AI for the Win

Build AI-Powered Security Tools | 40 Hands-On Labs for Security Practitioners


Project maintained by depalmar Hosted on GitHub Pages — Theme by mattgraham
python labs/lab10-phishing-classifier/solution/main.py
[+] Trained on 1,000 labeled emails
[+] Model: Random Forest with TF-IDF features

Testing on new emails...
"Dear user, your account will be suspended" → 🚨 PHISHING (94%)
"Q3 revenue report attached" → ✅ LEGIT (91%)
"Coinbase: verify identity immediately" → 🚨 PHISHING (97%)

Top phishing indicators learned:
1. urgency_score (+0.34) ← "immediately", "suspend", "verify"
2. url_mismatch (+0.28) ← display text ≠ actual link
3. sender_anomaly (+0.19) ← domain doesn't match brand
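The three indicators listed in the demo output are engineered features that sit beside the TF-IDF vectors. The following is an added example (not the lab's solution code) of how such features can be computed from a raw message; the urgency vocabulary, the brand-to-domain map, and the simplified anchor regex are all assumptions made for this illustration.

```python
import re
from urllib.parse import urlparse

# Vocabulary and brand map are constructed for this example; the lab's own lists are not on the page.
URGENCY_TERMS = ("immediately", "suspend", "verify", "urgent", "24 hours", "act now")
BRAND_DOMAINS = {"coinbase": "coinbase.com", "paypal": "paypal.com", "microsoft": "microsoft.com"}
# Simplified anchor extraction: (href, visible text). Use a real HTML parser on production mail.
ANCHOR_RE = re.compile(r'<a\s[^>]*href=["\']([^"\']+)["\'][^>]*>(.*?)</a>', re.I | re.S)

def plain_text(body):
    """Strip tags so indicators are computed on what the recipient actually reads."""
    return re.sub(r"<[^>]+>", " ", body).lower()

def registered_domain(value):
    """Lower-cased host of a URL or bare domain, with a leading 'www.' removed."""
    value = value.strip().lower()
    host = urlparse(value if "://" in value else "http://" + value).hostname or ""
    return host[4:] if host.startswith("www.") else host

def urgency_score(body):
    """Share of the urgency vocabulary present in the message text (0.0 to 1.0)."""
    text = plain_text(body)
    return sum(term in text for term in URGENCY_TERMS) / len(URGENCY_TERMS)

def url_mismatch(body):
    """True when a link's visible text looks like a URL/domain but the href points elsewhere."""
    for href, shown in ANCHOR_RE.findall(body):
        shown = re.sub(r"<[^>]+>", "", shown).strip()
        if "." in shown and " " not in shown and registered_domain(shown) != registered_domain(href):
            return True
    return False

def sender_anomaly(sender, body):
    """True when the text names a known brand but the sender domain is not that brand's domain."""
    sender_domain = sender.split("@")[-1].lower()
    text = plain_text(body)
    return any(brand in text and sender_domain != dom and not sender_domain.endswith("." + dom)
               for brand, dom in BRAND_DOMAINS.items())

def extract_features(sender, body):
    """Engineered indicators that sit beside the TF-IDF features in the classifier."""
    return {"urgency_score": urgency_score(body), "url_mismatch": url_mismatch(body),
            "sender_anomaly": sender_anomaly(sender, body)}

if __name__ == "__main__":
    # Constructed samples modelled on the demo output above.
    print(extract_features("security@coinbase-verify.net",
                           'Coinbase: verify identity immediately. '
                           '<a href="http://coinbase-verify.net/login">https://www.coinbase.com/login</a>'))
    print(extract_features("finance@example.com", "Q3 revenue report attached"))
```

In the lab these values would be appended to each message's TF-IDF vector before training the Random Forest; the feature importances in the demo output are what the trained model then reports for them.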
50+ Hands-On Labs | 1000+ Tests Passing | 9 Learning Paths | Dual License: MIT + CC BY-NC-SA

What You Need to Start

Prerequisites Checklist

Python 3.10+: any OS (Windows, macOS, Linux)
Code editor: VS Code, Cursor, or PyCharm
8GB+ RAM: 16GB recommended for local LLMs
Git installed: to clone the repository
API key (optional): only needed for Labs 04+; free options available
Security background: basic security concepts helpful but not required

Why AI for the Win?

🎯 Built for Security Practitioners

Not generic ML courses. Every lab solves real security problems: phishing, malware, C2 detection, incident response.

🛠 You Build Real Tools

No toy examples. Build classifiers, agents, RAG systems, and detection pipelines you can actually use.

🚀 Vibe Coding Ready

Designed for AI-assisted development with Cursor, Claude Code, and Copilot. Learn the modern way.

💰 Start Free

Labs 00-13 need no API key. Learn ML foundations before spending on LLM APIs. Ollama option for $0 total.

🎓 Beginner Friendly

New to Python? Start at Lab 00. The Security-to-AI Glossary translates ML jargon into terms you know.

🔬 1000+ Tests

Every lab has comprehensive tests. Know your code works before deploying. 100% pass rate.

Interactive Lab Navigator

Foundation (00-09, Free) | ML (10-13, Free) | LLM (14-18) | Detection (19-24) | DFIR/Advanced (25-50)

All 51 labs are shown in the grid below with full details.

All 50+ Labs (Including Bridge Labs)

00 Environment Setup | Python, VS Code, virtual env, Jupyter | 🕑 ~30 min | ★☆☆ Beginner
01 Python for Security | Variables, files, APIs, IOC extraction | 🕑 ~2 hrs | ★☆☆ Beginner
02 Prompt Engineering | LLM basics, templates, free playgrounds | 🕑 ~1 hr | ★☆☆ Beginner
03 Vibe Coding with AI | AI coding assistants, Claude Code, Cursor, Copilot | 🕑 ~45 min | ★☆☆ Beginner
04 ML Concepts | Supervised, unsupervised, features, metrics | 🕑 ~1 hr | ★☆☆ Beginner
05 AI in Security Ops | Real-world use cases, limitations, workflows | 🕑 ~1 hr | ★☆☆ Beginner
06 Visualization & Stats | Statistics, Plotly, security dashboards | 🕑 ~2 hrs | ★☆☆ Beginner
07 Hello World ML | Your first ML model, scikit-learn basics | 🕑 ~1 hr | ★☆☆ Beginner
08 Working with APIs | HTTP basics, requests, JSON parsing | 🕑 ~1 hr | ★☆☆ Beginner
09 CTF Fundamentals | CTF mindset, encoding, flag hunting techniques | 🕑 ~45 min | ★☆☆ Beginner
10 Phishing Classifier | ML text classification, TF-IDF, Random Forest | 🕑 ~2 hrs | ★☆☆ Beginner
11 Malware Clustering | K-Means, DBSCAN, feature extraction | 🕑 ~2 hrs | ★☆☆ Beginner
12 Anomaly Detection | Isolation Forest, statistical baselines | 🕑 ~2 hrs | ★☆☆ Beginner
13 ML vs LLM | When to use ML vs LLM, cost comparison | 🕑 ~1 hr | ★☆☆ Beginner
14 First AI Agent | Tool calling, ReAct basics, agent loops | 🕑 ~2 hrs | ★★☆ Intermediate
15 LLM Log Analysis | Prompt engineering, IOC extraction | 🕑 ~3 hrs | ★★☆ Intermediate
16 Threat Intel Agent | ReAct pattern, LangChain, autonomous investigation | 🕑 ~3 hrs | ★★☆ Intermediate
17 Embeddings & Vectors | Deep dive into embeddings for RAG | 🕑 ~2 hrs | ★★☆ Intermediate
18 Security RAG | Vector embeddings, ChromaDB, doc Q&A | 🕑 ~4 hrs | ★★☆ Intermediate
19 Binary Basics | PE files, headers, sections for YARA | 🕑 ~2 hrs | ★★☆ Intermediate
20 Sigma Fundamentals | Sigma rule syntax, SIEM queries, LLM generation | 🕑 ~2 hrs | ★★☆ Intermediate
21 YARA Generator | AI-assisted rule generation, validation | 🕑 ~3 hrs | ★★☆ Intermediate
22 Vuln Prioritizer | CVSS scoring, risk-based prioritization | 🕑 ~4 hrs | ★★☆ Intermediate
23 Detection Pipeline | Multi-stage ML + LLM architecture | 🕑 ~5 hrs | ★★★ Advanced
24 Monitoring AI Systems | Observability, drift detection, logging | 🕑 ~2 hrs | ★★☆ Intermediate
25 DFIR Fundamentals | IR lifecycle, Windows artifacts, ATT&CK | 🕑 ~2 hrs | ★★☆ Intermediate
26 Windows Event Logs | Event log parsing, security event detection | 🕑 ~3 hrs | ★★☆ Intermediate
27 Registry Forensics | Registry analysis, persistence detection | 🕑 ~3 hrs | ★★☆ Intermediate
28 Live Response | Live IR, triage procedures, evidence collection | 🕑 ~4 hrs | ★★★ Advanced
29 IR Copilot | Conversational IR assistant, playbooks | 🕑 ~4 hrs | ★★☆ Intermediate
30 Ransomware Fundamentals | Evolution, families, indicators, recovery | 🕑 ~2 hrs | ★★☆ Intermediate
31 Ransomware Detection | Entropy analysis, behavioral detection | 🕑 ~5 hrs | ★★★ Advanced
32 Purple Team Sim | Safe adversary emulation, gap analysis | 🕑 ~6 hrs | ★★★ Advanced
33 Memory Forensics AI | Volatility3, process injection, credentials | 🕑 ~6 hrs | ★★★ Advanced
34 C2 Traffic Analysis | Beaconing, DNS tunneling, JA3 | 🕑 ~5 hrs | ★★★ Advanced
35 Lateral Movement | Auth anomalies, attack path graphs | 🕑 ~5 hrs | ★★★ Advanced
36 Threat Actor Profiling | TTP extraction, campaign clustering | 🕑 ~5 hrs | ★★★ Advanced
37 AI-Powered Threat Actors | Deepfakes, AI phishing, detecting AI attacks | 🕑 ~2 hrs | ★★☆ Intermediate
38 ML Security Intro | ML threat models, attack taxonomy | 🕑 ~1 hr | ★★☆ Intermediate
39 Adversarial ML | Evasion attacks, poisoning, defenses | 🕑 ~6 hrs | ★★★ Advanced
40 LLM Security Testing | Prompt injection, jailbreak testing | 🕑 ~3 hrs | ★★★ Advanced
41 Model Monitoring | Drift detection, adversarial input detection | 🕑 ~3 hrs | ★★★ Advanced
42 Fine-Tuning | Custom embeddings, LoRA, deployment | 🕑 ~8 hrs | ★★★ Expert
43 RAG Security | KB poisoning, context sanitization | 🕑 ~3 hrs | ★★★ Advanced
44 Cloud Security Basics | AWS/Azure/GCP fundamentals, IAM, logs | 🕑 ~2 hrs | ★★☆ Intermediate
45 Cloud Security AI | AI-powered CloudTrail analysis | 🕑 ~5 hrs | ★★★ Advanced
46 Container Security | Kubernetes, runtime detection, image scanning | 🕑 ~4 hrs | ★★★ Advanced
47 Serverless Security | Lambda, event injection, cold start attacks | 🕑 ~3 hrs | ★★★ Advanced
48 Cloud IR Automation | Automated containment, evidence collection | 🕑 ~4 hrs | ★★★ Advanced
49 LLM Red Teaming | Prompt injection, jailbreaks, guardrails | 🕑 ~6 hrs | ★★★ Advanced
50 Purple Team AI | AI attack simulation, detection validation | 🕑 ~3 hrs | ★★★ Advanced

Choose Your Learning Path

Click to expand each path and see the recommended labs

🟢 Beginner

Start here! Foundations → ML basics → LLM basics. No API key needed until Lab 35.

📚 Foundations (Optional Prep)

00 Environment Setup ~30 min
01 Python for Security ~2 hrs
04 ML Concepts Primer ~1 hr
02 Prompt Engineering ~1 hr
05 AI in Security Ops ~1 hr
06 Visualization & Stats ~2 hrs
07 Hello World ML ~1 hr
08 Working with APIs ~1 hr

🔬 ML Basics (No API Key)

01 Phishing Classifier ~2 hrs
02 Malware Clustering ~2 hrs
03 Anomaly Detection ~2 hrs

🤖 LLM Basics (API Key Required)

04 LLM Log Analysis ~3 hrs
05 Threat Intel Agent ~3 hrs
06 Security RAG ~4 hrs
07 YARA Generator ~3 hrs

Total: ~25 hours | Cost: Free → ~$5

🟡 Intermediate

Build advanced tools. Detection pipelines, IR copilots, and DFIR automation.

08 Vuln Prioritizer ~4 hrs
09 Detection Pipeline ~5 hrs
10 IR Copilot ~4 hrs
11 Ransomware Detection ~5 hrs
12 Purple Team Sim ~6 hrs
13 Memory Forensics ~6 hrs
14 C2 Traffic Analysis ~5 hrs
15 Lateral Movement ~5 hrs

Total: ~40 hours | Cost: ~$15-25

🔴 Expert

Advanced techniques: threat actor profiling, adversarial ML, cloud/container security, and red teaming.

16 Threat Actor Profiling ~5 hrs
17 Adversarial ML ~6 hrs
17b LLM Security Testing ~3 hrs
18 Fine-Tuning ~8 hrs
19 Cloud Security AI ~5 hrs
19b Container Security ~4 hrs
20 LLM Red Teaming ~6 hrs

Total: ~37 hours | Cost: ~$15-30

By Role

View All 9 Role Paths

Cost Breakdown

Labs                      API Required   Estimated Cost
00-03 (ML Foundations)    No             Free
04-07 (LLM Basics)        Yes            ~$2-8
08-10 (Advanced)          Yes            ~$5-15
11-20 (Expert)            Yes            ~$10-25
With Ollama (local)       No             $0 total

Quick Start

🚀 Option 1: Zero Setup (Colab)

Run labs directly in your browser; no installation needed!

Lab 29 (ML): Open Lab 29 in Colab
Lab 35 (LLM): Open Lab 35 in Colab

📓 All 50+ lab notebooks are available for Colab.

🐳 Option 2: Docker (Recommended)

One-command setup with all services pre-configured:

git clone https://github.com/depalmar/ai_for_the_win.git
cd ai_for_the_win/docker
docker compose up -d
# Access Jupyter Lab at http://localhost:8888 (token: aiforthewin)

📦 Includes: Jupyter, Elasticsearch, Kibana, PostgreSQL, Redis, MinIO, Ollama, ChromaDB

💻 Option 3: Local Setup

git clone https://github.com/depalmar/ai_for_the_win.git
cd ai_for_the_win
python -m venv venv
source venv/bin/activate  # Win: venv\Scripts\activate
pip install -r requirements.txt
python labs/lab10-phishing-classifier/solution/main.py

Frequently Asked Questions

Do I need prior ML/AI experience?
No. Labs 00-09 cover Python basics, ML concepts, and prompt engineering from scratch. The Security-to-AI Glossary translates ML jargon into security terms you already know.
Which LLM provider should I use?
We recommend Anthropic Claude (Sonnet 4/Opus 4.5) for best reasoning on security tasks. All labs support OpenAI GPT-5.2, Google Gemini 3, and Ollama (free, local). You only need one provider.
Can I run everything locally without API costs?
Yes! Use Ollama to run models locally for free. Labs 00-13 don't need any API at all. You can complete the entire course for $0 if you use local models.
How long does it take to complete all labs?
The full course is approximately 40-89 hours depending on AI assistance level and prior experience. With AI coding tools (Cursor, Claude Code), most labs take 50-70% less time. Time estimates are approximate and vary by background. Focus on your role's learning path first (~5-18 hours) for immediate value.
What if I get stuck on a lab?
Every lab includes complete solution code, step-by-step hints, and a Colab notebook you can run in your browser. Check GitHub Discussions for community help or open an issue.
Can I use this commercially?
The documentation and labs are licensed CC BY-NC-SA 4.0 (non-commercial). Code samples are MIT licensed. For commercial use, contact the author for licensing options. The solutions demonstrate core concepts; for production, you'd add error handling, logging, and scale considerations.
How is this different from other ML courses?
Every lab solves a real security problem. You won't build iris classifiers or digit recognizers. You'll build phishing detectors, threat intel agents, and ransomware analyzers.

Resources

📚 Security-to-AI Glossary

ML terms explained using security analogies

🗺 Learning Paths

Curated paths for 9 security roles

🔑 API Keys Guide

Setup and cost management

🛠 Troubleshooting

Fix common issues and errors

📖 Lab Walkthroughs

Step-by-step solutions for each lab

📓 Jupyter Basics

Local notebook setup guide

☁️ Google Colab Guide

Zero-setup browser notebooks

💻 All 28 Guides

Tools, APIs, dev setup, and more

Dual License (MIT + CC BY-NC-SA 4.0)  |  Built for security practitioners  |  Created by Raymond DePalma

Disclaimer: This is a personal educational project created on personal time. It is not affiliated with, endorsed by, or sponsored by any employer or vendor. All tool references are for educational purposes only.