Skip to main content
Image coming soon

The Merchant-Platform SecOps Analyst Detection Engineering Course

$199.00
Adding to cart… The item has been added

A focused course, tailored for you

The Merchant-Platform SecOps Analyst Detection Engineering Course

Write, tune, and ship the detections that hold up under merchant-scale traffic, PCI scope, and an incident-response review.

The detection you wrote last sprint fired three times overnight on the same merchant checkout pattern. The on-call left a tuning-candidate note. The IR review is in two weeks. The question is whether that rule should have caught the abuse one stage earlier in the kill chain, and whether the evidence it produced is enough for PCI.

$199 one-time
Tailored to your situation. Access within 24 hours. 30-day money-back.

Includes a hand-built implementation playbook delivered alongside course access, generated for your specific situation.

Why this course

A SecOps analyst on a merchant-platform team works in a setting where every false positive costs on-call sleep and every miss can show up in a merchant complaint, an acquirer escalation, or a card-brand inquiry. The detections live next to a checkout flow that handles cardholder data, sits inside PCI-DSS scope, and is targeted continuously by carding, credential stuffing, account takeover, fraud, fulfilment abuse, and storefront-injection campaigns. Writing a rule is the easy part. The hard part is writing rules that produce evidence an incident-response lead can defend to a CISO under time pressure, that an auditor will accept as a compensating control, and that an on-call rotation will keep on rather than silence after the third 3am page. That gap is the difference between a triage analyst and a detection engineer. The course teaches you to close it with detection-as-code, a coverage map tied to the merchant-platform threat model, a tested false-positive budget per detection, and runbooks that name the containment action, the merchant-comms decision, and the PCI evidence trail.

What you walk away with

  • A documented threat model for a merchant checkout flow, mapped to ATT&CK and to the PCI-DSS control set, with coverage gaps named and ranked.
  • A working portfolio of detection-as-code rules in Sigma plus your SIEM's query language, version-controlled, with test fixtures using replayed merchant traffic.
  • A false-positive budget per detection that on-call peers accept, with the tuning history captured so an IR review can audit how the rule got there.
  • Runbooks that tie each high-severity detection to a containment action, a merchant-comms decision tree, and the PCI evidence artefact the auditor will want.
  • A detection-engineering review cadence you can defend to a CISO, with monthly coverage drift, weekly tuning notes, and a quarterly threat-model refresh.

