The Engagement
GTK Cyber delivered a custom AI and machine learning training engagement to a U.S. military cyber unit. Twenty-five analysts and operators from the unit completed the course on-site at the unit’s facility.
The content was drawn from GTK Cyber’s AI Cyber Bootcamp curriculum and tailored to the unit’s operational needs. Because the unit handles classified material GTK Cyber does not have clearance to see, the course was scoped to techniques, frameworks, and tools the unit could adapt to their own operational data after the training.
The Challenge
The unit’s mission involves defending critical infrastructure and operational networks against sophisticated adversaries, many of whom now use AI-assisted techniques. The unit identified three specific needs:
- Analyst capability. Operators needed to apply machine learning to their own detection and hunting workflows without relying on black-box vendor tools.
- AI security awareness. As the unit evaluated deploying LLM-powered tools internally, and as they encountered AI-powered threats externally, operators needed to understand LLM attack surfaces, prompt injection, and adversarial ML.
- Vendor evaluation. The unit evaluates AI security products regularly. Operators needed the technical background to separate real AI capability from vendor marketing.
Traditional cybersecurity training did not cover AI in depth. General AI training did not map to military cyber operations. The gap was the combination.
What GTK Cyber Delivered
The course ran over multiple days and covered:
- Data science foundations for security: Python, pandas, Jupyter workflows applied to security datasets
- Supervised ML for detection: Random Forest, KNN, and SVM applied to malicious URL classification, SQL injection detection, and phishing identification
- Unsupervised ML and anomaly detection: Isolation Forest, clustering, and statistical baselines for hunting anomalous behavior in logs
- LLM security: Prompt injection (direct and indirect), jailbreaking, RAG poisoning, and hands-on testing using local models via Ollama
- Adversarial ML: Model evasion, data poisoning, and robustness evaluation using the Adversarial Robustness Toolbox
- AI-assisted SOC workflows: Using LLMs for threat intelligence summarization, log triage, and report generation
- Vendor evaluation framework: Structured questions to ask vendors of AI-powered security tools, with emphasis on training data, false positive rates, explainability, and proof-of-concept design
All labs used the Centaur VM, GTK Cyber’s open-source portable training environment. The VM is pre-loaded with tools, libraries, and realistic unclassified datasets. Operators built and ran working classifiers, anomaly detectors, and prompt injection payloads during class. No time was lost to environment setup.
Why This Format Worked
Practitioners teaching practitioners. Every GTK Cyber instructor has field experience in cybersecurity, data science, or intelligence. The content was not academic. Techniques were presented alongside the operational context in which they actually matter.
Hands-on labs. Students spent more than half of class time writing code, running attacks, and evaluating output. Lecture-only AI training produces knowledge that does not transfer to operational work. Labs produce skills that do.
On-site delivery. Training happened at the unit’s facility, which simplified logistics, handled security considerations, and let the unit integrate class discussion with their own operational context.
Tailored scope. Because the unit handles classified operational data, the course was designed to give operators tools and methodology they could apply to that data after the engagement. GTK Cyber did not need access to classified material to deliver effective training.
What the Unit Gained
- Twenty-five operators and analysts now have working familiarity with machine learning applied to security operations.
- The unit has a common vocabulary and baseline technical understanding for AI-related evaluations and decisions.
- Students left with working Python notebooks, detection models, and adversarial testing scripts they can adapt to their own environment.
- The unit has reference material and a classification framework for ongoing AI red-teaming work.
About GTK Cyber
GTK Cyber is a boutique training firm specializing in hands-on AI and cybersecurity training. Instructors have 20+ years of experience across intelligence agencies, major financial institutions, and government bodies. GTK Cyber is a regular training partner at Black Hat USA and Hack In The Box. Past clients include ING, Booking.com, S&P Global, L3Harris, and the Government of Canada.
For custom training engagements, contact info@gtkcyber.com or visit gtkcyber.com/contact.