Detection Engineer
Build and tune detection rules across SIEM, EDR, and log analytics platforms.
15 modules Β· ~12 weeks
Modules
01MITRE ATT&CK 101 β Tactics, Techniques, Navigator
beginnerNavigate the ATT&CK matrix, distinguish tactic / technique / sub-technique / procedure, and map real adversary writeups to techniques.
5 lessons
02Logs, Events & Schemas β The Raw Material of Detection
beginnerRead raw EVTX, syslog, and JSON cloud audit logs; articulate why ECS/OCSF exist; and map fields across schema standards.
5 lessons
03Windows Telemetry Deep Dive β EVTX, Sysmon, ETW
beginnerAudit-configure Windows for high-fidelity logging, read Sysmon config XML, and identify which EVTX events catch which TTPs.
6 lessons
04Linux & Cloud Telemetry β auditd, eBPF, CloudTrail, K8s Audit
beginnerRead auditd rules, eBPF traces, and cloud audit logs across AWS, Azure, GCP, and Kubernetes; articulate telemetry trade-offs.
5 lessons
05SIEM Query Languages β SPL, KQL, EQL, ES|QL
beginnerWrite equivalent searches across SPL, KQL, and EQL given the same hunt; master aggregation, time-bucketing, and joins.
5 lessons
06Detection Strategy β Pyramid of Pain, Funnel of Fidelity, ADS
intermediateApply the Pyramid of Pain to rank detection ideas, fill out an ADS document, and articulate the Funnel of Fidelity.
4 lessons
07Sigma Fundamentals β Rule Anatomy, Logsources, Conversion
intermediateAuthor, lint, test, and convert a Sigma rule for a real TTP. Learn the universal detection rule format used across 30+ SIEM platforms.
5 lessons
08Writing Good Detections β Precision, Recall, Robustness
intermediateReason about precision, recall, robustness to evasion, and analyst burden when designing a detection.
5 lessons
09Tuning & False-Positive Reduction β From Noisy to Trusted
intermediateRun an FP-reduction loop on a noisy detection and ship a measurably-improved version with documented precision delta.
4 lessons
10Adversary Emulation β Atomic Red Team, Caldera, Stratus
intermediateRun Atomic Red Team tests, Caldera operations, and Stratus Red Team scenarios; interpret which detections fired and why others did not.
5 lessons
11Detection-as-Code β Git, CI, Tests, Deployment
intermediateStructure a detection repository with PR-based authoring, automated linting, unit tests, and CI deployment pipelines.
5 lessons
12Threat Hunting β PEAK, TaHiTI, Hypothesis to Evidence
advancedRun a PEAK-framework hunt end-to-end β hypothesis, data, search, finding, and detection back-pressure.
5 lessons
13Cloud Detection Engineering β AWS, Azure, GCP, SaaS, Identity
advancedAuthor cloud-specific detections covering identity attack paths, data exfil, persistence, and SaaS log sources.
5 lessons
14Metrics & Maturity β DEBMM, DML, Detection Coverage
advancedScore a detection program against DEBMM and DML, build a coverage report from rule frontmatter, and run a detection engineering retro.
4 lessons
15Detection Engineer Interview Prep β Take-Homes, System Design
advancedNavigate the full DE interview loop β phone screen, take-home, system design, behavioral, and panel rounds.
5 lessons
MITRE ATT&CK Coverage
Green = at least one covering lesson completed
// final assessment
Final Exam
20 hard, scenario-based questions spanning the full curriculum. Pass at 80% to earn your certificate.