How to Learn from This Course
You've read the course structure and the exam mapping. Now you need to know how the course actually works: why it's text-based, what prerequisite knowledge it assumes, how fast to move through the material, and how to navigate modules out of order when your job requires a specific skill before you reach it in the progression.
Why text, not video
Security operators read documentation during incidents and deployments. They don't watch videos. When you're configuring a conditional access policy at 10 PM during a maintenance window, you read the configuration guide, copy the PowerShell command, and verify the output. When you're investigating AiTM phishing and need a cross-product KQL query, you read the query pattern, adapt it to your tenant, and run it. The format of this course matches the format of the job.
Video courses have a structural problem for security operations training: they age instantly. Microsoft updates the Defender XDR portal layout every few months. A video recorded in January shows navigation that doesn't exist by April. The instructor says "click the button in the upper right corner," but Microsoft moved it to a sidebar three months later. Text updates in minutes. A description that says "navigate to Microsoft Sentinel, then Analytics, then Active rules" remains accurate even when the exact pixel position of those menu items changes. KQL queries are entirely version-independent. The query language specification doesn't change when Microsoft redesigns the portal chrome.
Text also gives you something video cannot: searchable reference during real incidents. When you're investigating a live compromise at 2 AM and need the cross-product correlation query pattern from Module 12, you search the text, find the query, read the annotation, and adapt it. Try doing that with a 40-minute video. You would spend 10 minutes scrubbing for the 30-second segment where the instructor typed the query, and by the time you find it, the table name has changed.
Figure 0.3 — Every section teaches the concept first, shows a concrete example, has you apply it in your environment, then explains what the output means.
The harder advantage of text is the honesty it forces on you. Video keeps playing whether you understand the content or not. You can watch 40 minutes, nod along, and finish feeling like you learned something. Research from TechSmith's 2024 survey shows 83% of learners prefer video for instructional content, and retention studies consistently show higher recall rates for video than for text. That research is real. For general knowledge transfer, video works well. The reason this course uses text anyway is specific to security operations: the job requires precise recall of query syntax, configuration parameters, and investigation procedures under time pressure, and the reference pattern matters more than the initial learning pattern. An analyst who watched a video about AiTM investigation remembers the concept. An analyst who read and practiced the KQL queries can pull them up, modify them, and run them during a live incident. The searchability and reference usability of text content outweigh the initial retention advantage of video specifically because security operations is a reference-heavy discipline.
There is also a cognitive honesty argument that the retention research obscures. Video completion rates look impressive because the content keeps playing even when attention wanders. Long-form learning modules have completion rates around 20%, while short video modules reach 80%. But completion measures whether someone finished, not whether they learned. Text stops you cold the moment you lose the thread. If you cannot parse the next paragraph, you know immediately. That discomfort is the point. When you finish a section and can explain what you read, you actually learned it.
Interactive labs
Six interactive components run in your browser throughout the course, placed at the exact point in the content where you need to apply what you just learned. Parameter sandboxes let you adjust detection thresholds and observe the impact on false positive rates in real time. Alert simulators present realistic triage queues where you classify alerts based on the evidence presented, with branching outcomes based on your decisions. Investigation engines walk you through multi-step investigations where your choices determine the investigation path and the evidence you collect. Terminal simulators let you practice volatile evidence collection commands in a safe environment before executing them against a real system.
All interactive labs run entirely in the browser with no separate environment to configure, no virtual machines, and no cloud credits to manage. Lab data is simulated and clearly labeled with a demonstration notice. The simulation is pedagogical: it lets you practice the decision-making and query construction before working with real data. When you are ready to work with production telemetry, you run the same queries in your own Sentinel workspace. The transition from simulated labs to real investigation is seamless because the queries, the tables, and the investigation methodology are identical.
Prerequisite knowledge
Before starting Module 1, verify four areas. If more than one is unfamiliar, spend time on the prerequisite resources before continuing. These prerequisites are for self-assessment, not gates. If you're uncertain whether you meet them, start Module 1 anyway. The first few sections will tell you whether the assumed knowledge is solid enough to support the pace.
Networking. You understand IP addresses, DNS, TCP ports (443 for HTTPS, 25 for SMTP), and what a VPN does. You don't need to be a network engineer. When the course says "the attacker signed in from IP 203.0.113.47 on port 443," you need to know what that means. When Module 12 shows a sign-in from a geo-location that doesn't match the user's normal pattern, you need to understand why an IP address in a different country is suspicious. When Module 14 discusses token replay from a different IP, you need to understand that IP addresses identify network locations and that two simultaneous sessions from different IPs suggest two different devices. CompTIA Network+ covers this. So does any introductory networking course. The level required is conceptual, not implementation-level.
Identity. Authentication versus authorization. What multi-factor authentication is and why bypassing it matters. You've heard of Active Directory and understand it stores user accounts, groups, and computer objects. You know what a password hash is at a conceptual level: a one-way transformation that can be verified but not reversed. The course uses Entra ID (Microsoft's cloud identity platform, formerly Azure AD) extensively. Module 12's AiTM investigation traces authentication flows through Entra ID, and Module 14's token investigation examines session token lifetimes and refresh token behavior. If you've administered user accounts in any directory service, you have enough background. If "authentication" and "authorization" are unfamiliar terms, start with Microsoft's SC-900 learning path, which covers identity concepts in about four hours.
M365. You know Microsoft 365 includes Exchange Online, SharePoint, Teams, and Entra ID. You've used at least one as an administrator or end user. You know the admin center exists at admin.microsoft.com. If you've managed mailboxes, created users, or configured any M365 service, you have this prerequisite. SC-900 or CompTIA Security+ provides more than enough background.
Operating systems. You can navigate a Windows file system, understand what a process is, and know the difference between a user-mode application and a system service. You've seen PowerShell, even if you haven't written scripts. Module 2 examines process trees in Defender for Endpoint device timelines, which requires understanding that a process has a parent process, that processes load DLLs, and that services run with specific privilege levels. You don't need to be a Windows internals expert. You need to understand the vocabulary. Linux experience is not required.
Nothing else is required. No programming, no incident response background, no red team knowledge. Every concept is explained at first use. If you've completed CompTIA Security+ or SC-900, you already understand phishing, malware, encryption, and least privilege, and will move through early modules faster. If not, the course introduces those concepts when they become relevant.
Study cadence
The course is self-paced. No cohorts, no deadlines, no streaks. Work at the pace that produces retention for you. The recommended cadence for someone studying alongside a full-time role is five to eight hours per week, which produces consistent progress through one to two modules per week. That cadence works because it leaves time between sessions for consolidation. Memory research consistently shows that spaced practice produces better long-term retention than massed practice.
Five modules in the first week feels productive. By week three, the motivation is gone and the course is abandoned. Two to three sections per session, three sessions per week, is sustainable. If you find yourself reading without comprehension, stop for the day. Fatigue produces reading without learning, and in security operations, false confidence in skills you have not built is worse than knowing you still need to learn them.
Phase timing at five to eight hours per week:
Phase 1 (Modules 0-1): one to two evenings. Module 0 is orientation and lab setup. Module 1 covers the Defender XDR unified portal. Budget two to three hours for the investigation exercises in Module 1.
Phase 2 (Modules 2-5): two to three weeks. Four modules covering Defender for Endpoint, Purview, Defender for Cloud, and Security Copilot. Module 4 (Defender for Cloud) is the densest.
Phase 3 (Modules 6-11): three to four weeks. Six modules covering Sentinel operations. Module 6 (KQL) and Module 10 (detection engineering) are the most intensive. Plan extra time for both.
Phase 4 (Modules 12-16): three to four weeks. Five complete investigation scenarios. Plan a full weekend or several evenings for Module 12 (AiTM credential phishing), which is the most complex single investigation.
Full course: ten to sixteen weeks. Deploy every artifact. A KQL query you read and understand is knowledge. A KQL query running as an analytics rule in your Sentinel workspace is security capability.
Non-linear navigation
After completing Phase 1, you can navigate modules in modified order within dependency constraints. The dependency map:
Module 6 (KQL) is required before any module that uses KQL queries, which is every module from Module 7 onward. Modules 7 (Sentinel workspace) and 8 (data connectors) are required before Module 10 (detection engineering). The Phase 4 investigations (Modules 12-16) require Phases 2 and 3 as prerequisites.
Within those constraints, you have flexibility. If your immediate need is investigation capability, prioritize M0, M6, M1, M7, M8, M12. If your need is detection engineering, prioritize M0, M6, M7, M8, M10, M11. If you need to pass the SC-200 quickly, focus on Domain 1 modules first (M1, M6, M7, M8, M10) since Domain 1 carries 40-45% of the exam weight.
If you already have KQL experience from production work or another course, skim Module 6 and focus on the M365-specific table knowledge and query patterns. If you already manage a Sentinel workspace, skim Modules 7 and 8 and focus on Module 10. The "You Already Know" anchor at the top of every section tells you what prior knowledge is assumed so you can decide whether to read or skip.
Every module produces something you can use immediately. Module 1 teaches investigation methodology that improves your alert triage today. Module 6 gives you KQL fluency you can use in production the same day. Module 7 teaches workspace architecture decisions that reduce your Sentinel costs. Module 10 produces detection rules running in your workspace. You do not need to complete the entire course before the training starts paying off.
Security Operations Principle
Module 6 (KQL) is the single highest-leverage module in the course. Every module after it writes KQL for investigation, detection, or hunting. If you have limited study time and need to prioritize, complete Module 6 first. A practitioner who is fluent in KQL and weak on Defender for Cloud configuration is more operationally valuable than a practitioner who knows every Defender product name but can't write a query.