The Senior Technical Security Analyst Detection Engineering Course

$199.00

A focused course, tailored for you

Turn raw cloud and identity telemetry into high-signal detections that the on-call queue can actually act on, with playbooks the next analyst can read at 2am.

Your detection backlog is full of rules someone wrote a year ago against a threat model that has since changed, and every false positive on the on-call queue is time you do not get back.

$199 one-time
Tailored to your situation. Access within 24 hours. 30-day money-back.

Includes a hand-built implementation playbook delivered alongside course access, generated for your specific situation.

Why this course

A senior technical security analyst sits at a specific seat. The triage queue is yours. The post-incident writeup is yours. The detection backlog is yours. The merchant-side identity anomaly that fired three times this morning is the same one that fired last week, because nobody had time to retune the rule between pages. The new threat-intel report on session-token theft against e-commerce checkouts landed on Friday and the question in the channel is whether your current detections would catch it. The honest answer is that the rule logic was written against a different telemetry shape and nobody is sure. Detection engineering is the skill that closes this gap: writing hypotheses against real adversary behaviour, building queries against the telemetry you have rather than the telemetry you wish you had, tuning on real noise, and wrapping the whole thing in a runbook the next analyst on rotation can run cold. This course teaches that skill end to end, with templates a working analyst can use the same week.

What you walk away with

  • Write threat-informed detection hypotheses that map to specific adversary behaviours and the telemetry that would reveal them.
  • Build queries against identity, cloud, and host telemetry that fire on real activity and stay quiet on documented noise.
  • Tune detections against a stated noise budget so the on-call queue stops eating analyst time.
  • Author runbooks that the next analyst on rotation can run cold, including triage steps, escalation criteria, and a clear close-out path.
  • Run detections as code in a git repository with peer review, version history, and a retirement path when data shape changes.

The 12 modules

Module 1. The senior analyst seat and why detection engineering belongs here
Frames the work from the seat of a senior technical security analyst carrying triage, writeups, and the detection backlog. Names the specific failure modes that detection engineering as a discipline is designed to close: rules drifting from the current threat model, runbooks that only the original author can read, and false-positive rates that the on-call queue silently absorbs. Sets the working method the rest of the course teaches.
Module 2. Threat-informed hypothesis writing
Walks through turning a piece of threat intelligence, a red-team finding, or an incident lesson into a written hypothesis of the form a detection can be built against. Covers naming the adversary behaviour, the telemetry source that would reveal it, the expected signal shape, and the noise hypothesis up front. Includes a hypothesis template and worked examples against identity-attack and cloud-workload scenarios.
Module 3. Telemetry mapping for identity, cloud, and host
Catalogues the telemetry sources a senior analyst typically has access to, from identity-provider audit logs and cloud control-plane events through host endpoint telemetry to application logs. For each source the module names the fields that matter for detection work, the latency and completeness characteristics, and the common gaps. Gives a working data-availability checklist to run before writing any query.
Module 4. Query patterns for identity detections
Goes deep on detection query patterns against identity telemetry: impossible-travel logic that survives mobile-VPN false positives, session-token reuse detection across user agents, privileged-role assignment outside change windows, and OAuth grant anomalies. Each pattern is shown as a query skeleton with the tuning levers named, plus the runbook outline the analyst on call would need.
Module 5. Query patterns for cloud and workload detections
Walks through query patterns against cloud control-plane and workload telemetry: IAM-policy drift, unusual cross-region API activity, container-runtime anomalies that suggest living-off-the-land behaviour, and storage-egress patterns that suggest data theft. Each pattern names the cloud-provider log source it depends on and the noise sources that have to be handled in tuning.
Module 6. Noise budgets and tuning loops
Introduces the noise-budget concept: a stated false-positive rate the detection is allowed to produce before it gets retuned or retired. Walks through the tuning loop of measuring current rate, classifying the noise, deciding whether to suppress, refine, or split, and updating the runbook to reflect the new behaviour. Includes a tuning-log template the team can keep in version control.
Module 7. Runbook structure that survives a handover
Teaches a runbook structure designed for the case where the analyst on call is not the analyst who wrote the detection. Names the sections that have to be there: triage steps with explicit decision points, evidence-collection checklist, escalation criteria with named on-call roles, and close-out conditions. Includes a runbook template plus three worked runbooks against the detections from earlier modules.
Module 8. Detection-as-code in git with peer review
Moves detection authoring into a git repository: directory structure that scales past 100 detections, naming conventions, pull-request review checklists, change-history hygiene, and a release pattern that lets detections move from development into production with a tested tuning state. Includes the CI-style checks that should run on every PR and the review prompts a peer reviewer should answer.
Module 9. Metrics that show the queue is getting shorter
Defines the small set of metrics a detection-engineering programme should track: true-positive rate per detection, time-to-triage, time-to-close, recurring-noise detections, and detections retired versus authored each cycle. Shows how to instrument these from the SIEM or detection platform, how to present them to a security leader, and how to use them to argue for time on the detection backlog rather than only on incidents.
Module 10. Retiring detections when the data shape changes
Treats detection retirement as a first-class operation. Walks through how to spot when a detection has stopped working because the underlying telemetry shape changed, how to retire it cleanly without leaving silent blind spots, and how to record the retirement so future analysts know why coverage was removed. Includes a retirement checklist and a worked example against a cloud log-format change.
Module 11. Working with threat intel and red-team feedback as inputs
Builds the input side of the detection-engineering loop: how to consume external threat intelligence, internal red-team output, and post-incident lessons in a way that produces written hypotheses rather than ad-hoc one-off rules. Includes a weekly intake template and a triage rubric for deciding which inputs are worth turning into detections this cycle.
Module 12. Building a personal detection-engineering practice
Closes the course by stepping back from individual detections to the analyst's own working practice. Covers the weekly cadence that keeps the detection backlog moving, the writing habits that produce runbooks other analysts can read, the way to keep current with adversary behaviour without drowning in feeds, and the conversations to have with the rest of the team about where detection engineering sits next to incident response and threat hunting.
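
As an added illustration of what Modules 4 and 6 describe, and not course material or an Art of Service template, the following Python runs two of the Module 4 identity query patterns (impossible travel with a suppression lever for a documented mobile-VPN egress, and session-token reuse across user agents) and then one pass of the Module 6 noise-budget tuning loop over a small constructed set of identity-provider login events. The event fields, the `egress_label` enrichment, the 1000 km/h speed threshold and the 20% noise budget are assumptions made for the example, not values the course specifies.

```python
"""Added example: identity detection skeletons plus a noise-budget check,
run over constructed login events (no real telemetry)."""
from collections import defaultdict
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt


@dataclass(frozen=True)
class LoginEvent:
    ts: int             # unix seconds
    user: str
    session_id: str     # session token identifier
    user_agent: str
    ip: str
    lat: float
    lon: float
    egress_label: str   # assumed enrichment, e.g. "corp" or "mobile-vpn"


# Constructed sample events; coordinates are rough city centres.
EVENTS = [
    LoginEvent(0,    "alice", "s-1", "Chrome/120 Win",  "203.0.113.5",    51.5,   -0.1, "corp"),
    LoginEvent(600,  "alice", "s-1", "Chrome/120 Win",  "203.0.113.5",    51.5,   -0.1, "corp"),
    # alice again 10 minutes later from ~5,500 km away: a true positive
    LoginEvent(1200, "alice", "s-2", "Chrome/120 Win",  "198.51.100.9",   40.7,  -74.0, "corp"),
    # bob's phone hops between VPN egress cities: a documented noise source
    LoginEvent(0,    "bob",   "s-3", "Safari iOS",      "192.0.2.20",     48.9,    2.4, "mobile-vpn"),
    LoginEvent(900,  "bob",   "s-3", "Safari iOS",      "192.0.2.21",     52.5,   13.4, "mobile-vpn"),
    # carol's session token is presented under a second user agent
    LoginEvent(0,    "carol", "s-4", "Firefox/121 Mac", "203.0.113.77",   37.8, -122.4, "corp"),
    LoginEvent(300,  "carol", "s-4", "curl/8.4",        "198.51.100.200", 37.8, -122.4, "corp"),
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two lat/lon points."""
    p1, p2 = radians(lat1), radians(lat2)
    a = (sin(radians(lat2 - lat1) / 2) ** 2
         + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * asin(sqrt(a))


def impossible_travel(events, max_kmh=1000.0, suppressed_labels=frozenset()):
    """Flag consecutive logins by one user whose implied speed exceeds max_kmh.
    suppressed_labels is the tuning lever: egress labels whose hops are
    classified as documented noise (e.g. a mobile-VPN provider)."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e.user].append(e)
    findings = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e.ts)
        for prev, cur in zip(evs, evs[1:]):
            if {prev.egress_label, cur.egress_label} & suppressed_labels:
                continue
            km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            kmh = km / max(cur.ts - prev.ts, 1) * 3600   # guard against dt == 0
            if kmh > max_kmh:
                findings.append({"detection": "impossible_travel", "key": user,
                                 "kmh": round(kmh), "ips": (prev.ip, cur.ip)})
    return findings


def session_reuse(events):
    """Flag a session token presented under more than one user-agent string."""
    agents, owner = defaultdict(set), {}
    for e in events:
        agents[e.session_id].add(e.user_agent)
        owner[e.session_id] = e.user
    return [{"detection": "session_reuse", "key": sid, "user": owner[sid],
             "agents": sorted(uas)}
            for sid, uas in sorted(agents.items()) if len(uas) > 1]


def noise_budget_check(findings, analyst_fp_keys, budget_fp_rate):
    """Measure the false-positive rate from analyst verdicts and decide
    whether the detection stays inside its noise budget. Returns (rate, action)."""
    if not findings:
        return 0.0, "keep"
    fps = sum(1 for f in findings if f["key"] in analyst_fp_keys)
    rate = fps / len(findings)
    return rate, ("keep" if rate <= budget_fp_rate else "retune")


def tune_impossible_travel(events, analyst_fp_keys, budget_fp_rate=0.2):
    """One pass of the tuning loop: measure, classify the noise by egress label,
    suppress, re-measure. Returns a tuning-log style entry."""
    before = impossible_travel(events)
    rate_before, action = noise_budget_check(before, analyst_fp_keys, budget_fp_rate)
    if action == "keep":
        return {"rate_before": rate_before, "rate_after": rate_before,
                "suppressed": set(), "findings": before}
    tp_users = {f["key"] for f in before} - set(analyst_fp_keys)
    fp_labels = {e.egress_label for e in events if e.user in analyst_fp_keys}
    tp_labels = {e.egress_label for e in events if e.user in tp_users}
    suppress = fp_labels - tp_labels      # never suppress a label a true positive needs
    after = impossible_travel(events, suppressed_labels=suppress)
    rate_after, _ = noise_budget_check(after, analyst_fp_keys, budget_fp_rate)
    return {"rate_before": rate_before, "rate_after": rate_after,
            "suppressed": suppress, "findings": after}


if __name__ == "__main__":
    # Analyst verdict from triage: bob's hop was the VPN, alice's was real.
    print(tune_impossible_travel(EVENTS, analyst_fp_keys={"bob"}))
    print(session_reuse(EVENTS))
```

The suppression in `tune_impossible_travel` only removes egress labels that no true positive depends on, which is the "suppress, refine, or split" decision Module 6 describes made explicit in code; in a real pipeline the returned entry is what would be committed to the tuning log alongside the rule change.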

How this addresses your situation

Specific modules that map to what you said you are dealing with.

The on-call queue is full of repeat false positives from a small number of stale detections.
A new threat-intel item lands and the team cannot quickly answer whether existing coverage would catch it.
The runbook for a critical detection is in one analyst's head and nobody else on rotation can run it cold.
The detection backlog keeps growing because there is no shared method for moving items from hypothesis to production.

What you get with this course

  • Twelve written modules covering threat-informed hypothesis writing, query patterns, tuning, runbook structure, detection-as-code, metrics, and retirement.
  • Hypothesis, query-skeleton, runbook, tuning-log, and retirement-checklist templates as downloadable files.
  • Worked examples for identity, cloud, and host detection patterns.
  • The hand-built implementation playbook keyed to the telemetry surface you describe at checkout.
  • 30-day money-back guarantee.

What you will have in hand by Day 1, Week 1, Month 1

Within 24 hours: account in the Art of Service learning environment is provisioned and the hand-built implementation playbook is delivered alongside it.

Weeks 1 to 2: hypothesis writing and telemetry mapping modules, applied against your current telemetry sources.

Weeks 3 to 4: query patterns for identity, cloud, and host detections, including tuning against your stated noise budget.

Weeks 5 to 6: runbook authoring, detection-as-code workflow, and metrics instrumentation.

Weeks 7 to 8: retirement workflow, threat-intel intake practice, and personal-practice consolidation.

Before and after

Before

The detection backlog grows, on-call analysts re-litigate the same false positives every week, and runbooks live in the head of whoever wrote them.

After

Detection authoring follows a written method, the on-call queue is measurably shorter, and any analyst on rotation can pick up a runbook cold and run it to close-out.

What happens if you do not address this

Detection drift compounds quietly. Each new threat-intel item that the team cannot quickly map to existing coverage becomes an unanswered risk question, and each stale rule that keeps firing trains the on-call analysts to ignore the queue. Both costs land on the senior technical seat first.

Who it is for

You are a senior technical security analyst working a real triage queue against real cloud and identity telemetry. You write detections, you tune them, you carry the pager, you write the post-incident notes, and you are increasingly the person the team turns to when a new threat-intel item lands and someone has to decide whether existing coverage would catch it. You want a working method for detection engineering that does not depend on a single SIEM vendor and does not assume a 30-person team behind you.

Who this is NOT for. Not for a SOC manager looking for a coverage dashboard, not for a CISO building a detection programme from a blank sheet, and not for an analyst whose day is purely consuming vendor-shipped rules without authoring or tuning any.

How it arrives

Text-based course in the Art of Service learning environment, plus downloadable query, runbook, tuning-log, and retirement-checklist templates for every module, plus the hand-built implementation playbook delivered alongside course access.

Time investment. About four to six hours per module, working at the pace of a real triage queue. Most senior analysts complete the twelve modules across six to eight weeks while continuing to carry on-call duties.

Why $199 is the right number

Vendor-specific SIEM training teaches the tool but not the method, and assumes the rules you write today will still fit the data shape next quarter. Conference talks give you ideas but no working templates. This course is built around the method a senior technical analyst owns: hypothesis to detection to runbook to retirement, with the templates and the per-buyer playbook a working seat needs.

FAQ

Is this tied to a specific SIEM or detection platform?
No. The query patterns are taught as logical skeletons against named telemetry sources. The downloadable templates are platform-agnostic and translate cleanly to the major SIEM and detection-as-code platforms.
How is this different from a threat-hunting course?
Threat hunting is iterative search against telemetry, often led by a hypothesis but not necessarily producing a durable detection. Detection engineering is the discipline of turning the hunt findings into tuned, runbooked, version-controlled detections that the on-call queue can act on without the original author present.
Does the per-buyer playbook get built around my actual telemetry?
Yes. At checkout you describe the telemetry surface you work with. The hand-built implementation playbook is keyed to that surface, with the query skeletons and runbooks adapted to the log sources and platform conventions you actually have.
What level of seniority is assumed?
Senior technical analyst level. You should already be comfortable writing queries against at least one SIEM or log platform and carrying triage responsibilities. This course teaches the engineering discipline around that, not the basics of log analysis.

30-day money-back guarantee. If after a week of working through the materials this is not what you needed, reply to the receipt email and a full refund is processed. No questions, no forms.

Within 24 hours your account in the learning environment is provisioned and the tailored implementation playbook is delivered alongside it.