Sign In

0.5 Your First AI-Assisted Security Task

45 minutes · Module 0 · Free

Your First AI-Assisted Security Task

Introduction

Before moving to Module 1, complete this hands-on exercise. It demonstrates the AI-assisted workflow model from subsection 0.2 with a realistic security task: triaging a phishing email report.

This exercise uses your course workspace from subsection 0.4. If you have not set up the workspace yet, do that first.

The scenario

A user forwards a suspicious email to your security team with the note: “This looks like it might be phishing but I’m not sure.”

The forwarded email:

From: payments@acme-corp.net
To: sarah.jones@yourcompany.com
Subject: Overdue Invoice — Immediate Action Required
Date: Mon, 23 Mar 2026 09:15:00 +0000

Dear Sarah,

Our records indicate that invoice #INV-2026-0847 for $12,400 
remains unpaid. This was due on 15 March 2026.

To avoid service disruption, please process payment immediately 
using the updated bank details below:

Account Name: ACME Corp International
Sort Code: 40-12-55  
Account Number: 72849163
Reference: INV-2026-0847

Alternatively, you can make payment via our secure portal:
https://acme-corp-payments.net/invoice/INV-2026-0847

If you have already made this payment, please disregard this email.

Kind regards,
Michael Chen
Accounts Receivable
ACME Corp
+44 20 7946 0958

Additional context you would have as the analyst:

  • Your company does business with “ACME Corporation” (domain: acmecorporation.com), not “acme-corp.net”
  • Sarah Jones is in the finance department
  • The invoice amount ($12,400) is within a plausible range for your ACME relationship

Step 1: Write the triage prompt

In your course workspace, write a prompt that asks the AI to triage this email. Apply the role/context/task/constraints structure:

Role: You are assisting me with phishing email triage.

Context: A user (finance department) forwarded this email 
as potentially suspicious. We do business with "ACME Corporation" 
(domain: acmecorporation.com). The email came from 
payments@acme-corp.net. The invoice amount ($12,400) is plausible 
for our relationship with this vendor.

[Paste the email text]

Task:
1. Assess the email for phishing indicators
2. Compare the sender domain against our known vendor domain
3. Identify social engineering techniques used
4. Provide a triage classification: Malicious / Suspicious / 
   Legitimate
5. Recommend immediate actions

Constraints: Base your assessment on the information provided. 
Flag any analysis that would require additional verification 
(checking email headers, contacting the vendor, etc).

Step 2: Evaluate the AI output

Run the prompt and evaluate the response against these criteria:

Did the AI identify these key indicators?

  • The sender domain (acme-corp.net) does not match the known vendor domain (acmecorporation.com) — this is the primary phishing indicator
  • The email creates urgency (“Immediate Action Required,” “avoid service disruption”) — a social engineering technique
  • The email requests a payment method change (new bank details) — the hallmark of BEC/invoice fraud
  • The “secure portal” URL (acme-corp-payments.net) is a third domain, different from both the sender domain and the known vendor domain
  • The invoice reference and amount are designed to appear legitimate — the adversary likely researched the relationship

Did the AI classify correctly?

The correct classification is Malicious — this is a payment diversion attempt using a lookalike domain. If the AI classified it as “Suspicious” with a recommendation to investigate further, that is acceptable but less decisive than the evidence warrants.

Did the AI recommend appropriate actions?

  • Do not pay — block the payment if already initiated
  • Contact the real vendor (ACME Corporation) at their known contact details to verify the invoice
  • Check email headers for authentication results (SPF, DKIM, DMARC for acme-corp.net)
  • Check if other users received similar emails
  • Block the sender domain (acme-corp.net) and the portal URL (acme-corp-payments.net)
  • Report to the user that it is phishing and commend them for reporting it

Step 3: Refine and iterate

If the AI missed any of the indicators above, refine your prompt:

  • Add more specific context: “The sender domain acme-corp.net is different from our vendor’s actual domain acmecorporation.com”
  • Add a constraint: “Pay particular attention to domain discrepancies between the sender and our known vendor”
  • Ask a follow-up: “What additional investigation should I conduct before closing this as phishing?”

Note which refinements improved the output — add these observations to your prompt engineering log.

Step 4: Generate the user response

Prompt the AI to draft a response to Sarah Jones:

Draft a reply to the user (Sarah Jones, finance department) who 
reported this phishing email. The email is confirmed phishing 
(payment diversion using a lookalike vendor domain). 

The reply should:
1. Thank her for reporting
2. Confirm it is phishing and briefly explain why
3. Tell her what NOT to do (do not reply, do not click the link, 
   do not process the payment)
4. Tell her what the security team is doing about it
5. Reinforce that reporting suspicious emails is the right action

Evaluate: Is the tone appropriate (professional, not condescending)? Is the explanation clear enough for a non-technical finance professional? Does it reinforce the positive behavior (reporting)?

What you learned

This exercise demonstrated every step of the AI-assisted workflow:

  1. Define — you wrote a structured prompt with role, context, task, and constraints
  2. Generate — the AI produced a triage analysis
  3. Review — you evaluated the output against your domain expertise
  4. Refine — you identified gaps and improved the prompt
  5. Deploy — you generated a user-facing communication from the analysis

Every module in this course follows this same pattern with increasing complexity. Module 2 applies it to full incident investigations. Module 3 applies it to detection engineering. Module 4 applies it to IR documentation. The workflow is constant; the application domain changes.

Check your understanding

1. The AI classified the phishing email as "Suspicious — recommend further investigation" rather than "Malicious." You know from your domain expertise that the lookalike domain + payment change request + urgency language is sufficient to classify as Malicious. What should you do?

Override the AI classification with your expert judgment. The AI was conservative — it flagged indicators but did not commit to a Malicious classification, possibly because it was trained to be cautious. Your domain expertise tells you the combination of indicators is definitive. This is exactly why step 3 (Review) exists: AI provides analysis, you provide judgment. In your prompt log, note that the AI was under-decisive on classification for this type of scenario. In future prompts, add: "Classify definitively based on the evidence — do not default to Suspicious when the indicators support a stronger classification." This teaches you to refine prompts based on observed AI behavior.
Accept the AI classification — it may have information you do not
Escalate to a senior analyst because you and the AI disagree
© 2026 Ridgeline Cyber Defence™ Ltd. Content may not be reproduced or redistributed. Worked artifacts may be adapted for use within your organization.

You're reading the free modules of this course

The full course continues with advanced topics, production detection rules, worked investigation scenarios, and deployable artifacts. Premium subscribers get access to all courses.

View Pricing See Full Syllabus
← 0.4 Setting Up Your Claude Workspace 0.6 Module Summary →