📌About the Event

The FIND EVIL! hackathon, hosted by SANS, is a high-stakes challenge designed to close the “Speed Gap” in cybersecurity. While AI-powered attackers can now compromise a domain in under 60 seconds, human incident responders are often minutes or hours behind. This competition tasks you with building autonomous AI agents on the SANS SIFT Workstation to triage, correlate, and respond to threats at machine speed.

---

📍 Event Overview

• Category: Cybersecurity / Digital Forensics & Incident Response (DFIR) / AI Agents.
• Organizer: SANS Institute.
• Venue: 100% Online / Public.
• Target Audience: IR Professionals, AI/ML Engineers, Students, and Open-Source Contributors.
• Participants: 2,853+ registered.
• The Goal: Transform Protocol SIFT into a fully autonomous agent that can think, self-correct, and hunt like a senior forensic analyst.

---

📅 Critical Timeline

• Status: ACTIVE.
• Deadline: June 15, 2026 @ 8:45 PM PDT.
• Duration: 39 days remaining.

---

💰 Prize Pool ($22,000 + SANS Training)

The rewards include significant cash and world-class cybersecurity education:

• 🥇 1st Place (SLAYED EVIL): $10,000 Cash + SANS Summit passes + SANS OnDemand courses + Featured Livestream.
• 🥈 2nd Place (HUNTED EVIL): $7,500 Cash + SANS Summit passes + SANS OnDemand courses.
• 🥉 3rd Place (FOUND EVIL): $4,500 Cash + SANS OnDemand courses.

---

🏗️ Supported Architectural Approaches

Participants are encouraged to build using one of these four patterns:

1. Direct Agent Extension: Extending the existing Protocol SIFT loop (using Claude Code or OpenClaw).
2. Custom MCP Server: Building a purpose-built server that exposes structured functions (e.g., extract_mft_timeline()) rather than raw shell access.
3. Multi-Agent Frameworks: Using AutoGen, CrewAI, or LangGraph to coordinate specialized agents (e.g., one for memory, one for logs).
4. Agentic IDEs: Leveraging tools like Cursor or Cline to build specialized rule systems for IR.

---

🚀 Getting Started

1. Join the Community: Sign up on Devpost and join the Protocol SIFT Slack.
2. Download the SIFT Workstation: Get the official VM from sans.org/tools/sift-workstation.
3. Install Protocol SIFT: Run the installer script inside your SIFT terminal:Bashcurl -fsSL https://raw.githubusercontent.com/teamdfir/protocol-sift/main/install.sh | bash
4. Pick a Case: Use the sample hard drive and memory images provided in the resources.

---

📋 Submission Requirements (8 Components)

To be eligible for the $22,000 pool, you must submit:

• Public GitHub Repo (MIT/Apache 2.0 license).
• Demo Video (5 mins max) showing a self-correction sequence.
• Architecture Diagram detailing security boundaries and data flow.
• Accuracy Report documenting hallucinations and evidence integrity.
• Agent Execution Logs showing tool calls and token usage.