A focused course, tailored for you
The Senior Security Analyst Merchant-Trust Detection Playbook
How a senior analyst at a high-volume commerce platform turns checkout fraud, account-takeover, and PII-leak signals into a defensible detection portfolio.
You own detections that sit between fraud, trust, app-platform, and PII teams. Nobody else has the full picture, and the runbooks for those rules are half-finished. This is the course that turns that ambiguous portfolio into the work that gets you to staff.
Includes a hand-built implementation playbook delivered alongside course access, generated for your specific situation.
Why this course
A senior security analyst at a high-volume commerce platform sits at an awkward intersection. Checkout fraud detections belong half to security and half to merchant-risk. Account-takeover signals belong half to security and half to the trust org. Third-party app-platform abuse belongs half to security and half to whoever runs the app review pipeline. Buyer PII exposure belongs to security, legal, and the data-protection function depending on the jurisdiction.
The analyst who can write a detection rule, define what a true positive means in plain English, agree the runbook with the operational team that will actually triage the alert, and review the rule against real chargeback and incident outcomes one quarter later, is the analyst who gets paged first when a real incident lands. The analyst who only writes the rule and hands it over the wall ends up watching their detections get muted because nobody downstream knows what to do with them.
This course is the written method for the first analyst. It covers the twelve specific moves that turn an ambiguous cross-team detection into a defensible portfolio you can point at in a staff-engineer or principal-analyst conversation. Not generic SOC analyst content. Specifically the merchant-trust intersection inside a commerce platform.
What you walk away with
- Frame any cross-team detection (checkout fraud, ATO, app abuse, PII leak) in a one-page threat model the neighbouring team will actually sign off on.
- Write the detection rule with a plain-English true-positive definition the downstream triage team can use without paging you.
- Build a runbook the merchant-risk, trust, or platform ops team will execute at three in the morning, not push back on.
- Run a quarterly review of every detection against real chargeback, ATO, and incident outcomes, and retire the rules that did not earn their keep.
- Carry a portfolio of five to seven defensible cross-team detections into a staff or principal conversation, with the evidence trail to back each one.
The 12 modules
How this addresses your situation
Specific modules that map to what you said you are dealing with.
What you get with this course
- Twelve written modules, each with the worked artefact for the move it teaches.
- The boundary-diagram template, the threat-model template, the detection-rule version log, and the runbook template as downloadable files.
- A quarterly detection-review document template you fill in against your own outcome data.
- The staff-level portfolio document template plus a worked example.
- The hand-built implementation playbook produced for your account: your queue, your neighbouring teams, your on-call rotation.
What you will have in hand by Day 1, Week 1, Month 1
Within 24 hours your account in the learning environment is provisioned and the tailored implementation playbook is delivered alongside it.
Modules one through four are designed to be worked in week one alongside an active detection you already own.
Modules five through eight occupy weeks two and three and produce the runbook and quarterly-review artefacts.
Modules nine through twelve occupy weeks four through six and produce the portfolio document and the staff-level conversation prep.
Before and after
You write detection rules that are technically clean. The runbooks are half-finished. Merchant-risk, trust, and app-platform ops each think one of the other teams owns the triage. Your quarterly review meeting is a tooling demo, not an outcomes conversation. Your staff-level case is a list of incident-counts.
You have a portfolio of five to seven cross-team detections, each with a one-page threat model, a runbook signed off by the operational team, a quarterly review against real chargeback and incident outcomes, and a portfolio document you can hand to your skip-level. The staff-level conversation becomes a development plan with named milestones.
What happens if you do not address this
Detections without runbooks get muted. Senior analysts who keep writing rules without owning the cross-team conversation end up doing the same work for three more years while a peer who owned the intersection moves to staff. The next promotion cycle is the deadline that matters.
Who it is for
Senior security analyst at a commerce, marketplace, or platform business with a high transaction volume, where checkout fraud, account-takeover, third-party app abuse, and buyer PII exposure all generate detection work and no single team owns the full signal. You write Sigma or platform-native detection rules, you sit in fraud and trust review meetings, you handle the awkward conversations about who triages an alert, and you are within twelve to eighteen months of a staff or principal conversation.
How it arrives
Text-based course in the Art of Service learning environment, plus downloadable templates and worked examples for every module, plus the hand-built implementation playbook delivered alongside course access.
Time investment. Roughly six to eight hours per module, worked alongside live detections in your queue. Total commitment over four to six weeks of normal working time.
Why $199 is the right number
SANS detection-engineering courses cover rule-writing technique well but do not address the cross-team operational conversation a senior analyst at a commerce platform actually owns. Vendor SIEM training teaches the tool, not the threat-model or the runbook handoff. Internal staff-engineering reading lists cover platform engineering, not the security-analyst path. This course is the missing middle: the operational moves that turn detection writing into a defensible cross-team portfolio.
FAQ
30-day money-back guarantee. If after a week of working through the materials this is not what you needed, reply to the receipt email and a full refund is processed. No questions, no forms.
Within 24 hours your account in the learning environment is provisioned and the tailored implementation playbook is delivered alongside it.