How the Triage Course Works
Method over tooling
The organising principle of this course is that the durable skill is the method, not the tool. This is not a slogan; it is a bet about where your time is best spent, and it is worth being honest about the trade. If you spend this course memorising one SIEM's query syntax, you will be fast in that SIEM and helpless the day you change jobs to a shop that runs a different one. If you spend it learning how to reason about evidence, how to derive severity from what you find, and how to decide containment under uncertainty, you carry that into any environment, and you pick up the new syntax in a week because you already know what you are looking for and why.
So the course teaches the method first and shows it executed in specific tools second. When a query appears, you see it in more than one place: a SIEM language and the equivalent on the box itself. The repetition is deliberate. It stops you anchoring on syntax and trains you to see the question underneath, which is the part that transfers. You saw this in the last sub already, the same authentication question rendered in Sentinel, in a Windows event log, and in auth.log. That pattern runs through the whole course.
This also shapes what the course refuses to do. It will not teach you to click through one vendor's incident console step by step, because that knowledge expires. It will teach you what evidence that console is showing you, what question it answers, and how to get the same answer somewhere else when you do not have it.
How each lesson is built
The teaching subs follow one shape, so once you can read one you can read them all. The shape is built around a simple idea: you learn triage by doing triage, not by reading descriptions of it.
Every teaching sub runs the same arc: teaching layer, demonstration, the call, your turn. The teaching layer is the part you are paying for; the demonstration proves it on evidence; your turn makes you do it.
The teaching layer is where the substance lives. It is not a definition you could find anywhere; it is the mental model: why the move exists, how to think about it, the overrides that beat the obvious reading, and the specific mistakes analysts make. The demonstration then takes that concept and works it on real evidence, so you see the idea touch data rather than stay abstract. The call shows the decision the evidence supports. And your turn hands you fresh evidence to work yourself, a reference card to keep for the job, and a scenario challenge that tests judgment rather than recall.
One feature is worth knowing up front, because it changes how you should read. Output is hidden until you ask for it. When a query's results sit behind a reveal, predict what they will show before you reveal them. This is not a gimmick. Triage is prediction under uncertainty: you are constantly forming a read before you have all the data, and the habit of committing to a prediction and then checking it is the exact habit the job rewards. Read passively and you will recognise the answers. Predict first and you will be able to produce them.
The hidden-output habit mirrors the job: triage is forming a read before you have all the data, then checking it.
Who this is for
The course is pitched for practitioners with roughly two years of experience: SOC analysts, responders, consultants, managed-SOC analysts, security engineers who carry response duties. It assumes you are comfortable in at least one SIEM, can write a basic query, and recognise the common attack patterns by name. It does not stop to explain what an adversary-in-the-middle attack is. It teaches you how to turn the evidence one leaves into a defensible call.
If you are coming from an adjacent background and do not yet have those foundations, you are still welcome, and the outcome is genuinely reachable with work. Where a sub assumes something you have not built, it names what to shore up and points you at it, including the foundational short courses on KQL and the core tools. Your starting background does not bar you from the result. It only sets what you prepare first. This is a deliberate stance: triage is not a club with an entry exam; it is a skill, and skills are built.
And if you already know a topic cold, every sub opens with a short marker of what it assumes, so you can skip what you have mastered without stepping over anything you will need later.
The next sub introduces the environment the course's examples live in, and how to map it onto whatever you actually run at work.