# Applied Data Science at Black Hat USA 2026: What to Expect

By Charles Givre · 2026-07-07

> A walk through GTK Cyber's 2-day Applied Data Science course at Black Hat USA 2026: format, the Centaur VM, day-by-day arc, and what to bring.

If you are considering the Applied Data Science and AI for Cybersecurity course at Black Hat USA 2026, this is a plain walk through what the two days actually look like. No pitch, just the shape of the class so you can decide whether it fits.

## Format: about half labs

The course runs roughly half lecture and half hands-on labs. That ratio is deliberate. You cannot learn to apply machine learning to security data by watching someone else do it. Each concept gets a short explanation, then you open a notebook and run it against real data yourself.

The labs build on each other across the two days, so by the end you have worked a problem from raw data to a working model rather than a scattered set of one-off exercises.

## The Centaur VM

Everything runs inside the Centaur VM, our pre-built lab environment. It ships with Python, Jupyter, scikit-learn, pandas, and every dataset and notebook you need already loaded. You boot it and you are ready. There is no first-morning ritual of fighting dependency errors while the instructor waits.

You keep the VM and, more importantly, you keep the Jupyter notebooks you build during class. That matters. The notebooks are the thing you take back to work. They already run against realistic security data, so they are a starting point for your own pipelines, not a souvenir.

## The two-day arc

Day one starts with the data. Security data does not behave like the tidy datasets in most tutorials: the events you care about are rare, labels are unreliable, and adversaries try to look normal. We spend real time on loading, cleaning, and exploring security data (logs, network traffic, and similar sources) with pandas before touching any models. Getting the data right is most of the job, and most courses rush it.

From there you move into feature engineering, the part where domain knowledge and data science meet. What signal do you pull out of a DNS log or a proxy record so a model can use it? This is where security experience becomes an advantage rather than a gap.

Day two moves into the modeling itself: classification and anomaly detection applied to security problems, how to evaluate models when your classes are badly imbalanced, and why accuracy is a misleading metric for rare-event detection. You will build models, break them, and learn to read what the results are actually telling you. We close on how to take what worked in a notebook toward something you could run against your own data.

## Prerequisites

This is an intermediate course. The honest prerequisite is that you can read Python and are comfortable running scripts. You do not need prior machine learning experience, and you do not need to be a data scientist. If you have never opened a terminal, this is not the right starting point, and that is fine; better to know before you enroll.

## What to bring

A laptop that can run a VM comfortably. Sixteen gigabytes of RAM is a good target. Bring a power adapter; the room days are long. Everything else, the tools and data, comes in the Centaur VM.

## Two identical sessions

We run the course twice at Black Hat USA 2026, both at Mandalay Bay: August 1-2 and August 3-4. The two sessions are identical, so choose based on your schedule and the rest of your conference plans. Running it twice is purely for flexibility.

## Who teaches it

Charles Givre (CISSP, Apache Drill PMC Chair, 20-plus years in the field) and Summer Rankin (PhD, 30-plus peer-reviewed publications). Both are working practitioners. When a lab breaks in an interesting way, they can tell you why, because they have hit the same wall on real projects.

If that is the kind of two days you want, look at the details and dates on the [Applied Data Science at Black Hat USA 2026 page](/lp/applied-data-science-black-hat-2026), or see all of GTK Cyber's Black Hat courses on the [events page](/events).

## FAQ

### How much programming experience do I need?

The course is intermediate. You should be comfortable reading Python and running scripts. You do not need to be a data scientist or a machine learning engineer. We teach the ML; you bring basic coding comfort.

### What do I need to bring?

A laptop that can run a virtual machine, with enough RAM and disk to spare (16 GB RAM recommended). We provide the Centaur VM with every tool, dataset, and notebook pre-loaded, so there is no install scramble on day one.

### There are two sessions. Are they different?

No. The two 2-day sessions (August 1-2 and August 3-4) are identical. Pick whichever dates fit your Black Hat schedule. Running it twice just gives you flexibility.


---

Canonical: https://gtkcyber.com/blog/applied-data-science-black-hat-what-to-expect/