Skip to main content
Image coming soon

The Senior Security Analyst Merchant-Trust Detection Playbook

$199.00
Adding to cart… The item has been added

A focused course, tailored for you

The Senior Security Analyst Merchant-Trust Detection Playbook

How a senior analyst at a high-volume commerce platform turns checkout fraud, account-takeover, and PII-leak signals into a defensible detection portfolio.

You own detections that sit between fraud, trust, app-platform, and PII teams. Nobody else has the full picture, and the runbooks for those rules are half-finished. This is the course that turns that ambiguous portfolio into the work that gets you to staff.

$199 one-time
Tailored to your situation. Access within 24 hours. 30-day money-back.

Includes a hand-built implementation playbook delivered alongside course access, generated for your specific situation.

Why this course

A senior security analyst at a high-volume commerce platform sits at an awkward intersection. Checkout fraud detections belong half to security and half to merchant-risk. Account-takeover signals belong half to security and half to the trust org. Third-party app-platform abuse belongs half to security and half to whoever runs the app review pipeline. Buyer PII exposure belongs to security, legal, and the data-protection function depending on the jurisdiction.

The analyst who can write a detection rule, define what a true positive means in plain English, agree the runbook with the operational team that will actually triage the alert, and review the rule against real chargeback and incident outcomes one quarter later, is the analyst who gets paged first when a real incident lands. The analyst who only writes the rule and hands it over the wall ends up watching their detections get muted because nobody downstream knows what to do with them.

This course is the written method for the first analyst. It covers the twelve specific moves that turn an ambiguous cross-team detection into a defensible portfolio you can point at in a staff-engineer or principal-analyst conversation. Not generic SOC analyst content. Specifically the merchant-trust intersection inside a commerce platform.

What you walk away with

  • Frame any cross-team detection (checkout fraud, ATO, app abuse, PII leak) in a one-page threat model the neighbouring team will actually sign off on.
  • Write the detection rule with a plain-English true-positive definition the downstream triage team can use without paging you.
  • Build a runbook the merchant-risk, trust, or platform ops team will execute at three in the morning, not push back on.
  • Run a quarterly review of every detection against real chargeback, ATO, and incident outcomes, and retire the rules that did not earn their keep.
  • Carry a portfolio of five to seven defensible cross-team detections into a staff or principal conversation, with the evidence trail to back each one.

The 12 modules

Module 1. The merchant-trust intersection in a commerce platform
Maps the four neighbouring teams a senior security analyst at a commerce platform interacts with on detection work: merchant-risk operations, trust and safety, app-platform review, and buyer-PII handling. Names the artefacts each team produces (chargeback queues, account-action queues, app review tickets, data-subject requests) and shows where your detections need to plug into theirs. The module ends with a one-page boundary diagram you fill in for your own org.
Module 2. Threat-modelling a checkout-fraud detection without a fraud team
Walks through threat-modelling a single checkout-fraud pattern (rapid card-cycling across newly onboarded merchants) without waiting for fraud to lead. Covers attacker goal, observable signal, data sources you actually have access to, false-positive scenarios from legitimate merchant behaviour, and the buy-in conversation with merchant-risk. Ends with the threat-model artefact written in language merchant-risk reads without flinching.
Module 3. Writing the rule and defining true-positive in plain English
Takes the threat model from module two and writes the detection rule against the platform's own log schema. Covers how to define true-positive in a sentence anyone in the triage path can read, how to define hard false-positive so the rule self-mutes on known good behaviour, and how to version the rule so the next analyst can see what changed and why. Worked example: card-cycling rule with three iterations against synthetic logs.
Module 4. Account-takeover detections at platform scale
Senior analysts at commerce platforms inherit ATO detection work that spans buyer accounts, merchant staff accounts, and partner-developer accounts, each with different session models and different recovery flows. The module walks through writing one ATO detection per population, the signal differences across them, and the explicit handoff conversation with the trust team about who actions which alert.
Module 5. Third-party app-platform abuse detections
Storefront apps, partner-developer integrations, and embedded checkout extensions are a detection surface that nobody owns cleanly. This module covers the four common abuse patterns (token-scope creep, data-exfil-on-uninstall, abusive review-bombing, payments-rail bypass), how to write detections against the platform's own API logs, and how to negotiate the runbook with app-platform ops without ending up owning the triage yourself.
Module 6. Buyer-PII exposure and the data-protection conversation
PII-exposure detections sit between security, legal, and data-protection officers. The module covers writing detections for the three common leak patterns at a commerce platform (over-permissioned merchant app data scopes, mis-scoped support tooling, accidental indexing of preview storefronts), and the structured conversation with legal and DPO so the runbook does not collapse into legal review every time the rule fires.
Module 7. The runbook handoff that does not bounce back
Detections that have no runbook get muted within a quarter. The module covers the runbook template a senior analyst writes once per detection, the explicit decision tree for the triage team, the named escalation contact when the runbook does not cover the situation, and the review meeting where the runbook gets signed off so the analyst is not pulled in on every alert.
Module 8. Quarterly detection review against real outcomes
Every quarter a senior analyst reconciles every active detection against the chargeback ledger, the ATO incident log, the app-platform abuse cases, and the PII-incident register. The module walks through pulling those four outcome datasets, joining them to detection-fire events, and producing the quarterly review document that proves which detections earned their keep and which should be retired.
Module 9. Working with the SOC and incident response on shared signal
Cross-team detections often fire into the SOC queue and the merchant-trust queue at the same time. The module covers the duplicate-alert problem, the explicit ownership matrix the senior analyst writes to settle who actions first, and the post-incident review template that makes the matrix the durable artefact (not a Slack agreement that gets relitigated every quarter).
Module 10. Tooling discipline (SIEM, detection-as-code, log warehouse)
Senior analysts work across the SIEM, a detection-as-code repo, a query warehouse, and the platform's own internal admin tooling. The module covers the tooling discipline that keeps a detection portfolio coherent across all four: where the canonical rule lives, where the runbook is linked, how a change in one tool gets reflected in the others, and the on-call rotation handover format.
Module 11. Writing the detection portfolio document
Builds the artefact a senior analyst takes into a staff-engineer or principal-analyst conversation: a single document listing every active cross-team detection, the threat model behind it, the runbook owner, the quarterly outcome data, and the case for why this is staff-level work. Worked example: a five-detection portfolio across fraud, ATO, app-abuse, and PII.
Module 12. The staff or principal conversation
Senior analysts who want a staff or principal level conversation in the next twelve to eighteen months need to lead with the portfolio, not with tooling or incident-count metrics. The module covers the structured conversation with your skip-level: the framing of your detection portfolio as platform-level work, the evidence trail from the quarterly reviews, and the specific asks that turn the conversation into a development plan rather than a wait-and-see.

