Bethesda, MD, April 15, 2026 (GLOBE NEWSWIRE) -- At RSAC 2026, Rob T. Lee typed two words into an autonomous agent built on the SANS SIFT Workstation: “find evil.” Fourteen minutes and twenty-seven seconds later, he had a complete C drive forensic analysis. That is work incident responders told Lee can take a week or longer to complete. The live audiences at RSAC and the [un]prompted AI security conference watched the whole thing in real time.
“The answer is not faster humans,” said Lee, Chief AI Officer and Chief of Research at SANS Institute. “The answer is AI-augmented defenders, matching AI speed with AI speed. I built Protocol SIFT thinking I was ahead of the curve. Then Anthropic’s security team disclosed a Chinese state-sponsored operation using the exact same architecture for offense: AI agents, MCP, security tools, 80–90% autonomy across 30+ targets. Chinese intelligence got their press release out first.”
The urgency sharpened again this week. Anthropic announced that Claude Mythos Preview, an unreleased frontier model, has already found thousands of critical zero-day vulnerabilities across every major operating system and web browser, including bugs that went undetected for over two decades. Over 99% remain unpatched. Treasury Secretary Scott Bessent convened bank CEOs to discuss the implications. Jamie Dimon addressed it on the JPMorgan Chase earnings call. Vulnerability discovery at AI speed is here. Defensive response at AI speed is not. That is the gap Find Evil! exists to close.
Today, SANS launches Find Evil! ( findevil.devpost.com), the first hackathon for autonomous AI incident response. More than 1,100 participants have already registered, competing as solo builders and teams, from students to seasoned experts, from across the globe. The two-month competition challenges them to take Protocol SIFT, the proof-of-concept framework connecting AI agents to the SIFT Workstation’s 200+ forensic tools through MCP (sans.org/tools/sift-workstation), and make it production-ready. Submissions are due June 15, 2026.
“Offensive teams operate with three or four people working in secret,” Lee said. “We’re putting the entire practitioner community on this problem at the same time. The biggest advantage defenders have over attackers is that there’s a lot more of us. The SIFT Workstation was built by the community over 19 years. Find Evil! is how we do the same thing for autonomous defense.”
Protocol SIFT works. It also hallucinates more than the team would like. That is exactly why this hackathon requires a community, not a closed team. OpenClaw proved that a single developer’s weekend project could become the agent framework entire industries are now rebuilding around. Mythos just proved that AI vulnerability discovery has outpaced human remediation capacity. Find Evil! applies the same agentic model to cybersecurity defense, with 19 years of community-built tooling underneath it. For practitioners looking for a structured way to learn how AI agents actually work, this is it. The goal: emerge from 60 days with two to three installable packages any practitioner can deploy.
Participants can compete solo or in teams of up to five. No incident response background is required. Submissions will be judged on autonomous execution quality, IR accuracy, hallucination management, architectural guardrails, audit trail quality, and documentation. Total prizes exceed $22,000: $10,000 for first place, $7,500 for second, $3,000 for third. Winners announced on or around July 8, 2026.
To get started: register at findevil.devpost.com, download the SIFT Workstation at sans.org/tools/sift-workstation, and join the Protocol SIFT Slack for team formation and mentorship. SANS will also host a live SANS Critical Advisory: BugBusters - AI Vulnerability Discovery Hype vs. Reality broadcast on April 16th at 12pm NOON ET, using current AI models to discover vulnerabilities in penetration tests, finding critical flaws in code that human reviewers already cleared.
