Threat Detection Engineering

Master Threat Detection Engineering

Design, build, and operationalise advanced detection capabilities that actually stop modern threats across on-prem and cloud environments.


What you'll be able to do

Build detection capabilities that move your security team from reactive alert triage to proactive threat detection
Respond to new threat advisories by developing, testing, and deploying validated detections
Develop and maintain detection capabilities and manage detection programs that meet organisational requirements with confidence
Manage the full detection lifecycle from development through tuning to retirement
Develop structured analytical techniques for detection engineering and security operations
SEC401 | Premium tier | 13 modules across 4 phases | 36–40 hours at your own pace | 40 CPE credits | 5 free preview lessons - no account needed | All tools free | Updated June 2026

Course overview

This Threat Detection Engineering course equips you with the practical skills to design, build, and operationalise high-fidelity detection capabilities that actually stop threats in cloud, on-prem, and hybrid environments. You'll work hands-on with industry tools including Microsoft Sentinel, Microsoft Defender XDR, and leading open-source technologies to:

Develop a sharp investigative mindset that turns alerts into actionable intelligence
Engineer, test, and deploy production-ready detections across your entire stack
Move from reactive monitoring to proactive, engineering-led threat detection and response

By the end, you'll have the confidence and capabilities to protect organisational assets at scale - exactly what modern security teams need from a true threat detection engineer.

Who this course is for

You're ready to move into (or level up in) threat detection engineering. Whether you're a SOC analyst, security engineer, or experienced defender, this course is designed for you if you want to:

Develop a sharp investigative mindset that turns raw alerts into actionable intelligence
Master how to design, build, and operationalise high-fidelity detection capabilities
Confidently analyse, deploy, and run detections that actually work across on-prem, cloud, and hybrid environments
Protect organisational assets with engineering-level precision instead of just monitoring

In short: if you want to stop being a passive alert triager and become the engineer who builds the detections that matter, this course is for you.

What you'll learn

By the end of this Threat Detection Engineering course you will be able to:

Assess your current defences against the real-world threat landscape and engineer high-fidelity detections that actually work
Apply the MITRE ATT&CK framework to build threat-informed, proactive detection strategies
Proactively hunt threats across networks, endpoints, cloud, and hybrid environments using advanced tools and techniques
Build complete visibility into hybrid, decentralised, and encrypted infrastructure
Design, analyse, and operationalise detections with Microsoft Defender XDR, Microsoft Sentinel, endpoint tools, and leading SIEM platforms
Secure identities, harden endpoints, and transform SOC operations from reactive monitoring to engineering-led threat detection

Key course takeaways

Build repeatable, high-fidelity detection strategies that work seamlessly across cloud, on-prem, network, and hybrid environments
Engineer and operationalise production-grade threat detection and response capabilities organisations can actually rely on
Apply threat-informed defense (MITRE ATT&CK) to continuously optimise and mature your security operations
Proactively identify, close, and eliminate protection gaps before attackers can exploit them
Maximise your existing tools and infrastructure - including Microsoft Sentinel, Defender XDR, and open-source solutions - for maximum detection impact
Transform your SOC from reactive alert triage into a proactive, engineering-driven threat detection powerhouse

Lab Pack - Threat Detection Engineering Toolkit

Downloadable lab pack covering the full detection engineering lifecycle. Realistic-volume evidence data across 8 Sentinel tables with all 6 attack chains buried in 14 days of legitimate noise, plus detection rules in 6 formats, a Sysmon configuration, threat model artifacts, and program management templates.

Evidence data (~3,500 entries): SigninLogs, AuditLogs, EmailEvents, DeviceProcessEvents, DeviceNetworkEvents, DeviceFileEvents, DeviceRegistryEvents, SysmonEvents with attack indicators hidden in baseline noise.

Detection rules (6 formats, ~80 files): 10 KQL rules, 10 Sigma rules, 5 YARA rules, 30+ auditd rules by tactic, 7 Suricata rules, 7 Velociraptor VQL hunts.

Program artifacts: ATT&CK coverage matrix (30 techniques), NE threat profile, detection-as-code Git structure, FP register with classification guide, 3 tuning case studies, Atomic Red Team test mapping, Sysmon config.

Threat Detection Engineering Lab Pack
~80 files · 6 rule formats · ~3,500 evidence entries · Sysmon config · ATT&CK coverage matrix

Things you need to know

What are the prerequisites for this course?

There are no prerequisites. The course teaches detection engineering from first principles. Familiarity with KQL syntax and the Microsoft security stack will help you move faster through the early modules, but neither is required. Every concept is explained at first use.

What are the device requirements?

A device with at least 8 GB of RAM. Access to a Microsoft 365 developer tenant (free) or a production Sentinel workspace for hands-on rule deployment. The lab pack provides synthetic data if you cannot use a live environment.

How will the course benefit your career?

Detection engineering is one of the fastest-growing disciplines in cybersecurity. Organisations need people who can build custom detection rules, not just triage vendor alerts. This course gives you the skills to write production detection rules, operate a detection-as-code pipeline, and measure detection coverage: capabilities that are directly applicable in detection engineering, SOC, threat hunting, and security operations roles.

The demand for engineers who can build and maintain detection programs continues to grow as organisations move beyond vendor-provided templates to custom, threat-informed detection.

Usage rights and disclaimer

Course materials: Licensed for individual professional development. You may deploy detection rules in your organisation's production Sentinel workspace. You may not redistribute course content or share account credentials.

Detection rules: Provided as-is for deployment. Test every rule against your environment's data before enabling in production.

Fictional environment: All scenarios use Northgate Engineering. Any resemblance to real organisations is coincidental.

Version and changelog

Current version: 2.0  |  Last updated: June 2026

June 2026 - v2.0: Course page restructured. Reference module rebuilt: 69-rule quick reference, field manual with 7 step-by-step procedures, references and further reading.

2026 - v1.0: Course launch. 13 modules (DE0–DE12). 71 production KQL detection rules. 6 attack chains.

This course is actively maintained.

COURSE ASSESSMENT

End of Course Exam

Complete the course, then prove your skills under time pressure. Pass mark: 70. Earn your certificate with CPE credits.

40 minutes · 3 phases · 100 points · 3 scenarios

Requires 80% course completion. One random scenario per attempt. Certificate issued on pass.