How this addresses your situation

Specific modules that map to what you said you are dealing with.

A new checkout-fraud pattern hits the queue and merchant-risk asks who owns the runbook.
An ATO wave lands on partner-developer accounts and the trust team is unsure whether the detection is yours or theirs.
A storefront app is suspected of exfiltrating order data on uninstall and app-platform ops needs the detection in 48 hours.
The quarterly chargeback review shows two of your detections did not catch a single confirmed fraud case all quarter.

What you get with this course

  • Twelve written modules, each with the worked artefact for the move it teaches.
  • The boundary-diagram template, the threat-model template, the detection-rule version log, and the runbook template as downloadable files.
  • A quarterly detection-review document template you fill in against your own outcome data.
  • The staff-level portfolio document template plus a worked example.
  • The hand-built implementation playbook produced for your account: your queue, your neighbouring teams, your on-call rotation.

What you will have in hand by Day 1, Week 1, Month 1

Within 24 hours your account in the learning environment is provisioned and the tailored implementation playbook is delivered alongside it.

Modules one through four are designed to be worked in week one alongside an active detection you already own.

Modules five through eight occupy weeks two and three and produce the runbook and quarterly-review artefacts.

Modules nine through twelve occupy weeks four through six and produce the portfolio document and the staff-level conversation prep.

Before and after

Before

You write detection rules that are technically clean. The runbooks are half-finished. Merchant-risk, trust, and app-platform ops each think one of the other teams owns the triage. Your quarterly review meeting is a tooling demo, not an outcomes conversation. Your staff-level case is a list of incident-counts.

After

You have a portfolio of five to seven cross-team detections, each with a one-page threat model, a runbook signed off by the operational team, a quarterly review against real chargeback and incident outcomes, and a portfolio document you can hand to your skip-level. The staff-level conversation becomes a development plan with named milestones.

What happens if you do not address this

Detections without runbooks get muted. Senior analysts who keep writing rules without owning the cross-team conversation end up doing the same work for three more years while a peer who owned the intersection moves to staff. The next promotion cycle is the deadline that matters.

Who it is for

Senior security analyst at a commerce, marketplace, or platform business with a high transaction volume, where checkout fraud, account-takeover, third-party app abuse, and buyer PII exposure all generate detection work and no single team owns the full signal. You write Sigma or platform-native detection rules, you sit in fraud and trust review meetings, you handle the awkward conversations about who triages an alert, and you are within twelve to eighteen months of a staff or principal conversation.

Who this is NOT for. Not for SOC tier-one analysts who have not yet written a detection rule end to end. Not for fraud or trust operations leads who do not write detections themselves. Not for application security engineers focused exclusively on code review and AppSec tooling rather than runtime detection on payment, identity, or platform signals.

How it arrives

Text-based course in the Art of Service learning environment, plus downloadable templates and worked examples for every module, plus the hand-built implementation playbook delivered alongside course access.

Time investment. Roughly six to eight hours per module, worked alongside live detections in your queue. Total commitment over four to six weeks of normal working time.

Why $199 is the right number

SANS detection-engineering courses cover rule-writing technique well but do not address the cross-team operational conversation a senior analyst at a commerce platform actually owns. Vendor SIEM training teaches the tool, not the threat-model or the runbook handoff. Internal staff-engineering reading lists cover platform engineering, not the security-analyst path. This course is the missing middle: the operational moves that turn detection writing into a defensible cross-team portfolio.

FAQ

Is this technical or operational?
Both. Each module covers the rule-writing or data-instrumentation work and the parallel conversation with the neighbouring team. The two are inseparable for a senior analyst at this level.
Will the implementation playbook reference real systems on my account?
Yes. The hand-built playbook is rebuilt for your actual queue, your actual neighbouring teams, and your actual on-call rotation. Delivered alongside course access.
What if my org does not have all four neighbouring teams (fraud, trust, app-platform, PII)?
The boundary diagram in module one is fill-in-the-blank. Smaller orgs have two or three of the four; the method is the same, the artefacts are produced for the teams you actually neighbour.
Is there a refund window?
Thirty-day refund on the course. The implementation playbook is hand-built per buyer, so refunds after the playbook is delivered are pro-rated against the work already done.

30-day money-back guarantee. If after a week of working through the materials this is not what you needed, reply to the receipt email and a full refund is processed. No questions, no forms.

Within 24 hours your account in the learning environment is provisioned and the tailored implementation playbook is delivered alongside it.