual enrichment.
• Security policy and compliance considerations.

Lab 1: Baseline SOC Defense

• Use Splunk or Elastic SIEM to monitor simulated network traffic.
• Conduct manual triage of alerts.
• Identify where AI assistance would reduce workload.

Focus: AI-Augmented Detection and Triage

Module 3: AI-Driven Detection Pipelines

• AI for anomaly detection and correlation.
• Integrating AI into SIEM workflows.
• Case study: detecting lateral movement with AI agents.

Module 4: Triage Acceleration with AI

• Natural language triage reports.
• Contextual enrichment from threat intel feeds.
• Human-AI collaboration for alert scoring.

Lab 2: AI-Powered Alert Triage

• Deploy Microsoft Sentinel or Splunk with AI-based enrichment.
• Use AI assistant to prioritize alerts.
• Compare human vs AI triage times and accuracy.

Focus: AI in Incident Investigation and Response

Module 5: AI-Assisted Investigations

• Automated hypothesis generation.
• Evidence correlation across log sources.
• Explainability and analyst trust in AI outputs.

Module 6: Response Strategy with AI Support

• AI-augmented SOAR playbooks.
• Automated containment recommendations.
• Escalation decision support.

Lab 3: Incident Response with AI

• Use Palo Alto Cortex XSOAR or IBM QRadar SOAR.
• AI-generated investigation notes.
• Simulated phishing and ransomware incidents with automated containment recommendations.

Focus: Operationalizing Agentic AI in the SOC

Module 7: Red-Blue Simulations

• Red team AI adversary tactics.
• Blue team AI-augmented defense.
• Evaluating AI effectiveness under live fire exercises.

Module 8: Building Trust and Governance

• Metrics for AI performance in SOC.
• Risk of AI bias, hallucinations, and adversarial attacks.
• SOC governance for human-in-the-loop AI.

Lab 4: Full SOC Defense Simulation

• Multi-phase attack simulation (insider threat + ransomware).
• AI-augmented detection, triage, and response using multiple tools (Sentinel, Splunk, Cortex XDR).
• Debrief with SOC defense strategy alignment.