Keynote: SIFT: Find Evil! Defensive AI Orchestration
Keynote: SIFT: Find Evil! Meeting AI Threat Speed with Defensive AI Orchestration
Rob T. Lee, Fellow; Chief AI Officer and Chief of Research at SANS Institute
Presented at SANS AI Cybersecurity Summit 2026
AI attack workflows run 47 times faster than human operators. Your adversary already has agentic AI. The question is whether defenders do too.
Rob T. Lee wired Claude Code into the SIFT Workstation via Model Context Protocol. Two words typed. Fourteen minutes later: a complete C drive forensic analysis, timeline generation, memory analysis, malware sweeps, all via natural language. That work normally takes defenders three days.
This session covers what 40+ hours of testing actually produced:
• How Claude Code integrates with SIFT via MCP for timeline generation, memory analysis, and malware sweeps
• What "Find Evil!" produces end to end, and where it still needs a human analyst
• Why matching AI speed with AI speed is no longer optional
The velocity gap between AI offense and human defense is already operational, and closing it requires defenders to build with the same architecture that the adversary has already demonstrated works: an orchestration layer, tool integration, and autonomous execution.
Explore upcoming SANS Summits to continue learning from leading voices in cybersecurity: https://go.sans.org/summits