A focused course, tailored for you
The Merchant-Platform SecOps Analyst Detection Engineering Course
Write, tune, and ship the detections that hold up under merchant-scale traffic, PCI scope, and an incident-response review.
The detection you wrote last sprint fired three times overnight on the same merchant checkout pattern. The on-call left a tuning-candidate note. The IR review is in two weeks. The question is whether that rule should have caught the abuse one stage earlier in the kill chain, and whether the evidence it produced is enough for PCI.
Includes a hand-built implementation playbook delivered alongside course access, generated for your specific situation.
Why this course
A SecOps analyst on a merchant-platform team works in a setting where every false positive costs on-call sleep and every miss can show up in a merchant complaint, an acquirer escalation, or a card-brand inquiry. The detections live next to a checkout flow that handles cardholder data, sits inside PCI-DSS scope, and is targeted continuously by carding, credential stuffing, account takeover, fraud, fulfilment abuse, and storefront-injection campaigns. Writing a rule is the easy part. The hard part is writing rules that produce evidence an incident-response lead can defend to a CISO under time pressure, that an auditor will accept as a compensating control, and that an on-call rotation will keep on rather than silence after the third 3am page. That gap is the difference between a triage analyst and a detection engineer. The course teaches you to close it with detection-as-code, a coverage map tied to the merchant-platform threat model, a tested false-positive budget per detection, and runbooks that name the containment action, the merchant-comms decision, and the PCI evidence trail.
What you walk away with
- A documented threat model for a merchant checkout flow, mapped to ATT&CK and to the PCI-DSS control set, with coverage gaps named and ranked.
- A working portfolio of detection-as-code rules in Sigma plus your SIEM's query language, version-controlled, with test fixtures using replayed merchant traffic.
- A false-positive budget per detection that on-call peers accept, with the tuning history captured so an IR review can audit how the rule got there.
- Runbooks that tie each high-severity detection to a containment action, a merchant-comms decision tree, and the PCI evidence artefact the auditor will want.
- A detection-engineering review cadence you can defend to a CISO, with monthly coverage drift, weekly tuning notes, and a quarterly threat-model refresh.
The 12 modules
How this addresses your situation
Specific modules that map to what you said you are dealing with.
What you get with this course
- Twelve written modules in the Art of Service learning environment.
- Detection-as-code starter repo with Sigma rules, SIEM-language rules, metadata schema, and a CI fixture harness.
- Threat-model and coverage-map templates pre-populated for a merchant checkout flow.
- Runbook templates for the top abuse patterns at merchant platforms.
- Purple-team scenario pack scoped to merchant-platform reality.
- Monthly review pack template and metrics worksheet.
- Hand-built implementation playbook tuned to your detection portfolio and merchant-platform context, delivered alongside course access.
- Thirty-day money-back guarantee.
What you will have in hand by Day 1, Week 1, Month 1
Within 24 hours your account in the learning environment is provisioned and the tailored implementation playbook is delivered alongside it.
Modules unlock immediately and remain available without expiry.
Detection-as-code starter repo, fixture harness, and templates download from the learning environment on day one.
Suggested cadence is one module per week over twelve weeks, faster for full-time focus, slower around on-call rotations.
Before and after
Writing detections one at a time in a SIEM console. Tuning by intuition after on-call complaints. Defending rules to an IR lead from memory. PCI evidence assembled by hand each cycle. Coverage gaps discovered only when an incident exposes one.
Detection portfolio in a versioned repo with tested fixtures and named false-positive budgets. Coverage map tied to the threat model and to PCI controls. Runbooks that name the containment action and the evidence artefact. Monthly review pack that holds up to a CISO. A documented case for the next role.
What happens if you do not address this
The merchant-platform attack surface keeps widening at the checkout, at the storefront, at the merchant admin, and at the third-party script layer. Analysts who stay in the triage queue carry the on-call burden but not the visibility. Analysts who move into detection engineering own the portfolio that gets cited in incident reviews, in PCI evidence packs, and in the headcount conversation for the next security-engineering hire. The gap between those two paths widens every quarter that the work stays manual.
Who it is for
Cyber security analyst on a merchant or commerce-platform security team. Already comfortable reading logs, writing basic queries, and triaging alerts in a SOAR or SIEM. Wants to move from running other people's detections to owning the detection portfolio for a slice of the platform. Expected to defend each rule to incident response, on-call peers, and a PCI assessor.
How it arrives
Text-based course in the Art of Service learning environment, plus downloadable detection-as-code templates, runbook skeletons, threat-model and coverage-map worksheets, plus the hand-built implementation playbook delivered alongside course access.
Time investment. About six to ten hours per module across reading, working the templates against your own environment, and producing the module artefact. Roughly eighty to one hundred and twenty hours end to end. The artefacts produced are the work products you would have built on the job, compressed into a structured sequence.
Why $199 is the right number
SANS detection-engineering tracks cover similar ground at five-figure prices and rarely scope down to merchant-platform reality. Vendor-led SIEM certifications teach the query language but not the engineering discipline. Generalist blue-team courses teach triage, not portfolio ownership. Free community resources (Sigma HQ, MITRE ATT&CK, detection-engineering blogs) are excellent reference material but do not assemble into a defendable portfolio without a guiding structure. This course brings the structure, the templates, and the merchant-platform context together at 199 USD.
FAQ
30-day money-back guarantee. If after a week of working through the materials this is not what you needed, reply to the receipt email and a full refund is processed. No questions, no forms.
Within 24 hours your account in the learning environment is provisioned and the tailored implementation playbook is delivered alongside it.