← All Roles

Detection Engineer

Build and tune detection rules across SIEM, EDR, and log analytics platforms.

15 modules Β· ~12 weeks

Modules

01MITRE ATT&CK 101 β€” Tactics, Techniques, Navigator

beginner

Navigate the ATT&CK matrix, distinguish tactic / technique / sub-technique / procedure, and map real adversary writeups to techniques.

5 lessons

02Logs, Events & Schemas β€” The Raw Material of Detection

beginner

Read raw EVTX, syslog, and JSON cloud audit logs; articulate why ECS/OCSF exist; and map fields across schema standards.

5 lessons

03Windows Telemetry Deep Dive β€” EVTX, Sysmon, ETW

beginner

Audit-configure Windows for high-fidelity logging, read Sysmon config XML, and identify which EVTX events catch which TTPs.

6 lessons

04Linux & Cloud Telemetry β€” auditd, eBPF, CloudTrail, K8s Audit

beginner

Read auditd rules, eBPF traces, and cloud audit logs across AWS, Azure, GCP, and Kubernetes; articulate telemetry trade-offs.

5 lessons

05SIEM Query Languages β€” SPL, KQL, EQL, ES|QL

beginner

Write equivalent searches across SPL, KQL, and EQL given the same hunt; master aggregation, time-bucketing, and joins.

5 lessons

06Detection Strategy β€” Pyramid of Pain, Funnel of Fidelity, ADS

intermediate

Apply the Pyramid of Pain to rank detection ideas, fill out an ADS document, and articulate the Funnel of Fidelity.

4 lessons

07Sigma Fundamentals β€” Rule Anatomy, Logsources, Conversion

intermediate

Author, lint, test, and convert a Sigma rule for a real TTP. Learn the universal detection rule format used across 30+ SIEM platforms.

5 lessons

08Writing Good Detections β€” Precision, Recall, Robustness

intermediate

Reason about precision, recall, robustness to evasion, and analyst burden when designing a detection.

5 lessons

09Tuning & False-Positive Reduction β€” From Noisy to Trusted

intermediate

Run an FP-reduction loop on a noisy detection and ship a measurably-improved version with documented precision delta.

4 lessons

10Adversary Emulation β€” Atomic Red Team, Caldera, Stratus

intermediate

Run Atomic Red Team tests, Caldera operations, and Stratus Red Team scenarios; interpret which detections fired and why others did not.

5 lessons

11Detection-as-Code β€” Git, CI, Tests, Deployment

intermediate

Structure a detection repository with PR-based authoring, automated linting, unit tests, and CI deployment pipelines.

5 lessons

12Threat Hunting β€” PEAK, TaHiTI, Hypothesis to Evidence

advanced

Run a PEAK-framework hunt end-to-end β€” hypothesis, data, search, finding, and detection back-pressure.

5 lessons

13Cloud Detection Engineering β€” AWS, Azure, GCP, SaaS, Identity

advanced

Author cloud-specific detections covering identity attack paths, data exfil, persistence, and SaaS log sources.

5 lessons

14Metrics & Maturity β€” DEBMM, DML, Detection Coverage

advanced

Score a detection program against DEBMM and DML, build a coverage report from rule frontmatter, and run a detection engineering retro.

4 lessons

15Detection Engineer Interview Prep β€” Take-Homes, System Design

advanced

Navigate the full DE interview loop β€” phone screen, take-home, system design, behavioral, and panel rounds.

5 lessons

// final assessment

Final Exam

20 hard, scenario-based questions spanning the full curriculum. Pass at 80% to earn your certificate.