FIND EVIL!
Prize Pool: $22.0K
Location: Online
Status: Upcoming
Days Left: 74 days
Date Range: Apr 15, 2026 - Jun 15, 2026
Submission Period: Apr 15 - Jun 15, 2026

About the Hackathon

AI threats strike in minutes. Build the defender that responds in seconds.

The Speed Problem

An AI-powered adversary can go from initial access to full domain control in under 8 minutes. CrowdStrike's fastest observed breakout time: 7 minutes. Horizon3's autonomous agent: 60 seconds to full privilege escalation. MIT's 2024 research: AI-driven attack workflows running 47 times faster than human operators.

Meanwhile, a human incident responder is still pulling up their toolkit.

That gap is the most dangerous problem in cybersecurity. And it's getting worse.

The Mission

Find Evil! challenges you to close it. You'll build autonomous AI agents on the SANS SIFT Workstation --- 200+ incident response tools on a single platform, 18 years of community development, 125,000+ downloads --- inspired by Protocol SIFT, the proof-of-concept framework that connects AI agents to those tools through Model Context Protocol (MCP).

Protocol SIFT works. It also hallucinates more than we'd like. (That's exactly why this hackathon exists.)

Unlike offensive teams that operate with three or four people in secret, we're putting the entire practitioner community on this problem simultaneously. Your job: teach an AI agent to think like a senior analyst --- how to sequence its approach, recognize when something doesn't add up, and self-correct when it gets it wrong.

Who Should Join

You don't need to be an incident response expert. The SIFT Workstation handles the domain tooling. You need curiosity and building skills.

IR/Security professionals: You've been finding evil manually for years. Build the AI partner you wish you had at 3 AM during an active incident.

AI/ML engineers: Apply your skills to a domain where speed determines whether attackers win. Real case data, real tools, no toy datasets.

Students and early-career builders: No IR background required. The SIFT Workstation is your on-ramp to the most in-demand intersection in tech.

Open-source contributors: Every submission lives on as a community tool. Build something thousands of responders will use.

Four supported architectural approaches: Direct Agent Extension (Claude Code or OpenClaw), Custom MCP Server, Multi-Agent Frameworks (AutoGen, CrewAI, LangGraph), or Alternative Agentic IDEs (Cursor, Cline, Aider). Teams up to 5. Solo permitted. April 15 -- June 15, 2026. $22,000+ in prizes.

About the Challenge

Why this exists

In November 2025, Anthropic's security team published findings on GTG-1002 --- a Chinese state-sponsored operation where attackers used Claude Code to run autonomous reconnaissance, exploitation, and lateral movement at 80-90% autonomy. The AI handled everything at request rates Anthropic described as "physically impossible" for human operators.

That was the offensive side. The SIFT Workstation is the defensive platform. Protocol SIFT demonstrated what's possible when you connect AI agents to that platform through MCP. This hackathon is how the community makes it real.

The DFIR community built the SIFT Workstation 18 years ago to give every practitioner access to professional-grade tools. Find Evil! extends that mission: give every responder an AI co-pilot that can triage incidents at the speed adversaries now operate.

The gap we're closing

Manual command-line incident response cannot compete with autonomous agents executing thousands of requests. Adversaries move at machine speed. Defenders still look up command-line flags during active incidents.

Your goal: build AI systems on the SIFT Workstation that match that velocity --- triaging, correlating, and reporting at the pace the threat demands. This hackathon is how.

Get Started

Register on Devpost (you're here).

Join the Protocol SIFT Slack --- this is where questions get answered, teams form, and mentors hang out.

Download the SIFT Workstation from sans.org/tools/sift-workstation.

Install the Protocol SIFT package to demonstrate automated analysis. After you download the SIFT OVA and log in, run this command from your terminal:

$ curl -fsSL https://raw.githubusercontent.com/teamdfir/protocol-sift/main/install.sh | bash

Review the starter resources: sample case data (hard drives, memory images) and the example submission.

Pick a problem and start building. See "What to Build" for project ideas and supported architectural approaches to get past the blank-screen problem.