Sign In

Courses That Close the Gap Between Certification and Capability.

You passed the exam but can't build the detection, investigate the incident, or present the architecture. These courses produce the artifacts that prove you can do the work — deployed in your environment, not a sandbox.

Every course produces artifacts you deploy at work.

Detection rules that fire on real attacks, playbooks that contain real incidents, architectures your CISO approves
Built in your own environment — persistent labs that never expire
Verification scripts confirm your work is production-ready before you move on
Start Free — No Account Needed Jump to courses for your role ↓
Written by practicing security engineers · 34 courses · New modules added regularly
From $179/year — every course includes free modules. See pricing →
Jump to the courses for your role
Security Engineer Entra ID, endpoint protection, M365 platform — 3 courses covering identity architecture, endpoint hardening, and security operations mapped to SC-200. View 3 courses in this path →
Detection & Hunt Engineer 71 production KQL detection rules, 10 complete hunt campaigns, 68 KQL exercises across four progressive courses. View 4 courses in this path →
Incident Responder / DFIR Triage-to-containment across cloud, Windows, and Linux. Filesystem forensics, memory analysis, event logs, and cross-domain investigation. View 4 courses in this path →
Deep-Dive Specialist Purple team validation across 136 ATT&CK techniques, applied memory forensics, and offensive operations analysis. Specialist tier. View 4 specialist courses →
Security Engineering

Identity, Endpoint & Platform Security

After these courses, your Conditional Access framework is documented and defensible, your endpoints are hardened to a verifiable baseline, and your M365 security stack is configured the way it should have been from day one — not the way the defaults left it.

Advanced
Premium
Endpoint Security
ASR · AV · EDR · Custom Detections · Forensic Readiness · Cross-Platform
What you'll deployEndpoint hardening baselines, ASR rules, and Defender for Endpoint detection configs you can push today
ARC402 · Endpoint Security
  • 16 Modules
  • Lab Exercises with KAPE, Sysmon, MDE
  • 2 Free Modules — No Account Required
Start Free Module →See What You'll Deploy →
Advanced
Premium
Entra ID Security
Conditional Access · Token Security · PIM · Workload Identity · Detection
What you'll deployProduction-ready Conditional Access policies + identity threat detection rules you can deploy immediately
ARC401 · Identity Security
  • 21 Modules
  • Lab Exercises with Entra, Conditional Access, KQL
  • 2 Free Modules — No Account Required
Start Free Module →See What You'll Deploy →
Essentials
Premium
Microsoft 365 Security Operations
Defender XDR · Sentinel · Purview · Copilot · Investigation Scenarios
What you'll deployFull M365 security operations playbook + live Sentinel + Defender XDR detections
SEC301 · Security Operations
  • 19 Modules
  • Lab Exercises with Sentinel, Defender XDR
  • 2 Free Modules — No Account Required
Start Free Module →See What You'll Deploy →
Detection & Hunting

Detection Engineering, KQL, Threat Hunting & Offensive Analysis

After these courses, threats that used to slip through your SIEM undetected are caught by rules you wrote, tested, and deployed. You produce 71 production KQL rules, execute 10 complete hunt campaigns, understand how attackers plan and execute campaigns, and build a detection-as-code pipeline that keeps your coverage current.

Advanced
Premium
Detection Engineering
71 KQL Rules · 6 Attack Chains · ATT&CK Mapped · Detection-as-Code
What you'll deploy71 production KQL detection rules + 6 full ATT&CK-mapped attack chains you can deploy today
SEC401 · Detection Engineering
  • 14 Modules
  • 71 Production Detection Rules
  • 2 Free Modules — No Account Required
Start Free Module →See What You'll Deploy →
Essentials
Premium
KQL for Security Operations
Operators · Joins · Time-Series · Anomaly Detection · Performance
What you'll deploy68 production-grade KQL exercises + reusable query library you can use in every hunt
SEC201 · Query Language
  • 16 Modules
  • 68 KQL Exercises
  • 2 Free Modules — No Account Required
Start Free Module →See What You'll Deploy →
Advanced
Premium
Threat Hunting in Microsoft 365
10 Hunt Campaigns · Hypothesis-Driven · Identity · OAuth · Exfiltration
What you'll deploy10 complete hypothesis-driven hunt campaigns + Sentinel playbooks ready for your environment
SEC402 · Threat Hunting
  • 18 Modules
  • 10 Complete Hunt Campaigns
  • 2 Free Modules — No Account Required
Start Free Module →See What You'll Deploy →
Essentials
Premium
Security Automation with Sentinel
Sentinel Playbooks · Auto-Containment · Evidence Collection · Orchestration
What you'll deployFully built Sentinel + Logic Apps playbooks for auto-containment and evidence collection
SEC202 · Automation
  • 15 Modules
  • Lab Exercises with Logic Apps, Sentinel
  • 2 Free Modules — No Account Required
Start Free Module →See What You'll Deploy →
Premium
Premium New
Offensive Security for Defenders
KQL · Sentinel · Defender XDR · Sliver · Evilginx · Sysmon · AI-assisted analysis
What you'll deployCampaign-level detection thinking + real attacker TTPs translated into production Sentinel + Defender XDR detections
SEC403 · Offensive Operations
  • 13 Modules
  • Campaign-Level Detection Thinking
  • 2 Free Modules — No Account Required
Start Free Module →See What You'll Deploy →
Investigation & Response

Incident Triage, Forensics & IR

After these courses, incidents that used to take days to investigate are triaged and contained in hours. You produce investigation playbooks, evidence collection procedures, containment workflows, and forensic timelines that hold up under legal scrutiny.

Advanced
Premium
Incident Triage and First Response
Cloud · Windows · Linux · KAPE · Velociraptor · KQL · Containment
What you'll deployComplete triage-to-containment playbook + KAPE + Velociraptor lab environment
FOR301 · Triage
  • 17 Modules
  • Lab Exercises with KAPE, Velociraptor, PowerShell
  • 2 Free Modules — No Account Required
Start Free Module →See What You'll Deploy →
Advanced
Premium New
Network Detection and Forensics
Zeek · Suricata · Wireshark · tcpdump · PCAP · DNS · TLS · NetFlow
What you'll deploy5 full network investigation scenarios + Zeek/Suricata + Wireshark/PCAP analysis artifacts
FOR403 · Network Forensics
  • 15 Modules
  • 5 NE Investigation Scenarios + Capstone
  • 2 Free Modules — No Account Required
Start Free Module →See What You'll Deploy →
Advanced
Premium
Incident Response: Windows and Microsoft 365
KAPE · EZ Tools · Volatility 3 · Ransomware · BEC · Insider · APT
What you'll deploy4 complete Windows + M365 investigation scenarios + Volatility + BEC + ransomware response playbooks
FOR401 · Incident Response
  • 22 Modules
  • 4 Investigation Scenarios + Capstone
  • 2 Free Modules — No Account Required
Start Free Module →See What You'll Deploy →
Advanced
Premium
Incident Response: Linux Systems
Filesystem · Memory · Logs · Containers · Cloud VMs · Persistence
What you'll deployFull Linux forensic investigation toolkit + Volatility + Log2Timeline labs on your own hardware
FOR402 · Linux Forensics
  • 18 Modules
  • Lab Exercises with Volatility, Log2Timeline
  • 2 Free Modules — No Account Required
Start Free Module →See What You'll Deploy →
Specialist

Advanced Specialist Courses

After these courses, you operate at depth most practitioners never reach — complete M365 security architecture with 30+ ADRs, detection validation against 136 ATT&CK techniques, applied memory forensics with learner-captured images, and offensive campaign analysis that informs your detection program.

Specialist
Specialist
Microsoft 365 Security Architecture
Entra ID · Conditional Access · PIM · Purview · Intune · Sentinel · Defender XDR
What you'll deploy30+ ADRs, decision matrices, risk register, architecture diagrams, and an executive summary — a complete, portfolio-grade architecture package
ARC501 · Security Architecture
  • 17 Modules
  • M365 E5 Developer Tenant + Azure Subscription
  • 2 Free Modules — No Account Required
Start Free Module →See What You'll Deploy →
Specialist
Specialist
Identity and Access Management
Entra ID · Entra ID Governance · Conditional Access · PIM · Graph API · PowerShell
What you'll deployA governed identity program where every identity — human and machine — has an owner, a lifecycle, and compliance evidence
ARC502 · Identity & Access Management
  • 17 Modules
  • M365 E5 Developer Tenant + Entra ID Governance Trial
  • 2 Free Modules — No Account Required
Start Free Module →See What You'll Deploy →
Specialist
Specialist New
Windows Forensics
MFT · USN Journal · ShellBags · Amcache · Prefetch · SRUM · Registry · Event Logs
What you'll deploy2 full capstone investigations + court-ready forensic reports and testimony artifacts
FOR501 · Windows Forensics
  • 15 Modules
  • 2 Capstone Investigations + Court Testimony
  • 2 Free Modules — No Account Required
Start Free Module →See What You'll Deploy →
Specialist
Specialist
Memory Forensics
Metasploit · Mimikatz · Volatility 3 · MemProcFS · WinDbg · YARA
What you'll deploy7 real attack techniques + 11 learner-captured memory images you can analyze end-to-end
FOR502 · Memory Forensics
  • 11 Modules
  • 7 attack techniques · 11 learner-captured memory images
  • 2 Free Modules — No Account Required
Start Free Module →See What You'll Deploy →
Specialist
Specialist
Purple Team Operations
Sigma · KQL · Sentinel · Defender XDR · Splunk · Elastic · Atomic Red Team · Caldera · VECTR · ATT&CK Navigator
What you'll deploy61 ATT&CK techniques walked end-to-end across 4 environments + 3 SIEMs (Sigma + KQL + Splunk)
SEC501 · Purple Teaming
  • 16 Modules
  • 61 ATT&CK Techniques Walked End-to-End
  • 2 Free Modules — No Account Required
Start Free Module →See What You'll Deploy →
Operational Security

GRC, SOC Operations & AI Security

After these courses, your security program has the operational backbone that ties technical controls to business outcomes — GRC frameworks that survive audits, SOC playbooks your analysts actually follow, and AI-assisted workflows that make the team faster without creating new risk.

Essentials
Premium
SOC Operations
SOC Workflow · Detection Libraries · IR Playbooks · Metrics · Automation
What you'll deploySOC operational playbooks for triage, escalation, and shift handover you can implement this week
SEC302 · SOC Operations
  • 17 Modules
  • Lab Exercises with Sentinel, KQL
  • 2 Free Modules — No Account Required
Start Free Module →See What You'll Deploy →
Essentials
Premium
GRC for Security Professionals
ISO 27001 · NIST CSF · SOC 2 · GDPR · CMMC · Audit Management
What you'll deployGRC program framework with risk registers, policy templates, and audit evidence
GRC201 · Governance & Compliance
  • 18 Modules
  • 2 Free Modules — No Account Required
Start Free Module →See What You'll Deploy →
Essentials
Premium
AI-Powered Security Operations
Investigation · Detection · Automation · Governance · Team Deployment
What you'll deployAI-powered security investigation and documentation workflows
SEC203 · AI Security
  • 12 Modules
  • 2 Free Modules — No Account Required
Start Free Module →See What You'll Deploy →
Free Courses

Start Here — Entirely Free

Complete courses with no subscription required. No account needed. Start learning immediately and progress into any specialization when you’re ready.

100% Free
Free
Security Foundations for M365 Administrators
MFA · Conditional Access · Email · Devices · Monitoring · Governance
What you'll deploySecurity mindset and M365 security fundamentals for IT admins transitioning to security
SEC101 · Security Foundations
  • 8 Modules
  • Entirely Free — No Account Required
Start Course →See What You'll Deploy →
100% Free
Free
AI-Assisted Security with Claude
Prompts · Investigation · Detection · Documentation · Automation · Governance
What you'll deployAI-assisted security workflows with Claude for investigations and documentation
SEC102 · AI Essentials
  • 3 Modules
  • Entirely Free — No Account Required
Start Course →See What You'll Deploy →
12 Short Courses

One Capability. Production-Ready.

