If you are considering the Applied Data Science and AI for Cybersecurity course at Black Hat USA 2026, this is a plain walk through what the two days actually look like. No pitch, just the shape of the class so you can decide whether it fits.
Format: about half labs
The course runs roughly half lecture and half hands-on labs. That ratio is deliberate. You cannot learn to apply machine learning to security data by watching someone else do it. Each concept gets a short explanation, then you open a notebook and run it against real data yourself.
The labs build on each other across the two days, so by the end you have worked a problem from raw data to a working model rather than a scattered set of one-off exercises.
The Centaur VM
Everything runs inside the Centaur VM, our pre-built lab environment. It ships with Python, Jupyter, scikit-learn, pandas, and every dataset and notebook you need already loaded. You boot it and you are ready. There is no first-morning ritual of fighting dependency errors while the instructor waits.
You keep the VM and, more importantly, you keep the Jupyter notebooks you build during class. That matters. The notebooks are the thing you take back to work. They already run against realistic security data, so they are a starting point for your own pipelines, not a souvenir.
The two-day arc
Day one starts with the data. Security data does not behave like the tidy datasets in most tutorials: the events you care about are rare, labels are unreliable, and adversaries try to look normal. We spend real time on loading, cleaning, and exploring security data (logs, network traffic, and similar sources) with pandas before touching any models. Getting the data right is most of the job, and most courses rush it.
From there you move into feature engineering, the part where domain knowledge and data science meet. What signal do you pull out of a DNS log or a proxy record so a model can use it? This is where security experience becomes an advantage rather than a gap.
Day two moves into the modeling itself: classification and anomaly detection applied to security problems, how to evaluate models when your classes are badly imbalanced, and why accuracy is a misleading metric for rare-event detection. You will build models, break them, and learn to read what the results are actually telling you. We close on how to take what worked in a notebook toward something you could run against your own data.
Prerequisites
This is an intermediate course. The honest prerequisite is that you can read Python and are comfortable running scripts. You do not need prior machine learning experience, and you do not need to be a data scientist. If you have never opened a terminal, this is not the right starting point, and that is fine; better to know before you enroll.
What to bring
A laptop that can run a VM comfortably. Sixteen gigabytes of RAM is a good target. Bring a power adapter; the room days are long. Everything else, the tools and data, comes in the Centaur VM.
Two identical sessions
We run the course twice at Black Hat USA 2026, both at Mandalay Bay: August 1-2 and August 3-4. The two sessions are identical, so choose based on your schedule and the rest of your conference plans. Running it twice is purely for flexibility.
Who teaches it
Charles Givre (CISSP, Apache Drill PMC Chair, 20-plus years in the field) and Summer Rankin (PhD, 30-plus peer-reviewed publications). Both are working practitioners. When a lab breaks in an interesting way, they can tell you why, because they have hit the same wall on real projects.
If that is the kind of two days you want, look at the details and dates on the Applied Data Science at Black Hat USA 2026 page, or see all of GTK Cyber’s Black Hat courses on the events page.