CODE BLUE 2026

Trainings

Tentative DEaTH by Windows: Detection Engineering and Threat Hunting with Yamato Security Tools and AI

This 3-day hands-on training teaches you how to investigate Windows compromises using free and open-source tools — and how to supercharge that analysis with generative AI. It is a major upgrade of the 2-day training held at CODE BLUE last year, expanded with new sections on evidence acquisition, popular Windows forensic artifacts (Master Boot Record, Prefetch, Shimcache, and more), using AI to create Sigma detection rules, and automatically analyzing Hayabusa results with AI.

Training Outline

  • Title

    DEaTH by Windows: Detection Engineering and Threat Hunting with Yamato Security Tools and AI

  • Trainer

    Zach Mathis

  • Language

    Japanese/English (training materials and lecture videos will be provided in both languages)

  • Date

    2026-11-13 9:00 - 18:30
    2026-11-14 9:00 - 18:30
    2026-11-15 9:00 - 18:30

  • Format

    Onsite and Online Hybrid & Self-Paced ("Choose Your Own Adventure")

  • Venue

    Bellesalle Shinjuku Grand Conference Center (5F)

  • Capacity

    40 (Maximum size of Venue) (*Minimum 10 participants)

  • Remarks

    A 2-day Conference ticket (November 17th–18th, 2026) is included for all training attendees.
    The special discounted online course for returning students does not include the conference ticket.

Training Application

Buying Ticket
Price: 330,000 JPY (tax included)
Sales period: until November 8th

Training Detail

Who should take this course
  • Those who want to learn how to detect attacks on Windows and Active Directory
Student requirements
  • Basic IT knowledge. At least 1 year of experience in a security-related role is recommended.

What skills will participants learn at your training?

  • Windows event log analysis, important Windows forensic artifacts, threat hunting, investigation workflows, and more

What students should bring

  • A laptop with VMware and at least 8GB of RAM. If the host OS is not Windows, a Windows virtual machine is required.

Format: Hybrid & Self-Paced (“Choose Your Own Adventure”)
The training is offered both in person and online. The core material is delivered through pre-recorded lecture videos that you watch at your own pace (please bring headphones). We adopted this format because students’ skill levels vary widely — this way, experienced analysts can skip ahead or jump straight into the hands-on CTF, while those who prefer a structured approach can work through the lectures first. You choose your own path.

  • Day 1: Individual self-paced study and hands-on exercises
  • Day 2: Form teams and dive deeper into the CTF and forensic case analysis
  • Day 3: Team presentations on the forensic cases you analyzed

Why attend in person? We recommend in-person attendance if you think you may need troubleshooting help or want to ask lots of questions. In-person attendees also get to work in teams for the CTF and final presentation, and an award will be given to the best team presenting in person.

Language

  • The training materials, lecture videos, and the lecture introduction are all provided in both Japanese and English. However, please note that the real-time (live) portions of the training will be conducted mostly in Japanese, unless there are enough English-only speakers in attendance. If there are not enough English-only speakers to form a team, English-only attendees will work through the CTF analysis individually. (Presenting is optional.)

What students will be provided with

  • Training material PDFs and lecture videos in both Japanese and English
  • Lecture videos are downloadable and yours to keep forever — watch them in any order, anytime, even after the course ends
  • A CODE BLUE conference ticket is included in the training price — even for online attendees

Returning Students

  • If you attended last year’s training, you can attend this year’s full 3-day training online for ¥99,000 (70% OFF) and get access to all new and updated material.
    (The CODE BLUE conference ticket is not included in this discounted option.)

Course Overview
A detailed course overview is available here.

Zach Mathis

Born in Indiana, USA.
Self-taught in IT, security, and Japanese since middle school (from 1990).
While in high school, he received top awards from Intel, the U.S. Air Force, and the U.S. Navy for his research on password cracking, establishing himself early in the security field.

He graduated from Purdue University in 2005 with a double major in Southeast Asian Studies and Computer Science, then joined Kobe Digital Labo, Inc. (KDL) in 2006.
At KDL, he launched a range of security services including web vulnerability assessments, mobile app assessments, penetration testing, phishing simulations, forensic investigations, and incident response.

He also built an internal security team (Proactive Defense) and dedicated himself to mentoring the next generation of security professionals.
From 2007 to 2010, he served as a teaching assistant for all courses and as a researcher at Carnegie Mellon University Japan (CMUJ), a prestigious institution in the security field.
Since 2008, he has spoken at numerous renowned international security conferences. In 2014, he joined the organizing team of SECCON, Japan's leading security competition.
Since 2012, he has been running "Yamato Security," a hands-on security study group that has grown highly popular among security engineers, with a mission to develop cybersecurity talent.
Since 2017, he has been localizing and teaching SANS's most popular course, SEC504 (Incident Response and Hacker Techniques), in Japanese.

In Japan, he has served as a trainer at CMUJ, SANS, JNSA, KIIS, IPA, the Kagoshima Prefecture Cybersecurity Council, Kobe 078, private training for critical infrastructure operators, and industry-academia-government collaborative programs, producing a large number of security professionals. His activities extend beyond Japan — he has taught security courses in the United States, the Philippines, Thailand, Laos, Cambodia, Myanmar, and other countries, with plans to deliver lectures worldwide including Kuwait, Hong Kong, India, and Australia. He always strives to teach security skills to the best of his ability, no matter the environment or circumstances.

On X (formerly Twitter) at @yamatosecurity, he shares daily security news, tips, and the latest developments in the field.