Not every capability needs a 15-module course. Ridgeline Short Courses give you the same depth in a focused 4–8 hour format — one tool, one technique, one deployable outcome. Included with your subscription.

Same quality as full courses
4–8 hours to completion
Deploy what you build immediately

DFIR & Investigation

Short Course
KAPE and EZ Tools Mastery
KAPE · MFTECmd · PECmd · AmcacheParser · Timeline Explorer
What you'll deployKAPE collection profiles + EZ Tools parsing pipeline for endpoint triage
DFIR Tools
  • 6 sections + guided endpoint triage lab
Start Free →See What You'll Deploy →
Short Course
Velociraptor for Endpoint Investigation
Velociraptor · VQL · Notebooks · Artifact Exchange
What you'll deployVelociraptor deployment + hunt workflows for endpoint investigation
DFIR Tools
  • 9 sections + guided investigation lab
Start Free →See What You'll Deploy →
Short Course
Malware Triage
PEStudio · strings · VirusTotal · ANY.RUN · YARA · STIX
What you'll deployMalware triage workflow from initial sample through behavioural analysis
DFIR Tools
  • 5 sections + guided triage lab
Start Free →See What You'll Deploy →
Short Course
YARA Rule Writing for DFIR
YARA · THOR Lite · Velociraptor · yarGen · PE headers
What you'll deployCustom YARA rules for malware detection and threat hunting
DFIR Tools
  • 6 sections + guided malware hunting lab
Start Free →See What You'll Deploy →
Short Course
Wireshark for Security Analysts
Wireshark · tshark · tcpdump · BPF · Display Filters
What you'll deployWireshark filters and analysis techniques for security investigations
Network Analysis
  • 5 sections + guided PCAP lab
Start Free →See What You'll Deploy →

Detection & Hunting

Short Course
Sigma Rules for Detection Engineers
Sigma · sigma-cli · KQL · SPL · Elastic · ATT&CK
What you'll deploySigma detection rules convertible to KQL, SPL, and Elastic
Detection Engineering
  • 6 sections + guided detection lab
Start Free →See What You'll Deploy →
Short Course
Sysmon Configuration and Tuning
Sysmon · XML Config · SwiftOnSecurity · GPO · Intune
What you'll deployProduction Sysmon configuration with detection-optimised event filtering
Detection Engineering
  • 6 sections + guided deployment lab
Start Free →See What You'll Deploy →
Short Course
Log Analysis with Regex
grep · sed · awk · PowerShell · regex101
What you'll deployRegex patterns for parsing security logs across Windows, Linux, and network devices
Log Analysis
  • 5 sections + guided parsing lab
Start Free →See What You'll Deploy →

Security Engineering

Short Course
Conditional Access Design
Entra ID · Conditional Access · Named Locations · Device Compliance
What you'll deployConditional Access policy designs covering the common attack paths
Identity Security
  • 6 sections + guided design lab
Start Free →See What You'll Deploy →
Short Course
Email Authentication Masterclass
SPF · DKIM · DMARC · DNS · M365 · Google Workspace
What you'll deploySPF, DKIM, and DMARC configuration for your email domains
Email Security
  • 5 sections + guided audit lab
Start Free →See What You'll Deploy →
Short Course
PowerShell for Security Operations
PowerShell · WinRM · Get-WinEvent · Microsoft Graph
What you'll deploySecurity-focused PowerShell scripts for M365 administration and forensics
Security Operations
  • 7 sections + guided investigation lab
Start Free →See What You'll Deploy →
Short Course
Git for Security Teams
Git · GitHub · VS Code · CI/CD · Sigma
What you'll deployGit workflows for detection-as-code and security team collaboration
Security Operations
  • 5 sections + guided repo lab
Start Free →See What You'll Deploy →
View All Short Courses →

Read the free modules. Then decide.

Every paid course opens with free foundation modules — no account, no email, no gate. Read the content, run the queries, and see for yourself whether this is the depth that closes the gap between where you are and where you need to be.

Start Free — No Account Needed Find Your Path by Role