Investigation & Prompt Engineering Masterclass

Everything you've built leads to this.

You have 9 skills. 6 data sources. An AI analyst that knows your network. And a live environment with real security alerts firing right now.

In Part 1, you investigate — with no script to follow. Real alerts on the Domain Controller. Real telemetry across every data source. You decide what to ask, what to dig into, what to correlate. Nobody tells you the answer because there isn't one right answer — there's your investigation and the evidence you find.

In Part 2, you witness the moment that changes how you think about AI in security. Two prompts. Same model. Same data. Opposite conclusions — "monitor for 24 hours" versus "isolate the Domain Controller now." Then you write your own engineered prompt and assess whether it produced the analysis you intended.

You leave with the 5 principles that make every AI interaction sharper — not just in security, but anywhere you use AI to analyze data.

By the end of this lab, learners will be able to:

• Conduct a self-directed security investigation using all 9 skills without a prescribed script
• Choose investigation prompts based on findings rather than instructions
• Demonstrate that engineered prompts produce fundamentally different analysis than general prompts — using the same model and data
• Write an original engineered prompt that applies at least 3 of the 5 prompt engineering principles
•  Self-assess prompt quality using defined criteria
• Articulate the 5 prompt engineering principles and how they apply beyond security operations

Hardware:

• 1x Kali Linux VM (claw-secops-rednode, 192.168.1.2) — jumpbox, OpenClaw host
• 2x Windows 10 VMs (win-endpoint-1/2, 192.168.3.2/3.4) — Sysmon, Wazuh Agent, Elastic Agent
• 1x Windows Server 2019 VM (win-ad-01, 192.168.2.3) — Domain Controller, threathunt.org
• 1x Ubuntu VM (Wazuh XDR, 192.168.3.3) — Wazuh Manager, API on port 55000
• 1x Ubuntu VM (Security Onion so-prod, 192.168.10.5) — Zeek + Suricata NSM

Software:

• OpenClaw AI Agent Platform (gateway + WebUI on port 18789)
• Qwen 3.5 27B LLM via OpenRouter API
• VS Code, Google Chrome with OpenClaw bookmark
• All 4 helper scripts: winrm_query.py, ad_query.py, wazuh_query.py, seconion_query.py
• Python 3.12 venv with pywinrm, requests, paramiko