Identity Security - AI Powered IAM and ITDR
Course 12143 DAY COURSE
Course Outline
This course is an "Identity Bootcamp", providing a progression from foundational identity best practices to advanced AI-driven implementation. It bridges the gap between proactive Identity and Access Management (IAM) and reactive Identity Threat Detection and Response (ITDR), using AI as the intelligence layer for real-time detection, behavioral analytics (UEBA), and automated response. The included LABs are built on a stack that supports Identity Orchestration, Behavioral Analytics, and Machine Identity Management.
The content is organized into 4 areas: The Human Element & Risk Orchestration, The Machine & Agentic Explosion, Identity Threat Detection & Response, and Privacy, Governance, and the Future. Zero Trust is the foundational philosophy of this course, woven into the curriculum by shifting focus from traditional perimeter security to "Identity-First" security.
Identity Security - AI Powered IAM and ITDR Benefits
-
Course Benefits
- Modernize authentication with FIDO2, WebAuthn, and passkeys, replacing vulnerable shared-secret methods.
- Build AI-driven risk engines using behavioral biometrics for continuous identity verification.
- Secure machine identities with SPIFFE and HashiCorp Vault using just-in-time credentials.
- Govern agentic AI through security guardrails that control permissions and prevent data leakage.
- Map identity attack paths and shadow administrators using graph analytics and BloodHound.
- Automate threat response with Sigma rules and Wazuh-driven active defense playbooks.
- Implement next-generation privacy using Zero-Knowledge Proofs (ZKP) and Decentralized Identifiers (DID).
Prerequisites
Attendees should have intermediate knowledge in networking and cybersecurity and knowledge of AI at the level of AI and Cyber Security: Attack and Defend.
AI Identity Security Training Outline
Learning Objectives
Module 1: Architecture of Modern Authentication
- Understand the shift from shared secrets to cryptographic identity verification.
- Analyze the limitations of SMS and TOTP-based MFA against modern attacks.
- Implement strong authentication using FIDO2 and WebAuthn.
- Deploy passkeys and passwordless authentication workflows.
- Secure account recovery with AI-assisted identity verification.
- Configure trusted certificate authorities and identity trust chains.
- LAB: Establish ADFS trust relationships using Microsoft PKI.
- LAB: Implement passwordless X.509 certificate-based authentication.
Module 2: Real-Time Risk Engines
- Building the AI "Brain" that decides when to trust a login signal
- Behavioral Biometrics: Capturing keystroke dynamics, mouse velocity and touch pressure
- Contextual Telemetry: Analyzing "Geo-velocity" and IP reputation signals
- ML Anomaly Detection: Training Scikit-learn models on "Normal" user login patterns
- LAB: Adaptive Risk Orchestration
- LAB: "Geo-Velocity" Risk Trigger
- LAB: Adding, executing and reviewing tests with Playwright
Module 3: Securing the Machine Workforce (NHI)
- Managing identities for the 95% of accounts that aren't human
- Workload Identity Federation: Understanding the SPIFFE standard for platform-agnostic identity
- Dynamic Secret Injection: Using HashiCorp Vault for "Just-in-Time" database credentials
- Attestation Mechanics: How containers prove integrity before receiving OAuth tokens
- Mutual TLS (mTLS): Securing the connection between Keycloak and autonomous AI agents
- API Security: Ensuring that autonomous agents have the correct OAuth "scopes" and "claims" before they can access backend data
- Auto-Enrollment AI Audit: Using AI to monitor AD CS logs for certificate anomalies
- LAB: Securing n8n workflows with mTLS
- LAB: mTLS with SPIRE Workload Attestation
Module 4: Identity Governance for Agentic AI
- Designing security guardrails for autonomous AI agents
- The "On-Behalf-Of" Problem: Manage how an AI agent proves it has explicit user consent to perform a task with OAuth
- Blast Radius Management: Restricting agent access based on intent with OAuth scopes
- Identity-Aware LLM Chains: OAuth tokens carry the identity context for AI prompts to prevent data leakage
- LAB: AI Agent Secret Retrieval
- LAB: AI Agent "Human-in-the-Loop" Approval
Module 5: Visualizing the Identity Attack Surface
- Using Graph Theory AI to see what the attacker sees
- Identity Graph Fundamentals: Mapping nodes (users) and edges (permissions)
- Shadow Admins: Detecting users with excessive permissions outside standard groups
- Tiered Administration: Implementing the "Red Forest" or Enterprise Access Model
- ESC (Escalation) Vulnerabilities: Using BloodHound to find Certificate Template misconfigurations
- Monitoring CA Logs: Sending AD CS "Certificate Issued" events to Wazuh
- LAB: The "BloodHound" Attack Path Hunt
- LAB: Detecting Certificate Forgery
Module 6: Active Defense & Autonomous Response
- Detecting and killing sessions in the middle of an attack
- Embody Zero Trust continuous monitoring and automated remediation
- Token Theft & Session Hijacking: Real-time detection of "Cookie Replay" attacks with OAuth bearer tokens
- Sigma for Identity: Writing rules for Kerberoasting, DCSync and Brute Force
- Automated Remediation Playbooks: Configuring Wazuh to trigger a "Global Logout" via OAuth APIs when an attack is detected
- LAB: Detecting "Golden Ticket" Anomalies
Module 7: Active Defense & Autonomous Response
- Using AI to automate the tedious parts of compliance
- Entitlement Outlier Detection: Using Peer Group Analysis to find excessive permissions
- Continuous Access Certification: Moving from quarterly reviews to real-time reviews
- Joiner-Mover-Leaver (JML) Pipeline: Automating role changes during department switches and termination
- CRL and OCSP: Using Keycloak to check if a Windows certificate has been revoked
- LAB: Entitlement Auditing with "Baton"
- LAB: The Offboarding Workflow
Module 8: The Future of Privacy: ZKP & DID
- Decoupling "Who you are" from "What you are allowed to do"
- Decentralized Identifiers (DID): Giving users ownership of their own identity "Wallet"
- Zero-Knowledge Proofs (ZKP): Mathematically proving a claim without revealing raw data
- Verifiable Credentials: Issuing digitally signed "badges" for offline verification
- LAB: Building a Zero Knowledge Proof Circuit
- choosing a selection results in a full page refresh