The 12 modules

Module 1. Threat-modelling a merchant checkout flow
Walk a real checkout flow from cart to settlement, name every actor and data store, and produce a STRIDE-flavoured model that overlays ATT&CK techniques onto each stage. Identify which stages carry cardholder data, which sit in PCI scope, and which abuse patterns (carding, BOPIS abuse, refund fraud, account takeover) most often hit which stage. Output is a one-page model your IR lead can challenge.
Module 2. Coverage maps that an IR lead and a PCI assessor both read
Build a coverage matrix that maps your existing detection portfolio to the threat model from module 1, ATT&CK tactic and technique, and the PCI-DSS controls the rule contributes evidence for. Identify the empty cells. Rank them by merchant impact and assessor exposure. Output is a coverage map that doubles as a roadmap for the next quarter of detection engineering work.
Module 3. Detection-as-code in Sigma and the platform query language
Move from clicking rules in a console to writing them as code in a repo. Sigma for portability, the SIEM's native language for fidelity. Naming conventions, metadata schema, MITRE mapping fields, severity rubric, and the pull-request review checklist. Output is a starter repo structure that another analyst on your team can contribute to without asking permission.
Module 4. Building test fixtures from replayed merchant traffic
Detections without tests rot. Build a fixture pipeline that captures sanitised merchant traffic, replays it through your detection logic, and asserts the expected hits and misses. Cover normal carting, known-good bot traffic, replayed historical incidents, and synthesised carding sequences. Output is a CI job that fails a pull request when a fixture regresses.
Module 5. False-positive budgets the on-call will respect
Every high-severity detection gets a documented false-positive budget per week, agreed with on-call peers before the rule ships. Tuning is logged so the IR review can audit how the rule was shaped. Walk the negotiation, the metrics, the dashboards, and the rule-retirement criteria. Output is a budget sheet for your five highest-fire detections.
Module 6. Carding, credential stuffing, and ATO at checkout scale
The three abuse patterns that hit merchant platforms hardest. Indicators at the edge, at the auth service, at the checkout API, and at the issuer-response layer. Detection patterns that survive at scale, including velocity, BIN range distribution, device-graph signals, and behavioural-biometric integration where available. Output is three production-ready detections tested against replayed campaign data.
Module 7. Storefront-injection and supply-chain detections
Magecart-class skimmers, third-party script tampering, and merchant-side admin compromise that ends in injected checkout code. Where to instrument, what to log, how to write a detection that fires before the card data leaves the page. Output is a detection portfolio for the storefront layer with runbooks that include merchant comms.
Module 8. Account-takeover detections across merchant admin and shopper accounts
Two populations, two threat models, two different tolerance levels for friction. Detection design for merchant-admin compromise that respects support workflow. Detection design for shopper-account takeover that respects conversion. Output is a paired detection set with explicit hand-offs to trust-and-safety and to merchant support.
Module 9. Runbooks that name the containment action, the merchant decision, and the PCI evidence
A runbook is not a paragraph. It is a decision tree with named actors, named systems, and a documented evidence trail. Walk a runbook template that ties every high-severity detection to the containment step, the merchant-communication call, the trust-and-safety hand-off, and the artefact the PCI assessor will ask for. Output is runbooks for your top ten detections.
Module 10. Purple-team validation against your own portfolio
A detection that has never been exercised is a hope, not a control. Run a structured purple-team cycle against your portfolio using ATT&CK-aligned scenarios scoped to merchant-platform reality. Capture coverage, dwell time, and analyst response quality. Feed the gaps back into the coverage map from module 2. Output is a quarterly purple-team report a CISO will read.
Module 11. Detection engineering metrics and the monthly review
What to count, what to ignore, and what to report. Mean time to detect, alert-to-incident ratio, tuning velocity, coverage drift, runbook freshness, and the analyst satisfaction signal that says the on-call rotation is healthy. Output is a monthly review pack you can defend to a security director and reuse in a board update without rewrites.
Module 12. Career path from analyst to detection engineer to platform security owner
What the next two roles ask of you. The artefacts that prove you can do them. The internal conversations that move you from the triage queue to owning a detection portfolio, and from there to leading a detection-engineering function. Output is a personal artefact portfolio, a 90-day learning plan, and a one-page case for your next role conversation.

How this addresses your situation

Specific modules that map to what you said you are dealing with.

Module 1 and 2 give you the threat model and the coverage map you need before a quarterly planning conversation.
Modules 3 through 5 are the detection-engineering core. Use them when you are moving the team off click-rules and onto detection-as-code.
Modules 6 through 8 are the abuse-pattern modules. Use them when the next carding wave, ATO spike, or storefront-injection campaign hits.
Modules 9 through 12 are the operational and career modules. Use them to prove the work and to plan the next role.

What you get with this course

  • Twelve written modules in the Art of Service learning environment.
  • Detection-as-code starter repo with Sigma rules, SIEM-language rules, metadata schema, and a CI fixture harness.
  • Threat-model and coverage-map templates pre-populated for a merchant checkout flow.
  • Runbook templates for the top abuse patterns at merchant platforms.
  • Purple-team scenario pack scoped to merchant-platform reality.
  • Monthly review pack template and metrics worksheet.
  • Hand-built implementation playbook tuned to your detection portfolio and merchant-platform context, delivered alongside course access.
  • Thirty-day money-back guarantee.

What you will have in hand by Day 1, Week 1, Month 1

Within 24 hours your account in the learning environment is provisioned and the tailored implementation playbook is delivered alongside it.

