
Rob T. Lee
@robtlee • 26,623 subscribers
Chief AI Officer, Chief of Research, @SANSInstitute | Cybersecurity Expert & Threat Hunter | Godfather of DFIR | Technical Advisor to US Govt
Videos

(4 DAYS BEFORE SUBMISSIONS CLOSE) I get this question a lot about the Find Evil! hackathon: What does “find evil” actually mean? In this case, the name comes from a real command. I built an autonomous incident response agent I built on the SIFT Workstation. Then I typed “find evil” as a prompt into Claude Code. And it did (watch the demo). I was blown away to watch the autonomous agent run a complete C drive forensic analysis, across 200+ tools via MCP. The agent identified threat actor and context, the attack chain, malware deployment method, persistence mechanisms, code injection analysis, network connections, command-and-control (C2) infrastructure, a complete malicious process tree, and a chronological activity timeline. Two days after I shared initial findings, Anthropic released their report on how threat actors were deploying Claude Code with operational tools and letting it go do evil. (Same thing I was doing.) Find Evil! is the first hackathon dedicated to building autonomous AI agents for incident response. 4,178 defenders are working on final Find Evil! hackathon submits. (This number makes me very happy to see so many diving in. And wishing that the thousands more in our community were experimenting with us.) Your job: teach an AI agent to think like a senior analyst, how to sequence its approach, recognize when something doesn’t add up, and self-correct when it gets it wrong. There are FOUR DAYS left to build with us! (Very few of us are actual AI experts. The rest of us including me are learning.) Register: Apply to judge: We need DFIR, AI, cybersecurity, and open-source reviewers who can separate useful autonomous response tools from polished demos. Apply: I am SO EXCITED to see what comes out of this hackathon and goes back to the community. Sponsored by SANS Institute
Rob T. Lee14,405 views • 1 month ago

Watch this clip. Joshua Wright described this exact attack at RSAC five days ago. Today it happened to one of the most downloaded packages on the planet. Attackers hijacked the #Axiosnpm package this morning. 100 million weekly downloads. 600,000 installs of a credential-stealing backdoor in three hours. Joshua Wright and Rich Greene did an emergency SANS livestream this morning breaking down exactly what happened. The part that caught my attention: the attack deployed separate payloads for Mac, Windows, and Linux simultaneously. Josh isn't ready to call it confirmed, but the pattern points to AI acceleration. Josh's full analysis and steps you should take: Watch Josh's keynote if you missed it. SANS Institute edskoudis Heather Mahalik Barnhart Barnhart Robert M. Lee #AxiosCompromise #AxiosSupplyChain
Rob T. Lee18,227 views • 3 months ago
No more content to load