
The Hyperscaler Security Program Detection Engineering Playbook

$199.00

A focused course, tailored for you

A practical build for hyperscaler security engineers who own detection coverage across identity, data, and product attack surfaces.

The quarterly detection coverage slide has more "partial" cells than "covered" cells, and the runbook for the alerts you do catch tells the on-call analyst to "investigate" with no next step named.

$199 one-time
Tailored to your situation. Access within 24 hours. 30-day money-back.

Includes a hand-built implementation playbook delivered alongside course access, generated for your specific situation.

Why this course

Security engineers inside hyperscalers sit between three pressures that nobody else on the org chart owns at the same time. The product surface ships new internal services every sprint, each introducing a new identity boundary, a new data flow, and a new audit log shape. The compliance surface (SOC 2, ISO 27001, PCI DSS for payment-adjacent products, FedRAMP for the public-sector arms, regional privacy regimes for the consumer surfaces) wants evidence that detections cover the controls that auditors care about. The threat surface keeps evolving toward identity-first attacks: OAuth abuse, session token replay, SSRF into metadata services, supply-chain compromise of internal libraries. The TPM running the quarterly review wants one number: the percentage of ATT&CK techniques relevant to the surface that have a tested detection with a real runbook. Most teams cannot produce that number cleanly, because detection logic lives in one repo, data source mappings live in a wiki, the runbook lives in a different wiki, and the validation evidence lives in a Jira ticket nobody has time to reopen. The course is the build that closes that loop.

What you walk away with

  • Produce a single ATT&CK coverage score the TPM accepts as the quarterly detection metric.
  • Stand up a detection-as-code pipeline that gates merges on unit tests and purple-team validation.
  • Map every relevant ATT&CK technique on the identity and SaaS surfaces to a data source, a detection, and a runbook artefact.
  • Ship a triage runbook template that names the specific artefact an analyst pulls at every step.
  • Close the loop between detection coverage, control evidence the compliance team needs, and the threat model the product team owns.

The 12 modules

Module 1. ATT&CK Coverage Scoring on the Identity Surface
Build the coverage matrix the TPM actually wants. Enumerate the ATT&CK techniques relevant to identity-first attacks at hyperscaler scale (T1078 valid accounts, T1550 alternate auth material, T1539 steal web session cookie, T1606 forge web credentials). Score each as covered, partial, or uncovered against the data sources you currently ingest. Produce a one-page coverage view the TPM can present in the quarterly review.
Module 2. Data Source Mapping for Internal SaaS and OAuth Surfaces
Map every detection-relevant data source on the internal SaaS surface: OAuth grant logs, scope changes, app installation events, refresh token use, admin role grants. Identify which sources are ingested, which are sampled, and which are absent. Build the gap remediation queue the data engineering team can prioritise against the coverage score from module 1.
Module 3. Detection-as-Code in a CI Pipeline
Move detection logic from production consoles into a code repository with unit tests, peer review, and a merge gate. Define the test fixtures (synthetic log events that simulate the technique). Wire up the CI pipeline so a detection change cannot land without a passing test and a reviewer sign-off. Adopt versioning so the TPM can answer "what changed between Q1 and Q2 coverage".
Module 4. Alert Quality Metrics and the Signal-to-Noise Loop
Define the alert quality metrics the TPM uses to assess detection health: true positive rate, false positive rate, mean time to triage, mean time to escalate, runbook completion rate. Instrument each metric end to end. Build the weekly review where detection engineers see which detections are degrading and which need to be retired. Tie the metric back to the coverage score so noise reduction does not silently uncover techniques.
Module 5. Purple-Team Validation Cadence
Stand up a purple-team validation cadence that proves the detections work against the techniques they claim to cover. Define the engagement scope, the success criteria, and the reporting template. Decide which detections are validated quarterly versus only on change. Wire the validation result back into the coverage matrix as a "tested" flag that the TPM can rely on.
Module 6. Triage Runbook Template That Names the Artefact
Replace "investigate the alert" runbooks with templates that name the specific artefact at every step. For each detection: what log to pull, what query to run, what field to compare, what threshold escalates, who owns the escalation. Build the on-call experience so an analyst at 02:00 follows the runbook to a decision in under fifteen minutes, not to another page of links.
Module 7. Internal Service Onboarding Pattern
Define the pattern for onboarding a newly shipped internal service into the detection stack. The threat model owner files a single document. The detection engineering team produces a service profile (data sources, ATT&CK techniques in scope, detections required, runbooks needed). The pattern compresses the time-from-launch-to-covered from quarters to weeks and prevents the coverage matrix from rotting silently.
Module 8. Compliance Evidence Pipeline
Connect detection coverage directly to the evidence the compliance team needs for SOC 2, ISO 27001, PCI DSS, FedRAMP, and the regional privacy regimes that apply to the surface. Build the evidence export that maps detections to control IDs, validates the mapping holds, and produces the artefact an auditor accepts. Stop the quarterly scramble where compliance asks security to manually screenshot consoles.
Module 9. Insider Risk and Privileged Action Detection
Build the detection stack for insider risk and privileged action on a hyperscaler surface. Identify the privileged actions that matter (production data access, customer data exports, configuration changes to authentication boundaries, internal admin role grants). Build detections that combine action signal with context signal (tenure, team, prior pattern). Define the escalation path that respects employee privacy and legal review.
Module 10. Threat Intelligence Pipeline into Detection Logic
Wire the threat intelligence feed into detection logic without producing a flood of low-quality alerts. Define the feed quality bar, the matching logic, the escalation criteria. Distinguish intelligence that updates a detection from intelligence that triggers an immediate alert. Build the feedback loop where confirmed positives improve the feed and confirmed negatives prune it.
Module 11. Cross-Team Operating Model for Detection Engineering
Codify how detection engineering, the SOC, threat intelligence, red team, and the product security partners work together. Define the artefacts each team owns, the cadence at which they exchange them, and the escalation path when a detection needs a product change. Build the on-call rotation and the post-incident review template that compounds learning rather than blaming.
Module 12. Quarterly Coverage Review Pack and Roadmap
Assemble the quarterly coverage review pack the TPM presents: coverage score by surface, change since the prior quarter, top five gaps with owners and dates, validation results, evidence pipeline health, and headcount and tooling asks justified against the gaps. Build the rolling twelve-month roadmap so the conversation moves from defending the current number to negotiating the trajectory.
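To make the loop between modules 1 and 3 concrete, here is an added example (not code from the course or from any vendor) of the two pieces fitting together: a detection written as code with synthetic fixtures that act as the merge gate, and a coverage matrix that scores each technique as covered, partial, or uncovered and rolls up to the single number the TPM asks for. The event schema (`type`, `user`, `cred_id`, `client`), the data source names, the runbook path, and the fixtures are all constructed for the example; the client fingerprints use documentation-reserved AS numbers. The detection generalises slightly beyond the refresh-token case in the text: the same rule serves T1550 (refresh token) and T1539 (session cookie), differing only in the event types it watches.

```python
"""Detection-as-code fixtures plus an ATT&CK coverage score (added example)."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Callable, Optional

Detector = Callable[[list], list]


def make_reissue_detector(issue_type: str, use_type: str, technique: str) -> Detector:
    """Build a rule that flags a credential used from a client fingerprint that
    differs from the one recorded when it was issued. Event fields are an
    assumed, vendor-neutral shape: {"type", "user", "cred_id", "client"}."""
    def detect(events: list) -> list:
        issued_from: dict[str, str] = {}
        alerts: list = []
        for ev in events:
            if ev["type"] == issue_type:
                issued_from[ev["cred_id"]] = ev["client"]
            elif ev["type"] == use_type:
                origin = issued_from.get(ev["cred_id"])
                # No recorded issuance means no baseline: the rule stays silent
                # rather than guessing, and a fixture below documents that gap.
                if origin is not None and origin != ev["client"]:
                    alerts.append({"technique": technique, "user": ev["user"],
                                   "cred_id": ev["cred_id"],
                                   "issued_from": origin, "used_from": ev["client"]})
        return alerts
    return detect


def make_fixtures(issue_type: str, use_type: str) -> list:
    """Constructed fixtures: (events, expected alert count)."""
    def ev(t, cred, client, user="alice"):
        return {"type": t, "user": user, "cred_id": cred, "client": client}
    same, other = "AS64496/Chrome", "AS64511/curl"   # RFC 5398 documentation ASNs
    return [
        ([ev(issue_type, "c-1", same), ev(use_type, "c-1", same)], 0),    # benign reuse
        ([ev(issue_type, "c-2", same), ev(use_type, "c-2", other)], 1),   # replay from elsewhere
        ([ev(use_type, "c-9", other, user="bob")], 0),                    # no baseline, no alert
    ]


def run_fixtures(detection: Detector, fixtures: list) -> bool:
    """Merge gate: every fixture must yield exactly the expected alert count."""
    return all(len(detection(events)) == expected for events, expected in fixtures)


@dataclass
class TechniqueEntry:
    technique: str
    name: str
    required_sources: tuple           # data sources the rule needs (module 2 inventory)
    detection: Optional[Detector]
    fixtures: list
    runbook: Optional[str]            # runbook artefact path, or None if missing


def score_technique(entry: TechniqueEntry, ingested: set) -> str:
    """covered = sources ingested + fixtures pass + runbook named; partial if a
    detection exists but any of those is missing; uncovered if no detection."""
    if entry.detection is None:
        return "uncovered"
    sources_ok = all(s in ingested for s in entry.required_sources)
    tested = bool(entry.fixtures) and run_fixtures(entry.detection, entry.fixtures)
    return "covered" if sources_ok and tested and entry.runbook else "partial"


def coverage_matrix(entries: list, ingested: set) -> dict:
    return {e.technique: score_technique(e, ingested) for e in entries}


def coverage_score(matrix: dict) -> float:
    """Percent of techniques scored 'covered', the single number for the review."""
    covered = sum(1 for v in matrix.values() if v == "covered")
    return round(100 * covered / len(matrix), 1) if matrix else 0.0


# Constructed inventory: what the pipeline currently ingests (session logs are not).
INGESTED = {"oauth_grant_log", "refresh_token_log"}

REFRESH_REPLAY = make_reissue_detector("oauth_grant", "refresh_token_use", "T1550")
COOKIE_REPLAY = make_reissue_detector("session_issued", "session_use", "T1539")

ENTRIES = [
    TechniqueEntry("T1550", "Use Alternate Authentication Material",
                   ("oauth_grant_log", "refresh_token_log"), REFRESH_REPLAY,
                   make_fixtures("oauth_grant", "refresh_token_use"),
                   "runbooks/t1550-refresh-token-replay.md"),          # hypothetical path
    TechniqueEntry("T1539", "Steal Web Session Cookie",
                   ("session_log",), COOKIE_REPLAY,
                   make_fixtures("session_issued", "session_use"), None),
    TechniqueEntry("T1078", "Valid Accounts", ("auth_log",), None, [], None),
    TechniqueEntry("T1606", "Forge Web Credentials", ("token_signing_log",), None, [], None),
]

if __name__ == "__main__":
    matrix = coverage_matrix(ENTRIES, INGESTED)
    for technique, status in matrix.items():
        print(f"{technique}: {status}")
    print(f"coverage score: {coverage_score(matrix)}%")
```

Running it prints T1550 as covered, T1539 as partial (the rule and its fixtures exist but `session_log` is not ingested and no runbook is named), T1078 and T1606 as uncovered, and a score of 25.0%. The point of wiring `run_fixtures` into `score_technique` is that a technique cannot read "covered" unless its fixtures pass in CI, so the quarterly number inherits the merge gate's guarantee instead of a wiki's.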

How this addresses your situation

Specific modules that map to what you said you are dealing with.

  • Quarterly detection coverage review where the TPM wants a single ATT&CK coverage score.
  • On-call analyst opens an alert at 02:00 and the runbook says "investigate" with no artefact named.
  • Compliance team asks for evidence that detections cover SOC 2 or FedRAMP control families.
  • Product team ships a new internal service and detection coverage silently rots before the next review.

What you get with this course

  • ATT&CK coverage matrix template scoped to identity, SaaS, and product surfaces.
  • Detection-as-code CI pipeline reference (test fixtures, review gates, versioning).
  • Alert quality metric instrumentation guide and weekly review template.
  • Purple-team validation engagement scope, success criteria, and reporting template.
  • Triage runbook template that names the artefact at every step.
  • Internal service onboarding pattern document and intake form.
  • Compliance evidence export mapping detections to control IDs.
  • Insider risk and privileged action detection reference library.
  • Threat intelligence feed integration pattern.
  • Cross-team operating model document for detection engineering.
  • Quarterly coverage review pack template the TPM can present.
  • Hand-built per-buyer implementation playbook that tunes all of the above to the specific surface the buyer owns.

What you will have in hand by Day 1, Week 1, Month 1

Within 24 hours: learning environment account provisioned, course access enabled, hand-built implementation playbook delivered alongside.

Weeks 1-2: complete modules 1-3 (coverage scoring, data source mapping, detection-as-code) and produce the first coverage matrix.

Weeks 3-4: complete modules 4-6 (alert quality, purple-team validation, triage runbook) and ship the first runbook template the on-call rotation uses.

Weeks 5-8: complete modules 7-9 (service onboarding, compliance evidence, insider risk) and integrate with the product security partner teams.

Weeks 9-12: complete modules 10-12 (threat intel, operating model, quarterly review pack) and present the first full coverage review to the TPM.

Before and after

Before

Detection coverage is a slide deck assembled quarterly from four wikis, a Jira board, and screenshots of consoles. Runbooks say "investigate". Compliance evidence is a scramble.

After

Detection coverage is a single score the TPM trusts, generated from a code repository with tested fixtures, validated by a purple-team cadence, and exportable as compliance evidence on demand.

What happens if you do not address this

The coverage slide keeps reading "partial" across the identity and SaaS surfaces. The next significant identity-first incident lands inside a detection gap the team knew about and could not close in time. The post-incident review names the gap, the TPM asks why it persisted for three quarters, and the answer is that the team was busy tuning the same five high-volume detections.

Who it is for

Security engineers, detection engineers, and security program owners inside hyperscalers and other large product organisations where the security team owns detection coverage as a quarterly metric, the compliance team consumes that coverage as evidence, and the product surface keeps shipping new internal services that the detection stack has to catch up with.

Who this is NOT for. Not for security leaders running a generic SIEM tuning exercise on a single product, not for compliance-only audiences who do not own detection logic, not for SOC analysts looking for a triage cheat sheet without the engineering build behind it.

How it arrives

Text-based course in the Art of Service learning environment, plus downloadable templates and worked examples for every module, plus the hand-built implementation playbook delivered alongside course access.

Time investment. Roughly forty to sixty hours of focused work across twelve weeks, scoped to fit alongside a normal on-call rotation rather than replacing it.

Why $199 is the right number

Vendor SIEM training teaches the console, not the operating model. Generic detection engineering blog posts give patterns without the compliance and operating model integration. Big consulting engagements deliver a one-time assessment without leaving the code-and-runbook stack behind. This course leaves the stack and the documentation behind, scoped to the specific surface the buyer owns.

FAQ

Does this assume a specific SIEM or detection platform?
No. The patterns are vendor-neutral. The implementation playbook tunes the patterns to the specific stack the buyer runs.
How is this different from MITRE ATT&CK navigator?
The navigator is a visualisation. This course builds the operating model behind the visualisation: detections, runbooks, validation cadence, evidence pipeline, and the quarterly review that ties them together.
Is the implementation playbook generic or scoped to my surface?
Scoped. The playbook is hand-built per buyer against the specific surface, data sources, and compliance regimes the buyer operates within.
What if my team is two people, not twenty?
The patterns compress. Modules 1, 3, 6, and 12 are the highest leverage at small team size. The playbook calls out the compressed path explicitly.
Is there a refund policy?
Thirty-day refund window if the course and the playbook do not match the situation.

30-day money-back guarantee. If after a week of working through the materials this is not what you needed, reply to the receipt email and a full refund is processed. No questions, no forms.

Within 24 hours your account in the learning environment is provisioned and the tailored implementation playbook is delivered alongside it.