0.4 Setting Up Your Claude Workspace
Setting Up Your Claude Workspace
Introduction
This is a Claude course. Not a generic “AI for security” course. Every module, every prompt template, every workflow is built for the Claude platform — its five surfaces, its specific capabilities, and its particular strengths and limitations. If you completed Claude Essentials for Security Professionals, you already understand the five surfaces and the foundation workflows. This module configures them for production-depth work.
What you need
1. A Claude account — Pro at minimum. Team recommended.
This course requires features not available on the Free tier: Projects (persistent context), Extended Thinking (deep reasoning), Opus (maximum capability), and Claude Code (terminal agent). Pro ($20/month) provides all of these for individual use. Team ($30/user/month) adds admin controls, shared Projects, and no-training-by-default — the minimum for organizational deployment.
2. Claude Code — installed and authenticated.
Claude Code is the terminal-native agentic tool you will use for security scripting, detection rule management, vulnerability scanning, and scheduled automation throughout this course. Install it from code.claude.com/docs. Claude Code is included with Pro, Max, Team, and Enterprise plans.
Verify your installation:
claude --version
Navigate to a test directory and start a session:
cd ~/security-workspace
claude
If Claude Code launches and greets you, the installation is working. If you encounter issues, the Claude Code documentation covers platform-specific troubleshooting for macOS, Linux, and Windows (via WSL2).
3. Claude Desktop app with Cowork — installed.
Cowork is the desktop agent for delegated tasks — evidence processing, report compilation, and document generation. Download the Claude Desktop app from claude.com/download. Cowork is available as a tab in the desktop app on Pro, Max, Team, and Enterprise plans.
After installation, configure folder access: share the folder(s) you will use for course exercises. Cowork can only access folders you explicitly share.
4. MCP Connectors — configured for your tools.
In Claude.ai, go to Settings → Connectors and enable the connectors relevant to your security work. At minimum for this course:
- Gmail — for phishing email analysis and investigation workflows (Modules 2, 4)
- Google Drive — for document access during investigations (Modules 2, 4)
- GitHub — for detection rule repository management (Modules 3, 5)
Additional connectors (Slack, Google Calendar, Notion) enhance investigation workflows but are not required to complete the exercises.
Configure permissions for each connector: Allow search and read access. Block send, delete, and modify actions. You want Claude to retrieve information during investigations — not take actions in your external systems.
5. A security environment for hands-on exercises (recommended, not required).
The investigation, detection engineering, and automation modules are more effective with access to real log data. Any of the following works: a SIEM with log data (Sentinel, Splunk, Elastic), an EDR console with endpoint data, or a cloud security platform (Defender for Cloud, Prisma Cloud, AWS Security Hub). If you do not have access to a security environment, the exercises provide sample data that allows you to complete every task.
Create your course workspace — Claude.ai Project
Create a new Project in Claude.ai dedicated to this course:
Project name: “Security Professional — Course Workspace”
Project Instructions (system prompt):
Environment context:
- Primary SIEM: Microsoft Sentinel (adapt if using another platform)
- Primary EDR: Microsoft Defender for Endpoint
- Identity: Microsoft Entra ID
- KQL code blocks must include inline comments
- Detection rules must include MITRE ATT&CK technique mapping
- IR reports follow the organizational template (uploaded)
- All output must be production-ready and verifiable
- US English for all output
Behavioral requirements:
- Deliver output directly — no preamble or unnecessary caveats
- Flag when output needs expert review or verification
- Flag when assumptions were made about the environment
- Reference MITRE ATT&CK techniques where relevant
- Include verification steps with every query, script, and rule
Upload the following reference documents to the Project as you progress through the course:
After Module 2: your investigation prompt library. After Module 3: your detection engineering templates and rule documentation Skill. After Module 4: your IR report templates. After Module 5: your CLAUDE.md automation configuration. After Module 7: your AI governance framework. Each upload adds context that makes subsequent modules more effective — Claude references your earlier work when generating new assets.
Create your security automation repository — Claude Code
Create a dedicated repository for security automation scripts and detection rules:
mkdir -p ~/security-scripts
cd ~/security-scripts
git init
Create the CLAUDE.md configuration file that defines your coding standards (detailed in Module 5). For now, create a minimal version:
Standards
- PowerShell: strict mode, approved verbs, comment-based help
- Python: type hints, docstrings, black formatting
- All scripts: error handling, logging, dry-run mode
- No hardcoded credentials
- Minimum RBAC permissions documented in script header
Authentication
- M365/Graph: certificate-based auth
- Never interactive login in production scripts
Configure Cowork for security tasks
Open the Claude Desktop app and navigate to the Cowork tab. Configure folder access:
- Share your security working directory (e.g.,
~/security-ops/) - Create subfolders:
evidence/,reports/,exports/,processed/ - Cowork will use these for evidence processing and report generation exercises
Verify your setup
Test each surface with a simple task:
Claude.ai Project: Open your course workspace Project. Ask: “I need to investigate a suspicious sign-in. The user j.morrison@northgateeng.com signed in from IP 198.51.100.44 (Netherlands hosting provider). The user normally signs in from UK residential IPs. What are my investigation steps? Include KQL queries for Sentinel.” Evaluate: does it provide structured steps, KQL queries, flag the hosting provider IP, mention MFA status, and include verification caveats?
Claude Code: Navigate to your security-scripts repository and start Claude Code. Ask: “Create a simple PowerShell script in scripts/test/Get-EntraAdmins.ps1 that lists all Global Administrator role members with their last sign-in date using Microsoft Graph.” Evaluate: does Claude Code create the file at the correct path? Does it follow the CLAUDE.md standards? Does it include error handling and inline comments?
Cowork: Create a test folder with a few sample files (CSV, text, image). Ask Cowork to organize them into subfolders by type and generate an inventory. Evaluate: does Cowork categorize correctly? Does the inventory list all files?
Connectors: In Claude.ai, ask: “Search my email for any messages from security@northgateeng.com in the last 7 days.” Evaluate: does the Gmail connector execute the search? If it asks for permission, approve the read/search access.
If all four surfaces respond correctly, your workspace is configured for the course.
Try it yourself
Complete the full setup now: (1) Create the Claude.ai course Project with the system prompt above. (2) Install Claude Code and create the security-scripts repository with CLAUDE.md. (3) Configure Cowork folder access. (4) Enable and configure at least the Gmail and Google Drive connectors. (5) Run the verification tests for each surface. Document any issues you encounter — troubleshooting your setup now prevents disruption during later modules.
Check your understanding
1. This course requires four Claude surfaces. What are they and what does each handle?
You're reading the free modules of this course
The full course continues with advanced topics, production detection rules, worked investigation scenarios, and deployable artifacts. Premium subscribers get access to all courses.