Endpoint Engineering

For Security Engineers and Administrators Who Configure, Tune, and Maintain Defender for Endpoint, Intune Security Policies, and Endpoint Hardening

Aligned to MITRE ATT&CK · CIS Controls · Mandiant tradecraft · NCSC guidance

Endpoint Security

Engineer endpoint protection that stops real attacks — not just passes a compliance check.

Deploy and tune Microsoft Defender for Endpoint as a complete endpoint security platform. Move ASR rules from audit to block mode using evidence-based promotion, engineer antivirus beyond defaults, configure device control and application control, build custom endpoint detections with KQL, and validate that every control actually works against real attack techniques.

What you'll deploy immediately after this course
20+ production KQL detection rules with automated response actions
Production endpoint hardening baselines + architecture document
Full ASR rule set promoted to block mode (evidence-based, blast-radius tested)
40+ ATT&CK-mapped KQL hunting queries you can run today
Complete forensic readiness stack (Sysmon + KAPE + Velociraptor configs)
Deployable MDE health monitoring + cross-platform integration playbook
Endpoint security architecture diagram (six layers): Layer 1 Hardening, Layer 2 Prevention, Layer 3 Detection, Layer 4 Response, Layer 5 Forensic Readiness, Layer 6 Integration. Lab environment, Northgate Engineering: 865 endpoints · 12 servers · 8 Linux · 520 mobile.

What you'll be able to do

Deploy ASR rules in block mode using evidence-based promotion methodology
Engineer Defender Antivirus beyond defaults for production environments
Build custom endpoint detection rules with KQL
Validate that endpoint security controls work against real attack techniques
Design endpoint hardening baselines with blast radius analysis
Premium tier | 16 modules across 4 phases | 36–40 hours at your own pace | 36 CPE credits | 2 free modules — no account needed | Updated May 2026

Who this course is for

“We onboarded MDE and everything is still at defaults.” You have Defender for Endpoint licensed and deployed, but ASR rules are in audit mode, antivirus is at factory settings, and custom detections don't exist. This course takes each layer from default to production-tuned.

“I want to enable ASR rules but I'm afraid of breaking things.” The audit-to-block promotion methodology gives you evidence-based confidence. You analyze audit data, measure blast radius, document exclusions, and move to block mode knowing exactly what will and won't break.

“Our endpoint alerts are noise — I don't know which ones matter.” You build 20+ custom KQL detection rules that catch what the defaults miss, validated against real attack techniques with Atomic Red Team. Each rule has a documented false positive baseline.

“When we get an endpoint incident, there's nothing to investigate.” Forensic readiness means the evidence exists before the incident happens. Sysmon, PowerShell logging, KAPE triage configs, Velociraptor deployment — you build the collection pipeline so investigations have data to work with.

“I manage Windows endpoints but I also have Linux servers and Macs.” Cross-platform coverage in Module 14: MDE on Linux, macOS, mobile. Same console, different capabilities and limitations. You know what each platform gives you and where the gaps are.

“I need to present an endpoint security strategy, not just run the tools.” The capstone produces a complete architecture document — hardening baselines, detection rules, ASR deployment status, forensic readiness posture, cross-platform coverage gaps. The deliverable your CISO and auditors can act on.

Whatever your background — if the subject interests you and you're willing to put in the work, this course is for you.

Before and after this course

Before

ASR rules are all in audit mode because you're not confident enabling block won't break a line-of-business application.

Defender AV is at factory defaults. Cloud protection level, behavioral monitoring, ransomware protection — you've never changed them because the documentation doesn't explain the trade-offs.

An endpoint gets compromised and there's no Sysmon, no PowerShell logging, no KAPE config. The investigation has almost nothing to work with.

You can't tell your CISO what percentage of your endpoints are actually protected or what attack techniques your current configuration stops.

After

ASR rules in block mode with documented exclusions, quarterly review cadence, and audit data proving each rule's impact before enforcement.

Every AV setting configured with architectural reasoning. Cloud protection at high, behavioral monitoring tuned, ransomware protection active, role-specific server profiles deployed.

Sysmon deployed with a tuned config, PowerShell ScriptBlock logging active, KAPE triage collection ready to run. When the incident happens, the evidence is already there.

A complete architecture document with onboarding coverage, ASR enforcement status, detection rule inventory, and forensic readiness posture — the report your CISO presents to the board.

How the course works

Six layers of endpoint security, each building on the previous. You start at the operating system and work outward to detection, response, and integration:

Layer 1
Hardening

OS internals, CIS Benchmarks, LAPS, audit policy. Reduce the attack surface before the attacker arrives.

Layer 2
Prevention

ASR rules, AV tuning, WDAC application control, exploit protection. Block known attack techniques at the endpoint.

Layer 3
Detection

EDR behavioral detection, custom KQL rules, endpoint hunting queries. Catch what prevention misses.

Layer 4
Response

Automated Investigation and Response, live response sessions, device isolation, containment at fleet scale.

Layer 5
Forensic Readiness

Sysmon, PowerShell logging, KAPE, Velociraptor. Ensure the evidence exists when the incident happens.

Layer 6
Integration

Zero trust device compliance, Sentinel integration, cross-platform coverage, automation. Connect endpoints to the security architecture.

What the content looks like

This is a real ASR block event from the endpoint hardening modules. When a Word document tries to spawn PowerShell, ASR intercepts it before execution. You read the event to understand what was blocked, verify it’s an attack technique and not a legitimate macro, and use the data to make the audit-to-block promotion decision:

Event Log — From Module 4: ASR Audit-to-Block Promotion
Log Name:      Microsoft-Windows-Windows Defender/Operational
Event ID:      1121
Level:         Warning
Source:        Windows Defender
Task:          ASR
Description:   Attack Surface Reduction blocked an operation.
  Rule ID:     d4f940ab-401b-4efc-aadc-ad5f3c50688a
  Rule Name:   Block Office applications from creating child processes
  Detection:   Block
  Target:      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Parent:      C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
  User:        NE\t.ashworth
  Action:      Blocked
  Path:        C:\Users\t.ashworth\Downloads\Invoice-Q2-2026.docm

The parent-child relationship tells you everything: Word spawning PowerShell from a downloaded .docm is a textbook macro-based payload delivery. ASR stopped it at the behavioral level — no signature required. The module walks you through every ASR rule, the audit data that tells you when each rule is safe to promote, and the exclusions that prevent legitimate applications from breaking.
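The promotion decision described above, worked through as an added example (this is not course material or the lab pack's ASR audit report script): it parses events in the text layout shown, then measures each rule's blast radius as the share of the fleet with audit hits that no documented exclusion explains. Assumptions, labelled in the code: Event ID 1122 is the ASR audit counterpart of the 1121 block event shown; a Computer: field is added to each record; the second rule ID, the NorthgateERP export tool path and the 0.5% promotion budget are hypothetical values; the fleet size of 865 comes from the page.

```python
"""Evidence-based ASR audit-to-block promotion check.

Added example, not course material: parses ASR events in the text layout
shown above, then scores each rule's blast radius (distinct devices with audit
hits that no documented exclusion explains) against a promotion budget.
"""
import json
import re
from collections import defaultdict

# Assumption: 1122 = "ASR audited", 1121 = "ASR blocked" in the
# Microsoft-Windows-Windows Defender/Operational log (the page shows only 1121).
AUDIT_EVENT_ID, BLOCK_EVENT_ID = 1122, 1121
RULE_OFFICE_CHILD = "d4f940ab-401b-4efc-aadc-ad5f3c50688a"   # rule ID from the page
RULE_PLACEHOLDER = "RULE-ID-PLACEHOLDER"                     # hypothetical second rule
FLEET_SIZE = 865                                             # Northgate endpoints
FIELD_RE = re.compile(r"^\s*([A-Za-z ]+?):\s+(.*?)\s*$")

# The block event shown on the page, verbatim (no Computer: field there).
PAGE_EVENT = r"""Log Name:      Microsoft-Windows-Windows Defender/Operational
Event ID:      1121
Level:         Warning
Source:        Windows Defender
Task:          ASR
Description:   Attack Surface Reduction blocked an operation.
  Rule ID:     d4f940ab-401b-4efc-aadc-ad5f3c50688a
  Rule Name:   Block Office applications from creating child processes
  Detection:   Block
  Target:      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Parent:      C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
  User:        NE\t.ashworth
  Action:      Blocked
  Path:        C:\Users\t.ashworth\Downloads\Invoice-Q2-2026.docm"""


def parse_event(text):
    """Turn one 'Field:   value' event record into a dict."""
    return {m.group(1).strip(): m.group(2)
            for m in map(FIELD_RE.match, text.strip().splitlines()) if m}


def make_event(event_id, computer, parent, target, rule_id=RULE_OFFICE_CHILD):
    """Constructed audit/block record in the page's layout (Computer: is an added field)."""
    return (f"Log Name:      Microsoft-Windows-Windows Defender/Operational\n"
            f"Event ID:      {event_id}\n"
            f"  Rule ID:     {rule_id}\n"
            f"  Computer:    {computer}\n"
            f"  Target:      {target}\n"
            f"  Parent:      {parent}\n")


def promotion_report(events, exclusions, candidate_rules,
                     fleet_size=FLEET_SIZE, max_blast_pct=0.5):
    """Per rule: audit/block counts, devices with unexplained audit hits, verdict.
    exclusions maps rule ID -> documented legitimate Target paths (assumed model).
    max_blast_pct is an assumed policy knob: share of the fleet that may still
    show unexplained audit hits before block mode is allowed."""
    audit, blocks = defaultdict(list), defaultdict(int)
    for ev in map(parse_event, events):
        eid, rule = int(ev["Event ID"]), ev["Rule ID"]
        if eid == AUDIT_EVENT_ID:
            audit[rule].append(ev)
        elif eid == BLOCK_EVENT_ID:
            blocks[rule] += 1
    report = {}
    for rule in set(candidate_rules) | set(audit) | set(blocks):
        allowed = {p.lower() for p in exclusions.get(rule, ())}
        hits = audit.get(rule, [])
        unexplained = [h for h in hits if h["Target"].lower() not in allowed]
        devices = sorted({h.get("Computer", "unknown") for h in unexplained})
        pct = round(100.0 * len(devices) / fleet_size, 2)
        report[rule] = {
            "audit_hits": len(hits),
            "explained_by_exclusion": len(hits) - len(unexplained),
            "block_hits": blocks.get(rule, 0),
            "investigate_devices": devices,   # review these before enforcing
            "blast_radius_pct": pct,
            "verdict": "promote_to_block" if pct <= max_blast_pct else "stay_in_audit",
        }
    return report


# Constructed sample data: one Word->PowerShell and one Word->cmd audit hit
# (the technique the page describes) plus a hypothetical line-of-business
# export tool launched from Excel on five devices, one of them twice.
WINWORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
EXCEL = r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
ERP_EXPORT = r"C:\Program Files\NorthgateERP\ngerp-export.exe"   # hypothetical path
SAMPLE_EVENTS = (
    [PAGE_EVENT,
     make_event(AUDIT_EVENT_ID, "NE-WS-0412", WINWORD, POWERSHELL),
     make_event(AUDIT_EVENT_ID, "NE-WS-0230", WINWORD, r"C:\Windows\System32\cmd.exe")]
    + [make_event(AUDIT_EVENT_ID, f"NE-WS-01{n:02d}", EXCEL, ERP_EXPORT) for n in range(1, 6)]
    + [make_event(AUDIT_EVENT_ID, "NE-WS-0101", EXCEL, ERP_EXPORT)]
)

if __name__ == "__main__":
    documented = {RULE_OFFICE_CHILD: [ERP_EXPORT]}
    print(json.dumps(promotion_report(SAMPLE_EVENTS, documented,
                                      [RULE_OFFICE_CHILD, RULE_PLACEHOLDER]), indent=2))
```

With the ERP export tool documented as an exclusion, the Office child-process rule shows two devices with unexplained hits (0.23% of the fleet) and is cleared for block mode once those two are reviewed; run the same data with an empty exclusion map and the verdict flips to stay_in_audit at 0.81%, which is the point of documenting exclusions before promotion rather than after.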

Lab Pack — Endpoint Security Toolkit

KQL query packs: Device health monitoring, ASR audit analysis, AV health, 20+ custom detection rules, 40+ hunting queries by ATT&CK tactic.

Configurations: Sysmon baseline (NE-tuned), ASR deployment config (safe/careful/high-risk with per-rule FP analysis), exploit protection system-wide XML.

Scripts: Windows endpoint triage collection (PowerShell), ASR audit report generation, device health assessment.

Templates: Gap assessment, maturity model scoring, ASR readiness report, containment decision tree, forensic readiness checklist, architecture document template.


Usage rights and disclaimer

Course materials: Licensed for individual professional development. You may deploy configurations, detection rules, scripts, and policies from this course in your organization's production environment. You may not redistribute course content, share account credentials, or republish course materials.

Endpoint security configurations: All Intune policies, KQL queries, detection rules, Sysmon configs, and automation playbooks are provided as-is. Test every configuration in audit mode before enforcement. Ridgeline Cyber Defence is not responsible for operational impact from deployed configurations.

Fictional environment: All scenarios use the fictional Northgate Engineering environment. Any resemblance to real organizations is coincidental.

Version and changelog

Current version: 1.0  |  Last updated: 2026

2026 — v1.0: Course launch. 16 modules (ES0–ES15) across 4 phases. Complete endpoint security engineering from OS internals through architecture deployment. 20+ custom detection rules, 40+ hunting queries, forensic readiness stack, cross-platform coverage, zero trust integration.

This course is actively maintained. Endpoint security configurations are updated as MDE capabilities evolve and new attack techniques emerge.

COURSE ASSESSMENT

End of Course Exam

Complete the course, then prove your skills under time pressure. Pass mark: 70. Earn your certificate with CPE credits.

40 minutes · 3 phases · 100 points · 1 scenario

Requires 80% course completion. One random scenario per attempt. Certificate issued on pass.