Modules unlock immediately and remain available without expiry.

Detection-as-code starter repo, fixture harness, and templates download from the learning environment on day one.

Suggested cadence is one module per week over twelve weeks, faster for full-time focus, slower around on-call rotations.

Before and after

Before

Writing detections one at a time in a SIEM console. Tuning by intuition after on-call complaints. Defending rules to an IR lead from memory. PCI evidence assembled by hand each cycle. Coverage gaps discovered only when an incident exposes one.

After

Detection portfolio in a versioned repo with tested fixtures and named false-positive budgets. Coverage map tied to the threat model and to PCI controls. Runbooks that name the containment action and the evidence artefact. Monthly review pack that holds up to a CISO. A documented case for the next role.

What happens if you do not address this

The merchant-platform attack surface keeps widening at the checkout, at the storefront, at the merchant admin, and at the third-party script layer. Analysts who stay in the triage queue carry the on-call burden but not the visibility. Analysts who move into detection engineering own the portfolio that gets cited in incident reviews, in PCI evidence packs, and in the headcount conversation for the next security-engineering hire. The gap between those two paths widens every quarter that the work stays manual.

Who it is for

Cyber security analyst on a merchant or commerce-platform security team. Already comfortable reading logs, writing basic queries, and triaging alerts in a SOAR or SIEM. Wants to move from running other people's detections to owning the detection portfolio for a slice of the platform. Expected to defend each rule to incident response, on-call peers, and a PCI assessor.

Who this is NOT for. Not a beginner SOC analyst course. Not a generalist blue-team primer. Not a managerial detection-program course. Not for analysts in environments without cardholder data, merchant traffic, or customer-trust pressure where checkout abuse is the primary loss vector.

How it arrives

Text-based course in the Art of Service learning environment, plus downloadable detection-as-code templates, runbook skeletons, threat-model and coverage-map worksheets, plus the hand-built implementation playbook delivered alongside course access.

Time investment. About six to ten hours per module across reading, working the templates against your own environment, and producing the module artefact. Roughly eighty to one hundred and twenty hours end to end. The artefacts produced are the work products you would have built on the job, compressed into a structured sequence.

Why $199 is the right number

SANS detection-engineering tracks cover similar ground at five-figure prices and rarely scope down to merchant-platform reality. Vendor-led SIEM certifications teach the query language but not the engineering discipline. Generalist blue-team courses teach triage, not portfolio ownership. Free community resources (Sigma HQ, MITRE ATT&CK, detection-engineering blogs) are excellent reference material but do not assemble into a defendable portfolio without a guiding structure. This course brings the structure, the templates, and the merchant-platform context together at 199 USD.

FAQ

Do I need to be a senior analyst already?
No. The course assumes comfort reading logs, writing basic queries, and triaging alerts. It does not assume you have written production detections before. By module five you will have.
Which SIEM does the course assume?
Sigma is used as the portable detection format throughout. Examples translate to Splunk SPL, Elastic ES|QL, Sentinel KQL, and Chronicle YARA-L. The engineering discipline carries across platforms; the syntax adjusts.
Is this course PCI-DSS compliant material?
It teaches you to produce detections and runbooks that contribute evidence to a PCI-DSS assessment. It is not a PCI certification course and does not substitute for the QSA's report. It will make your QSA's job materially easier.
How tailored is the implementation playbook?
Hand-built per buyer against the role context shared at purchase. For a merchant-platform SecOps analyst it will scope to your detection portfolio, your stack, and the abuse patterns most relevant to your storefront and checkout flow.
What if it is not the right fit?
Thirty-day money-back guarantee, no questions on the work product you produced in that time.

30-day money-back guarantee. If after a week of working through the materials this is not what you needed, reply to the receipt email and a full refund is processed. No questions, no forms.

Within 24 hours your account in the learning environment is provisioned and the tailored implementation playbook is delivered alongside it.