Hands-On Exercises

Build two real cybersecurity workflow agents using Deloitte's use cases. Each exercise takes ~45 minutes and includes step-by-step instructions.

Exercise A — Firewall Rule Optimizer

Duration: 45 minutes | Type: Workflow Agent

Scenario

Your organization's network security team exports firewall rule reports periodically. These reports contain hundreds of rules accumulated over years — many are outdated, overly permissive, or redundant. Manual review is time-consuming and error-prone.

You'll build a Kindo Workflow Agent that:

  1. Ingests a firewall rule report
  2. Analyzes each rule against security best practices
  3. Categorizes rules into four cleanup categories
  4. Outputs a structured report with confidence levels and metadata

Output Categories

| Category | Description | Risk Level |
| --- | --- | --- |
| Risky rules | Rules that expose the network to known threats (e.g., allow inbound from any source to sensitive ports) | 🔴 High |
| Over-permissive rules | Rules broader than necessary (e.g., allow all protocols when only TCP/443 is needed) | 🟡 Medium |
| Unused rules | Rules with zero or near-zero hit counts over the analysis period | 🟢 Low |
| Redundant rules | Rules that duplicate or are fully covered by other rules | 🟢 Low |
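The four categories above, implemented as a deterministic reference check that you can run over the same sample export and compare against the agent's categorization in Step 5. This is an added example, not code from the exercise guide; the CSV layout, the sensitive-port list, the hit-count threshold and the high/medium confidence labels are assumptions.

```python
import csv

# Service ports whose exposure from any source is treated as a known threat (assumed list, adjust to policy).
SENSITIVE_PORTS = {"22", "23", "445", "1433", "3306", "3389"}
UNUSED_THRESHOLD = 0  # hits at or below this over the analysis period count as unused

# Constructed sample export, one rule per line, in evaluation order (not the exercise's real report).
SAMPLE_RULES_CSV = """id,action,src,dst,proto,port,hits
1,allow,any,10.0.1.5,tcp,3389,12
2,allow,10.0.2.0/24,10.0.1.5,tcp,443,980
3,allow,10.0.2.0/24,10.0.1.5,tcp,443,3
4,allow,192.168.5.0/24,10.0.1.9,tcp,8443,0
5,allow,any,any,any,any,4400"""


def load_rules(text):
    return list(csv.DictReader(text.strip().splitlines()))


def covers(general, specific):
    """True when `general` matches every packet `specific` matches, so `specific` never adds anything."""
    if general["action"] != specific["action"]:
        return False
    return all(general[f] in ("any", specific[f]) for f in ("src", "dst", "proto", "port"))


def categorize(rules):
    """Assign each rule to one cleanup category (first matching check wins) with a confidence label."""
    report = {"risky": [], "over_permissive": [], "unused": [], "redundant": [], "keep": []}
    for i, rule in enumerate(rules):
        allow = rule["action"] == "allow"
        if allow and rule["src"] == "any" and rule["port"] in SENSITIVE_PORTS:
            # Known-threat exposure: inbound from anywhere to a sensitive service port.
            report["risky"].append((rule["id"], "high"))
        elif allow and (rule["proto"] == "any" or rule["port"] == "any"):
            # Broader than a single service needs; the exact intended scope needs human review.
            report["over_permissive"].append((rule["id"], "medium"))
        elif int(rule["hits"]) <= UNUSED_THRESHOLD:
            # Zero hits is strong evidence only if the export window is long enough.
            report["unused"].append((rule["id"], "medium"))
        elif any(covers(prev, rule) for prev in rules[:i]):
            # Fully shadowed by an earlier rule under first-match evaluation order.
            report["redundant"].append((rule["id"], "high"))
        else:
            report["keep"].append((rule["id"], "n/a"))
    return report
```

Where the deterministic result and the agent's table disagree is exactly where to look first when reviewing the LLM output.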

Step-by-Step Guide

Step 1 — Create the Agent (5 min)

  1. Sign in to your Kindo instance
  2. Navigate to the Agents tab
  3. Click Create an Agent
  4. Select Workflow Agent
  5. Configure:
    • Name: Firewall Rule Optimizer
    • Description: Analyzes firewall rule reports and categorizes rules for cleanup — identifies risky, over-permissive, unused, and redundant rules with confidence levels.

Step 2 — Set Up the Knowledge Store (5 min)

  1. In the Agent Configuration panel, click Add Knowledge Store
  2. Upload the sample firewall rule report (CSV or text format)
  3. Optionally, upload a reference document with your organization's firewall policy standards

💡 Tip: The Knowledge Store gives your agent context. The more specific and structured the reference material, the better the agent's analysis will be.

Step 3 — Write the Analysis Prompt (LLM Step) (10 min)

  1. Click + to add a step → Select LLM Step
  2. Name the step: Analyze and Categorize Rules
  3. Enter the prompt (see full guide for detailed prompt template)

Prompt Engineering Tips:

  • Be specific about the role — "senior network security engineer" sets the right context
  • Define output format explicitly — the model follows table structures well
  • Include edge case handling — "if a rule could belong to multiple categories..."
  • Add confidence levels — makes the output actionable (high confidence = auto-fix, low = manual review)

Step 4 — Add the Report Formatting Step (10 min)

  1. Click + to add another step → Select LLM Step
  2. Name the step: Format Cleanup Report
  3. Enter the formatting prompt (executive summary + immediate action items + category details + recommendations)

Step 5 — Run and Review (15 min)

  1. Click Generate / Run to execute the agent
  2. Review the output: Are the categorizations accurate? Do the confidence levels make sense?
  3. Iterate: Try adjusting the prompt to improve accuracy or change the output format

Discussion Points

  • Accuracy: How well did the agent categorize the sample rules? Where did it struggle?
  • Prompt refinement: What prompt changes improved the output most?
  • Production readiness: What would you need before using this in production? (integration with firewall management system, automated ticketing)
  • Extensions: Add a Trigger Agent, connect to CrowdStrike for threat intel, auto-create Jira tickets, add scheduled runs

Exercise B — Pathfinder: NIST CSF Compliance Mapper

Duration: 45 minutes | Type: Workflow Agent

Scenario

Your organization needs to demonstrate compliance with the NIST Cybersecurity Framework (CSF). Compliance teams collect evidence — policies, standards documents, configuration screenshots, audit reports — and manually map each to the relevant NIST CSF controls. This is labor-intensive, error-prone, and must be repeated for each audit cycle.

You'll build a Kindo Workflow Agent ("Pathfinder") that:

  1. Ingests evidence documents (policies, standards, configuration data)
  2. Maps each document to relevant NIST CSF controls
  3. Evaluates compliance status per control
  4. Produces a structured compliance report

NIST CSF Functions (for reference)

| Function | ID | Description |
| --- | --- | --- |
| Govern | GV | Establish and monitor cybersecurity risk management strategy and policy |
| Identify | ID | Understand organizational context, assets, risks, and supply chain |
| Protect | PR | Implement safeguards to ensure delivery of critical services |
| Detect | DE | Identify cybersecurity events in a timely manner |
| Respond | RS | Take action regarding a detected cybersecurity incident |
| Recover | RC | Restore capabilities impaired by a cybersecurity incident |

Step-by-Step Guide

Step 1 — Create the Agent (5 min)

  1. Sign in to your Kindo instance
  2. Navigate to the Agents tab
  3. Click Create an Agent
  4. Select Workflow Agent
  5. Configure:
    • Name: Pathfinder — NIST CSF Compliance Mapper
    • Description: Reviews evidence and supporting documents, maps them to NIST CSF controls, and evaluates compliance status. Produces a structured compliance report.

Step 2 — Set Up the Knowledge Store (10 min)

This agent needs two types of reference material:

  1. NIST CSF Framework Reference — Upload a NIST CSF control catalog (provided by facilitator)
  2. Evidence Documents — Upload sample policies, standards, and/or configuration screenshots

💡 Tip: For best results, upload the NIST CSF reference as a structured document (markdown or CSV with control IDs, names, and descriptions).

Step 3 — Write the Mapping Prompt (LLM Step) (10 min)

  1. Click + to add a step → Select LLM Step
  2. Name the step: Map Evidence to NIST CSF Controls
  3. Enter the mapping prompt with these key elements:
    • Define mapping guidelines (single document may map to multiple controls)
    • Specify output format: Document Name | Control ID | Control Name | Function | Mapping Rationale | Coverage Level
    • Define coverage levels: FULL, PARTIAL, REFERENCE, NONE
    • Request gap identification (controls with no evidence)

Step 4 — Write the Compliance Assessment Prompt (LLM Step) (10 min)

  1. Click + to add another step → Select LLM Step
  2. Name the step: Evaluate Compliance Status
  3. Enter the assessment prompt:
    • Assessment criteria: COMPLIANT, PARTIALLY COMPLIANT, NON-COMPLIANT, INSUFFICIENT EVIDENCE
    • Output sections: Compliance Scorecard | Detailed Assessment | Priority Remediation | Gaps Analysis

Step 5 — Run and Review (10 min)

  1. Click Generate / Run to execute the agent
  2. Review: Does the evidence-to-control mapping make sense? Are the compliance assessments defensible? Are the gaps identified accurately?
  3. Iterate: Upload additional evidence documents and re-run, or adapt to a different framework (ISO 27001, SOC 2)
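A small validator for the Step 3 and Step 4 outputs, useful during the review in Step 5: it parses the pipe-delimited mapping table, rejects rows that cite a control ID absent from the catalog or a coverage level outside FULL/PARTIAL/REFERENCE/NONE, rolls the best coverage per control up to an assessment status, and lists the gaps. This is an added example, not code from the exercise guide; the catalog rows, the sample agent output and the coverage-to-status mapping are constructed assumptions.

```python
import csv

COVERAGE_RANK = {"NONE": 0, "REFERENCE": 1, "PARTIAL": 2, "FULL": 3}
# Roll-up of best coverage to the Step 4 statuses. NON-COMPLIANT is not inferred here: it needs
# evidence that a control is failing, which the mapping format cannot express (assumed mapping).
STATUS = {"FULL": "COMPLIANT", "PARTIAL": "PARTIALLY COMPLIANT",
          "REFERENCE": "INSUFFICIENT EVIDENCE", "NONE": "INSUFFICIENT EVIDENCE"}

# Constructed control catalog in the structured form the tip recommends (not the facilitator's file).
CATALOG_CSV = """control_id,name,function
GV.OC-01,Mission informs risk management,GV
ID.AM-01,Hardware inventories are maintained,ID
PR.AA-01,Identities and credentials are managed,PR
DE.CM-01,Networks are monitored for adverse events,DE"""

# Constructed sample of what the mapping step might emit, in the pipe format the prompt asks for.
MAPPING_OUTPUT = """Document Name | Control ID | Control Name | Function | Mapping Rationale | Coverage Level
Access Control Policy | PR.AA-01 | Identities and credentials are managed | PR | Covers credential lifecycle | FULL
Asset Register Export | ID.AM-01 | Hardware inventories are maintained | ID | Servers only, no endpoints | PARTIAL
SIEM Screenshot | DE.CM-01 | Networks are monitored for adverse events | DE | Dashboard only, no alert rules | REFERENCE
Old Memo | PR.AA-99 | Password rules | PR | Mentions passwords | FULL"""

def load_catalog(text):
    return {row["control_id"]: row for row in csv.DictReader(text.strip().splitlines())}

def parse_mapping(text):
    header, *body = [[c.strip() for c in line.split("|")] for line in text.strip().splitlines()]
    return [dict(zip(header, cells)) for cells in body]

def validate(rows, catalog):
    """Keep rows that cite a real control ID and a legal coverage level; report the rest."""
    good, errors = [], []
    for row in rows:
        cid, level = row["Control ID"], row["Coverage Level"]
        if cid not in catalog:
            errors.append(f"{row['Document Name']}: unknown control {cid}")
        elif level not in COVERAGE_RANK:
            errors.append(f"{row['Document Name']}: invalid coverage level {level}")
        else:
            good.append(row)
    return good, errors

def assess(rows, catalog):
    """Best coverage per control decides its status; controls with no evidence at all are the gaps."""
    best = {cid: "NONE" for cid in catalog}
    for row in rows:
        if COVERAGE_RANK[row["Coverage Level"]] > COVERAGE_RANK[best[row["Control ID"]]]:
            best[row["Control ID"]] = row["Coverage Level"]
    return {cid: STATUS[best[cid]] for cid in catalog}, [cid for cid, lvl in best.items() if lvl == "NONE"]
```

Rows the validator rejects are the ones to re-check against the evidence, since a confident-looking mapping to a control ID that does not exist is a common failure mode of this kind of agent.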

Discussion Points

  • Accuracy: How well did the agent map evidence to controls? Were there false positives?
  • Coverage vs. compliance: What's the difference between "we have evidence" and "we're actually compliant"?
  • Scalability: How would this work with 500+ evidence artifacts? (chunking strategies, batch processing)
  • Framework portability: Could the same agent be adapted for ISO 27001, SOC 2, PCI DSS, or CMMC?
  • Extensions: Add a Trigger Agent for new evidence uploads, connect to Jira for remediation tickets, build a Canvas dashboard, add a chatbot companion
