When I finished the second edition of the Cybersecurity Architect's Handbook, the printed book ran to nearly 700 pages. That alone represents the framework I wanted to put in front of practitioners: how to think like a security architect, how to translate strategy into controls, and how to carry a design from a whiteboard to a defensible, governed reality.
But the book is only half of what readers actually get.
The 700 pages you can't see on the shelf
Alongside the printed edition, the book's associated GitHub repository holds over 700 more pages of supplementary content and hands-on labs — material that never fit between two covers but that I consider every bit as important as the chapters themselves. In practice, buying the Cybersecurity Architect's Handbook gets you two books' worth of material: the architectural reasoning in print, and an evolving, hands-on lab suite online that lets you do the thing the chapters describe.
These aren't toy exercises. Every lab is built and tested against real infrastructure — in my case, Debian-based virtual machines running genuine open-source security tooling — so the failures, version quirks, and "why won't this connect" moments are baked into the instructions rather than glossed over. The goal is that a motivated reader can stand up enterprise-class capabilities on a lab budget and come away understanding not just how a control works, but why it's wired the way it is.
Where it all comes together: the AI Security Automation capstone
The labs are organized by domain — detection and SIEM, vulnerability and configuration management, incident response, application security, access control, and more. Each one teaches a discipline in isolation. But the final category, Security Automation with AI Agents, is deliberately different. It's the capstone.
Instead of introducing yet another standalone tool, the capstone reaches back into the infrastructure you already built in the earlier labs and asks you to bring it together. The SIEM you deployed in the detection labs. The vulnerability scanner you stood up in the vulnerability-management labs. The hosts, the data, the credentials, the network paths. The capstone treats all of that as the raw material for something larger.
Across three progressive labs, you build:
- A SIEM log triage agent that pulls real alerts from your SIEM and uses a frontier AI model to assign severity, summarize what happened, and recommend next steps — turning a wall of events into a ranked, human-readable shortlist.
- A vulnerability remediation agent that reads your latest scan results and produces a prioritized, context-aware fix plan instead of an undifferentiated CVE dump.
- An orchestrator that correlates both signals — an active alert and a known vulnerability on the same host rise to the top — and assembles a single, executive-style daily security brief, scheduled to run unattended.
The end result is something readers can genuinely use: an automated, AI-assisted SOC reporting mechanism that wakes up every morning, reasons over your live security telemetry, and lands a prioritized brief in your inbox — built entirely from open-source tooling and an AI API, on hardware you already have.
Automation without abdication: the guardrails matter most
Here's the part I care about most, and the reason this is a security architect's take on AI rather than a "point an LLM at your logs" tutorial. Automation in a SOC is only valuable if it's safe, bounded, and accountable. So the capstone is built around guardrails and controls from the first line of code:
- Read-only by design. The agents read, reason, and report. They never write to your SIEM, never re-run scans, never act on a host. A human reviews the output and decides what to do. The agent informs; the analyst decides.
- Secrets never leave the host. A redaction pass strips passwords, tokens, session IDs, and keys out of log lines and scan findings before any data is sent to an API.
- The input is treated as hostile. A crafted log line is a textbook prompt-injection vector, and a SIEM is exactly where an attacker can plant one. The read-only design is what contains that risk — the worst case is a wrong verdict a human reviews, never an action — and the model's output is validated rather than trusted.
- Cost and least-privilege controls. Explicit limits, scoped credentials kept in environment variables and secret stores rather than code, and connection patterns that mirror how you'd actually segment an enterprise deployment.
Those controls aren't an afterthought bolted on at the end. They're the lesson. By the time you finish the capstone, you haven't just wired up an AI workflow — you've internalized what it takes to deploy autonomous tooling responsibly inside a real security program, which is precisely the judgment an architect is paid to bring.
See it for yourself
If you want the architectural foundation, it's in the nearly-700-page second edition. If you want to put your hands on it — to build a guardrailed, AI-driven SOC reporting pipeline and watch the disciplines from every prior chapter snap together — that's waiting in the lab repository, all 700-plus pages of it.
Grab the Cybersecurity Architect's Handbook, Second Edition here: Amazon
And if you build something with the capstone — or break it in an interesting way — I'd genuinely like to hear about it. You can find me at secdoc.tech.
