Duration: 10 Days | Focus: Core Technical Foundations & IR Workflow Mastery. Covers the full intensive schedule (Days 1–10).
Duration: 15 Days | Includes: 10-Day Skills-Intensive + 5-Day Capstone Week + assistance in creating a shareable professional portfolio.
This program prepares cybersecurity professionals to architect and execute AI-driven workflows for risk analysis and incident response. Students operate within a tiered AI Instructional Ecosystem:
This course transforms traditional defensive theory into an experience-driven laboratory. Using Information Stealers (RedLine, Vidar, Raccoon, and Lumma) as a lens, students will investigate the primary fuels of the modern cybercrime economy: stolen identities and session artifacts.
The curriculum introduces the practice of leveraging AI as a co-pilot to translate high-level security concepts into actionable plans. By moving beyond memorization to active synthesis, students master the full Incident Response (IR) lifecycle while employing AI to accelerate triage, evidence linkage, and remediation.
By the end of the course, students will have experienced first-hand how to analyze, remediate and mitigate real-world cyber compromises from endpoint incident data and, if completing the follow-on capstone, will pass a practical checkout on artifacts from an actual infostealer incident.
This course builds upon a recognized cybersecurity foundation such as a college degree or an industry-recognized certification. Students will typically enter with basic knowledge of:
By the end of this intensive, students will be able to:
| Day | Learning Objectives | Hands-On Lab |
|---|---|---|
| 01 | Identity theft mechanics; "Identity Chain Reaction" (Email → GitHub → Slack). | Personal Blast Radius Mapping |
| 02 | Calculating Risk (L×I); Lumma/Vidar evolution. | 4-Level Risk Heat Map |
| 03 | Step Scaffolding and Critique Loops (RTCC Framework). | Identity-to-URL Mapping |
| 04 | Strategic Playbooks vs. Tactical Runbooks. | Contoso O365 Incident Runbook |
| 05 | Assessing Access Level, Device Role, and Malware TTPs. | Telefonica Artifact Analysis |
| 06 | MFA Fatigue, Session Hijacking (Token Replay), OAuth persistence. | Telefonica Artifact Analysis (cont.) |
| 07 | Evidence Linkage and "Reproducibility Markers." | Drafting Verifiable Reports |
| 08 | Detection Coverage vs. Detection Fidelity. | Applied Detection Matrix |
| 09 | Implementing the 5-step IR pattern. | PowerShell/Python Log Triage |
| 10 | Automating remediation tools through AI. | Applied Endpoint Remediation |
| Category | AI Application Description | RTCC Mapping |
|---|---|---|
| Code Gen | Drafting triage and remediation scripts with robust error handling. | Task: Script; Constraints: Atomic, dry-run. |
| Translation | Converting complex logs/TTPs into plain language for executives. | Role: Comm Lead; Task: Risk-centric language. |
| Safety | Reviewing AI code for logic errors or destructive loops. | Check: Fail-Closed logic evaluation. |
| Doc | Summaries that include evidence pathways and assessments of at-risk or compromised corporate systems. | Constraints: Model version and prompt snippet. |
The Capstone is an additional high-intensity week designed specifically for the 3-Week Professional Track. It serves as the ultimate synthesis of the skills developed during the 10-day intensive, requiring students to complete, and be checked out on, a comprehensive response to an un-sanitized real-world evidence pack.
Students move beyond guided labs to conduct and document an exhaustive 5-day investigation of real-world cyber threats, producing implementable remediations, mitigations and management communications. This phase leverages the 6-Stage Identity Compromise Risk Model and AI Power Prompting to identify persistence markers, lateral movement, and the "Identity Chain Reaction" in unstructured data dumps.
A central pillar of the Capstone is the curation of a Shareable Professional Portfolio. This digital asset provides tangible proof of job readiness and personal branding utility by showcasing: