Getting Your Employer to Pay
A Specialist subscription costs less than a single day of security consulting. Your team gets structured professional development that produces documented architecture decisions, tested detection rules, and validated security configurations — artifacts your organization keeps permanently.
Forward this page to your manager with one sentence: “This is a professional development subscription that produces operational security artifacts for our environment — detection rules, architecture documentation, and investigation playbooks. It costs less than one day of consultant time per year.”
Ridgeline subscriptions are commonly expensed as professional development, training, or continuing education. Annual subscriptions generate a single invoice suitable for expense reporting or purchase orders.
Common Questions
What's the difference between Premium and Specialist?
Premium gives you access to every course marked Premium — detection engineering, incident response, threat hunting, SOC operations, KQL, and more. Specialist adds advanced courses: M365 Security Architecture, Identity and Access Management, Purple Teaming, Applied Memory Forensics, and Advanced Windows Forensics. All subscribers get full access to the Incident Lab, Forensic Lab, Playbook Suite, and every platform feature. You can see which tier a course requires on its course page.
Can I try before subscribing?
Every course includes free modules you can read without an account. No signup required. Two complete courses are entirely free: Admin to Defender (8 modules) and AI for Security (11 modules). All reference tools are free. Read the content, run the exercises, and decide if the depth is right for your work.
What format is the content?
Written content only — no video. Annotated KQL code blocks with line-by-line explanation, SVG diagrams, worked investigation scenarios, knowledge checks, and downloadable assets. Written content is searchable, bookmarkable, and referenceable during live investigations at 2 AM. This is a reference library, not a lecture series.
What practice environments are included?
Every subscription includes three practice tools. The Incident Lab has 35 guided investigation scenarios where you triage alerts, write KQL queries against a synthetic corpus of 79,000 log entries, and make scored containment decisions. The Forensic Lab has 16 cases with generated forensic evidence across Windows, Linux, and cross-platform attacks. The Playbook Suite provides 43 production IR playbooks with decision trees and KQL queries. All three build investigation methodology in a structured format — for hands-on practice with real tools and telemetry, the Lab Setup Guide walks you through building your own environment.
Do I need a lab environment?
Free modules can be read without any lab. For hands-on exercises in paid modules, the Lab Setup Guide walks you through a complete security operations lab — VMware, Windows 11, Ubuntu, M365 E5 developer tenant, Sentinel, and the full forensic toolchain. You build it once on your own hardware and keep it permanently. Total cost: free.
Do I need an M365 tenant?
For cloud-focused courses (M365 Security Operations, Detection Engineering, Threat Hunting, Entra ID Security, KQL, Security Automation), yes — a free M365 developer tenant is required. The Lab Setup Guide covers this. For IR, forensics, and Linux IR courses, the tenant is optional.
Can my employer pay for this?
Yes. Annual subscriptions generate a single invoice. Most subscribers expense Ridgeline as professional development, training, or continuing education. Business subscriptions provide access for up to 5 users under a single billing account.
What if I cancel?
You keep access until the end of your billing period. No penalty. Cancel from your account page at any time. The artifacts you built during your subscription — detection rules, architecture decisions, investigation playbooks — are yours permanently.
Is this a replacement for certification training?
No. Certifications test whether you can pass an exam. Ridgeline builds whether you can do the job. The focus is operational capability and deployable artifacts — not exam prep. Every course offers scenario-based exams with verifiable credentials and 36–40 CPE hours.
Who built this?
Security practitioners with over 15 years of experience in DFIR, detection engineering, and security operations across M365, Azure, Windows, and Linux environments. The content is built from operational experience, not vendor documentation. See the About page for full background.