A focused course, tailored for you
The Security Engineer's Detection Engineering Playbook
Turn a noisy SIEM and a backlog of half-tuned detections into a measured, peer-reviewed detection program with documented coverage.
You inherited a detection stack where the top 20 rules carry the rotation and the next 200 mostly auto-close. Coverage is asserted, not measured. Every red-team finding turns into a new rule nobody owns six months later.
Includes a hand-built implementation playbook delivered alongside course access, generated for your specific situation.
Why this course
Security engineers running detection in a large product environment carry a specific kind of debt. The SIEM has rules that fired three years ago for a threat that no longer applies, rules added after a tabletop that were never tuned, rules with no documented owner, and rules that overlap so heavily nobody can say which one actually catches a given technique. The coverage matrix in the wiki cites ATT&CK techniques the team hasn't tested against in months. The on-call rotation knows which rules to trust and which to mute, but that knowledge lives in private Slack threads. Leadership asks for a coverage number and gets a percentage that nobody on the team would defend in a deposition. The work to fix this is not glamorous. It is detection-as-code review discipline, false-positive budget tracking per rule, deprecation criteria, and a peer-review workflow that makes a new rule cheaper to add than to skip. The course is the operating manual for that work.
What you walk away with
- Run a measured, documented detection program where every active rule has an owner, a coverage statement, and a false-positive budget.
- Map your detection stack to ATT&CK in a way that a sceptical red team will accept, with gaps explicit and prioritised.
- Operate a detection-as-code workflow with peer review, version control, and a deprecation log that stops dead rules from accumulating.
- Cut alert volume on the worst-offender rules by 60 to 80 percent without losing coverage on the threats those rules were written for.
- Hand the on-call rotation a runbook that turns repeat incidents from a meeting into a rule update.
The 12 modules
How this addresses your situation
Specific modules that map to what you said you are dealing with.
What you get with this course
- Twelve written modules in the Art of Service learning environment.
- Rule inventory spreadsheet template with the columns the audit in Module 1 needs.
- Detection-as-code repo skeleton with CI lint, sample tests, and pull-request template.
- ATT&CK coverage heat map template, populated with worked examples.
- Rule review form, false-positive budget worksheet, and deprecation log template.
- Sigma-to-platform translation cheat sheet for Splunk, Elastic, and a generic SQL-style SIEM.
- On-call runbook template tied to the rule review process.
- Detection metrics dashboard mock-up with the supporting query patterns.
- Hand-built implementation playbook scoped to your stack and team size, delivered alongside course access.
What you will have in hand by Day 1, Week 1, Month 1
Account in the Art of Service learning environment provisioned within 24 hours of purchase.
Hand-built implementation playbook delivered alongside course access, scoped to your SIEM, EDR, and team size.
Two follow-up check-ins by email at week 2 and week 6 to surface blockers on the audit and the peer-review workflow.
Before and after
The rule estate is a pile. Top 20 rules carry the rotation. The rest auto-close. Coverage is a percentage nobody on the team would defend. New rules get added after every incident and never deprecated. The on-call rotation knows which rules to trust but that knowledge lives in private Slack threads. Leadership asks for a number and gets one that nobody really believes.
Every active rule has an owner, a threat statement, a false-positive budget, and a documented review date. The coverage heat map matches what a red team finds when they test. The peer-review workflow makes a new rule cheaper to add than to skip. On-call pages drive rule updates instead of meetings. The dashboard the security leader takes to a board review is one the team built and stands behind.
What happens if you do not address this
The rule estate keeps growing faster than the team can review it. Real attacks land on techniques the coverage matrix claims to cover. The on-call rotation burns out on auto-closing low-value alerts. The next red-team report or board-level review forces the program rebuild on a deadline rather than on a plan, and the rebuild gets handed to a vendor who does not know your stack.
Who it is for
Security engineers responsible for detection content in a high-volume, multi-platform environment. Typical context: a SIEM with hundreds to thousands of rules, an EDR platform, a cloud-native logging pipeline, an on-call rotation that has run for years, and a coverage story that needs to hold up to a board-level security review.
How it arrives
Text-based course in the Art of Service learning environment, plus downloadable templates and worked examples for every module, plus the hand-built implementation playbook delivered alongside course access.
Time investment. Roughly 12 to 16 hours of reading and template work across the twelve modules. The rule estate audit in Module 1 takes a working day for a mid-sized team. The detection-as-code repo set up in Module 2 takes one to two days including CI. Most engineers run the course over four to six weeks alongside normal duties.
Why $199 is the right number
Free blog posts cover detection-as-code at a conceptual level but not the rule review form, the false-positive budget worksheet, or the on-call to rule-update loop. Vendor whitepapers cover their own platform's rule library but not the workflow that keeps the estate honest. A consulting engagement to do the same work runs into five figures and leaves the team without the documented templates. The course delivers the templates, the workflow, and the implementation playbook scoped to your stack at 199 USD.
FAQ
30-day money-back guarantee. If after a week of working through the materials this is not what you needed, reply to the receipt email and a full refund is processed. No questions, no forms.
Within 24 hours your account in the learning environment is provisioned and the tailored implementation playbook is delivered alongside it.