Skip to content
>_
SecOps
Log
_
Home
Courses
Learning path
Resources
Topics
Blog
All courses
Detection engineering
Advanced
5 sections · 15 lessons · ~9h total · 60-question self-test
Start course
01
Detection-as-code & Sigma
3 lessons
Test yourself
01
Detection as code
Version-controlled, tested, CI/CD-deployed detections.
30 min
02
Sigma rules
Vendor-agnostic detections compiled to any SIEM.
30 min
03
Testing detections
True-positive/negative tests and Atomic Red Team.
30 min
02
Pipelines & SIEM
3 lessons
Test yourself
01
Log pipelines
Collect, normalize, enrich; guard the blind spots.
30 min
02
SIEM & correlation
Ingest, correlate weak signals, manage cost.
30 min
03
SOAR & response
Playbooks that automate first response.
30 min
03
Threat hunting
3 lessons
Test yourself
01
Hypothesis-driven hunting
Assume breach; hunt what alerts miss.
30 min
02
TTPs & the Pyramid of Pain
Detect behavior, not disposable indicators.
30 min
03
Behavioral analytics (UEBA)
Baseline normal, flag meaningful deviation.
30 min
04
Cloud DFIR & forensics
3 lessons
Test yourself
01
Cloud DFIR process
Order of volatility; automate before teardown.
35 min
02
Evidence acquisition
Snapshots, memory, integrity, chain of custody.
35 min
03
Timeline analysis
Reconstruct the intrusion; feed new detections.
30 min
05
Deception & alert quality
3 lessons
Test yourself
01
Honeytokens & deception
Decoys nothing legitimate ever touches.
25 min
02
Alert quality & tuning
Precision over volume; beat alert fatigue.
30 min
03
Metrics & the loop
Coverage, MTTD, precision — measure and improve.
25 min
Final exam
Test yourself on everything
60 questions drawn from all 5 sections — every answer explained as you pick.
Start final exam