The Practitioners Who Build Are the Ones Who Stay.

AI copilots are triaging alerts. Automated playbooks are replacing runbooks. The security professionals who thrive are the ones who design architecture, build detection programs, and investigate what automation can't. Every course here produces artifacts you deploy at work — detection rules, investigation playbooks, architecture decisions — proof that you can do the work, not just describe it.

Every course produces artifacts you keep and use.

Architecture decisions, detection rules, and playbooks you deploy at work
Hands-on labs in your own environment — persistent, never expire
Verification scripts confirm your work before you move on
Written by practicing security engineers · 34 courses & skills · New content added regularly
From $179/year — less than 3% of what a week of instructor-led training costs. See pricing →

What a real module looks like

Detection Rule — BEC Mailbox Forwarding
OfficeActivity
| where Operation in ("New-InboxRule", "Set-InboxRule")
| where Parameters has_any ("ForwardTo", "RedirectTo", "DeleteMessage")
| project TimeGenerated, UserId, Operation

Deploy as a Sentinel analytics rule. Copy, paste, deploy. This is what you build in every module.
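To show what the rule above actually does when run over telemetry, here is an added Python equivalent that is not part of the module or of Ridgeline's materials. It applies the same two filters (Operation, then the suspicious parameter names) to a handful of constructed OfficeActivity rows, extracts the forwarding target for the analyst, and tags hits from accounts on a review list instead of silently suppressing them, which is the false-positive check a verification step would ask for. The `review_accounts` argument and the sample rows are assumptions for the example.

```python
import json
from typing import Dict, List

# Operations and parameter names mirrored from the KQL rule on this page.
RULE_OPERATIONS = ("New-InboxRule", "Set-InboxRule")
SUSPICIOUS_PARAMS = ("ForwardTo", "RedirectTo", "DeleteMessage")

# Constructed sample OfficeActivity rows (not real telemetry). Parameters is
# kept as a JSON string of {"Name","Value"} pairs, the shape Exchange admin
# audit events use, so the parsing below is realistic.
SAMPLE_OFFICE_ACTIVITY: List[Dict[str, str]] = [
    {   # forwarding plus deletion: the classic BEC mailbox rule
        "TimeGenerated": "2024-05-01T08:12:00Z",
        "UserId": "alice@contoso.com",
        "Operation": "New-InboxRule",
        "Parameters": json.dumps([
            {"Name": "Name", "Value": "Invoices"},
            {"Name": "ForwardTo", "Value": "collector@example.net"},
            {"Name": "DeleteMessage", "Value": "True"},
        ]),
    },
    {   # benign rule: moves mail to a folder, no suspicious parameter
        "TimeGenerated": "2024-05-01T09:30:00Z",
        "UserId": "bob@contoso.com",
        "Operation": "New-InboxRule",
        "Parameters": json.dumps([
            {"Name": "Name", "Value": "Newsletters"},
            {"Name": "MoveToFolder", "Value": "Archive"},
        ]),
    },
    {   # redirect added to an existing rule by an admin account
        "TimeGenerated": "2024-05-01T10:05:00Z",
        "UserId": "IT-admin@contoso.com",
        "Operation": "Set-InboxRule",
        "Parameters": json.dumps([
            {"Name": "Identity", "Value": "Helpdesk"},
            {"Name": "RedirectTo", "Value": "helpdesk-queue@contoso.com"},
        ]),
    },
    {   # different operation entirely: must not match this rule
        "TimeGenerated": "2024-05-01T11:00:00Z",
        "UserId": "carol@contoso.com",
        "Operation": "Set-Mailbox",
        "Parameters": json.dumps([{"Name": "ForwardingSmtpAddress", "Value": "x@example.net"}]),
    },
]


def suspicious_parameters(parameters_json: str) -> Dict[str, str]:
    """Return the {name: value} pairs whose name is one of SUSPICIOUS_PARAMS.

    KQL's `has_any` does term matching on the raw string; parsing the JSON and
    matching on parameter name gives the same hits for well-formed events and
    also recovers the forwarding target for the analyst.
    """
    try:
        params = json.loads(parameters_json)
    except json.JSONDecodeError:
        return {}
    return {p.get("Name", ""): p.get("Value", "")
            for p in params if p.get("Name") in SUSPICIOUS_PARAMS}


def detect_mailbox_forwarding(records, review_accounts=frozenset()):
    """Python equivalent of the Sentinel rule: filter on Operation, then on the
    suspicious parameter names, then project the fields an analyst needs.
    Accounts in `review_accounts` (assumed argument) are not suppressed; they
    are tagged so the false-positive check is explicit rather than silent."""
    hits = []
    for r in records:
        if r.get("Operation") not in RULE_OPERATIONS:
            continue
        found = suspicious_parameters(r.get("Parameters", ""))
        if not found:
            continue
        hits.append({
            "TimeGenerated": r["TimeGenerated"],
            "UserId": r["UserId"],
            "Operation": r["Operation"],
            "Indicators": found,
            "NeedsReview": r["UserId"] in review_accounts,
        })
    return hits


if __name__ == "__main__":
    for hit in detect_mailbox_forwarding(SAMPLE_OFFICE_ACTIVITY, {"IT-admin@contoso.com"}):
        print(hit)
```

Running it yields two hits: the alice rule (forward plus delete, no review flag) and the IT-admin redirect, flagged for review. The Set-Mailbox row is excluded by the Operation filter even though its parameters mention forwarding, which is why a separate rule is needed for mailbox-level forwarding.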

KQL · Sentinel · Copy-Paste Ready
Lab — Investigate Compromised Identity
1. Query SigninLogs for the user's last 7 days. Identify the first sign-in from an unfamiliar IP.
2. Check AuditLogs for MFA method registration in the same 30-minute window.
3. If a new MFA method was registered from the attacker IP — that's persistence. Document the method and timestamp.

Run this in your own environment against real telemetry. The lab is yours permanently.
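The three lab steps above are one correlation: find the first sign-in outside the user's baseline, then look for a security-info registration from the same IP within 30 minutes. As an added illustration (not lab code from Ridgeline), this Python block runs that logic over constructed SigninLogs and AuditLogs rows. The `known_ips` baseline, the flattened audit-log fields (`TargetUser`, `IPAddress`, `Method`) and the sample rows are assumptions made for the example; in a real tenant the baseline would come from the user's earlier sign-in history.

```python
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set

# Constructed sample rows (not real telemetry). SigninLogs keeps the
# UserPrincipalName / IPAddress names used by Entra ID; the AuditLogs rows use
# an assumed, flattened schema for readability.
SAMPLE_SIGNINS: List[Dict[str, str]] = [
    {"TimeGenerated": "2024-04-20T07:55:00Z", "UserPrincipalName": "bob@contoso.com", "IPAddress": "192.0.2.5"},      # older than 7 days
    {"TimeGenerated": "2024-05-05T08:00:00Z", "UserPrincipalName": "bob@contoso.com", "IPAddress": "203.0.113.10"},   # known office IP
    {"TimeGenerated": "2024-05-08T09:04:00Z", "UserPrincipalName": "bob@contoso.com", "IPAddress": "198.51.100.77"},  # first unfamiliar
    {"TimeGenerated": "2024-05-09T12:10:00Z", "UserPrincipalName": "bob@contoso.com", "IPAddress": "198.51.100.77"},
    {"TimeGenerated": "2024-05-08T09:10:00Z", "UserPrincipalName": "dana@contoso.com", "IPAddress": "198.51.100.77"}, # another user
]
SAMPLE_AUDITLOGS: List[Dict[str, str]] = [
    {"TimeGenerated": "2024-05-04T10:00:00Z", "ActivityDisplayName": "User registered security info",
     "TargetUser": "bob@contoso.com", "IPAddress": "203.0.113.10", "Method": "Phone"},              # outside the window
    {"TimeGenerated": "2024-05-08T09:21:00Z", "ActivityDisplayName": "User registered security info",
     "TargetUser": "bob@contoso.com", "IPAddress": "198.51.100.77", "Method": "Authenticator App"},  # 17 min after sign-in
    {"TimeGenerated": "2024-05-08T09:25:00Z", "ActivityDisplayName": "Update user",
     "TargetUser": "bob@contoso.com", "IPAddress": "198.51.100.77", "Method": ""},                  # not an MFA change
]

MFA_REGISTRATION = "User registered security info"


def parse_ts(s: str) -> datetime:
    """Parse the ISO-8601 UTC timestamps used in the sample rows."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def first_unfamiliar_signin(signins, user: str, known_ips: Set[str], now: datetime,
                            lookback_days: int = 7) -> Optional[Dict[str, str]]:
    """Step 1: earliest sign-in in the lookback window from an IP not in the baseline."""
    cutoff = now - timedelta(days=lookback_days)
    rows = [r for r in signins
            if r["UserPrincipalName"] == user and parse_ts(r["TimeGenerated"]) >= cutoff]
    for r in sorted(rows, key=lambda r: parse_ts(r["TimeGenerated"])):
        if r["IPAddress"] not in known_ips:
            return r
    return None


def mfa_registrations_in_window(auditlogs, user: str, start: datetime,
                                minutes: int = 30) -> List[Dict[str, str]]:
    """Step 2: security-info registrations for the user within `minutes` of `start`."""
    end = start + timedelta(minutes=minutes)
    return [a for a in auditlogs
            if a["TargetUser"] == user
            and a["ActivityDisplayName"] == MFA_REGISTRATION
            and start <= parse_ts(a["TimeGenerated"]) <= end]


def investigate(signins, auditlogs, user: str, known_ips: Set[str], now: datetime) -> dict:
    """Step 3: a registration from the attacker IP inside the window is persistence.
    A registration from some other IP is returned for review rather than ignored."""
    suspect = first_unfamiliar_signin(signins, user, known_ips, now)
    if suspect is None:
        return {"status": "no_unfamiliar_signin"}
    regs = mfa_registrations_in_window(auditlogs, user, parse_ts(suspect["TimeGenerated"]))
    from_attacker = [a for a in regs if a["IPAddress"] == suspect["IPAddress"]]
    status = "persistence" if from_attacker else ("review" if regs else "no_mfa_change")
    return {
        "status": status,
        "attacker_ip": suspect["IPAddress"],
        "first_seen": suspect["TimeGenerated"],
        # method and timestamp: what step 3 asks you to document
        "mfa_events": [{"method": a["Method"], "time": a["TimeGenerated"]} for a in from_attacker],
    }


if __name__ == "__main__":
    now = parse_ts("2024-05-10T00:00:00Z")
    print(investigate(SAMPLE_SIGNINS, SAMPLE_AUDITLOGS, "bob@contoso.com", {"203.0.113.10"}, now))
```

For bob the result is `persistence`: the 09:04 sign-in from 198.51.100.77 is the first outside the baseline, and the Authenticator App registration at 09:21 from the same IP lands inside the 30-minute window. The 20 April sign-in is dropped by the 7-day lookback and the 4 May registration by the window, which is the point of bounding both queries before correlating them.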

Hands-On · Your Infrastructure · Permanent
Verification — Detection Rule Deployed
Analytics rule created — BEC_Forwarding_Rule
Query syntax validated — 0 errors
Test against sample data — 3 matches found
False positive check — review IT-admin@contoso.com

Verification scripts confirm your work is correct before you move on.

Automated · Pass/Fail · Production-Ready

Written by Practicing Security Engineers

Ridgeline's content is written by cybersecurity practitioners with over fifteen years of experience in DFIR, detection engineering, and threat hunting across production M365, Azure, Windows, and Linux environments. The detection rules we teach are rules we've deployed and tuned in production. The investigation methods are extracted from real forensic engagements. The architecture decisions are ones we've made and defended in front of CISOs and auditors.

CISSP-ISSAP · CISM · CCSP · CEH · CHFI · SC-200 · SC-300 · SC-400 · AZ-500 · CCNP
About the team →
The Shift

Before and After Ridgeline

The difference isn't what you know. It's what you can prove you've done.

Before

You Google KQL queries during incidents and hope the syntax is right.

Your architecture decisions are verbal — undocumented and indefensible when auditors ask.

Your CV lists certifications. Your interview portfolio is empty.

AI handles the alerts you used to triage. Your role feels vulnerable.

After

You have 30+ detection rules running in production that you wrote, tested, and tuned.

Your architecture decisions are documented in ADRs your CISO presents to the board.

You walk into interviews with deployed artifacts — rules, playbooks, architecture packages.

You design the detections and architecture that AI assists with — you're the engineer, not the operator.

Pricing

Premium
$179/year
Specialist
$289/year
Business
$324/seat/yr

Every course includes free modules. Start learning before you pay anything.

See Full Pricing & Start Free →
What You'll Build

Courses That Produce Operational Results

Each course is structured around the artifacts you produce — not content you consume. You finish with deliverables you deploy at work or take into interviews.

M365 Security Architecture
You'll build: 30+ Architecture Decision Records, decision matrices, a risk register, architecture diagrams, and a board-ready executive summary
Your next architecture review has documented, defensible decisions instead of verbal justifications — and your CISO has a package they can present to the board.
15 modules · Specialist · 40 CPE
2 free modules · See what you'll build →
Detection Engineering
You'll build: A detection program from coverage gap analysis through production-deployed Sigma and KQL rules with a CI pipeline
Threats that used to slip through your SIEM undetected are now caught by rules you wrote, tested, and deployed yourself — with a pipeline that keeps them current.
13 modules · Premium · 36 CPE
Free modules available · See what you'll build →
Practical Incident Response
You'll build: Investigation playbooks, evidence collection procedures, timeline templates, and a complete response framework
Incidents that used to take days to investigate are triaged and contained in hours — because your team has battle-tested playbooks, not ad-hoc guesswork.
20 modules · Premium · 40 CPE
Free modules available · See what you'll build →
Purple Teaming for Blue Teams
You'll build: Validated detection rules for 136 ATT&CK techniques with Sigma rules and SIEM conversions
Your blue team knows exactly what real attacks look like and how to stop them — because they just executed, detected, and documented every one.
14 modules · Specialist · 136 techniques
Free modules available · See what you'll build →
View all courses →
Who This Is For

You Know You Need to Go Deeper. This Is How.

Certifications test what you memorized. Ridgeline builds what you can do. Every course produces artifacts that prove capability — to your employer, to hiring managers, and to yourself.

“I just got handed security for our M365 tenant.” You need to design Conditional Access, configure Defender, and present a defensible architecture to leadership — not just enable features and hope.

“I'm a SOC analyst and AI is doing my L1 job.” The move to detection engineering, threat hunting, or DFIR is the path forward. You need structured depth that gets you there — not another overview course.

“I need skills that justify my salary.” Architecture decisions, forensic investigations, detection programs — the work that automation can't replace. You leave with a portfolio of artifacts that prove you can do it.

“I'm transitioning into security from IT.” Start with the free Admin to Defender course. Progress into any specialization. Every course is self-contained — no prerequisites, no gatekeeping.

“My employer won't pay for training.” $179/year vs. $6,000+ for a week of instructor-led training. Same operational depth. Artifacts you keep permanently. A price you can justify yourself.

“I need to prove capability, not just knowledge.” Every course ends with a scenario-based exam. Pass and earn a verifiable credential with CPE credits. The artifacts you built are the proof.

Prove Your Work

Verifiable Credentials and CPE Credits

Complete a course, pass the scenario-based exam, and earn a verifiable credential with CPE credits. Share it with employers, include it in CPD logs, reference it in job applications.

Scenario-Based Exams
Triage (20pts) → Investigation (50pts) → Response (30pts). Tests operational judgment, not memorization. Pass at 70.
80% completion required · Realistic scenarios
CPE Credits & Public Verification
36–40 CPE credits per course. Public verification page at /verify/ — share with employers and include in CPD logs. Credentials are permanent.
36–40 CPE · Public verification · Permanent

Weekly Security Engineering Insights

Detection techniques, architecture patterns, and operational judgment — delivered to your inbox every Tuesday.

No spam. Unsubscribe anytime.