Prove You Can Work an Incident From Alert to Closure.
Not a quiz. Not a multiple-choice recall test. A single realistic incident unfolds based on your decisions. You triage the alert, investigate the attack chain, contain the compromise, and write the CISO summary — under time pressure. The score reflects your investigation judgement, not your memorisation.
How It Works
1. Triage
An alert fires. Classify the severity, identify the ATT&CK technique, select your first investigation step, and decide: investigate, escalate, or close.
20 points · 5 minutes
2. Investigation
The incident branches based on your decisions. Evidence accumulates on your evidence board. Wrong choices cost points but don't dead-end — you continue with reduced score.
50 points · 25 minutes
3. Response & Reporting
Select containment actions in the correct order. Write a CISO incident summary. Identify recommendations. Classify the severity for the formal report.
30 points · 10 minutes
Available Assessments
19 courses. 28 scenarios. Each attempt randomly selects a scenario. Retake with a different incident each time. Pass at 70/100.
Security Engineering
M365 Security Architecture
Identity · Data Protection · Endpoint · Detection · Governance
MSA · Security Architecture
40 minutes · 100 points · Certificate on pass
Entra ID Security
Conditional Access · OAuth · Service Principals · Tokens
EI · Identity Security
40 minutes · 100 points · Certificate on pass
Endpoint Security Engineering
ASR · AV · EDR · Custom Detections · Forensic Readiness
ES · Endpoint Security
40 minutes · 100 points · Certificate on pass
M365 Security Operations
Defender XDR · Sentinel · Purview · Investigation
M365 · Platform Security
40 minutes · 100 points · Certificate on pass
Detection & Hunting
Detection Engineering
Sigma · KQL · ATT&CK · Detection-as-Code
DE · Detection
40 minutes · 100 points · Certificate on pass
Mastering KQL
Operators · Joins · Time-Series · Anomaly Detection
K · Query Language
40 minutes · 100 points · Certificate on pass
Practical Threat Hunting
Hypothesis · Identity · OAuth · Exfiltration
TH · Threat Hunting
40 minutes · 100 points · Certificate on pass
Security Automation
Sentinel Playbooks · Logic Apps · Auto-Containment
SA · Automation
40 minutes · 100 points · Certificate on pass
Investigation & Response
Incident Triage & First Response
Cloud · Windows · Linux · KAPE · Velociraptor
TR · Triage
40 minutes · 100 points · Certificate on pass
Practical Incident Response
Windows · M365 · AiTM · Ransomware · Insider Threat
IR · Investigation & Response
40 minutes · 100 points · Certificate on pass
Practical Linux IR
SSH · Privilege Escalation · Containers · Kubernetes
LX · Linux Forensics
40 minutes · 100 points · Certificate on pass
Network Detection & Forensics
Wireshark · Zeek · Suricata · PCAP Analysis
NF · Network Forensics
40 minutes · 100 points · Certificate on pass
Specialist
Purple Teaming for Blue Teams
136 ATT&CK Techniques · Sigma · Detection Validation
PT · Technique Validation
40 minutes · 100 points · Certificate on pass
Advanced Windows Forensic Analysis
MFT · USN · ShellBags · Amcache · Prefetch · Registry
WF · Windows Forensics
40 minutes · 100 points · Certificate on pass
Applied Memory Forensics
Volatility 3 · MemProcFS · WinDbg · YARA
MF · Memory Forensics
40 minutes · 100 points · Certificate on pass
Offensive Security for Defenders
Campaign Reconstruction · Infrastructure · Payloads
OD · Offensive Operations
40 minutes · 100 points · Certificate on pass
Operations & Governance
SOC Operations
SOC Workflow · Detection Libraries · IR Playbooks · Metrics
S · SOC Operations
40 minutes · 100 points · Certificate on pass
Practical GRC
ISO 27001 · NIST CSF · SOC 2 · GDPR · Audit Management
G · Governance
40 minutes · 100 points · Certificate on pass
Claude for Security Professionals
Investigation · Detection · Automation · Governance
C · AI Security
40 minutes · 100 points · Certificate on pass
Not Another Multiple-Choice Quiz
Every other platform tests recall. Ridgeline tests judgment.
Typical certification exam
"What Event ID indicates a successful logon?" — tests whether you memorised a number. Disconnected questions. No investigation flow. No evidence. No decisions under pressure.
Ridgeline investigation simulation
A single incident unfolds from alert to report. Your decisions reveal evidence. The evidence board builds as you investigate. You write the CISO summary. The score reflects investigation quality, not memorisation.
What Passing Actually Means
A Ridgeline assessment score isn't a certification exam result — it's evidence that you can work an incident under pressure. Pass at 70 and you've demonstrated triage, investigation, containment, and reporting across a realistic scenario. You earn a verifiable credential with 36–40 CPE credits that you share with employers, include in CPD logs, and reference in job applications. The credential is permanent. The public verification page at /verify/ confirms it to anyone who asks.
The next real incident won't give you 40 minutes.
These simulations build the decision-making speed so that when the alert fires at work, your hands already know what to do. Start with the course to learn the methodology, then prove you own it here.