Claude.ai — The Chat Interface
Plan tiers and their security implications
Claude.ai offers five plan tiers. The features available on each tier directly affect what you can accomplish for security work.
The Free tier provides Sonnet 4.6 access (with usage limits), Haiku 4.5, limited web search, file uploads, Artifacts, and Visualizations. The Free tier is sufficient to evaluate Claude and complete the exercises in this course. However, it does not include Projects, Extended Thinking, Memory, Opus, or Cowork — the features that transform Claude from a chat tool into a professional work platform. On the Free tier, Anthropic may use your input for model training and staff may access your conversations for safety review. Do not paste sign-in logs, investigation evidence, credentials, or any other sensitive security data into a Free-tier conversation.
Pro ($20/month) unlocks everything a solo security professional needs: full Sonnet and Opus access with higher usage limits, Projects for persistent context, Extended Thinking for complex reasoning, Memory for cross-session preferences, Claude Code access, and Cowork preview. Pro is the minimum tier for production security work. Data handling: input is retained but you can opt out of training use. Staff may access conversations for safety review.
Max ($100-$200/month) provides five to twenty times the usage limits of Pro, plus priority access during peak times and Agent Teams in Claude Code. Max is relevant only if you hit Pro’s rate limits during sustained heavy usage or if you run Opus 4.6 as your primary work model.
Team ($30/user/month) adds admin controls, shared Projects across team members, and SOC 2 Type II compliance. Data is not used for training by default. If your security team is using Claude collaboratively — sharing investigation projects, detection rule libraries, or incident documentation — the Team plan provides the data governance guarantees your organization needs.
Enterprise offers zero data retention, SSO integration, dedicated support, private plugin marketplaces, and custom deployment options. Required for organizations with strict data sovereignty or regulatory requirements.
Projects — persistent context across conversations
Projects are the single most important feature for professional security work. A Project is a container that holds a custom system prompt (instructions that apply to every conversation in the project), uploaded reference documents (available across all conversations), and conversation history.
Without a Project, every conversation starts from zero — you must re-explain your environment, your conventions, and your requirements each time. With a Project, Claude already knows your Sentinel workspace details, your KQL style conventions, your IR report format, and your organizational context. Every conversation inherits this context automatically.
Creating a security operations project. Click the Projects icon in the left sidebar, create a new project, and configure two things: the Project Instructions (system prompt) and the Project Knowledge (uploaded documents).
Worked artifact — Security Operations project configuration:
Project Instructions (system prompt):
You are assisting a senior SOC analyst working in a Microsoft 365 E5 environment with Defender XDR and Microsoft Sentinel.
Environment context:
- Sentinel workspace uses standard Microsoft table names
- The CorporateExternalIPs watchlist contains all corporate egress IPs
- The DepartingEmployees watchlist is maintained by HR (columns: SearchKey/UPN, DepartureDate, Department)
- KQL code blocks must include inline comments explaining each operator
- Detection rules must include MITRE ATT&CK technique mapping
- IR reports follow the Ridgeline IR report template structure
- All output must be production-ready and deployable
- US English for all text output
- No preamble or unnecessary caveats — deliver the output directly
Project Knowledge (uploaded documents):
- Detection rule template (your standard format)
- IR report template (your organizational format)
- KQL style guide (naming conventions, comment standards)
- Sentinel table reference (the tables available in your workspace)
Copy this configuration into a new Claude Project. Modify the environment context to match your organization. Upload your actual templates and reference documents. Every conversation in this project now produces output calibrated to your environment. Project Knowledge is covered by the data-handling terms of your plan tier, so upload templates and reference material, not live log exports, credentials, or case evidence.
Artifacts — structured output you deploy
When Claude generates code, documents, or structured content, it can present the output as an Artifact — a standalone panel that appears alongside the conversation. Artifacts are downloadable (copy the content or save as a file), editable (modify the content directly in the panel), and iterative (ask Claude to revise the artifact in subsequent messages).
For security work, Artifacts are how you get usable output. Ask Claude to write a KQL detection rule — it appears as a code Artifact you can paste into Sentinel’s Logs blade, run against live data to check the result set, and then save as an analytics rule. Ask Claude to draft an IR report section — it appears as a document Artifact you can download as markdown or paste into your report. Ask Claude to create a decision flowchart — it appears as a rendered SVG you can embed in documentation.
Artifacts support multiple formats: code (any language, with syntax highlighting), markdown documents, HTML pages, React components (for interactive tools and dashboards), SVG graphics, and Mermaid diagrams. The React component capability is particularly powerful — Claude can build interactive security tools (alert triage workflows, risk scoring calculators, timeline visualizers) that run directly in the Artifact panel.
Extended Thinking — deeper reasoning
Extended Thinking is a mode where Claude performs multi-step internal reasoning before generating a response. Instead of producing the first plausible answer, Claude works through the problem — considering alternatives, checking its own logic, and refining its approach.
For security work, Extended Thinking is the difference between a generic response and a thorough analysis. Enable it when the task requires complex reasoning: reconstructing an attack timeline from multiple log sources, analyzing whether a set of sign-in events constitutes a genuine compromise or a false positive, generating a detection rule that must account for multiple conditions and edge cases, or writing a comprehensive risk assessment.
The Adaptive Thinking mode (enabled by default on newer models) lets Claude decide automatically when deeper reasoning is needed. Simple factual questions get fast responses. Complex analytical questions trigger extended reasoning. You can also force Extended Thinking on for specific prompts when you know the task needs it.
Memory — cross-session persistence
Memory allows Claude to retain context from past conversations and apply it in future sessions. Claude derives preferences, project context, and working patterns from your conversations and remembers them across sessions.
For security professionals, Memory means Claude remembers your environment details (your Sentinel workspace, your naming conventions, your reporting format), your working preferences (how you like output structured, what level of detail you need), and your ongoing projects (the investigation you started yesterday, the policy you are drafting this week).
Memory updates happen in the background — not in real time. Recent conversations may not be reflected immediately. If you delete conversations, the derived information is eventually removed. Memory works within Projects (project-specific context) and across standalone conversations (general preferences).
Skills — reusable workflows
Skills are persistent instructions that shape how Claude behaves on specific tasks. Unlike a system prompt (which applies to all conversations in a project), Skills are activated when relevant — Claude automatically applies the right Skill based on what you are asking it to do.
You can create custom Skills directly in Claude.ai. A Skill for detection rule documentation might include your standard rule format, required fields (MITRE mapping, severity, threshold, entity mapping), and formatting conventions. When you ask Claude to document a detection rule, it automatically applies this Skill — producing output in your format without you specifying it each time.
The Skills ecosystem includes built-in Skills (for common file types like DOCX, PPTX, XLSX, PDF), community Skills (over 7,000 available on skillhub.club with quality scores), and custom Skills you create for your specific workflows. Treat community Skills like any third-party dependency: read the instructions a Skill contains before enabling it, because they shape Claude's output on every matching task. For Team and Enterprise plans, administrators can distribute approved Skills across the organization — ensuring consistent output quality without each analyst building Skills from scratch.
Connectors — integrating your tools
Connectors use the Model Context Protocol (MCP) to give Claude direct access to external tools and data sources. In Claude.ai, you manage Connectors through the Customize menu.
Built-in Connectors include Gmail (search and read emails), Google Drive (access documents and spreadsheets), Google Calendar (view and manage events), Slack (search messages and channels), GitHub (read repositories, manage issues, create PRs), and many more. Each Connector has individual tool permissions: Allow (runs automatically), Ask (confirms before running), or Block (never runs). You might allow Claude to search your emails but block it from sending them — controlling exactly what Claude can access and do. Leave Allow for read-only tools and set anything that writes or sends (send email, create PR, post to Slack) to Ask or Block.
For security professionals, Connectors mean you can ask Claude to pull a phishing report email for analysis, access an IR template from your shared drive, check your calendar for the next incident bridge, or review open GitHub issues on your detection rule repository — all within the conversation, without switching applications.
Web Search and Visualizations
Web Search gives Claude live internet access to find current information beyond its training cutoff. For security work, web search is essential for looking up recent CVEs, checking current Microsoft documentation, finding the latest threat intelligence on active campaigns, and verifying product feature changes. Web search is available on all plans (limited on Free, full on paid plans).
Visualizations are inline charts, diagrams, and interactive widgets that Claude renders directly in the conversation. Claude can create flowcharts, architecture diagrams, data charts, timelines, and interactive explainers without you asking for an Artifact. For security work, visualizations are useful for illustrating attack chains, diagramming network architectures, charting alert volume trends, and creating visual timelines of investigation events.
Try it: Create your first Security Operations project
Open Claude.ai. Create a new Project called "Security Operations." Copy the system prompt from the worked artifact above and paste it into the Project Instructions. Modify it for your environment (your actual table names, watchlist names, and conventions). Upload at least one reference document — even if it is just a simple text file listing your Sentinel table names. Then start a conversation in the project and ask Claude to write a KQL query that identifies failed sign-in attempts from non-corporate IPs in the last 24 hours. Compare the output to what you would have gotten without the project context — the difference in specificity and relevance is the value of Projects.
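What a query shaped by that project context looks like, as an added example: this is not output from Claude and not code from the original course. It assumes the CorporateExternalIPs watchlist stores each egress IP in its SearchKey column (the standard watchlist key), and it replaces the live SigninLogs table with a small constructed datatable so the query runs in any Log Analytics window; the comments mark the two lines to swap for production.

```kql
// Added example (not from the course): failed sign-ins from non-corporate IPs, last 24 hours.
// SampleSigninLogs is constructed data standing in for the SigninLogs table.
let SampleSigninLogs = datatable(
    TimeGenerated:datetime, UserPrincipalName:string, IPAddress:string,
    ResultType:string, ResultDescription:string, AppDisplayName:string)
[
    datetime(2025-01-15 08:01:00), "alice@contoso.com", "203.0.113.10", "0",     "",                               "Office 365 Exchange Online",
    datetime(2025-01-15 08:05:00), "alice@contoso.com", "198.51.100.7", "50126", "Invalid username or password",   "Office 365 Exchange Online",
    datetime(2025-01-15 08:06:00), "alice@contoso.com", "198.51.100.7", "50126", "Invalid username or password",   "Office 365 Exchange Online",
    datetime(2025-01-15 08:07:00), "alice@contoso.com", "198.51.100.7", "50053", "Account locked",                 "Office 365 Exchange Online",
    datetime(2025-01-15 09:30:00), "bob@contoso.com",   "203.0.113.11", "50126", "Invalid username or password",   "Azure Portal",
    datetime(2025-01-15 10:15:00), "carol@contoso.com", "192.0.2.44",   "50074", "Strong authentication required", "Microsoft Teams",
    datetime(2025-01-13 10:15:00), "carol@contoso.com", "192.0.2.44",   "50126", "Invalid username or password",   "Microsoft Teams"
];
// Corporate egress IPs (constructed). In production replace this line with:
//   let CorporateEgress = _GetWatchlist('CorporateExternalIPs') | project SearchKey;
let CorporateEgress = datatable(SearchKey:string) ["203.0.113.10", "203.0.113.11"];
// Pinned so the constructed rows fall inside the window; use now() in production.
let ReferenceTime = datetime(2025-01-15 12:00:00);
SampleSigninLogs
| where TimeGenerated between ((ReferenceTime - 24h) .. ReferenceTime) // 24-hour lookback
| where ResultType != "0"                  // "0" is success; every other ResultType is a failure
| where IPAddress !in (CorporateEgress)    // drop attempts that came through corporate egress
| summarize
    FailureCount = count(),
    FirstFailure = min(TimeGenerated),
    LastFailure  = max(TimeGenerated),
    ErrorCodes   = make_set(ResultType),   // 50126 = bad password, 50053 = lockout, 50074 = MFA required
    Apps         = make_set(AppDisplayName)
    by UserPrincipalName, IPAddress        // one row per account and source IP
| extend FailureWindow = LastFailure - FirstFailure
| order by FailureCount desc
```

On the constructed rows this returns two rows: alice@contoso.com from 198.51.100.7 with three failures (50126 twice, then 50053), and carol@contoso.com from 192.0.2.44 with one. Bob's failure is dropped because 203.0.113.11 is corporate egress, and carol's older row is outside the window. The watchlist name, the success code, and the ErrorCodes annotation are exactly the environment details the Project Instructions supply; without them Claude has to guess at the table and watchlist names.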
Try it: Enable Extended Thinking on a complex question
In your Security Operations project, enable Extended Thinking (the lightbulb/brain icon in the input area, or toggle in the model selector). Then ask: "A user account shows successful sign-ins from both London and Singapore within a 30-minute window. Both sessions used MFA successfully. Walk me through how to determine whether this is a true compromise or a legitimate scenario, including the specific log fields and tables I should check." Compare the depth and structure of the response with Extended Thinking enabled versus a standard response. Extended Thinking produces a more systematic, multi-step analysis.
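The sign-in triage the exercise above asks Claude to walk through, written out as an added KQL example rather than as anything Claude or the course produced. It assumes the standard SigninLogs column names (LocationDetails, MfaDetail, DeviceDetail, AuthenticationRequirement) and a CorporateExternalIPs watchlist keyed on SearchKey. The rows are constructed to reproduce the London/Singapore case alongside a VPN false positive and a benign pair, and the speed threshold is a chosen value, not a Microsoft default.

```kql
// Added example (not from the course): impossible-travel triage over successful sign-ins.
// SampleSigninLogs is constructed data using the real SigninLogs column names.
let SampleSigninLogs = datatable(
    TimeGenerated:datetime, UserPrincipalName:string, IPAddress:string, ResultType:string,
    AppDisplayName:string, AuthenticationRequirement:string, UserAgent:string,
    LocationDetails:dynamic, MfaDetail:dynamic, DeviceDetail:dynamic)
[
    // alice: fresh MFA from a joined laptop in London, then a reused MFA claim from an unknown device in Singapore
    datetime(2025-01-15 09:00:00), "alice@contoso.com", "192.0.2.44", "0", "Office 365 Exchange Online",
        "multiFactorAuthentication", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Edge/120",
        dynamic({"city":"London","countryOrRegion":"GB","geoCoordinates":{"latitude":51.5074,"longitude":-0.1278}}),
        dynamic({"authMethod":"Microsoft Authenticator app notification"}),
        dynamic({"deviceId":"8f1c-laptop","trustType":"Azure AD joined"}),
    datetime(2025-01-15 09:20:00), "alice@contoso.com", "198.51.100.7", "0", "Office 365 Exchange Online",
        "multiFactorAuthentication", "Outlook-iOS/2.0",
        dynamic({"city":"Singapore","countryOrRegion":"SG","geoCoordinates":{"latitude":1.3521,"longitude":103.8198}}),
        dynamic({"authMethod":"Previously satisfied"}),
        dynamic({"deviceId":"","trustType":""}),
    // bob: London from home, then Frankfurt ten minutes later through a corporate VPN egress IP
    datetime(2025-01-15 10:00:00), "bob@contoso.com", "192.0.2.80", "0", "Microsoft Teams",
        "multiFactorAuthentication", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Edge/120",
        dynamic({"city":"London","countryOrRegion":"GB","geoCoordinates":{"latitude":51.5074,"longitude":-0.1278}}),
        dynamic({"authMethod":"Microsoft Authenticator app notification"}),
        dynamic({"deviceId":"2b7d-laptop","trustType":"Azure AD joined"}),
    datetime(2025-01-15 10:10:00), "bob@contoso.com", "203.0.113.11", "0", "Microsoft Teams",
        "multiFactorAuthentication", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Edge/120",
        dynamic({"city":"Frankfurt","countryOrRegion":"DE","geoCoordinates":{"latitude":50.1109,"longitude":8.6821}}),
        dynamic({"authMethod":"Previously satisfied"}),
        dynamic({"deviceId":"2b7d-laptop","trustType":"Azure AD joined"}),
    // carol: two London sign-ins half an hour apart, nothing to flag
    datetime(2025-01-15 11:00:00), "carol@contoso.com", "192.0.2.9", "0", "Azure Portal",
        "multiFactorAuthentication", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Edge/120",
        dynamic({"city":"London","countryOrRegion":"GB","geoCoordinates":{"latitude":51.5074,"longitude":-0.1278}}),
        dynamic({"authMethod":"Microsoft Authenticator app notification"}),
        dynamic({"deviceId":"c3e9-laptop","trustType":"Azure AD joined"}),
    datetime(2025-01-15 11:30:00), "carol@contoso.com", "192.0.2.9", "0", "Azure Portal",
        "multiFactorAuthentication", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Edge/120",
        dynamic({"city":"London","countryOrRegion":"GB","geoCoordinates":{"latitude":51.5074,"longitude":-0.1278}}),
        dynamic({"authMethod":"Previously satisfied"}),
        dynamic({"deviceId":"c3e9-laptop","trustType":"Azure AD joined"})
];
// Constructed egress list. In production:
//   let CorporateEgress = toscalar(_GetWatchlist('CorporateExternalIPs') | summarize make_list(SearchKey));
let CorporateEgress = dynamic(["203.0.113.10", "203.0.113.11"]);
let MaxPlausibleSpeedKmh = 1000.0;  // chosen threshold, roughly airliner speed; faster than this is not travel
SampleSigninLogs
| where ResultType == "0"           // successful sign-ins only; failures are a separate question
| extend Lat       = toreal(LocationDetails.geoCoordinates.latitude),
         Lon       = toreal(LocationDetails.geoCoordinates.longitude),
         City      = tostring(LocationDetails.city),
         MfaMethod = tostring(MfaDetail.authMethod),
         DeviceId  = tostring(DeviceDetail.deviceId)
| sort by UserPrincipalName asc, TimeGenerated asc   // serializes rows so prev() sees the prior sign-in
| extend PrevUser = prev(UserPrincipalName), PrevTime = prev(TimeGenerated),
         PrevLat  = prev(Lat), PrevLon = prev(Lon), PrevCity = prev(City),
         PrevIP   = prev(IPAddress), PrevMfa = prev(MfaMethod), PrevDevice = prev(DeviceId)
| where PrevUser == UserPrincipalName                 // compare a user only with their own previous sign-in
| extend DistanceKm = geo_distance_2points(PrevLon, PrevLat, Lon, Lat) / 1000.0,
         Minutes    = datetime_diff('minute', TimeGenerated, PrevTime)
| extend SpeedKmh = iff(Minutes > 0, DistanceKm / (Minutes / 60.0), real(+inf))
| where SpeedKmh > MaxPlausibleSpeedKmh
| extend Assessment = case(
    set_has_element(CorporateEgress, IPAddress) or set_has_element(CorporateEgress, PrevIP),
        "Corporate egress on one side: geo-IP is the VPN exit, confirm with the watchlist owner",
    MfaMethod == "Previously satisfied" and DeviceId == "",
        "MFA satisfied by a prior claim on an unregistered device: possible token theft, revoke sessions",
    "Fresh MFA on both sides from unrelated IPs: contact the user before acting")
| project UserPrincipalName, PrevTime, PrevCity, PrevIP, PrevMfa, PrevDevice,
          TimeGenerated, City, IPAddress, MfaMethod, DeviceId, UserAgent, AppDisplayName,
          Minutes, DistanceKm = round(DistanceKm), SpeedKmh = round(SpeedKmh), Assessment
```

Two rows come back. Alice's Singapore sign-in is about 10,900 km from London in 20 minutes, the MFA claim was carried over rather than freshly challenged, and the device is unregistered, so it lands in the token-theft branch. Bob's Frankfurt sign-in is roughly 640 km in 10 minutes but arrives from a corporate egress IP, so it is classified as a VPN exit to confirm rather than a compromise. Carol never appears because two London sign-ins imply zero speed. The fields the assessment relies on (MfaDetail.authMethod, DeviceDetail.deviceId, the egress watchlist, UserAgent, AppDisplayName) are the ones to ask Claude to reason over in the exercise; "MFA succeeded" alone does not distinguish a fresh challenge from a replayed session.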
Knowledge checks
Check your understanding
1. What is the primary advantage of using a Claude Project for security work instead of standalone conversations?
2. Your organization is evaluating Claude for the SOC team. The CISO is concerned about data handling — sign-in logs, investigation evidence, and incident details must not be used for model training. Which plan tier addresses this concern?
3. You want Claude to automatically apply your detection rule documentation format — including MITRE ATT&CK mapping, severity, threshold, entity mapping, and your team's naming convention — whenever you ask it to document a rule, without specifying the format each time. Which Claude feature achieves this?
Key takeaways
Projects are the foundation of professional Claude use. Create a Security Operations project with your environment details, conventions, and reference documents. Every conversation in the project inherits this context — no re-explanation needed.
Artifacts produce output you can deploy. KQL rules, report sections, PowerShell scripts, and documents appear as structured panels you can copy, download, edit, and iterate on.
Extended Thinking improves complex analysis. Enable it for attack timeline reconstruction, multi-condition detection rules, and any task requiring multi-step reasoning.
Skills create consistent output. Teach Claude your formats and workflows once. It applies them automatically to matching tasks.
Connectors integrate your tools. Gmail, Google Drive, Slack, GitHub, and dozens more — accessible within the conversation without switching applications.
Plan tiers determine your capability ceiling. Free for evaluation. Pro minimum for professional work. Team or Enterprise for organizational deployment with data governance.