
Threat hunting is the most effective approach for driving lasting improvement in security posture – the only problem is scale. One hunter, no matter how skilled, can only cover so much ground.
Course Length: 8 Hours
Includes a Certificate of Completion
Description
Agentic AI changes that equation – not by replacing the hunter, but by extending their reach, building autonomous systems that investigate, correlate, and triage alongside them, while the human retains direction and judgment.
But getting real results from agents requires more than installing a tool and writing better prompts. It requires engineering the complete environment the agent operates in – what the field calls “harness engineering.” This workshop teaches you how to design and build that environment specifically for threat hunting.
The course is structured around seven core systems that together form a complete agentic hunting architecture:
- Distillation – transforming raw telemetry into scored candidates before agents ever see it
- Context Engineering – optimizing the delivery of organizational knowledge, threat intelligence, and reference documentation to agents at inference time
- Tool Configuration – giving agents the right tools with the right permissions for the job
- Skills Architecture – formalizing hunting knowledge into executable, composable, testable procedures
- Agent Orchestration – arranging multiple agents to work together using established coordination patterns
- Knowledge Graphs – providing shared working memory so agents can build on each other’s findings
- Feedback Loops – routing analyst verdicts and investigation outcomes back to improve every layer
This training is progressive and hands-on: students build the system piece by piece across the day, starting with distilled telemetry and adding each layer in turn (context, tools, skills, orchestration, shared memory, feedback) until they have a working agentic hunting system by the end.
This is not a course about prompting chatbots to analyze logs. It’s about engineering a purpose-built threat hunting harness where deterministic code handles what it does best, agents handle the interpretive work, and humans direct and judge – with clear boundaries between the three.
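As an added illustration of the distillation layer described above (this is example code written for this page, not code from the workshop repository): a small Python script that reads constructed Zeek conn.log and Sysmon process-creation samples, applies a handful of deterministic scoring heuristics, and passes on only the ranked candidates. The field names follow Zeek's conn.log and Sysmon Event ID 1; the heuristics, weights and threshold are assumptions chosen for the sample, and the sample records are constructed, not real telemetry.

```python
"""Distillation stage: deterministic scoring of raw telemetry into ranked candidates.

Everything here is plain code with no model involved; the intent is that an agent
only ever sees the short candidate list this produces, not the raw event stream.
"""
import json
from collections import Counter

# Constructed Zeek conn.log records (JSON lines). Not real traffic.
ZEEK_CONN = r"""
{"ts": 1700000000.1, "id.orig_h": "10.0.0.5", "id.resp_h": "93.184.216.34", "id.resp_p": 443, "proto": "tcp", "duration": 0.8, "orig_bytes": 1200, "resp_bytes": 5400}
{"ts": 1700000001.2, "id.orig_h": "10.0.0.5", "id.resp_h": "93.184.216.34", "id.resp_p": 443, "proto": "tcp", "duration": 1.1, "orig_bytes": 900, "resp_bytes": 4100}
{"ts": 1700000002.3, "id.orig_h": "10.0.0.7", "id.resp_h": "198.51.100.9", "id.resp_p": 4444, "proto": "tcp", "duration": 3600.0, "orig_bytes": 52000, "resp_bytes": 300}
{"ts": 1700000003.4, "id.orig_h": "10.0.0.9", "id.resp_h": "93.184.216.34", "id.resp_p": 80, "proto": "tcp", "duration": 0.3, "orig_bytes": 400, "resp_bytes": 2200}
"""

# Constructed Sysmon Event ID 1 (process creation) records. Not real events.
SYSMON = r"""
{"EventID": 1, "Computer": "WS01", "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Program Files\\Microsoft Office\\WINWORD.EXE", "CommandLine": "cmd.exe /c whoami"}
{"EventID": 1, "Computer": "WS02", "Image": "C:\\Windows\\System32\\notepad.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "notepad.exe"}
"""

# Assumed heuristics for this sample; a real pipeline would derive these from baselines.
COMMON_PORTS = {22, 25, 53, 80, 443}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe"}


def parse_jsonl(text):
    """Parse JSON-lines text, skipping blank lines."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def basename(path):
    """Last component of a Windows path."""
    return path.rsplit("\\", 1)[-1]


def score_conn(rec, dest_counts):
    """Score one connection record; returns (score, list of reasons)."""
    score, reasons = 0, []
    if rec["id.resp_p"] not in COMMON_PORTS:
        score += 2
        reasons.append(f"uncommon destination port {rec['id.resp_p']}")
    if rec["duration"] > 600:
        score += 2
        reasons.append(f"long-lived connection ({rec['duration']:.0f}s)")
    if rec["orig_bytes"] > 5 * max(rec["resp_bytes"], 1):
        score += 2
        reasons.append("outbound bytes dominate the session")
    if dest_counts[rec["id.resp_h"]] == 1:
        score += 1
        reasons.append("destination seen only once in the window")
    return score, reasons


def score_process(ev):
    """Score one process-creation event; returns (score, list of reasons)."""
    score, reasons = 0, []
    image = basename(ev["Image"]).lower()
    parent = basename(ev["ParentImage"]).lower()
    if parent in OFFICE_APPS and image in SHELLS:
        score += 4
        reasons.append(f"{parent} spawned {image}")
    if " /c " in ev["CommandLine"].lower():
        score += 1
        reasons.append("inline command execution (/c)")
    return score, reasons


def distill(zeek_text, sysmon_text, threshold=2):
    """Return scored candidates at or above threshold, highest score first."""
    conns = parse_jsonl(zeek_text)
    procs = parse_jsonl(sysmon_text)
    dest_counts = Counter(c["id.resp_h"] for c in conns)
    candidates = []
    for c in conns:
        s, why = score_conn(c, dest_counts)
        if s >= threshold:
            key = f"{c['id.orig_h']}->{c['id.resp_h']}:{c['id.resp_p']}"
            candidates.append({"source": "zeek_conn", "score": s, "reasons": why, "key": key})
    for p in procs:
        s, why = score_process(p)
        if s >= threshold:
            key = f"{p['Computer']}:{basename(p['Image'])}"
            candidates.append({"source": "sysmon", "score": s, "reasons": why, "key": key})
    candidates.sort(key=lambda c: c["score"], reverse=True)
    return candidates


if __name__ == "__main__":
    for cand in distill(ZEEK_CONN, SYSMON):
        print(f"[{cand['score']}] {cand['source']} {cand['key']}: {'; '.join(cand['reasons'])}")
```

On the constructed sample, four connections and two process events reduce to two candidates, each carrying the reasons it was selected, which is the form an agent can reason over without having to rediscover the baseline itself.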
SYSTEM REQUIREMENTS
- A computer with a terminal, modern web browser, and stable internet connection
- Ability to join the live workshop stream
- Node.js 18+ installed with npm
- Python 3.10+ installed with pip (for hands-on exercises throughout the day)
- A code editor or IDE of your choice
- An API key for at least one LLM provider (Anthropic, OpenAI, or Google)
Detailed setup instructions will be sent to registered students ahead of the workshop.
Syllabus
Module 1: Why Agents for Threat Hunting
Theory: The fundamental tension in alert-based security, why hunting is the right approach, and how agentic AI removes the scale constraint.
Module 2: Harness Engineering
Theory: What a harness is, universal design principles, security-specific concerns, and the mindset shift from debugging the agent to debugging the environment.
Module 3: Architecture Overview
Theory: The seven systems that compose an agentic hunting architecture, how they fit together, and what breaks when each one is missing.
Module 4: Distillation
Theory: Why raw telemetry breaks agent reasoning, and the five-stage distillation pipeline.
Practical: Walk through a working distillation pipeline against sample telemetry and examine scored candidates.
Module 5: Context Engineering
Theory: The six context layers, delivery mechanisms, and when to use each.
Practical: Configure context delivery for a hunting agent and observe how it changes investigation quality.
Module 6: Tool Configuration
Theory: The tool surface, the permission spectrum, and the threat hunter’s toolkit.
Practical: Configure tool definitions and permissions for a hunting agent.
Module 7: Skills Architecture
Theory: The core sequence, shared ground, narrow-and-focused design, and composability.
Practical: Author a detection skill and run it against distilled candidates.
Module 8: Agent Orchestration
Theory: The five canonical orchestration patterns and how to choose them for different hunt phases.
Practical: Build a multi-agent orchestration layer with sequential pipeline and concurrent fan-out.
Module 9: Knowledge Graphs
Theory: The silo problem, how agents write to and traverse a shared graph, and how connections emerge automatically.
Practical: Build a shared investigation graph, write findings from multiple agents, and traverse to discover connections.
Module 10: Feedback Loops
Theory: The five feedback paths, the accuracy flywheel, and autonomy progression.
Practical: Implement verdict tracking and observe how feedback calibrates the system over repeated runs.
Module 11: Putting It All Together
Practical: Run a complete hunt through the full system built across the day, from distilled candidates through detection, assessment, narrative, graph traversal, and feedback.
Module 12: Conclusion
Theory: Where to go from here – evaluating and improving your system over time, stripping complexity as models improve, and adapting the architecture to your own environment.
FAQ
No VM is required for this workshop. All exercises run directly on the student’s local machine using Python, Node.js, and standard tooling. Students who prefer working in an isolated environment are welcome to use a VM or container, but it is not necessary.
A workshop repository will be provided to all registered students ahead of the session. The repo includes:
- Working components for each module – ready to configure, run, and experiment with
- Sample security telemetry (Zeek connection logs, Sysmon process events, authentication records) to work with throughout the day
- Skill definitions and configuration files
- Reference solutions for each exercise
Students build their system progressively during the workshop – each module adds a new layer to what was built in the previous one. The repository is structured to support this progression, with clear starting points and checkpoints for each section.
- Gain understanding and experience with harness engineering systems for scalable threat hunting.
- Leave with a working, AI-powered threat hunting system that is prepared for real-world experimentation and use.
- Make use of AI to efficiently conduct proactive threat hunting at scale without knowing software development.
- Threat hunters looking to scale their practice with agentic systems
- SOC analysts who want to move beyond alert triage and build proactive detection capabilities
- Detection engineers interested in how agentic systems can accelerate rule development and coverage
- Security engineers responsible for building or evaluating AI-assisted security tooling
- Blue team leads and security architects exploring how to integrate agentic AI into their defensive operations
- Any security practitioner who wants to understand how to build their own purpose-built framework for working with AI agents, rather than relying on off-the-shelf tools they don’t control
Intermediate. The course assumes a working familiarity with security operations concepts (what telemetry is, what a detection rule does, what threat hunting means) and basic comfort navigating a command line.
No programming experience is required. The workshop provides pre-built components that students configure, run, and interpret rather than code from scratch. The focus is on understanding the architecture and making informed decisions about how to apply it, not on software development.
Note, however, that if you’re newer to security and willing to put in the effort, you can absolutely keep up. The workshop is structured progressively, each module builds on the last, and the concepts are taught before they’re applied.
All course materials remain accessible for six months after the workshop, so you can revisit and work through anything at your own pace. The people who get the most out of this course are those who show up curious and engaged, regardless of where they’re starting from.
- Basic familiarity with security operations concepts – you should know what telemetry, detection rules, and threat hunting mean at a high level, even if you have no hands-on experience with them
- Comfort navigating a terminal and running commands
- No coding experience is required. You will not be writing code.
By the end of this workshop, students will:
- Understand why harness engineering – not prompting or model selection – is where the leverage lives for getting real results from agentic AI
- Know the seven systems that compose a complete agentic hunting architecture, what each one does, and what breaks without it
- Have hands-on experience configuring and running each system component
- Understand how to formalize tacit hunting knowledge into executable, testable skills that agents can follow consistently
- Know how to arrange multiple agents using established orchestration patterns, and when to use which pattern
- Understand how to design feedback loops that make the system improve with every investigation
- Leave with a working repository they can adapt to their own environment and telemetry
About the Instructor
Faan Rossouw
Security Researcher, Teacher, Founder
Bio
Faan Rossouw is a security researcher focused on the intersection of threat hunting and agentic AI. Faan is currently working on aionsec.ai, a complete educational ecosystem that helps threat hunters master AI agents – from using them effectively, to building their own, to securing them. He also has a deep interest in developing robust systems that produce coherent synthetic telemetry for security model training at scale. In his free time, Faan likes to hang out with his family and go for forest runs with his dog.