This document outlines an agenda for an Amazon GuardDuty lab. The lab includes two parts that will demonstrate how GuardDuty can detect security threats and allow for automated remediation. Part one will generate findings when an EC2 instance connects to an IP address on a threat list, and demonstrate isolating the compromised instance using security groups and Lambda. Part two focuses on detecting and remediating compromised IAM credentials. Both parts include setup, simulated attacks, remediation steps, and opportunities for enhancement. The document encourages enabling GuardDuty to monitor for threats during the free trial period.